Google fixes APK nightmare-waiting-to-happen, sends patch to partners
(Phys.org) —As if Android was not getting enough press about exploit opportunities, a Bluebox Security expert let the world know earlier this month that its security team discovered a Master Key vulnerability where hackers could sidestep app verification and install Trojans that can sail through verification without any problems. With this exploit, a hacker can modify a normal Android application package file (APK) without having to break the app's cryptographic signature. That's the ticket. The signature break would have sent off red flags. (Explains Threatpost: Applications are digitally signed to establish or confirm the identity of the developer and the signatures make sure that future updates come from only the developer of the application.)