Recently Bluebox Security research team announced that they have discovered an Android security bug 8219321 (master keys) , according to Bluebox team the security flaw “Master key” can allow hackers to modify legitimate applications (apk) in to malicious Trojans, this bug was there since the release of Android 1.6 (Donut ).
However, Zdnet reported that Google has found a fix for this vulnerability and the patch was pushed to OEMs Samsung, Sony, HTC, etc. The patch from Google has already been merged to Cyanogen Mod 10.1 and it seems Samsung started rolling out this fix to their devices, I think other Android device manufactures will release the fix for their devices, so soon you may expect a firmware update for your device.
But if you want to know whether your Android device is patched or vulnerable to “Master key” flaw, then you must download Bluebox Security Scanner app, released by the same research team who discovered this security bug.
Interestingly using this app I came to know that the “Master key” bug has already been patched on my Galaxy S3 phone, but at the same time the app showed that my Galaxy Tab 2 was vulnerable to this bug. So I think this flaw may already be fixed on the latest devices like Galaxy S4 and HTC one, because Bluebox Security team reported this flaw was disclosed to Google in February 2013,although the security team announced it publicly on July 7th,2013.
Coming back to the Bluebox Security Scanner app, this free app is available on Google Play, Amazon AppStore for Android and GetJar , just download it and run the app on your device.
The app will scan for reported Android security bug 8219321 on your device and let you know whether your device is vulnerable to this bug or not. Not only this,the app will check whether anyvmalicious apps are installed on your device.The Bluebox scanner cannot scan apps in the copy protected folder under /mnt/asec/ due to Android OS limitations.
Bluebox says the app does a partial device integrity check by searching for malicious apps leveraging the “master key” vulnerability so you won’t have to purchase a mobile AV application just to check for malware leveraging this vulnerability.
“The scanner will save you significant time and keep you from having to do the ‘leg work’ to figure out if your device has been safely patched. If your device has not been patched, it will provide you with the information you need to ask your device manufacturer when a fix will be available,” Bluebox explained
Another intersting information is my Nexus 7 tablet is still vulnerable to this flaw,although Google found a fix and issued a patch for this bug to OEM’s.It seems Google didn’t issued “Master key” bug patch for their own Nexus devices,may be they don’t want to release a 4.2.x patch update if 4.3 is coming out very soon.