Android owners should take a look at the Bluebox Security in the Google Play store. It’s an app that notifies you if your device secure from the ‘Master Key’ exploit.
Discovered by security research firm Bluebox Labs, the vulnerability “allows a hacker to modify APK code without breaking an application’s cryptographic signature.” Um, whatever. Just know that’s a bad thing, and according to Bluebox, 99 percent of Android devices are vulnerable.
In much simpler terms, the firm says that this exploit could be used to turn any legitimate application into a malicious Trojan. The app store and the user would never notice. According to the firm, this exploit seems to date back as far as Android 1.6 Donut, possibly further, and “could affect any Android phone released in the last four years, “or nearly 900 million devices.”
Such a Trojan could potentially give the malicious application full access to the user’s device and all its applications and data. It could read email, SMS messages, documents and more, it could even retrieve stored account passwords. In short, it could be used to really ruin your weekend.
If you’re scan comes back with the warning that Non-Google market Installs are allowed (shown in the image above) you can fix it. Go to Settings > Security and uncheck Unknown Sources. If that isn’t checked you won’t be able to side-load apps, but you can enable it if you need to, then disable it again after the side-load.
You can get more detailed information on the exploit here.
The good news is that there are patches on the way from most manufacturers. Unfortunately, that’s up to the maker. We’re sure they want to keep customers, and they will work to fix it. However, for now, what you can do is check your device’s vulnerability.
Bluebox Security Scanner
To check your Android device, download and run the Bluebox Security Scanner.
Here’s some more details about the Bluebox Security Scanner app:
DescriptionThe Bluebox “Master key” Security Scanner will scan your device to determine:
- If your system is vulnerable or patched to the Bluebox “Master key” security flaw affecting most Android devices
- If your system settings allow non-Google Market application installs
- If any installed application on your device is trying to maliciously take advantage of the security flawNOTICE: the scanner currently cannot check .APKs in the /mnt/asec/ (copy protected apps) directory; this is a security limitation enforced by Android OS.By using this free tool, you can scan your device to determine if you are vulnerable, safe, or have already been exploited/compromised.
Speaking of Android security, you should read our article: Which Free Android Security Device is the Best? In that article, Austin tests and compares three different security apps and Avast comes out as the winner.