“Even the system software itself is signed by the manufacturer of the device; applications signed by that same key are thereby able to do anything that the system software can. Normally, this is only possible if you are the manufacturer; however, using bug #8219321, anyone could steal those signatures for their own.

A key concern this raises is that applications in the wild might be signed with the system keys of your device; while you think you are just installing a harmless game, that application would look to the package manager as if it came from the manufacturer, giving it elevated and dangerous system permissions.”

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control.” stated Freeman in a past post.

Freeman’s exploit allows an attacker to gain complete access to a user’s Android handset via a modified system APK, without any modification to the his original cryptographic key, the consequence under security perspective are evident, a malware can obtain full access to Android OS and on the overall installed applications and related data.

So far no evidence of this exploit has been found in apps already available in Google Play, since now Android users haven’t been affected by the Master Key vulnerability, the eventual risk is limited to manually installing from not official stores.

Waiting for a fix for the Android Master Key vulnerability it is strongly suggested to download applications only from trusted sources avoiding third-party app stores, Freeman also announced an update for his Cydia Impactor that includes a patch for the bug.