Android Master Key Makes 99% Of Android Devices Vulnerable


Security is often a paramount concern for today’s tech-savvy users, and the same applies to the mobile world. Before you wonder how secure the Android operating system is, hold on to your seats: Bluebox Security claims to have discovered what it calls the Android ‘master key’, which could eventually turn just about any Android app into a malicious “zombie” program and could eventually affect up to 99% of the Android-powered phones and tablets in the world. This does not bode well for Android, which has been considered to be in pole position where malware is concerned.

Android Master Key discovered? / © Gerd Altman/pixelio.de, nh/AndroidPIT


Over 900 million Android devices have already been activated, so the idea of an Android master key in the hands of people armed with enough programming knowledge and malicious intent is a scary thought, clearly bringing this issue to the ‘major vulnerability’ level.

With this vulnerability in the Android platform, malware could eventually enable hackers to remotely capture data and control functions on a device, including your phone calls and messages. This could even be achieved without arousing the suspicion of the phone owner, and Google as well as the app developer would be kept in the dark, too.

Bluebox CTO Jeff Forristal said that this vulnerability can be traced all the way back to Android 1.6, better known as Donut. Forristal claimed that they discovered a method by which a hacker could potentially modify an app’s APK code without breaking the cryptographic signature that is used to authenticate it. In plain English, apps can be loaded with malware while still being cleared as legitimate on the outside. There is still a glimmer of hope for users: this potentially explosive situation remains theoretical, as it is unclear how malicious apps and updates would be served to users.

As a user, I guess one of the main preventative steps you can take is to stick to official app stores for downloads, and only use third-party app stores if you really have to. Bluebox Security reported this flaw to Google back in February this year; the issue has been fixed for the Samsung Galaxy S4, and a fix for Google’s own Nexus range is in the pipeline. The main worry should come from older devices that will no longer receive newer versions of the Android operating system.



  • Thanks Ed Eldridge

  • Ed E. Jul 7, 2013

    Affects all Android down to 1.6

  • Maybe a dumb question but does this affect (wifi only) tablets too?

  • Ed E. Jul 6, 2013

    We can only hope that google closes the loopholes.

  • Google seems to be dragging their feet with fixing this issue it seems but maybe this is the reason why there are rumors that android 5.0 key lime pie will have better support for older devices.

  • Ed E. Jul 5, 2013

    It's great to report things like this but also not great to be general knowledge. Just reporting this will give someone out there the chance to try and find out whatever loopholes there are for android and go on a rampage to cause as much damage as they can to android and the people who are not very tech savvy before google could ever close the loopholes.
    Yes I know there are always people looking for these loopholes and always will be........but please before reporting this kind of thing allow google the chance to close them.......then say there was a master key for android and that google has closed it...