Earlier this month, security firm Symantec revealed details of a serious Android vulnerability that it had detected – ‘Master Key’.
Android applications require a digital signature, which ensures that the code within the app has not been tampered with. It is also a sign that the code was provided by the official publisher.
According to Symantec, Android utilises an app-level permission system where each app must declare and receive permission to perform sensitive tasks. Digital signing prevents apps and their accompanying permissions from being hijacked.
The Master Key vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.
This enables an attacker to hide code within a legitimate application and use existing permissions to perform sensitive functions through those apps.