Root Master Key Bluebox, Root fix

Chief YYZ

Well-Known Member
Am I correct in understanding this applies only to "side-loaded" apps? From what I've gathered Play Store apps are checked by Google prior to being made available and will not contain malicious code.

Chief YYZ

Well-Known Member
I was basing that off the xda thread:

[FIX][XPOSED][4.0+] Universal fix for "Master Key" + "Bug 9695860" vulnerabilities
While technically different, both of these vulnerabilities permit that legitimate APKs can be manipulated to replace the original code with arbitrary one without breaking the signature. This allows someone to take an update from a well known publisher (e.g. Google Maps), change the APK, and a device receiving it will happily apply the update as if it was indeed from that publisher. Depending on the apps being updated in this way, priviledge escalation can be achieved.
Google has already mentioned that all apps published on the Play Store are checked for this kind of manipulation, but those of us installing APKs from other sources aren't safe.

Probably better safe than sorry, just wondering who to believe on the vulnerability of play store apps.


The PearlyMon
The Play Store has a watchdog - their name for their bot that assures apps are clean.

It's good but not perfect.

I personally know of two users here who were infected by malware before the watchdog kicked in.

In both cases, Google reaching out and automagically uninstalled the apps.

In one case that was insufficient because it was an indirect payload and despite being uninstalled, the real payload stayed behind causing damage.

So the vulnerability is high but the susceptibility is low - not zero, but low.

The two-part fix that replaces the framework can lose features on some custom roms.

I'm skipping that part, but I do so knowing that I've chosen that risk.