The method described in the Chinese-language blog post is plausible and credible and has the same impact as the original Android "masterkey" vulnerability found by Bluebox researchers, said Jeff Forristal, the chief technology officer of Bluebox Security, via email on Thursday. "However, Bluebox is aware of a slightly different, more comprehensive method with less constraints than the one technically illustrated in that blog post."
That more comprehensive method was disclosed by Bluebox to Google, and a patch has already been released, he said. "Applying the released AOSP [Android Open Source Project] patch will protect against either method."
Technical details about the issue are currently being withheld in order to allow device manufacturers enough time to release new firmware versions containing the patch.
Information shared by Google with Bluebox Security suggests that Google Play can detect apps that attempt to exploit the new vulnerability, Forristal said. However, Bluebox has not performed any tests in order to confirm this, he said.
Google declined to comment on the matter.
Vulnerabilities that allow legitimate APKs to be modified without failing Android's digital signature checks could benefit cybercriminals. Passing off malicious apps as popular games and other well-known applications has long been a technique used by Android malware authors to distribute their creations.
Some of the devices affected by this vulnerability will most likely never receive a patch because they've reached end of support. However, if Google Play already detects such exploits, users who don't install apps from alternative sources such as third-party app stores should be protected.