Following the news that Chinese hackers have discovered a second Android master key vulnerability, Michael Sutton, VP Security Research at Zscaler, comments:
“Both the original 'master key' vulnerability and this latest 'integer mismatch' vulnerability allow a hacker to inject malicious code into an Android application (.apk) file and the injected code won't be detected due to issues with the verification logic. The techniques are different, but they achieve a similar goal. The 'integer mismatch' isn't as universal, as it's dependent upon the specific .apk that you're injecting into, but it does appear to impact most .apks.
While Google will no doubt issue a quick fix, the greater concern is getting that fix onto handsets in use today. Due to the nature of the Android ecosystem, having Google update the main branch of the Android operating system with a fix is only step one. The master key vulnerability discovered by Jeff Forristal was reported to Google months ago, and we're still waiting for patches from certain hardware vendors. It appears that this time around Google doesn't have the luxury of having the vulnerability reported privately. What does this mean for the average end user? Google still validates apps in the Google Play store to ensure that they aren't harbouring malware either overtly, or using a technique such as one of the aforementioned vulnerabilities. Therefore, users should stick to 'official' app stores such as Google Play to avoid the possibility of downloading a Trojanised app.”