Chinese researchers have identified another vulnerability that could be leveraged to modify Android apps without altering their cryptographic signatures.In a blog post (Chinese), the experts explain that the security hole is different from the one identified by Bluebox Security, but its effects are the same.
Pau Oliva Fora, the one who wrote the POC exploit for the “master key” flaw, and Bluebox representatives have confirmed for IDG that the new attack method is plausible.
However, the method described by the Chinese experts is more limited because it works only on APK files that are under 64KB in size.
Bluebox Security says that it has discovered a “slightly different” vulnerability than the one from the Chinese blog post that has fewer limitations. This method has already been reported to Google and a patch has already been released for it.