The application has been released by Duo Security and Northeastern University

Jul 17, 2013 07:58 GMT

Google has already addressed the “master key” vulnerability in Android that allows cybercriminals to alter legitimate apps and turn them into malicious Trojans without breaking their cryptographic signature. OEMs have also started working on a patch.

However, it will take some time until the patch reaches end-users, and those who have older Android phones might not get the fixes at all.

Recent studies have shown that 50% of Android devices have unpatched vulnerabilities. In many cases, Android users remain exposed to security holes for months and even years.

As far as the “master key” vulnerability is concerned, this is a serious issue since most Android devices are impacted by the flaw.

Fortunately, Android users don’t have to wait for the patch. Researchers from Northeastern University's System Security Lab (NEU SecLab) and cloud-based two-factor authentication company Duo Security have released a mobile app called “ReKey” which addresses the vulnerability.

In addition to patching the flaw, ReKey also notifies users in case they’re about to install an application that abuses the “master key” bug.

“ReKey is the latest of our research projects designed to make the Internet a safer place,” said Collin Mulliner, a postdoctoral researcher at NEU SecLab.

“We hope that ReKey will provide a practical tool for users to protect themselves and, at the same time, raise awareness of the challenges in the mobile security space.”

ReKey is the first mobile app to deliver a third-party security patch outside of the carrier’s control. The app patches the vulnerability by injecting a small piece of code into the Android framework.

“The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,” noted Jon Oberheide, CTO of Duo Security.

“We are excited to bring forward innovative technology like ReKey that puts security controls back into the hands of users and enterprises.”

It’s worth noting that ReKey works only on rooted Android devices, because the app requires elevated privileges to work.

ReKey is available for download on Softpedia as well.