A newly-revealed vulnerability in Android allows attackers to bypass the usual app authenticity and integrity checks. Normally, the checks allow Android to verify that an app has not been modified.
This new issue allows those with ill intent to modify an app with malicious code, without breaking the security signature. This will cause Android to report that the app is genuine and unmodified, when in fact it is not. The issue does not affect apps downloaded and updated exclusively through Google’s Play Store. Apps downloaded or updated through any other sources may be affected. Full protection can only be provided by a patch to Android itself, which is up to phone manufacturers (and carriers) to provide.
Samsung has implemented a fix on its Galaxy S 4, but the fix has not been confirmed for any other phones, and Google has not yet patched the issue in the base Android code, nor on its Nexus devices.
Google was first notified about the issue in February, and notified its major partners in March. It affects all versions of Android from 1.6 through 4.2.
