July 13, 2013

The developers behind CyanogenMod, bless their hearts, have committed code to prevent exploitation of a second, recently discovered “master key” security bug. Designated CyanogenMod 10.1.2, the update addresses a flaw in Android that, much like the hole uncovered earlier this month by researchers at Bluebox, is related to the way many versions of the mobile operating system verify signed apps.

Android Security Squad, the China-based group that uncovered the bug, describes how a nefarious individual or business could, with some knowledge of a legitimate app’s file contents, disguise malicious code as a harmless application update. That’s certainly troubling, but it’s important to note that, as we mentioned in our post about the “master key” exploit last week, those with affected devices who download apps from the Play Store exclusively are likely protected by Google’s app-scanning feature. Apps from shady third-party stores and websites represent the greatest risk to owners of unpatched devices.

The update marks the second time this month CyanogenMod has responded to a security threat by releasing an updated CM build. Google has already patched both bugs, so it’s good to see the CyanogenMod team catching up. Builds are appearing on Get.CM slowly, but most should be available now. If you’re running an older CyanogenMod 10.1 ROM, it’s recommended you update.

Kyle Wiggers