The developers behind CyanogenMod, bless their hearts, have committed code to prevent exploitation of a second, recently discovered “master key” security bug. Designated CyanogenMod 10.1.2, the update addresses a flaw in Android that, much like the hole uncovered earlier this month by researchers at Bluebox, is related to the way many versions of the mobile operating system verify signed apps.
Android Security Squad, the China-based group that uncovered the bug, describes how a nefarious individual or business could, with some knowledge of a legitimate app’s file contents, disguise malicious code as a harmless application update. That’s certainly troubling, but it’s important to note that, as we mentioned in our post about the “master key” exploit last week, those with affected devices who download apps exclusively from the Play Store are likely protected by Google’s app-scanning feature. Apps from shady third-party stores and websites represent the greatest risk to owners of unpatched devices.
The update marks the second time this month that CyanogenMod has responded to a security threat by releasing an updated CM build. Google has already patched both bugs, so it’s good to see the CyanogenMod team catching up. Builds are appearing on Get.CM slowly, but most should be available now. If you’re running an older CyanogenMod 10.1 ROM, it’s recommended that you update.