A second vulnerability that can be exploited to modify legitimate Android apps without breaking their digital signatures has been identified. The flaw is different from the so-called “masterkey” vulnerability announced last Wednesday. Android records the digital signature of an application when it is first installed and a sandbox is created for it. The new vulnerability allows attackers to inject code into files that exist in APKs, specifically in their headers, in a way that bypasses the signature verification process. Attackers can trick users into installing fake updates for their already installed applications that would get access to potentially sensitive data.”]

