The vulnerability does not involve any cryptographic primitive; instead, it is all about stashing two versions of the same resource inside an Android application (the apk file). This means that an application released and signed by FamousCompany might include some pieces of malicious code without the user noticing. Play Store (the most widely adopted application store) has been patched to refuse applications packed as zip files that include the same file twice. Only a few devices (reportedly only the Samsung Galaxy S4) are known to run the code patching this vulnerability.
Source: https://securelist.com/master-keys-and-vulnerabilities/57494/

