Chinese researchers have published a second Android Master Key attack, leveraging the same vulnerability that allows attackers to modify signed apps with malware. The vulnerability lies in the way Android conducts integrity checks on APK files. An attacker could store a benign and a malicious version of the same file in a zip archive under the same name; the benign file passes Android's signature check, which allows the malicious modification to be included as well. Nearly 900 million devices are potentially affected by the vulnerability.
Source: https://threatpost.com/second-android-master-key-attack-surfaces/101297/

