Find out if your Android is vulnerable to the MasterKey exploit

Martin Brinkmann
Jul 10, 2013
Updated • Feb 24, 2014
Apps, Security

Bluebox Security some time ago discovered a vulnerability in nearly every Android device released in the last four years that allowed attackers to modify code of legitimate applications without breaking their cryptographic signature. Hackers can exploit the vulnerability for all kinds of malicious activities, including data theft or abusing infected devices as botnets.

You can read up on the technical details of the vulnerability on the Bluebox website. Google in the meantime has created a patch for the issue which it delivered to Android device manufacturers. It is however up to each individual manufacturer to deploy the patch, so that your device may have received it already, or is still vulnerable to the exploit.

Bluebox has released a new application for Android that checks whether your smartphone or tablet is vulnerable or patched. Simply go to Google Play and install the Bluebox Security Scanner application from there.

masterkey vulnerability scanner android

All you have to do then is to run the application on your phone or tablet to find out if it is patched or not:

  1. Patch Status indicates whether your device manufacturer has distributed the patch already or if your device is still unpatched and therefore vulnerable to the MasterKey exploit. The status reads unpatched/vulnerable in this case.
  2. Non-Google Market installs checks if application installations from unknown sources are allowed on the device or not.
  3. Malicious App Scan scans all installed apps for traces of malicious code and will report back to you if any are found so that you can react immediately to the threat.

The scanner cannot scan apps in the copy protected folder under /mnt/asec/ due to operating system limitations.

You do not need to do anything if your device is listed as patched. If it is unpatched, you cannot really do a lot about it either. What you should do however is be very careful in regards to new application installations, especially if they come from sources outside the Google Marketplace.

From the looks of it, it appears that Samsung has already pushed out the update to its devices, and that HTC has already patched at least some of the company's devices as well.


The application highlights if your system has been patched or not which may ease your mind if it is already patched or at least make you aware of the issue if it has not been patched yet. You can uninstall the application if the vulnerability has been fixed on your device, but may cling on to it if it has not. (via Caschy)


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Françoise said on July 12, 2013 at 8:52 am

    I saw this mentioned elsewhere, and don’t understand why this is news. The Belarc Security Advisor, also on Google Play, scans your phone or tablet for every known Android vulnerability, not just one. There are over 350 Android vulnerabilities listed in the NVD
    And the Bluebox app checks for one?! Lol.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.