Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module on GitHub (https://gist.github.com/poliva/36b0795ab79ad6f14fd8) that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. (https://securityledger.com/2013/07/flaw-leaves-900m-android-devices-vulnerable/). It affects versions of Android going back four years.
The simple program leverages APKTool, a common, open source tool for reverse engineering Android applications – decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, “malicious” APK that will have the same, cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal’s vulnerability was provided to Google’s OEM (original equipment manufacturer) and carrier partners in March, and that some (Samsung) have already shipping a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base. (https://securityledger.com/2013/03/android-ecosystem-still-fragmented-insecure/)"
Link to Original Source