This so-called "master key" bug allows attackers to modify the code of any app without breaking its cryptographic signature, which makes it easy for them to substitute malicious apps for legitimate ones. The risk is considerable, especially now that proof-of-concept code for its exploitation has been published.
Bluebox has now made available an app called Bluebox Security Scanner that allows users to see whether their device is vulnerable to the bug.
Available for download from Google Play, Amazon AppStore for Android and GetJar, the app scans the user's device and tells them whether their Android installation has already been patched or still sports the vulnerability, whether their system settings allow non-Google Market application installs, and whether they have already installed one or more apps that take advantage of the flaw.
"The scanner will save you significant time and keep you from having to do the 'leg work' to figure out if your device has been safely patched," explains Jeff Forristal, Bluebox CTO. "If your device has not been patched, it will provide you with the information you need to ask your device manufacturer when a fix will be available."
In the description of the app on Google Play the company has also warned users of Nexus devices that even though Google has given out the patch for the flaw to other vendors (Samsung, Sony, HTC, etc.), it has not yet issued updates for its own Nexus devices. "It is unknown why, but speculation is they don't want to do a 4.2.x patch update if 4.3 is coming out very soon," they said.