The Bluebox "Master key" Security Scanner will scan your device to determine:
- If your system is vulnerable or patched to any of the "master key" security flaws affecting most Android devices (there are multiple 'master key' flaws at this point)
- If your system settings allow 'Untrusted Sources' application installs
- If any installed application on your device is trying to maliciously take advantage of any of the 'master key' security flaws
ANTIVIRUS ALERT: we have confirmed that the Bluebox Security Scanner can cause alerts for "Exploit.CVE-2013-4787.A" Trojan, which is the MasterKey bug CVE designator. The Bluebox Scanner does not use the "Master Key" vulnerability in any way in the application itself (testing vulnerabilities with real exploits is against Google's terms of service), but it includes non-application test ZIP files with empty entries to verify patch status when processed by the ZipFile Java class (vulnerable systems open the ZIP files without error; patched systems throw an exception when opening/processing). It seems the antivirus applications are triggering a false positive Trojan warning due to the included test ZIP files.
Further details of the Android "Master key" security flaw are available at:http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/NOTICE: the scanner currently cannot check .APKs in the /mnt/asec/ (copy protected apps) directory; this is a security limitation enforced by Android OS. You are told how many were skipped, and given a checkbox (if one or more are skipped) to enable seeing the full list of details if you so choose.