The severity of the Master Key vunerability (bug #8219321) Bluebox Security discovered has been disputed and folks often are willing to look past theoretical vulnerabilities until a widespread zero day goes public. The original claims were that 99% of Android devices were vulnerable but that has since come down with patches and Google updates. Still, with manufacturers and carriers unable to see the long term value in quick (or any) updates to their phones, a huge amount of Android users are out there, unpatched.
(Bluebox has a scanner in the Play store to determine if your Android device is still vulnerable)
Enter Saurik, the developer/hacker/violinist responsible for the Cydia Jailbreak repository for iOS and Substrate for Android, who this morning, posted an exploit and a fix (as well as a wonderfully-detailed bug #8219321 writeup) for Android devices that are unpatched. In true jailbreak fashion, the exploit runs from a Mac or PC and in a few steps gives your su/Root access to the infected phone/tablet. While it isn’t as plug and play easy as recent iOS jailbreaks, it is easy enough for anyone who wants to root their unpatched phone to do in a few minutes.
No vulnerability exploit would be worth its salt if there also wasn’t a fix attached and this is no different. Folks who just want a fix that their carrier/manufacterer won’t supply can also use this to make sure they aren’t vulnerable.
We’ve reached out to Google for comment and will report back if we hear anything.