
Last week we told you about a new security threat that was uncovered by Bluebox. It was actually uncovered several months ago and Google was informed about it in February. At the time of the posting, Google didn't make a comment, but it appears Google did indeed patch the hole back in March.
Gina Scigliano, Google's Android Communications Manager, did “confirm that a patch has been provided to our partners – some OEMs, like Samsung, are already shipping the fix to the Android devices.”
There is only one problem. The patch is in the hands of the OEMs, and it's up to them to update devices. Anyone want to take a guess as to how long it will take for all Android devices to receive the update? Have no fear, because there hasn't been one case of the exploit taking place. Google regularly scans the Play Store for such things and nothing has popped up.
source: ZDNet
Pretty sure the problem isn’t with the Play Store, as they’d also have to spoof the login credentials to post a new apk as an existing app developer.
The problem is when someone exports an apk for, say, a Google app, creates malware with it, uses this hack to digitally sign it and then gets people to side-load it or load it through some other app store.