The only way an Android user can be attacked via this master key flaw is if they download a vulnerable application.
“It all comes down to where you get your applications from,” Forristal said.
That means if a user gets their applications from trusted sources like Google Play, the risk of the master key exploit is not high, even if the given device has not been updated with the latest patched Android code. Forristal noted that he has seen reports that he has not been able to independently verify, that indicate Google is already scanning apps in the Play store to mitigate risk.
Bluebox Security has released a free app designed to help Android users check if their device has been patched for the master key vulnerability.