This is about the Master Key vulnerability, which allowed an attacker to create two files with the same name in an APK. This would cause the Android package manager to verify only the first file's cryptographic signature while ignoring the second file with the same name. An attacker could therefore inject malicious code into the APK without breaking the signature, making the tampering difficult for security measures to detect.

Google released a patch for the Master Key vulnerability shortly after it was discovered. Android users are advised to keep their devices updated with the latest security patches to protect against this and other security vulnerabilities.
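A defender-side check for the duplicate-name condition described above, added here as an example and not taken from the original post. It assumes per-entry digests are read from `META-INF/MANIFEST.MF` in the JAR signing format; the function names and the sample archive are constructed for illustration.

```python
import base64, hashlib, io, re, warnings, zipfile
from collections import defaultdict

MANIFEST = "META-INF/MANIFEST.MF"  # assumption: JAR-style (v1) manifest location

def manifest_digests(text):
    """Map entry name -> (hashlib algorithm, base64 digest) from a JAR manifest."""
    text = re.sub(r"\r?\n ", "", text)            # unfold wrapped continuation lines
    out = {}
    for section in re.split(r"(?:\r?\n){2,}", text):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        for key, val in attrs.items():
            m = re.fullmatch(r"(SHA1|SHA-256)-Digest", key)
            if m and "Name" in attrs:
                out[attrs["Name"]] = (m.group(1).replace("-", "").lower(), val)
    return out

def audit(apk_bytes):
    """Return {name: [verdict per stored copy]} for names that occur more than once."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    copies = defaultdict(list)
    for info in zf.infolist():                    # infolist() keeps every duplicate
        copies[info.filename].append(info)
    digests = manifest_digests(zf.read(MANIFEST).decode()) if MANIFEST in copies else {}
    report = {}
    for name, infos in copies.items():
        if len(infos) < 2:
            continue
        algo, want = digests.get(name, ("sha1", None))
        report[name] = []
        for info in infos:                        # read each copy by its own ZipInfo
            got = base64.b64encode(hashlib.new(algo, zf.read(info)).digest()).decode()
            report[name].append("matches manifest" if got == want else "NOT in manifest")
    return report

def build_sample():
    """Constructed sample: a tiny unsigned archive that stores classes.dex twice."""
    original, extra = b"original dex bytes", b"second copy bytes"
    digest = base64.b64encode(hashlib.sha1(original).digest()).decode()
    manifest = f"Manifest-Version: 1.0\r\n\r\nName: classes.dex\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")           # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, manifest)
            zf.writestr("classes.dex", original)
            zf.writestr("classes.dex", extra)
    return buf.getvalue()

print(audit(build_sample()))
```

Any non-empty result is a reason to reject the package: a well-formed APK never stores the same entry name twice.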

Let’s start step by step:

First, we try to change the content of a file in the APK. To do that, we open the APK in WinRAR, select the file, and open it in an editor. Then we change a small piece of data:

The error is:

OK, in the next step, let’s calculate the hash of this file and then put it into MANIFEST.SF.

First we calculate hash:

Then we change the hash in MANIFEST.SF:

Then let’s install it:

We also can’t add a new file to this archive or delete one. But what if we add a file with a name that already exists in this archive?

Is it possible?