If you are an android programmer already knew that an app can have some permissions for use internet, read contacts etc.. but also there are permissions that allow to do more low-level things like READFRAMEBUFFER. Of course for security this permissions cannot be use for all the apps, but only for apps that are signed with the same key that the main system rom.

Now bluebox has a way to inject code without invalidate the signature, basically it works because ZipFile.java use a HashLinkedList for store the files of the zip and if you have duplicates it only use the last one, but android loader always use the first. So you can add your injected code without pass the signature validation.

[Presentation] http://bluebox.com/corporate-blog/android-master-key-presentation/

[Tool to experiment] http://www.cydiaimpactor.com/