Re: At the risk of being downvoted into Oblivion
They don't have the "master keys"; the application developers have the keys. What is happening here is the keys are used to verify the valid file and another file with the same name is being installed.
What the chocolate factory have done is patched Android. Unfortunately that's only likely to make its way to Nexus devices in the foreseeable future, since manufacturers already have their money and would rather spend their time getting more of it by working on the next device.
Your reason for open vs closed source is off-base here, because vulnerabilities exist in all systems. The only difference between open/closed source is they can be found in the source code easier (by malicious or good coders) than on a closed system where the binaries must be tested/exploited. The advantage of open source is this will be patched in CyanogenMod (and other 3rd party ROMs) before manufacturers pull their fingers out.
I don't want this to come across as defending Google, as this is a pretty schoolboy design error, likely caused by a communication problem between the teams that coded the signature checking and installation systems.
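An added example, not part of the comment above: a defensive check for the condition the comment describes, where a package carries two files with the same name so that one copy can be verified and another installed. It assumes the package is a ZIP archive (as Android APKs are); the function names and the sample archives are constructed for illustration.

```python
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(archive_bytes):
    """Return {entry_name: [sha256 of each copy]} for names that occur more than once."""
    copies = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # infolist() keeps every central-directory record, including repeated
        # names; reading by ZipInfo (not by name) fetches each copy separately.
        for info in zf.infolist():
            copies[info.filename].append(hashlib.sha256(zf.read(info)).hexdigest())
    return {name: digests for name, digests in copies.items() if len(digests) > 1}


def is_suspicious(archive_bytes):
    """A well-formed package never needs two entries with the same name."""
    return bool(find_duplicate_entries(archive_bytes))


def build_sample(entries):
    """Build a constructed in-memory archive from (name, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns, but does not refuse, when a name is written twice.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one normal package, one with a repeated entry name.
    clean = build_sample([("AndroidManifest.xml", b"<manifest/>"),
                          ("classes.dex", b"original code")])
    doubled = build_sample([("classes.dex", b"original code"),
                            ("classes.dex", b"different code")])
    for label, blob in (("clean", clean), ("doubled", doubled)):
        print(label, "suspicious" if is_suspicious(blob) else "ok",
              find_duplicate_entries(blob))
```

A scanner on the store or MDM side can reject any package for which `is_suspicious` returns true, regardless of whether the device itself has been patched.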