Samsung’s Android App-Signing Security Key Leaks, Used to Sign Malware Apps
Google’s Android Security Team has discovered that several Android OEMs, most notably Samsung, LG, and MediaTek, have had their cryptographic app-signing keys leaked (via Ars Technica).
Cryptographic signing keys are an integral pillar of Android security. When your phone installs an update to an app, it checks that the update is signed with the same key as the app already installed.
That check is how Android verifies that the original app and the update your phone is installing came from the same company. However, that is precisely why compromised signing keys can be so dangerous.
Bad actors could sign malicious apps with a leaked key belonging to a company, fooling Android into thinking an update is legitimate. In fact, the leaked security keys are actively being used to sign malware.
Łukasz Siewierski, a member of the Android Security Team, recently detailed all of the leaked app-signing keys in a post on the Android Partner Vulnerability Initiative (APVI) issue tracker. Siewierski also shared examples of malware apps signed using each key.
To make matters worse, affected OEMs haven’t retired the compromised keys and replaced them with new ones. Instead, they are still using them — Samsung even released some app updates with the same key today.
What’s more, OEMs like Samsung and LG use the “platform certificate keys” that were leaked to sign the stock apps they put on their devices. These apps have much higher permissions than any third-party apps downloaded from the Play Store or elsewhere.
A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id—android.uid.system—and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.
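To make the two mechanisms above concrete (the same-signer rule for updates, and the platform certificate granting android.uid.system), here is an added Python example that is not part of the article or of any Google, Samsung or LG tooling. It parses the per-signer certificate lines printed by `apksigner verify --print-certs` from the Android SDK build-tools, models the install rule, and flags APKs whose signer digest is on a blocklist of compromised certificates. The certificate digests, DNs and APK names are constructed placeholders; the article does not publish the real fingerprints of the leaked keys, and the apksigner output is reconstructed from the tool's documented layout rather than captured from a device.

```python
import re
from typing import Dict, Set

# Matches the "Signer #N certificate SHA-256 digest: <hex>" line that
# `apksigner verify --print-certs` prints for each signer of an APK.
_DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-f]{64})$",
    re.MULTILINE,
)

# CONSTRUCTED placeholder digests; the article does not give the real
# fingerprints of the leaked OEM platform certificates.
LEAKED_PLATFORM_CERT = "aa" * 32   # hypothetical leaked platform cert
THIRD_PARTY_CERT = "bb" * 32       # hypothetical ordinary developer cert
BLOCKLIST = {LEAKED_PLATFORM_CERT}  # known-compromised signer digests


def parse_signer_digests(apksigner_output: str) -> Set[str]:
    """Extract the SHA-256 digest of every signing certificate reported."""
    return {m.group(2) for m in _DIGEST_RE.finditer(apksigner_output)}


def update_allowed(installed: Set[str], update: Set[str]) -> bool:
    """Model of the rule the article describes: an update is installed only
    if it is signed by the same certificate set as the app already on the
    device. (Real Android additionally accepts APK Signature Scheme v3
    rotation lineages; this simplified model ignores them.)"""
    return bool(installed) and installed == update


def may_request_system_uid(signers: Set[str], platform_certs: Set[str]) -> bool:
    """An app may run as android.uid.system only if it is signed with the
    platform certificate. A leaked platform key still passes this check,
    which is exactly why the leak matters."""
    return bool(signers & platform_certs)


def compromised_signers(digests: Set[str], blocklist: Set[str] = BLOCKLIST) -> Set[str]:
    """Return the subset of signer digests that are on the blocklist."""
    return digests & blocklist


def audit(outputs: Dict[str, str], blocklist: Set[str] = BLOCKLIST) -> Dict[str, Set[str]]:
    """Map APK name -> compromised signer digests, for APKs that have any.
    `outputs` maps an APK name to its apksigner --print-certs text."""
    flagged: Dict[str, Set[str]] = {}
    for name, text in outputs.items():
        hits = compromised_signers(parse_signer_digests(text), blocklist)
        if hits:
            flagged[name] = hits
    return flagged


def _constructed_apksigner_output(dn: str, sha256: str) -> str:
    """Constructed sample text in the `apksigner verify --print-certs` layout."""
    return "\n".join([
        "Verifies",
        "Verified using v1 scheme (JAR signing): true",
        "Verified using v2 scheme (APK Signature Scheme v2): true",
        "Number of signers: 1",
        f"Signer #1 certificate DN: {dn}",
        f"Signer #1 certificate SHA-256 digest: {sha256}",
        f"Signer #1 certificate SHA-1 digest: {'cc' * 20}",
        f"Signer #1 certificate MD5 digest: {'dd' * 16}",
    ])


# Constructed inputs: a stock OEM app, a third-party app, and a sideloaded
# package signed with the (hypothetically leaked) platform certificate.
SAMPLE_OUTPUTS = {
    "stock_settings.apk": _constructed_apksigner_output("CN=Android, O=ExampleOEM", LEAKED_PLATFORM_CERT),
    "weather.apk": _constructed_apksigner_output("CN=Weather Dev", THIRD_PARTY_CERT),
    "sideloaded_update.apk": _constructed_apksigner_output("CN=Android, O=ExampleOEM", LEAKED_PLATFORM_CERT),
}

if __name__ == "__main__":
    weather = parse_signer_digests(SAMPLE_OUTPUTS["weather.apk"])
    sideloaded = parse_signer_digests(SAMPLE_OUTPUTS["sideloaded_update.apk"])
    # Different signer: Android refuses this as an update to weather.apk.
    print("update to weather.apk allowed:", update_allowed(weather, sideloaded))
    # Same signer as the platform: the package may run as android.uid.system.
    print("may run as system uid:", may_request_system_uid(sideloaded, {LEAKED_PLATFORM_CERT}))
    for apk, hits in audit(SAMPLE_OUTPUTS).items():
        print(f"{apk}: signed with compromised certificate {sorted(hits)}")
```

On a real device or system image the input for `audit` would be the text of `apksigner verify --print-certs <apk>` for each APK, and the blocklist would hold the digests published in the APVI report; note that the same-signer rule cannot distinguish the OEM from an attacker holding the leaked key, which is why detection has to key on the certificate itself.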
As if all of that wasn’t enough, Samsung’s app-signing key has apparently been compromised since 2016. The company has been signing its app updates with a leaked key for six years.
“Samsung takes the security of Galaxy devices seriously,” the company told Adam Conway from XDA Developers.
“We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.”
The Android Security Team provided the following statement on the matter:
OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.
Neither Google nor any of the OEMs offered any instructions on how users can protect themselves from malware signed with the leaked keys. Sticking to the Play Store for all of your app updates for the foreseeable future and avoiding sideloading should be a good start, though.
The Play Store, at the very least, does some amount of virus scanning and due diligence. Last year, Google blocked 1.2 million policy-violating apps from being published on the Play Store.
Earlier this year, Google researchers also discovered malware from a Russian state-backed group that was disguised as a pro-Ukraine app and had to be sideloaded.