Samsung’s Android App-Signing Security Key Leaks, Used to Sign Malware Apps

Google’s Android Security Team has discovered that several Android partners, including Samsung, LG, and MediaTek, have had their cryptographic platform app-signing keys leaked (via Ars Technica).
Cryptographic signing keys are an integral pillar of Android security. When your phone updates an app, it checks to make sure that the signing key of the already installed app matches the key of the update.
This signature comparison is how Android verifies that the original app and the update your phone is installing came from the same company, or more precisely from the holder of the same signing key. That is precisely why compromised signing keys are so dangerous.
Bad actors could sign malicious apps with a leaked key belonging to a company, fooling Android into thinking an update is legitimate. In fact, the leaked security keys are actively being used to sign malware.
Łukasz Siewierski, a member of the Android Security Team, recently detailed the leaked platform signing certificates in a post on the Android Partner Vulnerability Initiative (APVI) issue tracker. Siewierski also shared examples of malware apps signed with each leaked key.
To make matters worse, affected OEMs haven’t retired the compromised keys and replaced them with new ones. Instead, they are still using them — Samsung even released some app updates with the same key today.
What’s more, OEMs like Samsung and LG use the “platform certificate keys” that were leaked to sign the stock apps they put on their devices. These apps have much higher permissions than any third-party apps downloaded from the Play Store or elsewhere.
A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id—android.uid.system—and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.
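The two rules described above, that an update is accepted only when its signing certificate set matches the installed app's, and that a sharedUserId of android.uid.system is honoured only for APKs signed with the platform certificate, can be modelled in a few lines. The following Python is an added example for this article, not code from Google, Samsung, or the APVI post; the certificate bytes, package names, and the compromised-key list are constructed placeholders, and v3 key-rotation lineage is deliberately not modelled.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Android identifies a signer by the SHA-256 digest of the DER-encoded signing
# certificate (the value apksigner prints as "certificate SHA-256 digest").
# These byte strings are hypothetical placeholders, not real OEM certificates.
PLATFORM_CERT = b"DER:hypothetical-oem-platform-cert"
ORIGINAL_DEV_CERT = b"DER:hypothetical-third-party-dev-cert"
ATTACKER_CERT = b"DER:hypothetical-attacker-self-signed-cert"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate: the identity Android compares on update."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass(frozen=True)
class Apk:
    package: str
    signers: frozenset            # certificate fingerprints that signed the APK
    shared_user_id: str | None = None   # android:sharedUserId from the manifest


def update_allowed(installed: Apk, update: Apk) -> bool:
    """The package manager accepts an update only if the package name matches and
    the update is signed by exactly the same certificate set as the installed app.
    (v3 key-rotation lineage, which can widen the accepted set, is not modelled.)"""
    return installed.package == update.package and installed.signers == update.signers


def effective_uid(apk: Apk, platform_fp: str) -> str:
    """sharedUserId="android.uid.system" is honoured only when the APK carries the
    platform certificate; anything else runs under an ordinary per-app uid."""
    if apk.shared_user_id == "android.uid.system" and platform_fp in apk.signers:
        return "android.uid.system"
    return f"u0_a:{apk.package}"   # ordinary sandboxed uid, modelled as a label


def signed_with_compromised_key(apk: Apk, compromised: set[str]) -> bool:
    """Triage check: does any signer match a published compromised-certificate digest?"""
    return bool(apk.signers & compromised)


if __name__ == "__main__":
    plat = cert_fingerprint(PLATFORM_CERT)
    dev = cert_fingerprint(ORIGINAL_DEV_CERT)
    att = cert_fingerprint(ATTACKER_CERT)

    installed = Apk("com.example.bank", frozenset({dev}))
    # An attacker without the developer's key cannot push an update over it.
    print("attacker update accepted:", update_allowed(installed, Apk("com.example.bank", frozenset({att}))))

    # With a leaked platform key, a sideloaded app can claim the system uid.
    malware = Apk("com.example.evil", frozenset({plat}), shared_user_id="android.uid.system")
    print("malware uid:", effective_uid(malware, plat))
    print("flagged by blocklist:", signed_with_compromised_key(malware, {plat}))
```

On a real APK, `apksigner verify --print-certs app.apk` prints the same SHA-256 certificate digest that `cert_fingerprint` computes here, so the blocklist check can be run against the certificate hashes published in the APVI post rather than against these placeholders.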
As if all of that wasn’t enough, malware signed with Samsung’s platform key dates back to 2016, meaning the key has apparently been in malicious hands for six years while the company kept signing its app updates with it.
“Samsung takes the security of Galaxy devices seriously,” the company told Adam Conway from XDA Developers.
“We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.”
The Android Security Team provided the following statement on the matter:
OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.
Neither Google nor any of the OEMs offered any instructions on how users can protect themselves from malware signed with the leaked keys. Sticking to the Play Store for all of your app updates for the foreseeable future and avoiding sideloading should be a good start, though.
The Play Store, at the very least, does some amount of virus scanning and due diligence. Last year, Google blocked 1.2 million policy-violating apps from being published on the Play Store.
Earlier this year, Google researchers also discovered malware from a Russian state-backed group that was disguised as a pro-Ukraine app and had to be sideloaded.
Seriously, WTF? How can they say they take any security seriously, when they haven’t updated the keys for 6 years? Then again, the only proof of how seriously they take it that he can offer is that there haven’t been any exploits reported.
Ugh. Samsung.
And Google allowed this. It’s trivial to update to new keys and even required for Play apps, but Google gave OEMs an exception for the most sensitive apps on an Android device. Genius.
If you’ve ever owned a Samsung, you got what you paid for.
Damn… time to move to iOS :/ . If this company can’t update its stuff every year at least, then why go for it? I guess Apple wins in this case.. idk abt other OEMs
What a clown show. I’m airgapping my Samsung TVs! :-]