Samsung, LG phones vulnerable due to leaked certificates, Google finds


Google’s Android Partner Vulnerability Initiative has disclosed a serious new vulnerability affecting Android smartphones from major brands including Samsung and LG. Because signing keys used by Android OEMs have leaked, impostor apps or malware could pass themselves off as “trusted” apps. The problem was reported earlier in May this year, after which several companies, including Samsung, took action to contain it.

The security flaw was discovered by Google employee Łukasz Siewierski (via Mishaal Rahman of Esper). Siewierski, in a series of tweets, showed how the platform certificates had been used to sign malicious Android apps.

At the heart of the problem is the Android platform’s key trust mechanism. By design, Android trusts any app signed with a legitimate platform signing key, the key used to sign core system apps, and through Android’s shared user ID system such an app can run with the same privileges as the system itself.

However, several Android original equipment manufacturers (OEMs) have had their platform signing keys leaked, allowing malware authors to gain system-level permissions on a target device. All user data on that device would then be available to the attacker, just as it is to the manufacturer’s own system applications signed with the same certificate.

Another alarming aspect of the vulnerability is that it does not necessarily require a user to install a new or “unknown” app. The leaked platform keys could also be used to sign common trusted apps such as the Bixby app on a Samsung device. A user who downloaded such an application from a third-party website would see no warning when installing it, because the certificate would match the one already trusted by their system.
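The practical defender’s question raised by the above is whether a given APK was signed with one of the leaked certificates. The following triage helper is an added example, not code from Google or any OEM: it parses the text produced by `apksigner verify --print-certs` and matches each signer’s certificate SHA-256 digest against a list of compromised fingerprints. The fingerprints and the sample apksigner output below are constructed placeholders; the real digests come from Google’s APVI disclosure, which this article does not reproduce.

```python
"""Flag APKs whose signing certificate matches a known-compromised
Android platform certificate, using `apksigner verify --print-certs` output."""
import re
from typing import Dict, List, Tuple

# Constructed placeholder digests; replace with the real SHA-256 certificate
# fingerprints published in the APVI disclosure (not present on this page).
COMPROMISED_CERT_SHA256: Dict[str, str] = {
    "aa" * 32: "leaked platform key (OEM A, placeholder)",
    "bb" * 32: "leaked platform key (OEM B, placeholder)",
}

# apksigner prints one "Signer #N certificate <field>: <value>" line per field.
_CERT_LINE = re.compile(r"Signer #(\d+) certificate (DN|SHA-256 digest): (.+)")


def parse_print_certs(text: str) -> List[Dict[str, str]]:
    """Return one record per signer with its DN and lower-cased SHA-256 digest."""
    signers: Dict[str, Dict[str, str]] = {}
    for idx, field, value in _CERT_LINE.findall(text):
        signers.setdefault(idx, {})[field] = value.strip()
    return [
        {"signer": idx, "dn": f.get("DN", ""),
         "sha256": f.get("SHA-256 digest", "").lower()}
        for idx, f in sorted(signers.items(), key=lambda kv: int(kv[0]))
    ]


def triage(text: str, compromised: Dict[str, str] = COMPROMISED_CERT_SHA256
           ) -> List[Tuple[str, str, str]]:
    """List (signer, DN, reason) for every signer using a compromised cert.
    An empty list means no known-leaked platform certificate was found."""
    return [(s["signer"], s["dn"], compromised[s["sha256"]])
            for s in parse_print_certs(text) if s["sha256"] in compromised]


# Constructed sample of apksigner output with two signers; signer #1 uses a
# placeholder "leaked" digest, signer #2 a clean one.
SAMPLE_OUTPUT = (
    "Verifies\nVerified using v2 scheme (APK Signature Scheme v2): true\n"
    "Signer #1 certificate DN: CN=Android, OU=Android, O=Example OEM, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'aa' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'11' * 20}\n"
    "Signer #2 certificate DN: CN=App Vendor, O=Example Vendor, C=US\n"
    f"Signer #2 certificate SHA-256 digest: {'cc' * 32}\n"
)

if __name__ == "__main__":
    for signer, dn, reason in triage(SAMPLE_OUTPUT):
        print(f"signer #{signer} ({dn}): {reason}")
```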

Google’s public disclosure, however, does not explicitly list the devices or OEMs affected by the critical vulnerability, although it does include a list of example malicious files. The list of affected vendors has since reportedly been confirmed to include Samsung, LG, MediaTek, Xiaomi and Revoview.

The search giant has also suggested ways for affected companies to mitigate the issue. The first step is to rotate the Android platform signing keys that have been reported as leaked, replacing them with new signing keys. Google also urged all Android makers to sharply reduce how often the platform key is used to sign other apps.

According to Google, the issue was first reported in May. Since then, Samsung and the other affected companies have taken remedial action to mitigate the vulnerabilities. However, according to Android Police, some of the vulnerable keys listed in the disclosure have recently been used to sign Samsung and LG phone apps uploaded to APK Mirror.

“OEM partners quickly implemented mitigations as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners,” Google said in a statement to BleepingComputer.

Android users are advised to update their firmware versions to the latest available updates to stay protected from potential security vulnerabilities such as the one disclosed by Google, and to be vigilant when downloading applications from third-party sources.
