After a major security leak, devices from some of the world’s largest Android smartphone manufacturers are vulnerable to malicious apps that the operating system treats as trusted.
The disclosure comes from Łukasz Siewierski of Google’s Android Partner Vulnerability Initiative (APVI), who publicly disclosed the vulnerabilities in November 2022.
As noted by 9to5Google, Siewierski’s disclosure does not directly reveal which major Android manufacturers leaked their platform signing keys, but virus scans of some of the affected files confirmed that Samsung, LG, Xiaomi, MediaTek, szroco and Revoview devices are affected, though the list is incomplete and still growing.
Abuse of trusted applications
To quote Mishaal Rahman, technical editor of the Esper cloud platform, “it’s wrong. Very, very bad.”
The vulnerability allows cybercriminals to create malicious apps with system-level permissions and even to integrate malicious code into pre-existing, secure and trusted Android apps. This is possible because the leaked keys are platform signing keys.
The platform signing key is what the device uses to verify that the operating system build is legitimate. It is also used to sign platform-signed apps, which the device manufacturer has verified as safe and malware-free.
If a cybercriminal obtains these keys, they can use Android’s “Shared User ID” system to create a malicious app with full access to the system.
What’s worse, it is not just newly created apps that can be used in this way. Updates to already installed apps must be signed with the same key as the original, which means cybercriminals holding the key can push malware into a trusted app in no time.
From there, a simple app update that Android would not consider problematic would be enough to infect the device.
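To make the trust rules in the preceding paragraphs concrete, here is a small model of the installer checks they describe: the same-signer rule for updates, the platform-key requirement for joining the system UID, and the block-list mitigation an OEM or scanner can apply once a key is known to be compromised. This is an added illustration and not code from AOSP’s PackageManagerService; the certificate bytes, package names and fingerprints are constructed placeholders, not the leaked keys.

```python
"""Toy model of Android's install/update signing rules and of a
compromised-key block list. Added illustration; not AOSP code.
All certificates, package names and fingerprints below are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict, Set

SYSTEM_UID = "android.uid.system"  # value of android:sharedUserId for the system UID


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signer certificate, the form apksigner and Play report."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER-encoded signer certificates.
PLATFORM_CERT = b"constructed-platform-signing-cert"
THIRD_PARTY_CERT = b"constructed-third-party-developer-cert"
PLATFORM_FP = fingerprint(PLATFORM_CERT)


@dataclass
class Apk:
    package: str
    signer_cert: bytes
    shared_user_id: Optional[str] = None  # android:sharedUserId from the manifest


@dataclass
class Device:
    platform_fp: str
    installed: Dict[str, str] = field(default_factory=dict)  # package -> signer fingerprint
    compromised: Set[str] = field(default_factory=set)       # fingerprints blocked by OEM/Play

    def check_install(self, apk: Apk) -> Tuple[bool, str]:
        fp = fingerprint(apk.signer_cert)
        # Mitigation: refuse anything signed with a key known to be leaked.
        if fp in self.compromised:
            return False, "signer is on the compromised-key block list"
        # Update rule: an update must carry the same signer as the installed
        # version (the real installer fails with INSTALL_FAILED_UPDATE_INCOMPATIBLE).
        if apk.package in self.installed and self.installed[apk.package] != fp:
            return False, "update signer differs from installed signer"
        # Only packages signed with the platform key may share the system UID.
        if apk.shared_user_id == SYSTEM_UID and fp != self.platform_fp:
            return False, "sharedUserId=android.uid.system requires the platform key"
        self.installed[apk.package] = fp
        return True, "installed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walks through the scenarios the article describes; returns each outcome."""
    dev = Device(platform_fp=PLATFORM_FP)
    results = {}
    # 1. An ordinary third-party app installs without the system UID.
    results["third_party"] = dev.check_install(Apk("com.example.weather", THIRD_PARTY_CERT))
    # 2. Anything signed with the platform key may request the system UID; the
    #    installer cannot distinguish the OEM's build from a leaked-key build.
    results["leaked_key_system_app"] = dev.check_install(
        Apk("com.example.notsystem", PLATFORM_CERT, SYSTEM_UID))
    # 3. An update to the weather app signed by a different key is refused.
    results["update_wrong_key"] = dev.check_install(Apk("com.example.weather", PLATFORM_CERT))
    # 4. An update to a platform-signed app, signed with the same (leaked) key, passes.
    dev.installed["com.oem.trusted"] = PLATFORM_FP
    results["update_trusted_with_leaked_key"] = dev.check_install(
        Apk("com.oem.trusted", PLATFORM_CERT))
    # 5. Once the fingerprint is on the block list, both paths are closed.
    dev.compromised.add(PLATFORM_FP)
    results["blocked_system_app"] = dev.check_install(
        Apk("com.example.another", PLATFORM_CERT, SYSTEM_UID))
    results["blocked_update"] = dev.check_install(Apk("com.oem.trusted", PLATFORM_CERT))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:34} {'ACCEPT' if ok else 'REJECT'}  ({reason})")
```

The model shows why the same-signer update rule offers no protection once the key itself leaks: it only ever compares fingerprints, so a block list (or, in practice, rotating the OEM’s platform key and re-signing its apps) is the control that actually closes both the new-install and the update path.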
The issue was first noticed by Google in May 2022, and the company says all affected manufacturers have taken “mitigation measures to verify user impact,” though no further details have been provided.
It is still unclear whether these measures worked, because 9to5Google also reported that some of the leaked keys had been used to sign Samsung’s Android apps in the few days before the time of writing.
Still, Google says Android phones are protected in a number of ways, including Google Play Protect and OEM mitigations. Apps found on the Play Store are reportedly also safe.
“OEM partners promptly implemented countermeasures as soon as we reported a key compromise. End users will be protected by countermeasures implemented by OEM partners,” a company spokesman said.
“Google has implemented extensive malware detection in its Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or has been in the Google Play Store. As always, we advise users to make sure they are running the latest version of Android.”