A major security leak has led to the creation of “trusted” malware apps that can gain access to the entire Android operating system on devices from Samsung, LG, and others.
As shared by Googler Łukasz Siewierski (via Mishaal Rahman), Google’s Android Partner Vulnerability Initiative (APVI) has publicly disclosed a new vulnerability that affected devices from Samsung, LG, and others.
The core of the issue is that multiple Android OEMs have had their platform signing keys leaked outside of their respective companies. This key is used to ensure that the version of Android that’s running on your device is legitimate, created by the manufacturer. That same key can also be used to sign individual apps.
By design, Android trusts any app signed with the same key used to sign the operating system itself. A malicious attacker with those app signing keys would be able to use Android’s “shared user ID” system to give malware full, system-level permissions on an affected device. In essence, all data on an affected device could be available to an attacker.
Notably, this Android vulnerability doesn’t solely happen when installing a new or unknown app. Since these leaked platform keys are also in some cases used to sign common apps — including the Bixby app on at least some Samsung phones — an attacker could add malware to a trusted app, sign the malicious version with the same key, and Android would trust it as an “update.” This method would work regardless of if an app originally came from the Play Store, Galaxy Store, or was sideloaded.
Google’s public disclosure doesn’t lay out which devices or OEMs were affected, but it does display the hash of example malware files. Helpfully, each of the files has been uploaded to VirusTotal, which also often reveals the name of the affected company. With that, we know the following companies’ keys were leaked (though some keys have not yet been identified):
- szroco (makers of Walmart’s Onn tablets)
According to Google’s brief explainer of the issue, the first step is for each affected company to swap out (or “rotate”) its Android platform signing keys to no longer use the ones that have been leaked. It’s good practice to do this regularly anyway, to minimize the damage of potential future leaks. Also Android Best Wallpaper Apps Without Malware 100% Safe Wallpaper
Beyond that, Google has also urged all Android manufacturers to drastically minimize how often the platform key is used to sign other apps. Only an application that needs that highest level of permissions should be signed that way to avoid potential security issues.
Google says that, since the issue was reported in May 2022, Samsung and all of the other affected companies have already “taken remediation measures to minimize the user impact” of these major security leaks. It’s not clear what exactly this means, as some of the vulnerable keys were used in Android apps from Samsung in the last few days, according to APKMirror.
Notably, while Google’s disclosure says the exploit was reported in May 2022, some of the malware examples were first scanned by VirusTotal as early as 2016. It’s not yet clear if this means the leak and associated exploits have been actively used against some devices in that time.
In a statement, Google clarified that people’s devices are protected against this particular vulnerability in a handful of ways, including through Google Play Protect, “mitigations” from device makers, and more. Beyond that, this exploit did not make its way into apps distributed through the Google Play Store.
OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.
— Google spokesperson
While the details of this latest Android security leak are being confirmed, there are some simple steps you can take to make sure your device stays secure. For one, be sure that you’re on the newest firmware available for your device. If your device is no longer receiving consistent Android security updates, we recommend upgrading to a newer device as soon as possible.
Beyond that, avoid sideloading applications to your phone, even when updating an app that’s already on your phone. Should the need to sideload an app arise, be sure you completely trust the file you’re installing.