Google publicly disclosed a major security leak impacting devices from Samsung, LG, Xiaomi and more. The leak enabled the creation of ‘trusted’ malware apps that can gain access to the entire Android operating system.
Shared by Googler Łukasz Siewierski (via 9to5Google), Google’s Android Partner Vulnerability Initiative (APVI) published the details. The main issue is that multiple Android manufacturers had their platform signing keys leaked. Those keys are what certify that the version of Android running on your device is legitimate and was built by the manufacturer. However, the same keys can also be used to sign individual apps, and Android trusts apps signed with the platform key by design.
A malicious actor holding those signing keys could abuse that trust to give malware full, system-level permissions on an affected device, because the device would see the official signing key and, by default, trust the app. Since some manufacturers use these keys to sign relatively common apps — for example, 9to5 points to Samsung’s Bixby, which is signed with the company’s key on at least some phones — attackers could add malware to a trusted app, sign it with the same key, and Android would trust it. Worse, this malicious version of the app could arrive from various sources: the Play Store, Samsung’s Galaxy Store, or sideloading.
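The practical defender question raised by the paragraph above is "which installed or downloaded APKs are signed with one of the leaked certificates?". The script below is an added example, not code from Google, APVI or 9to5Google: it reads the PKCS#7 signature block (META-INF/*.RSA) of a v1/JAR-signed APK with a minimal DER walker, computes the SHA-256 fingerprint of each signer certificate (the same value `apksigner` and VirusTotal report), and compares it against a list of leaked platform-key fingerprints. The fingerprint list here is a placeholder; the real values are in Google's disclosure, not on this page. The sample APK, the stand-in certificate and the `LEAKED_PLATFORM_CERT_SHA256` set are all constructed for the demo, and APK Signature Scheme v2/v3 blocks (stored in the APK Signing Block rather than META-INF) are not parsed, so production checks should rely on `apksigner verify --print-certs`.

```python
import hashlib
import io
import zipfile

# Placeholder set: real leaked-key fingerprints come from Google's APVI disclosure.
LEAKED_PLATFORM_CERT_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder
}


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, body, raw_tlv, next_pos)."""
    start = pos
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def der_children(body: bytes):
    """Yield (tag, body, raw_tlv) for each element packed inside a constructed TLV."""
    pos = 0
    while pos < len(body):
        tag, child_body, raw, pos = der_read(body, pos)
        yield tag, child_body, raw


def certs_from_pkcs7(blob: bytes) -> list:
    """Return the raw DER certificates carried in a PKCS#7 SignedData (JAR signature block)."""
    tag, content_info, _, _ = der_read(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    children = list(der_children(content_info))
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    if len(children) < 2 or children[0][0] != 0x06 or children[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    sd_tag, signed_data, _, _ = der_read(children[1][1], 0)
    if sd_tag != 0x30:
        raise ValueError("malformed SignedData")
    certs = []
    for tag, body, _ in der_children(signed_data):
        if tag == 0xA0:                     # certificates [0] IMPLICIT SET OF Certificate
            certs.extend(raw for t, _, raw in der_children(body) if t == 0x30)
    return certs


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_fingerprints(apk_bytes: bytes) -> list:
    """Fingerprints of every signer certificate found in the APK's v1 signature blocks."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.extend(fingerprint(c) for c in certs_from_pkcs7(zf.read(name)))
    return fps


def leaked_signers(apk_bytes: bytes, leaked=LEAKED_PLATFORM_CERT_SHA256) -> list:
    """Fingerprints of the APK's signers that appear in the leaked-key set."""
    return [fp for fp in signer_fingerprints(apk_bytes) if fp in leaked]


# ---- constructed sample: a stand-in "certificate" wrapped in a minimal SignedData ----
SAMPLE_CERT_DER = der(0x30, der(0x13, b"CONSTRUCTED PLACEHOLDER CERT"))
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
SAMPLE_PKCS7 = der(0x30,
    der(0x06, OID_SIGNED_DATA)
    + der(0xA0, der(0x30,
        der(0x02, b"\x01")                     # version
        + der(0x31, b"")                       # digestAlgorithms (empty in this sample)
        + der(0x30, der(0x06, OID_DATA))       # encapContentInfo
        + der(0xA0, SAMPLE_CERT_DER)           # certificates
        + der(0x31, b"")                       # signerInfos (empty in this sample)
    ))
)


def build_sample_apk() -> bytes:
    """Constructed, unsigned-in-practice APK shell carrying the sample signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    demo_leaked = {fingerprint(SAMPLE_CERT_DER)}   # treat the sample signer as leaked for the demo
    print("signers:", signer_fingerprints(apk))
    print("signed with a leaked platform key:", bool(leaked_signers(apk, demo_leaked)))
```

In practice you would populate `LEAKED_PLATFORM_CERT_SHA256` from the disclosure and run `leaked_signers` over APKs pulled with `adb pull` from a device or downloaded from a store mirror; a match means the app carries the full platform trust the paragraph above describes, regardless of where it was installed from.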
Google didn’t say which devices or manufacturers were affected in its disclosure. However, the company did include hashes of example malware files, which were uploaded to VirusTotal. 9to5 notes that VirusTotal reveals the names of some of the affected companies, which include Samsung, LG, MediaTek, Szroco (which makes ‘Onn’ tablets for Walmart), and Revoview. There are more keys as well, but they have not been identified.
In the disclosure, Google recommends that manufacturers rotate their platform signing keys away from the leaked ones. It also urged all manufacturers to minimize how often they use those keys in order to limit the damage a future leak could do. Moreover, Google said that Samsung and other affected companies took “remediation measures to minimize the user impact” of the security leaks after the issue was first reported in May 2022.
However, 9to5Google notes that Samsung used its vulnerable platform signing key in several Android app updates within just the last few days, based on details from APKMirror. It also remains unclear which Android devices, if any, are still vulnerable.
Moreover, while Google notes the issue was first reported in May 2022, VirusTotal first scanned some of the malware examples as early as 2016. It remains unclear whether the leaked keys and the associated malware were actively used against anyone in that time.
Google said in a statement to 9to5 that there are several systems in place to protect people from these kinds of security vulnerabilities, such as Play Protect. The company also said that “there is no indication that this malware is or was on the Google Play Store.”
To protect themselves, Android users should make sure their devices are up-to-date and avoid sideloading apps.
Source: Google, Łukasz Siewierski. Via: 9to5Google