Samsung and LG phones vulnerable due to leaked certificates
Google’s Android Partner Vulnerability Initiative (APVI) has disclosed a serious vulnerability affecting Android smartphones from brands including Samsung and LG. Because the platform signing keys used by several Android OEMs have leaked, fake apps or malware can be signed with them and masquerade as “trusted” system apps. The issue was reported in May this year, after which several companies, including Samsung, took steps to contain it.
The vulnerability was surfaced by Google employee Łukasz Siewierski (and amplified by Mishaal Rahman of Esper). Siewierski described in his tweets how the leaked platform certificates had been used to sign malware apps on Android.
Folks, this is bad. Very, very bad. Hackers and/or malicious insiders have leaked platform certificates from various vendors. These are used to sign system apps on Android builds, including the “Android” app itself. These certificates are used to sign malicious Android apps! https://t.co/lhqZxuxVR9
—Mishaal Rahman (@MishaalRahman) December 1, 2022
The core of the problem lies in how Android’s platform-key trust mechanism can be abused. By design, Android trusts any application signed with a legitimate platform signing key, the same key used to sign core system applications; through Android’s shared user ID mechanism, such an app can run under the same privileged user ID as the system itself.
However, Android original equipment manufacturers (OEMs) have leaked their platform signing keys, allowing malware authors to gain system permissions on a targeted device. This would make all user data on the specific device available to the attacker, as well as any other manufacturer system app signed with the same certificate.
Another alarming aspect of the vulnerability is that it does not necessarily require a user to install a new or “unknown” application. The leaked platform keys can also be used to sign widely used trusted apps, such as the Bixby app on a Samsung device. A user who downloads such an application from a third-party website will not see a warning upon installation on their smartphone, because the certificate matches the certificate on their system.
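To make the trust mechanism above concrete from a defender’s side, here is an added example (not from the article, Google’s APVI, or any OEM) that triages an APK against a watchlist of leaked platform certificates. It assumes two inputs that the Android SDK tools already produce: the text printed by `apksigner verify --print-certs <apk>` and the decoded manifest printed by `apkanalyzer manifest print <apk>`. The fingerprints in `LEAKED_PLATFORM_CERTS`, the sample `apksigner` output and the sample manifest are all constructed placeholders; the real fingerprints come from the APVI disclosure, which this page does not reproduce.

```python
"""Triage an APK for signing with a leaked Android platform certificate.

Added example; assumes apksigner / apkanalyzer text output as input.
The certificate fingerprints below are PLACEHOLDERS, not real leaked keys.
"""
import re
import xml.etree.ElementTree as ET

# Placeholder watchlist: replace with the SHA-256 digests published in the
# APVI disclosure. Lower-case hex without separators, as apksigner prints them.
LEAKED_PLATFORM_CERTS = {
    "0" * 64: "PLACEHOLDER vendor A platform certificate",
    "1" * 64: "PLACEHOLDER vendor B platform certificate",
}

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Matches the per-signer digest line that `apksigner verify --print-certs` emits.
_FP_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)


def signer_fingerprints(apksigner_output: str) -> list[str]:
    """Return the SHA-256 certificate digests of every signer, in signer order."""
    return [m.group(2).lower() for m in _FP_RE.finditer(apksigner_output)]


def requests_system_uid(manifest_xml: str) -> bool:
    """True if the manifest asks to share the platform UID (android.uid.system).

    Android only honours this request when the APK is signed with the platform
    key, which is exactly why a leaked platform key is so damaging.
    """
    root = ET.fromstring(manifest_xml)
    return root.get(f"{{{ANDROID_NS}}}sharedUserId") == "android.uid.system"


def assess(apksigner_output: str, manifest_xml: str) -> dict:
    """Combine both signals into a verdict a triage queue can act on."""
    fps = signer_fingerprints(apksigner_output)
    leaked = [fp for fp in fps if fp in LEAKED_PLATFORM_CERTS]
    wants_system = requests_system_uid(manifest_xml)
    if leaked:
        # Any APK signed with a leaked platform key inherits signature-level
        # trust, whether or not it also asks for the system UID.
        verdict = "critical"
    elif wants_system:
        # Legitimate OEM system apps do this; an unknown APK doing it is
        # worth a look even though the request will fail without the key.
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "signers": fps,
        "leaked": [LEAKED_PLATFORM_CERTS[fp] for fp in leaked],
        "wants_system_uid": wants_system,
        "verdict": verdict,
    }


# Constructed sample inputs (not real tool output from any real APK).
SAMPLE_APKSIGNER = """\
Signer #1 certificate DN: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000000
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
Signer #1 certificate MD5 digest: 00000000000000000000000000000000
"""

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdater"
    android:sharedUserId="android.uid.system">
    <application android:label="Updater"/>
</manifest>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_APKSIGNER, SAMPLE_MANIFEST))
```

The two checks are deliberately separate: the fingerprint match is the hard indicator (a certificate either is or is not on the leaked list), while the `sharedUserId` request is only context, since the OS rejects it for any APK not signed with the platform key.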
However, Google has not explicitly named the devices or OEMs affected by the vulnerability in its disclosure, although the disclosure does include a list of sample malware files. The list of affected vendors has since reportedly been confirmed and includes Samsung, LG, MediaTek, Xiaomi and Revoview.
The search giant has also suggested ways for affected companies to mitigate the issue. The first step is to rotate any Android platform signing keys reported as leaked and replace them with new signing keys. Google has also called on all Android manufacturers to drastically reduce how often the platform key is used to sign apps other than the core system.
According to Google, the issue was first reported in May. Since then, Samsung and the other affected companies have taken corrective action to mitigate the problem. However, according to Android Police, some of the compromised keys named in the disclosure have recently been used to sign apps for Samsung and LG phones uploaded to APK Mirror.
“OEM partners immediately implemented mitigations as soon as we became aware of the key compromise. End users are protected by user mitigations implemented by OEM partners,” Google said in a statement to BleepingComputer.
Android users are advised to update their firmware to the latest available version to stay protected from security vulnerabilities such as the one disclosed by Google. They should also be vigilant when downloading apps from third-party sources.