Android: a major flaw on Samsung smartphones has been corrected, the update is in progress


In a major security leak, the application signing certificates of several Android OEMs were recently exposed. The leak has left millions of Android devices worldwide vulnerable to malware.

A large-scale security leak has prompted security researchers to sound the alarm over malicious apps that can gain access to the entire Android operating system. The leak was reported by Łukasz Siewierski, a Google employee and malware engineer.

Google's Android security team discovered that several Android OEMs, including Samsung, LG and MediaTek, had their cryptographic application signing keys disclosed, letting attackers easily deploy malicious apps on smartphones.

What are signing certificates for applications?

A crucial aspect of Android smartphone security is the app signing process. This is essentially a way to ensure that app updates come from the original developer, as the key used to sign apps should always be kept private.

Applications signed with an OEM's platform certificate run under a highly privileged user ID, android.uid.system. That user holds system permissions, including permission to access user data. Any other app signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.

The problem is that a number of these platform certificates from Samsung, MediaTek, LG and Revoview appear to have been leaked and, even worse, are being used to sign malware.

Simply put, an attacker with the private key can add malware to a trusted application. Because the malicious version of the app is signed with the same key that Android trusts, the update will be installed regardless of where it actually came from.
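The trust model described above, as an added example that is not part of the article: a small Python model of the package-manager rules (an update is accepted only when signed by the same certificate set as the installed app, and android.uid.system is granted only when the signer matches the device's current platform certificate), with a deny-list check on signer fingerprints parsed from `apksigner verify --print-certs` output layered on top. All digests are constructed placeholders, not the real leaked OEM certificates, and the simplified rules are an assumption about Android's behaviour rather than its actual code.

```python
"""Model of why a leaked platform key passes Android's update check, and why
a deny-list of leaked certificate fingerprints is still needed (added example).

Assumptions (constructed for this example, not from the article):
  - Signer fingerprints are read from `apksigner verify --print-certs` text,
    specifically the "Signer #N certificate SHA-256 digest:" lines.
  - All digests below are placeholders, NOT the real leaked OEM certificates.
  - The install rules are a simplified model of the Android package manager.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder fingerprints (constructed): a leaked OEM platform cert, the cert
# an OEM rotates to, and an unrelated third-party developer cert.
LEAKED_OEM_PLATFORM_CERT = "aa" * 32
ROTATED_OEM_PLATFORM_CERT = "bb" * 32
THIRD_PARTY_DEV_CERT = "cc" * 32

# Deny-list a defender would maintain from published incident data.
LEAKED_PLATFORM_CERTS: Dict[str, str] = {
    LEAKED_OEM_PLATFORM_CERT: "placeholder: leaked OEM platform certificate",
}

# Matches the digest line printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.MULTILINE
)

# Constructed sample of apksigner output for a package signed with the leaked cert.
SAMPLE_APKSIGNER_OUTPUT = f"""\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Example OEM Platform, O=Example OEM (placeholder)
Signer #1 certificate SHA-256 digest: {LEAKED_OEM_PLATFORM_CERT}
"""


def signer_digests(apksigner_output: str) -> List[str]:
    """Return the lower-case SHA-256 signer digests found in apksigner output."""
    return [m.group(1).lower() for m in DIGEST_RE.finditer(apksigner_output)]


@dataclass
class Verdict:
    update_accepted: bool       # would the package manager install this update?
    system_uid_granted: bool    # would it run as android.uid.system?
    alert: Optional[str]        # deny-list hit, which the platform itself does not raise


def assess(installed: List[str], update: List[str],
           requests_system_uid: bool, platform_cert: str) -> Verdict:
    """Apply the modelled install rules, then overlay the deny-list check."""
    # Rule 1: an update must be signed by the same certificate set as the
    # installed app. A forged update made with the leaked key passes this.
    if set(installed) != set(update):
        return Verdict(False, False, None)
    # Rule 2: sharedUserId="android.uid.system" is honoured only if the signer
    # is the device's current platform certificate. Rotating the certificate
    # is what breaks this for packages signed with the leaked key.
    uid = requests_system_uid and platform_cert in set(update)
    # Defender overlay: flag signers on the deny-list even though the
    # signature itself verifies correctly.
    leaked = [d for d in update if d in LEAKED_PLATFORM_CERTS]
    alert = None
    if leaked:
        alert = f"signed with known-leaked platform certificate {leaked[0][:16]}..."
    return Verdict(True, uid, alert)


def demo() -> Dict[str, Verdict]:
    """Three scenarios: leaked key before rotation, after rotation, and a mismatch."""
    update = signer_digests(SAMPLE_APKSIGNER_OUTPUT)
    return {
        "leaked_key_before_rotation": assess(
            [LEAKED_OEM_PLATFORM_CERT], update, True, LEAKED_OEM_PLATFORM_CERT),
        "leaked_key_after_rotation": assess(
            [LEAKED_OEM_PLATFORM_CERT], update, True, ROTATED_OEM_PLATFORM_CERT),
        "wrong_signer": assess(
            [LEAKED_OEM_PLATFORM_CERT], [THIRD_PARTY_DEV_CERT], True, LEAKED_OEM_PLATFORM_CERT),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the three scenarios make is that the signature check alone is not a useful detection: the forged update is accepted in both of the first two cases, and only the deny-list overlay (or, on the platform side, certificate rotation removing the system UID grant) changes the outcome.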


Hackers were able to deploy malware to Android smartphones

To make matters worse, the affected OEMs failed to retire the compromised keys and replace them with new ones. On the contrary, they continued to use them: Samsung, for its part, even recently released app updates signed with the same key, even though the problem was first spotted by Google in May 2022.

This means that hackers could potentially inject malware into official Samsung apps. The malware could have appeared as an update, passed every security check at installation, and gained almost full access to your user data in other apps.

Google has stated that Android phones are protected in several ways, including through Google Play Protect, OEM mitigations and more. Apps residing in the Play Store are also safe, apparently. "The OEM partners quickly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by mitigations put in place by OEM partners," said a company spokesperson.

The tech giant urged affected companies to "rotate the platform certificate by replacing it with a new set of public and private keys". "Also, they should conduct an internal investigation to find the root cause of the problem and take action to prevent the incident from happening again in the future," added the company. LG, MediaTek and Samsung are therefore expected to update their certificates quickly to protect their users from malicious hackers.
