Android: Samsung’s software signing key compromised and used to deploy malware


Bad news for Samsung mobile users. A data leak exposed the manufacturer’s software signing key, which helps ensure the legitimacy of an app update and prevent viruses, malware and other security breaches.

As Ars Technica reveals, Samsung is not the only manufacturer in trouble: LG and MediaTek are also affected, and this poses big security risks.

What is code signing used for?

A manufacturer’s cryptographic key is used to authenticate the source of an app or update. During a normal update, an Android phone compares the signing key of the application already installed with the one embedded in its update. If the two match, the update comes from a trusted source and can therefore be installed. If a third party got their hands on that key, they could sign a corrupted version and pass it off as legitimate. This is what is happening with Samsung, LG and MediaTek.

To make matters worse, these signing keys make it possible to obtain many privileged permissions on Android. Indeed, these are the keys manufacturers use to sign the native apps preinstalled on their smartphones: Samsung Pay, Samsung Phone, Bixby and Smart Switch all use this software signing key. These apps have access to far more data than a standard third-party application from the Play Store.
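The update check described above, plus the audit that the advice to limit preinstalled apps using these keys implies, as an added example that is not code from the article or from Samsung, LG, MediaTek or Google; the certificates are constructed placeholders, and cryptographic verification of the APK signature itself is assumed to have already been done by the platform:

```python
from __future__ import annotations
import hashlib

# Simplified model of the Android update gate: the signing certificate(s) of
# the installed APK are compared with those of the update. A leaked vendor key
# passes that check unchanged, so a defender adds a deny-list of known-leaked
# signer fingerprints. All certificate bytes below are constructed placeholders,
# not real vendor material.

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed sample certificates (placeholders).
VENDOR_CERT = b"-- constructed placeholder: vendor platform signing cert --"
OTHER_CERT = b"-- constructed placeholder: unrelated third-party cert --"

def update_allowed(installed: set[str], update: set[str], leaked: set[str]) -> tuple[bool, str]:
    """Decide whether an update may replace the installed package.

    Step 1 mirrors the platform rule from the article: signer sets must match.
    Step 2 is the extra defender check: refuse anything signed with a
    known-compromised key, even when it matches the installed signer.
    """
    if installed != update:
        return False, "signer mismatch"
    if update & leaked:
        return False, "signed with known-leaked key"
    return True, "ok"

def apps_using_leaked_keys(inventory: dict[str, set[str]], leaked: set[str]) -> list[str]:
    """Audit helper: package names whose signer is on the leaked-key list."""
    return sorted(pkg for pkg, signers in inventory.items() if signers & leaked)

if __name__ == "__main__":
    vendor = cert_fingerprint(VENDOR_CERT)
    # Malware signed with the leaked key matches the installed signer exactly...
    print(update_allowed({vendor}, {vendor}, set()))     # (True, 'ok')
    # ...so only the deny-list stops it once the key is known to be leaked.
    print(update_allowed({vendor}, {vendor}, {vendor}))  # (False, 'signed with known-leaked key')
    # Inventory of preinstalled apps (constructed package names) to review.
    inventory = {"com.example.pay": {vendor}, "com.example.browser": {cert_fingerprint(OTHER_CERT)}}
    print(apps_using_leaked_keys(inventory, {vendor}))   # ['com.example.pay']
```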

This means that Samsung, LG and MediaTek app updates today may contain code aimed at stealing user data. Moreover, for Samsung the problem is not so recent, since the company admitted having been aware of it since 2016. Nevertheless, the manufacturer deployed new updates a few days ago using the same key.

The South Korean manufacturer assures that “there have been no known security incidents regarding this potential vulnerability” since its discovery in 2016. The Google security researcher who discovered the flaw states that these signing keys “are used to sign malware” and advises manufacturers to change them, but also to limit the number of preinstalled applications that use them.

On the user side, be wary of system app updates from unusual sources. If a dubious site tells you that a Samsung Pay update needs to be installed, do not approve the installation.
