Samsung’s Android app signing key leaked, used to sign malware

Written by admin

The developer’s cryptographic signing key is one of the mainstays of Android security. Whenever Android updates an app, the signing key of the old app on your phone must match the key of the update you are installing. The matching keys ensure that the update actually comes from the company that developed your app in the first place and isn’t some malicious hijacking scheme. If a developer’s signing key were leaked, anyone could distribute malicious updates, and Android would happily install them, thinking they were legitimate.

The app update process on Android isn’t just for apps downloaded from an app store; you can also update system apps bundled by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled Android system apps have access to stronger and more invasive permissions and aren’t subject to the usual Play Store restrictions (which is why Facebook always pays to be a bundled app). It would be bad if a third-party developer lost its signing key. It would be really bad if an Android OEM lost its system app signing key.

Guess what happened! Lukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the stolen keys: Samsung, LG, and MediaTek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

The signing keys of these companies were somehow leaked to outsiders, and now programs claiming to be from these companies cannot be trusted to actually be from them. To make matters worse, the “platform certificate keys” they lost have some serious permissions. To quote the APVI post:

A platform certificate is an application signing certificate used to sign an “android” application in the system image. The “Android” application runs with a highly privileged user ID – android.uid.system – and has system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to work with the same user ID, giving it the same level of access to the Android operating system.

Esper Senior Technical Editor Mishaal Rahman, as always, published excellent information about it on Twitter. As he explained, an app having the same UID as the Android system isn’t root access, but it’s close, and it allows the app to escape the limited sandboxing that applies to system apps. These apps can communicate directly with (or, in the case of malware, spy on) other apps on your phone. Imagine a worse version of Google Play Services and you get the idea.
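
A list of leaked platform certificates is useful to defenders as a denylist. The following is an added example, not code from the article or from Google's post: it reads the certificates an APK declares in its APK Signing Block (signature scheme v2/v3) and reports any whose SHA-256 digest is on such a list. The function names, the sample certificate bytes and the denylist contents are assumptions constructed for illustration.

```python
import hashlib
import struct

MAGIC = b"APK Sig Block 42"
SCHEME_IDS = (0x7109871A, 0xF05368C0)  # APK Signature Scheme v2 and v3

def _chunks(buf):  # yield each uint32-length-prefixed element, bounds-checked
    pos = 0
    while pos < len(buf):
        (n,) = struct.unpack_from("<I", buf, pos)
        if pos + 4 + n > len(buf):
            raise ValueError("length prefix overruns buffer")
        yield buf[pos + 4:pos + 4 + n]
        pos += 4 + n

def signer_cert_digests(apk):  # SHA-256 of each certificate the v2/v3 block declares
    eocd = apk.rindex(b"PK\x05\x06")  # ZIP end-of-central-directory; ValueError if absent
    (cd_off,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_off < 32 or apk[cd_off - 16:cd_off] != MAGIC:
        return []  # no APK Signing Block: v1 (JAR) signature only
    (size,) = struct.unpack_from("<Q", apk, cd_off - 24)
    if size < 24 or size + 8 > cd_off:
        raise ValueError("bad signing block size")
    pairs, out, pos = apk[cd_off - size:cd_off - 24], [], 0
    while pos < len(pairs):
        n, pair_id = struct.unpack_from("<QI", pairs, pos)
        if n < 4 or pos + 8 + n > len(pairs):
            raise ValueError("bad ID-value pair")
        value, pos = pairs[pos + 12:pos + 8 + n], pos + 8 + n
        if pair_id in SCHEME_IDS:
            (signers,) = _chunks(value)
            for signer in _chunks(signers):
                fields = _chunks(next(_chunks(signer)))  # signed data comes first
                next(fields)  # skip content digests; certificates follow
                out += [hashlib.sha256(c).hexdigest() for c in _chunks(next(fields))]
    return out

def leaked_signers(apk, denylist):  # declared signers that are on the leaked list
    return [d for d in signer_cert_digests(apk) if d in denylist]

def make_sample_apk(cert):  # constructed input: empty ZIP behind a v2 block
    lp = lambda b: struct.pack("<I", len(b)) + b
    signer = lp(lp(b"") + lp(lp(cert)) + lp(b"")) + lp(b"") + lp(b"")
    value = lp(lp(signer))
    pair = struct.pack("<QI", 4 + len(value), SCHEME_IDS[0]) + value
    size = struct.pack("<Q", len(pair) + 24)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 0, 0, 0, len(pair) + 32, 0)
    return size + pair + size + MAGIC + eocd
```

This reads what the APK declares and does not validate the signature itself; `apksigner verify --print-certs` gives the verified signer certificates for the same comparison.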
