Samsung’s Android app signing key has been leaked and is being used to sign malware

A developer’s cryptographic signing key is one of the main pillars of Android security. Every time Android updates an app, the signing key of the old app on your phone must match the key of the update you’re installing. Matching keys ensure that the update actually came from the company that originally created your app and is not a malicious hijacking scheme. If a developer’s signing key were to leak, anyone could distribute malicious app updates and Android would happily install them, thinking they’re legitimate.

On Android, the app update process is not just for apps downloaded from an app store, you can also update system built-in apps created by Google, your device manufacturer, and any other built-in apps. While downloaded apps have a strict set of permissions and controls, built-in Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store limitations (which is why Facebook always pays to be an integrated application). ). If a third-party developer ever lost your signing key, that would be bad. Yes one Android OEM ever lost the system app signing key, that would be very, very bad.

Guess what happened! Ɓukasz Siewierski, a member of Google’s Android security team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

These companies somehow leaked your signing keys to outsiders, and now you can’t trust that apps claiming to be from these companies are really from them. To make matters worse, the “platform certificate keys” they lost have some serious permissions. To quote the AVPI publication:

A platform certificate is the application signing certificate used to sign the “android” application in the system image. The “android” application runs with a highly privileged user ID, android.uid.system, and has system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.

Esper Senior Technical Editor Mishaal Rahmanas always, has been posting great information about this on Twitter. As he explains, making an app take on the same UID as the Android system isn’t root access, but it’s close and allows an app to get out of any limited sandboxing that exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps on your phone. Imagine a more evil version of Google Play Services and you get the picture.

Leave a Reply

Your email address will not be published. Required fields are marked *