A major security leak has led to the creation of rogue “trusted” apps that can access the entire Android operating system on devices from Samsung, LG and others.
As shared by Googler Lukasz Siewierski (via Mishaal Rahman), Google’s Android Partner Vulnerability Initiative (APVI) publicly disclosed a new vulnerability that affected devices from Samsung, LG, Xiaomi and others.
The crux of the matter is that several Android OEMs have had their platform signing keys leaked outside of their respective companies. This key is used to ensure that the version of Android running on your device is legitimate, created by the manufacturer. This same key can also be used to sign individual applications.
By design, Android trusts any application signed with the same key used to sign the operating system itself. An attacker holding these app signing keys could use Android’s “shared user ID” system to give malware full system-level permissions on an affected device. Essentially, all data on an affected device could be available to an attacker.
Notably, this Android vulnerability does not only occur when installing a new or unknown application. Since these leaked platform keys are also used in some cases to sign common apps – including the Bixby app on at least some Samsung phones – an attacker could add malware to a trusted app, sign the malicious version with the same key, and Android would trust it as an “update”. This method would work regardless of whether an app originally came from the Play Store, Galaxy Store, or was sideloaded.
Google’s public disclosure does not indicate which devices or vendors were affected, but it does list the hashes of example malicious files. Fortunately, each of the files was uploaded to VirusTotal, which also often reveals the name of the company involved. With this, we know that the following companies’ keys have been leaked (although some keys have yet to be identified):
- Samsung
- LG
- Mediatek
- szroco (makers of Walmart’s Onn tablets)
- Revoview
According to Google’s brief explainer of the issue, the first step is for each affected company to swap (or “rotate”) their Android platform signing keys to no longer use the leaked ones. It’s good practice to do this regularly anyway, to minimize damage from potential future leaks.
Beyond that, Google has also urged all Android makers to drastically reduce how often the platform key is used to sign other apps. Only an application that needs this highest permission level should be signed this way, to avoid potential security issues.
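As an added example (not code from Google’s disclosure or this article), the following Python script parses the signer digest lines printed by `apksigner verify --print-certs` and applies the two trust rules described above: an update is accepted only from the same signer, and a platform-signed package may take the system shared user ID. It then reports which packages a leaked platform key could replace or elevate, which is exactly the surface Google is asking OEMs to shrink. Package names and digests are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches the digest line printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")

def parse_apksigner_certs(text: str) -> list:
    """Return the SHA-256 signer digests found in apksigner output."""
    return [d.lower() for d in DIGEST_RE.findall(text)]

@dataclass
class Package:
    name: str
    signer: str                       # SHA-256 of the signing certificate
    shared_user_id: Optional[str] = None

def update_accepted(installed: Package, update_signer: str) -> bool:
    """Simplified PackageManager rule: an update is installed only when it is
    signed by the same certificate as the existing package (v3 key-rotation
    lineage is ignored here)."""
    return installed.signer == update_signer

def audit(packages, platform_signer, leaked_signers):
    """Flag packages a leaked platform key could replace or elevate."""
    report = {"platform_signed": [], "system_uid": [], "leaked_signer": []}
    for p in packages:
        if p.signer == platform_signer:
            report["platform_signed"].append(p.name)   # updatable with platform key
            if p.shared_user_id == "android.uid.system":
                report["system_uid"].append(p.name)    # runs with system privileges
        if p.signer in leaked_signers:
            report["leaked_signer"].append(p.name)
    return report

# Constructed sample data: digests and package names are placeholders.
PLATFORM = "11" * 32
VENDOR = "22" * 32
SAMPLE_APKSIGNER = (
    "Signer #1 certificate DN: CN=Android, O=Constructed Platform\n"
    f"Signer #1 certificate SHA-256 digest: {PLATFORM}\n"
)
PACKAGES = [
    Package("com.example.assistant", PLATFORM, "android.uid.system"),
    Package("com.example.gallery", PLATFORM),
    Package("com.example.weather", VENDOR),
]
```

Every package in `platform_signed` would accept an attacker-signed “update” once the platform key leaks, and those in `system_uid` would run it with system privileges; keeping both lists short is the mitigation Google describes.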
Google says that since the issue was first reported in May 2022, Samsung and all other affected companies have already “taken corrective action to minimize the user impact” of these major security flaws. It’s unclear exactly what this means, as some of the vulnerable keys have been used in Samsung’s Android apps in recent days, according to APKMirror.
It’s unknown which, if any, current Android devices are still vulnerable to this security exploit. We contacted Google for more details, but the company wasn’t immediately available for comment.
Notably, while Google’s disclosure states that the exploit was reported in May 2022, some of the malware samples were first analyzed by VirusTotal as early as 2016. It’s not yet clear whether this means the leak and related exploits have been actively used against some devices in that time.
In a statement, Google clarified that user devices are protected against this particular vulnerability in several ways, including through Google Play Protect, device manufacturer “mitigations,” and more. Beyond that, this exploit has not made its way into apps distributed through the Google Play Store.
OEM partners quickly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.
— Google spokesperson
As the details of this latest Android security leak are confirmed, there are a few simple steps you can take to ensure your device remains secure. For one thing, make sure that you are using the latest firmware available for your device. If your device is no longer receiving consistent Android security updates, we recommend upgrading to a newer device as soon as possible.
Beyond that, avoid sideloading apps to your phone, even when updating an app already installed on your phone. If you need to sideload an app, make sure you fully trust the file you’re installing.
Dylan Roussel contributed to this article.