Samsung’s Android app signing key has been leaked, and it’s used to sign malware

A developer’s cryptographic signing key is one of the most important pillars of Android security. Anytime Android updates an app, the signing key for the old app on your phone must match the key for the update you’re installing. Matching keys ensure that the update actually comes from the company that originally created your app and is not a malicious hijacking scheme. If a developer’s signing key is leaked, anyone can distribute malicious app updates and Android will be happy to install them, thinking they’re legitimate.

On Android, the app update process is not limited to apps downloaded from the Play Store; it also covers bundled system apps made by Google, your device manufacturer, and any other pre-installed apps. While downloaded apps have a strict set of permissions and controls, bundled Android apps have access to more powerful and invasive permissions and aren’t subject to the usual Play Store restrictions (which is why Facebook always pushes to be a bundled app). If a third-party developer loses their signing key, that would be bad. If an Android OEM lost its system application signing key, it would be really bad.

Guess what happened! Łukasz Siewierski, a member of Google’s Android security team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of certificates, but running each one through APKMirror or Google’s VirusTotal will reveal the names of some of the compromised keys: Samsung, LG, and MediaTek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.


The signing keys of these companies have somehow leaked to outsiders, and now you can’t trust that apps claiming to be from these companies are actually from them. To make matters worse, the “platform certificate keys” they lost carry some serious permissions. To quote from the APVI post:

The platform certificate is the application signing certificate used to sign the “android” application to the system image. The “android” application runs with a highly privileged user ID — android.uid.system — and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.

Esper’s Chief Technical Editor, Mishaal Rahman, as always, posted great info about this on Twitter. As he explains, having an app grab the same Android user ID isn’t quite root access, but it’s close, and it allows the app to break out of whatever limited sandbox exists for system apps. These apps can communicate directly with (or, in the case of malware, spy on) other apps on your phone. Imagine a more sinister version of Google Play Services, and you get the idea.
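The two trust checks described above (an update must carry the same signer as the installed app, and `android.uid.system` is only granted to apps signed with the platform certificate) are easy to model, and the model shows why a leaked platform key is so damaging: the checks pass for the malware exactly as they would for a genuine OEM update. The following Python script is an added example, not code from the article, the APVI post, or Android itself. The certificate fingerprints in it are constructed placeholders, the `Device`/`Apk` classes are a simplified stand-in for the real package manager, and the `apksigner verify --print-certs` sample output is constructed; a defender would substitute the real fingerprints from the APVI post into the denylist.

```python
"""Model of Android's signing-key trust checks, plus a defender-side
denylist check for APKs signed with a leaked platform certificate.

Added example; not the article's code and not Android's real package
manager.  All fingerprints below are constructed placeholders.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def _fp(label: bytes) -> str:
    """SHA-256 of a constructed blob, standing in for a real cert fingerprint."""
    return hashlib.sha256(label).hexdigest()


# Constructed placeholders: the OEM's platform cert (the one that leaked),
# an unrelated third-party developer cert, and a cert an attacker made himself.
PLATFORM_CERT = _fp(b"constructed: OEM platform certificate")
THIRD_PARTY_CERT = _fp(b"constructed: independent developer certificate")
ATTACKER_CERT = _fp(b"constructed: attacker-generated certificate")

# Defender's denylist of fingerprints known to be leaked (placeholder value;
# real entries come from the APVI post).
LEAKED_PLATFORM_CERTS: Set[str] = {PLATFORM_CERT}


@dataclass
class Apk:
    package: str
    signer_fp: str                      # SHA-256 of the signing certificate
    shared_user_id: Optional[str] = None  # e.g. "android.uid.system"


@dataclass
class Device:
    platform_fp: str                    # fingerprint baked into the system image
    installed: Dict[str, Apk] = field(default_factory=dict)
    denylist: Set[str] = field(default_factory=set)

    def install(self, apk: Apk) -> str:
        """Return 'installed' or a rejection reason.

        Mirrors the checks the article describes: an update must match the
        installed signer, and android.uid.system needs the platform cert.
        The denylist check is the extra step a defender adds after a leak.
        """
        if apk.signer_fp in self.denylist:
            return "rejected: signer certificate is on the leaked-key denylist"
        if apk.shared_user_id == "android.uid.system" and apk.signer_fp != self.platform_fp:
            return "rejected: android.uid.system requires the platform certificate"
        prev = self.installed.get(apk.package)
        if prev is not None and prev.signer_fp != apk.signer_fp:
            return "rejected: update signer does not match installed app"
        self.installed[apk.package] = apk
        return "installed"


# Matches the SHA-256 line that `apksigner verify --print-certs` prints per signer.
APKSIGNER_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")


def fingerprints_from_apksigner(output: str) -> List[str]:
    """Pull the SHA-256 signer digests out of apksigner's text output."""
    return [m.lower() for m in APKSIGNER_RE.findall(output)]


def leaked_signers(output: str, denylist: Set[str] = LEAKED_PLATFORM_CERTS) -> List[str]:
    """Fingerprints in the apksigner output that appear on the denylist."""
    return [fp for fp in fingerprints_from_apksigner(output) if fp in denylist]


# Constructed sample of apksigner output for an APK signed with the leaked key.
SAMPLE_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=Constructed OEM, O=Example\n"
    f"Signer #1 certificate SHA-256 digest: {PLATFORM_CERT}\n"
    "Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000\n"
)


def demo() -> Dict[str, str]:
    """Walk through the scenarios the article describes and return the outcomes."""
    malware = Apk("com.example.fakesystem", PLATFORM_CERT, "android.uid.system")
    homemade = Apk("com.example.homemade", ATTACKER_CERT, "android.uid.system")
    stock = Device(platform_fp=PLATFORM_CERT)
    hardened = Device(platform_fp=PLATFORM_CERT, denylist=set(LEAKED_PLATFORM_CERTS))
    stock.install(Apk("com.example.app", THIRD_PARTY_CERT))
    return {
        # Leaked platform key: the stock checks pass and system UID is granted.
        "leaked_key_on_stock_device": stock.install(malware),
        # A self-made cert cannot claim android.uid.system.
        "attacker_cert_on_stock_device": stock.install(homemade),
        # An update signed by a different key is refused.
        "mismatched_update": stock.install(Apk("com.example.app", ATTACKER_CERT)),
        # With the leaked fingerprint denylisted, the same malware is refused.
        "leaked_key_on_hardened_device": hardened.install(malware),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
    print("leaked signers in sample output:", leaked_signers(SAMPLE_APKSIGNER_OUTPUT))
```

The model deliberately ignores APK Signature Scheme v3 key rotation lineage and treats a single fingerprint as the identity of the signer, which is enough to show the point: a matching key proves only that the update was signed with that key, not that the key is still under the OEM's control, so a leaked-key denylist (or a platform certificate rotation) is the only thing that turns the first scenario from "installed" into "rejected".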
