Following a major security leak, devices from some of the world’s biggest Android smartphone manufacturers are vulnerable to malicious apps that operating systems are treating as trusted.
The news comes from Google’s Android Partner Vulnerability Initiative’s (APVI) Łukasz Siewierski, who publicly disclosed the vulnerability in November 2022.
As noted by 9to5Google (opens in new tab), Siewierski’s disclosure doesn’t directly reveal which major Android manufacturers have had their platform signing keys leaked, but virus scans of some affected files have confirmed that Samsung, LG, Xiaomi, Mediatech, szroco, and Revoview devices are affected, but this is a developing and incomplete list.
Abusing trusted apps
To quote Mishaal Rahman, Technical Editor for cloud platform Esper, “this is bad. Very, very bad.”
The vulnerability is allowing threat actors to create malicious apps with system-level privileges, and even integrate malicious code into pre-existing, non-malicious and trusted Android applications. And it’s because of platform signing keys.
A platform signing key is an element that the endpoint uses to make sure the operating system running is legitimate. They’re used to create platform-signed apps, those that a device manufacturer has verified as safe and free of malware.
Should a threat actor obtain these keys, they’d be able to use the Android’s “shared user ID” system to craft a malicious application with full system access.
To make matters even worse, it’s not just newly-built apps that can be abused like this. Already installed apps still need to be signed regularly, meaning threat actors could side-load malware into trusted apps in short order.
Following resigning, a simple app update, which Android then wouldn’t see as problematic, would be enough to infect a device.
The issue was first spotted by Google in May 2022, and the company claims that all affected manufacturers have taken “remediation measures to verify the user impact”, although no further details were given.
It’s still unclear if these measures have worked, as 9to5Google also claimed some of the vulnerable keys were used in Android apps from Samsung within the last few days at time of writing.
Still, Google said Android phones are safe in a number of ways, including through Google Play Protect, OEM mitigations, and more. Apps residing in the Play Store are safe, too, apparently.
“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners,” a spokesperson for the company said.
“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”
