A long-standing major vulnerability has left millions of Android handsets open to data theft

According to a tweet from Google’s Lukasz Siewierski (via Mishaal Rahman and 9to5Google), hackers and “malicious insiders” were able to leak the platform signing keys that several Android manufacturers use to sign the system apps on their devices. These signing keys are what assures the device that its apps, and even the version of the Android operating system running on your phone, are legitimate.

Long-standing vulnerability affected LG, Samsung and other Android manufacturers

Android is designed to trust applications signed with the same key that is used to sign the operating system build itself, so the problem is plain to see: a bad actor in control of these keys could get Android to “trust” apps carrying system-level malware. It’s like handing a thief the keys to your house and your car with your approval. All data on vulnerable devices could be at risk, and some of these keys are also used to sign regular apps installed from the Play Store or downloaded from other Android app stores.

Rahman tweets that the leaked signing keys cannot be used to install compromised over-the-air updates, and he adds that Google Play Protect could flag apps signed by the leaked keys as potentially dangerous.

While not all sources of the leaked keys have yet been identified, the companies that have been named include:

  • Samsung
  • LG
  • MediaTek
  • Szroco (the company that produces Walmart’s Onn tablets)
  • Revoview

Google says the vulnerability was brought to its attention in May this year and that the companies involved have “taken corrective action to minimize the impact on users”. That is not exactly an “all clear”, especially in light of news that APK Mirror very recently came across some of the compromised signing keys on Samsung’s Android apps.

Google, in a statement, said Android users are protected by Google Play Protect and by the measures taken by manufacturers, and that this exploit has no impact on apps downloaded from the Play Store.

A Google spokesperson said, “OEM partners quickly implemented mitigations as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has broad detections for malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”

What you should do to limit your exposure

Google recommends that the affected companies rotate the signing keys currently in use and stop using the leaked ones. It also suggests that each company open an investigation into how the keys were leaked, which would hopefully prevent something like this from happening again. Google further recommends that companies sign the minimum possible number of apps with their platform keys, to reduce the damage any future leak could do.
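Both recommendations reduce to two questions a vendor or enterprise security team can answer from signature data: which APKs are signed by a key that has been declared leaked, and how many APKs each key signs. The script below is an added example, not from the article or from any vendor’s tooling; it parses the `Signer #N certificate SHA-256 digest:` lines that `apksigner verify --print-certs` prints, under the assumption that the output for several APKs was concatenated with a `== name.apk ==` header per file, and it uses constructed placeholder fingerprints in place of real keys.

```python
import re
from collections import defaultdict

# Constructed fingerprints standing in for two OEM keys (64 hex chars each).
PLATFORM_KEY = "0123456789abcdef" * 4   # assume: the leaked platform key
APP_KEY = "fedcba9876543210" * 4        # assume: an unaffected app-signing key

# Constructed sample: `apksigner verify --print-certs` output for three APKs,
# joined with a "== file ==" header per APK (the header is our own framing;
# the digest lines follow apksigner's real output format).
SAMPLE = f"""\
== SystemUI.apk ==
Signer #1 certificate DN: CN=Android, O=Example OEM
Signer #1 certificate SHA-256 digest: {PLATFORM_KEY}
== Calculator.apk ==
Signer #1 certificate DN: CN=Apps, O=Example OEM
Signer #1 certificate SHA-256 digest: {APP_KEY}
== Settings.apk ==
Signer #1 certificate DN: CN=Android, O=Example OEM
Signer #1 certificate SHA-256 digest: {PLATFORM_KEY}
"""

# Placeholder denylist: fingerprints of keys the vendor has declared leaked.
REVOKED = {PLATFORM_KEY}

HEADER = re.compile(r"^== (.+?) ==$")
DIGEST = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9A-Fa-f]{64})$")

def parse_report(text):
    """Map each APK name to the list of SHA-256 signer fingerprints found for it."""
    apks, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            apks[current] = []
            continue
        m = DIGEST.match(line)
        if m and current is not None:
            apks[current].append(m.group(1).lower())
    return apks

def audit(apks, revoked):
    """Return (APKs signed by a revoked key, {fingerprint: [APKs it signs]})."""
    flagged = sorted(a for a, sigs in apks.items() if any(s in revoved for s in sigs)) if False else \
              sorted(a for a, sigs in apks.items() if any(s in revoked for s in sigs))
    usage = defaultdict(list)
    for apk, sigs in apks.items():
        for s in sigs:
            usage[s].append(apk)
    return flagged, {k: sorted(v) for k, v in usage.items()}
```

The second return value is the inventory Google’s minimisation advice calls for: every APK listed under a platform-key fingerprint is one more app that a leak of that key would let an attacker impersonate.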

So what can you do as the owner of a possibly affected Android phone? Make sure your handset is running the latest version of Android and install security updates as soon as they arrive. It doesn’t matter that these updates bring no exciting new features; their job is to make sure your device isn’t compromised. Android users should also refrain from sideloading apps, which means installing an app from a third-party app store rather than the Play Store.

The scary thing is that this vulnerability has apparently been around for years. Samsung even talks about it in its statement to Android Police stating, “Samsung takes the security of Galaxy devices seriously. We have released security patches since 2016 after being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up to date with the latest software updates.”
