Long-standing vulnerability affected LG, Samsung and other Android device makers
Android trusts any app signed with the same certificate that signs the operating system itself: an app signed with an OEM's platform key can request system-level permissions and even run as the system user, with access to data that ordinary apps never see. So the problem is clear. Anyone holding those keys could sign malware that Android would accept as part of the system. It is like handing a thief the keys to your house and your car, with your blessing. All data on an affected device could be at risk. Worse, some of the leaked keys were also used to sign ordinary apps distributed through the Play Store or other Android app stores, and because Android only installs an update over an existing app when the signatures match, malware signed with such a key could be installed as an "update" to a legitimate app.

There is no beating around the bush when it comes to this vulnerability.
Rahman tweets that the leaked signing keys cannot be used to push compromised over-the-air updates, and adds that Google Play Protect can flag apps signed with the leaked keys as potentially harmful.
While not every source of the leaked keys has been identified, the companies named so far include:
- Samsung
- LG
- Mediatek
- Szroco (the company that produces Walmart’s Onn tablets)
- Revoview
Google says the vulnerability was reported to it in May this year and that the companies involved have "taken corrective action to minimize the impact on users". That is not quite an all-clear, especially given that APKMirror recently found Samsung apps still signed with some of the leaked keys.
A Google spokesperson said, "OEM partners quickly implemented mitigations as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has broad detections for malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android."
What you should do to limit your exposure
Google recommends that the affected companies rotate their signing keys and stop using the leaked ones. It also suggests that each company investigate how its keys leaked, which should help prevent a repeat. Google further recommends that companies sign as few apps as possible with the platform key, so that any future leak exposes less.
So what can you do as the owner of a possibly affected Android phone? Make sure your handset is running the latest version of Android and install security updates as soon as they arrive. It does not matter that these updates bring no exciting new features, because their job is to close holes like this one. And avoid sideloading apps, that is, installing apps from outside the Play Store, whether from a third-party app store or from a downloaded APK file.
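As an added example (not part of the original article, and not code from Google or any of the OEMs named above), the following Python script shows the check behind both the trust model described at the top of the page and the advice just given: it pulls the signer certificate out of an APK's v1 (JAR) signature, computes the SHA-256 fingerprint that apksigner and keytool print, and compares it with a blocklist. Everything it runs on is constructed here: the "certificates" are certificate-shaped placeholders, the sample APK is built in memory, and the blocklist holds the placeholder's digest; in real use it would hold the certificate digests published for the leaked keys. It assumes the APK carries a v1 signature; APKs with only a v2/v3 signature keep their certificates in the APK Signing Block and are not handled here.

```python
"""Fingerprint the signer of an APK's v1 (JAR) signature and compare it to a
blocklist of leaked platform-certificate digests. Stdlib only; example code."""
import hashlib
import io
import zipfile

SEQUENCE, SET, INTEGER, BIT_STRING, OID, PRINTABLE, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x06, 0x13, 0xA0


def der_tlv(tag, body):
    """Encode one DER tag-length-value (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, first, vstart = buf[pos], buf[pos + 1], pos + 2
        if first & 0x80:                       # long-form length (real certs are > 127 bytes)
            n = first & 0x7F
            length = int.from_bytes(buf[vstart:vstart + n], "big")
            vstart += n
        else:
            length = first
        vend = vstart + length
        if vend > end:
            raise ValueError("DER length overruns enclosing element")
        yield tag, pos, vstart, vend
        pos = vend


def pkcs7_certificates(der):
    """Return the raw DER of every certificate carried in a PKCS#7 SignedData blob."""
    outer = list(der_children(der, 0, len(der)))            # ContentInfo
    if len(outer) != 1 or outer[0][0] != SEQUENCE:
        raise ValueError("not a single ContentInfo SEQUENCE")
    _, _, v0, v1 = outer[0]
    content = list(der_children(der, v0, v1))[1]            # [0] EXPLICIT content, after contentType OID
    if content[0] != CTX0:
        raise ValueError("ContentInfo without [0] content")
    signed_data = next(der_children(der, content[2], content[3]))
    certs = []
    for tag, _, vs, ve in der_children(der, signed_data[2], signed_data[3]):
        if tag == CTX0:                                     # certificates [0] IMPLICIT SET OF Certificate
            certs += [der[s:e] for t, s, _vs, e in der_children(der, vs, ve) if t == SEQUENCE]
    return certs


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def signer_fingerprints(apk_bytes):
    """SHA-256 digests of the v1 signer certificates, as `apksigner verify --print-certs` prints them."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [sha256_hex(c) for c in pkcs7_certificates(z.read(name))]
    return fps


def leaked_signers(apk_bytes, blocklist):
    """Signer fingerprints of this APK that match a known-leaked certificate."""
    return [fp for fp in signer_fingerprints(apk_bytes) if fp in blocklist]


# --- constructed sample data: placeholders, not real certificates or real leaked digests ---

def fake_certificate(subject, sig_len):
    """Certificate-shaped DER SEQUENCE: tbs, sigAlg (sha256WithRSAEncryption OID), signature."""
    tbs = der_tlv(SEQUENCE, der_tlv(INTEGER, b"\x02") + der_tlv(PRINTABLE, subject))
    alg = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")))
    sig = der_tlv(BIT_STRING, b"\x00" * (sig_len + 1))
    return der_tlv(SEQUENCE, tbs + alg + sig)


LEAKED_CERT = fake_certificate(b"CN=platform-key-placeholder", 256)   # exercises long-form lengths
OTHER_CERT = fake_certificate(b"CN=unrelated-developer", 64)
LEAKED_FINGERPRINTS = {sha256_hex(LEAKED_CERT)}   # real use: the digests Google published for the leaked keys


def build_sample_apk(cert_der):
    """Minimal zip with a v1-style META-INF/CERT.RSA (SignedData, no signerInfos) wrapping cert_der."""
    signed_data = der_tlv(SEQUENCE,
                          der_tlv(INTEGER, b"\x01")
                          + der_tlv(SET, b"")                                                   # digestAlgorithms
                          + der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d010701")))  # id-data
                          + der_tlv(CTX0, cert_der)                                             # certificates
                          + der_tlv(SET, b""))                                                  # signerInfos
    p7 = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d010702")) + der_tlv(CTX0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", p7)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, cert in (("platform-signed app", LEAKED_CERT), ("third-party app", OTHER_CERT)):
        hits = leaked_signers(build_sample_apk(cert), LEAKED_FINGERPRINTS)
        print(f"{label}: {'LEAKED SIGNING KEY ' + hits[0] if hits else 'signer not on blocklist'}")
```

To run this against a real device, pull the APK first (`adb shell pm path <package>` prints its path, `adb pull <path>` copies it) and pass the file's bytes to `leaked_signers` with a blocklist of real digests. The fingerprint is the SHA-256 of the whole DER certificate, which is what `apksigner verify --print-certs` and `keytool -printcert` report, so the two can be cross-checked.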