Samsung, LG Phones Are at Risk Due to Leaked Certificates

Google’s Android Partner Vulnerability Initiative (APVI) has disclosed that platform signing certificates belonging to several Android OEMs, including Samsung and LG, have leaked and are being used to sign malware. Because Android trusts any app signed with an OEM’s platform key, rogue apps or malware signed with a leaked key can masquerade as “trusted” system apps. The issue was reported to the affected vendors in May this year, after which companies including Samsung took steps to contain the risk.

The problem was disclosed by Google security engineer Łukasz Siewierski and reported on by Esper’s Mishaal Rahman. In a Twitter thread, Siewierski showed how the leaked platform certificates had been used to sign malicious Android applications.

At the heart of the problem is not a bug but a design decision that attackers can exploit. Android trusts any app signed with a valid platform signing key, the key an OEM uses to sign the system apps in its firmware. Through the shared user ID mechanism, such an app can declare android:sharedUserId="android.uid.system" in its manifest and run with the same user ID, and therefore the same privileges, as the system itself.

Several Android original equipment manufacturers (OEMs) have now had their platform signing keys leaked, which lets malware authors sign their own apps with them and obtain system-level permissions on a target device. An app installed this way runs with the same access as the manufacturer’s own system apps signed with that certificate, which means all user data on the device is available to the attacker.

Another troubling aspect of the vulnerability is that the attack does not require the user to install a new or unknown app. A leaked platform key can also be used to sign a trojanized version of an app the user already trusts, such as the Bixby app on a Samsung device. A user who downloads such a build from a third-party website sees no warning when installing it, because its certificate matches the one already on the system, so Android accepts it as a legitimate update to the existing app.

Google has not publicly named the affected devices or OEMs in its disclosure, but the disclosure does include a sample list of malware files signed with the leaked keys. From those samples, reporters have identified the affected vendors, which include Samsung, LG, MediaTek, Xiaomi and Revoview.

The search giant also told the affected companies how to mitigate the issue. The first step is to rotate the platform signing keys marked as leaked, replacing them with new keys. Google also urged all Android manufacturers to drastically reduce the number of apps signed with the platform key, signing other apps with separate keys instead.
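The trust decision the preceding paragraphs describe, together with the rotation and the clean-up sweep Google recommended, as an added example that is not code from Google, Samsung or the APVI disclosure: a Go model of the relevant package-manager checks, using real ECDSA signatures and the SHA-256 certificate fingerprint that apksigner reports. The package names, key names, app contents and the "leaked" set are constructed for the example; the fingerprints from the actual disclosure are not reproduced here, and the Device type is a simplification of Android's PackageManager, not its API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
)

// must panics on error: key generation and signing failures are fatal in this model.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SigningKey is a signing identity: a private key plus its self-signed certificate.
type SigningKey struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigningKey generates a P-256 key and a self-signed certificate for it (constructed, not an OEM key).
func NewSigningKey(cn string) *SigningKey {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return &SigningKey{priv: priv, Cert: must(x509.ParseCertificate(der))}
}

// Fingerprint is the SHA-256 of the DER certificate, the value apksigner prints for a signer.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Package is a simplified APK: name, requested sharedUserId, contents, signature and signing cert.
type Package struct {
	Name, SharedUserID string
	Contents, Sig      []byte
	Cert               *x509.Certificate
}

// Sign produces a package signed by this key (ECDSA over SHA-256 of the contents).
func (k *SigningKey) Sign(name, sharedUID string, contents []byte) *Package {
	digest := sha256.Sum256(contents)
	return &Package{name, sharedUID, contents, must(ecdsa.SignASN1(rand.Reader, k.priv, digest[:])), k.Cert}
}

// Device models the parts of the package manager that matter here (hypothetical, simplified).
type Device struct {
	PlatformFingerprint string              // certificate currently trusted for android.uid.system
	Installed           map[string]*Package // installed packages by name
}

// Install enforces three checks: the signature verifies under the embedded cert, an update keeps the
// installed version's cert, and android.uid.system requires the platform cert. Nothing asks where the
// cert came from, so a leaked platform key passes exactly like the OEM's own.
func (d *Device) Install(p *Package) error {
	digest := sha256.Sum256(p.Contents)
	if !ecdsa.VerifyASN1(p.Cert.PublicKey.(*ecdsa.PublicKey), digest[:], p.Sig) {
		return fmt.Errorf("%s: signature does not verify", p.Name)
	}
	fp := Fingerprint(p.Cert)
	if old, exists := d.Installed[p.Name]; exists && Fingerprint(old.Cert) != fp {
		return fmt.Errorf("%s: update signed with a different certificate", p.Name)
	}
	if p.SharedUserID == "android.uid.system" && fp != d.PlatformFingerprint {
		return fmt.Errorf("%s: android.uid.system requires the platform certificate", p.Name)
	}
	d.Installed[p.Name] = p
	return nil
}

// FindSignedBy lists installed packages whose signing cert is in the leaked set: the sweep to run
// against the fingerprints from a disclosure.
func (d *Device) FindSignedBy(leaked map[string]bool) []string {
	var hits []string
	for name, p := range d.Installed {
		if leaked[Fingerprint(p.Cert)] {
			hits = append(hits, name)
		}
	}
	return hits
}

// RotatePlatformKey models the recommended mitigation: a firmware build whose own system apps
// (oemApps) are signed with a new key, which becomes the platform cert. In this model the installed
// contents are simply re-signed; a real update ships the OEM's own build. Anything else, including
// malware already installed under the old key, stays in place, so rotation is paired with the sweep.
func (d *Device) RotatePlatformKey(newKey *SigningKey, oemApps []string) {
	for _, name := range oemApps {
		if p, ok := d.Installed[name]; ok {
			d.Installed[name] = newKey.Sign(p.Name, p.SharedUserID, p.Contents)
		}
	}
	d.PlatformFingerprint = Fingerprint(newKey.Cert)
}
```

To run the same sweep against a real device, the fingerprint to compare is the SHA-256 certificate digest that `apksigner verify --print-certs some.apk` prints for each signer; the model above deliberately checks nothing but that equality, which is why possession of the key, not the identity of whoever holds it, is all Android ever verified.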

According to Google, the issue was first reported in May. Samsung and the other affected companies have since taken steps to fix and mitigate the risk. However, according to Android Police, some of the leaked keys listed in the disclosure were recently used to sign Samsung and LG app versions uploaded to APKMirror.

“OEM partners quickly implemented mitigations immediately after we reported the primary compromise. End users will be protected by user mitigations implemented by OEM partners,” Google said in a statement to BleepingComputer.

Android users are advised to update their firmware to the latest available version to stay protected from flaws like the one Google disclosed, and to be cautious when installing applications from third-party sources.
