A major Android leak has left millions of devices worldwide vulnerable to malware. While the leak does not affect most Android devices on the planet, it does pose a problem for users of Samsung and LG smartphones and devices powered by MediaTek chips.
For the unversed, an important part of how the Android OS protects a smartphone is the application signing process. This process ensures that software updates delivered to users’ smartphones come from legitimate developers. As a further layer of security, the process relies on a private signing key that is unique to the app developer and must always be kept secret.
Now, Google employee and malware reverse engineer Łukasz Siewierski (via Mishaal Rahman) has said that several Android OEMs’ platform certificates were leaked online. These keys can be used by malicious actors to sign malware and inject it into users’ smartphones. What makes this worse is that this signing key carries the highest level of OS privileges, meaning a malicious actor could inject malware without Google, the device manufacturer, or the app developer knowing. In theory, a malicious actor could present malware as a legitimate app update if users download the update from a third-party website.
People, this is bad. Very, very bad. Hackers and/or malicious insiders have leaked the platform certificates of several vendors. These are used to sign system apps on Android builds, including the “Android” app. These certificates are being used to sign malicious Android apps! https://t.co/lhqZxuxVR9
— Mishaal Rahman (@MishaalRahman) December 1, 2022
“The platform certificate is the application signing certificate used to sign the ‘Android’ application on the system image. The ‘Android’ application runs with the most privileged user ID – android.uid.system – and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user ID, allowing it to run with the same level of access to the Android operating system,” Google wrote in a blog post.
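As an added illustration (not code from the article, Google or any vendor), here is the check a defender could run on a sideloaded APK before trusting it: does its decoded manifest request the android.uid.system shared user ID, and is its signer one of the leaked platform certificates? The leaked-digest set, the sample manifest and the sample apksigner output are constructed placeholders; real digests should be taken from the Google or vendor advisory, and the manifest is assumed to have been decoded from binary XML (for example with apktool).

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SYSTEM_UID = "android.uid.system"

# Placeholder set of SHA-256 digests of leaked platform certificates.
# Populate from the Google/vendor advisory; this value is constructed, not real.
LEAKED_PLATFORM_CERT_SHA256 = {"00" * 32}

# Matches the digest lines printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.M)


def parse_signer_digests(apksigner_output: str) -> list[str]:
    """Extract every signer's SHA-256 certificate digest (lower-cased hex)."""
    return [d.lower() for _, d in DIGEST_RE.findall(apksigner_output)]


def requests_system_uid(manifest_xml: str) -> bool:
    """True if the decoded AndroidManifest.xml declares sharedUserId=android.uid.system."""
    root = ET.fromstring(manifest_xml)
    return root.get(ANDROID_NS + "sharedUserId") == SYSTEM_UID


def triage(manifest_xml: str, apksigner_output: str,
           leaked=LEAKED_PLATFORM_CERT_SHA256) -> str:
    """Classify an APK by the two facts the advisory turns on: the shared-UID
    request and whether the signer is a known-leaked platform certificate."""
    wants_system = requests_system_uid(manifest_xml)
    leaked_signer = any(d in leaked for d in parse_signer_digests(apksigner_output))
    if wants_system and leaked_signer:
        return "critical"   # would actually be granted android.uid.system on install
    if leaked_signer:
        return "high"       # signed with a leaked key even without the UID request
    if wants_system:
        return "review"     # the request is only honoured if the signer matches a platform cert
    return "clean"


# Constructed sample inputs: a fake "update" asking for the system UID,
# signed with the placeholder leaked certificate above.
SAMPLE_MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
                   'package="com.example.fakeupdate" android:sharedUserId="android.uid.system"/>')
SAMPLE_APKSIGNER = ("Signer #1 certificate DN: CN=Android, O=Android, C=US\n"
                    "Signer #1 certificate SHA-256 digest: " + "00" * 32 + "\n"
                    "Signer #1 certificate SHA-1 digest: da39a3ee5e6b4b0d3255bfef95601890afd80709\n")

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_APKSIGNER))  # critical
```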
Thankfully, all hope is not lost yet. The Android security team has already notified affected companies about the issue. The tech giant has also advised affected companies to ‘rotate the platform certificate by replacing it with a new set of public and private keys’.
“Additionally, they should conduct an internal investigation to find out the root cause of the problem and take steps to prevent such incidents in the future,” the company said.
Furthermore, a report by XDA Developers states that Samsung has been aware of the issue for a long time and has fixed the vulnerability long ago. “We have issued security patches since 2016 when we became aware of this issue, and there have been no known security incidents related to this potential vulnerability,” the company said in a statement to the publication.
The post Millions of Samsung, LG phones vulnerable to malware after Android certificate leak appeared first on BGR India.