Major security leak left Samsung & Android phones vulnerable

/in


A major security leak has led to the creation of “trusted” malware apps that can gain access to the entire Android operating system on devices from Samsung, LG, and others.

As shared by Googler Łukasz Siewierski (via Mishaal Rahman), Google’s Android Partner Vulnerability Initiative (APVI) has publicly disclosed a new vulnerability that affected devices from Samsung, LG, Xiaomi, and others.

The core of the issue is that multiple Android OEMs have had their platform signing keys leaked outside of their respective companies. This key is used to ensure that the version of Android that’s running on your device is legitimate, created by the manufacturer. That same key can also be used to sign individual apps.

By design, Android trusts any app signed with the same key used to sign the operating system itself. A malicious attacker with those app signing keys would be able to use Android’s “shared user ID” system to give malware full, system-level permissions on an affected device. In essence, all data on an affected device could be available to an attacker.

Notably, this Android vulnerability doesn’t solely happen when installing a new or unknown app. Since these leaked platform keys are also in some cases used to sign common apps — including the Bixby app on at least some Samsung phones — an attacker could add malware to a trusted app, sign the malicious version with the same key, and Android would trust it as an “update.” This method would work regardless of if an app originally came from the Play Store, Galaxy Store, or was sideloaded.

Google’s public disclosure doesn’t lay out which devices or OEMs were affected, but it does display the hash of example malware files. Helpfully, each of the files has been uploaded to VirusTotal, which also often reveals the name of the affected company. With that, we know the following companies’ keys were leaked (though some keys have not yet been identified):

  • Samsung
  • LG
  • Mediatek
  • szroco (makers of Walmart’s Onn tablets)
  • Revoview

According to Google’s brief explainer of the issue, the first step is for each affected company to swap out (or “rotate”) its Android platform signing keys to no longer use the…

Source…