Samsung’s Android app signing key has been leaked, and it’s used to sign malware

A developer’s cryptographic signing key is one of the most important pillars of Android security. Whenever Android updates an app, the key that signed the version already on your phone must match the key that signed the update being installed. Matching keys ensure that the update actually comes from the company that originally created the app and is not a hijacking attempt. If a developer’s signing key leaks, anyone can distribute malicious app updates, and Android will happily install them, believing they’re legitimate.

On Android, this update process applies not only to apps downloaded from the Play Store but also to the bundled system apps made by Google, your device manufacturer, and anyone else whose apps ship preinstalled. While downloaded apps are held to a strict set of permissions and controls, bundled Android apps have access to more powerful and invasive permissions and aren’t subject to the usual Play Store restrictions (which is why Facebook always pushes to be a bundled app). If a third-party developer loses their signing key, that’s bad. If an Android OEM loses its system app signing key, that’s really bad.

Guess what happened! Łukasz Siewierski, a member of Google’s Android security team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of keys, but running each one through APKMirror or Google’s VirusTotal will turn up names for some of the compromised keys: Samsung, LG, and MediaTek are the heavy hitters on the list, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.

Somehow these companies’ signing keys have leaked to outsiders, and now you can’t trust that apps claiming to be from them actually are. To make matters worse, the “platform certificate keys” they lost carry some serious permissions. To quote the AVPI post:

The platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user ID — android.uid.system — and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.

Mishaal Rahman, Senior Technical Editor at Esper, has, as always, posted great info about this on Twitter. As he explains, having an app grab the same user ID as the system isn’t quite root access, but it’s close, and it lets the app break out of whatever limited sandbox exists for system apps. These apps can communicate directly with (or, in the case of malware, spy on) other apps on your phone. Imagine a more sinister version of Google Play Services, and you get the idea.
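As an added example (not code from the AVPI post, Google, or any of the OEMs named here), the following stdlib-only Python shows both halves of the story above: how the same-signer rule in the update process from the opening paragraph reduces to a certificate comparison, and how the certificate fingerprint that APKMirror and VirusTotal surface for a leaked platform key is recovered from an APK’s signature block. It walks the v1 JAR signature (META-INF/CERT.RSA, a PKCS#7 SignedData) with a minimal DER reader. The sample APKs, the “certificates” inside them, and the leaked-key list are constructed stand-ins, not real Android artifacts and not the fingerprints from the AVPI post.

```python
from __future__ import annotations

import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 id-signedData
PKCS7_DATA_OID = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1 id-data


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when content is >= 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(buf: bytes, pos: int) -> tuple[int, int, int, int]:
    """Decode the TLV at pos; return (tag, value_start, value_end, next_element_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length, pos + length


def extract_certificates(pkcs7: bytes) -> list[bytes]:
    """Return the DER bytes of every Certificate in a PKCS#7 SignedData's certificates set."""
    tag, pos, _, _ = _read_tlv(pkcs7, 0)                 # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a ContentInfo")
    tag, s, e, pos = _read_tlv(pkcs7, pos)               # contentType OID
    if tag != 0x06 or pkcs7[s:e] != SIGNED_DATA_OID:
        raise ValueError("not id-signedData")
    _, pos, _, _ = _read_tlv(pkcs7, pos)                 # [0] EXPLICIT content
    _, pos, _, _ = _read_tlv(pkcs7, pos)                 # SignedData SEQUENCE
    for _ in range(3):                                   # skip version, digestAlgorithms, encapContentInfo
        _, _, _, pos = _read_tlv(pkcs7, pos)
    tag, pos, end, _ = _read_tlv(pkcs7, pos)             # [0] IMPLICIT certificates (optional)
    if tag != 0xA0:
        return []
    certs = []
    while pos < end:
        tag, _, _, nxt = _read_tlv(pkcs7, pos)
        if tag == 0x30:                                  # each Certificate is a SEQUENCE
            certs.append(pkcs7[pos:nxt])
        pos = nxt
    return certs


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole DER certificate, the digest apksigner/VirusTotal display."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_fingerprints(apk_bytes: bytes) -> set[str]:
    """Fingerprints of all certificates found in the APK's v1 signature block files."""
    fps: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(cert_fingerprint(c) for c in extract_certificates(z.read(name)))
    return fps


def update_allowed(installed_apk: bytes, update_apk: bytes) -> bool:
    """Android's rule: the update's signer set must match the installed one exactly
    (v3 key-rotation lineage is out of scope for this example)."""
    old, new = signer_fingerprints(installed_apk), signer_fingerprints(update_apk)
    return bool(old) and old == new


def signed_with_leaked_key(apk_bytes: bytes, leaked: set[str]) -> bool:
    """Triage check: does any signer of this APK appear on a leaked-certificate list?"""
    return not signer_fingerprints(apk_bytes).isdisjoint(leaked)


def build_sample_apk(cert_der: bytes) -> bytes:
    """Constructed sample: an APK-shaped zip whose CERT.RSA is a PKCS#7 SignedData carrying
    cert_der. Digests and signerInfos are empty placeholders; we identify, not verify."""
    signed_data = _der(0x30, b"".join([
        _der(0x02, b"\x01"),                             # version
        _der(0x31, b""),                                 # digestAlgorithms
        _der(0x30, _der(0x06, PKCS7_DATA_OID)),          # encapContentInfo
        _der(0xA0, cert_der),                            # [0] certificates
        _der(0x31, b""),                                 # signerInfos
    ]))
    content_info = _der(0x30, _der(0x06, SIGNED_DATA_OID) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\r\n")
        z.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


# Constructed stand-in "certificates" (not real X.509): a name plus a padded key blob so
# the long-form DER length path is exercised.
OEM_CERT = _der(0x30, _der(0x13, b"CN=Sample OEM platform key") + _der(0x04, b"\xAA" * 200))
ATTACKER_CERT = _der(0x30, _der(0x13, b"CN=Attacker key") + _der(0x04, b"\xBB" * 200))

if __name__ == "__main__":
    system_app = build_sample_apk(OEM_CERT)
    leaked_keys = {cert_fingerprint(OEM_CERT)}           # stand-in for the AVPI list
    print("impostor with own key   ->", update_allowed(system_app, build_sample_apk(ATTACKER_CERT)))
    print("malware with leaked key ->", update_allowed(system_app, build_sample_apk(OEM_CERT)))
    print("flagged by leaked list  ->", signed_with_leaked_key(build_sample_apk(OEM_CERT), leaked_keys))
```

Real builds today also carry v2/v3 signatures in the APK Signing Block, which is where the installer actually checks; `apksigner verify --print-certs` prints the same SHA-256 certificate digests from either scheme. The comparison in `update_allowed` is deliberately exact-match: once a platform certificate leaks, the check passes for the attacker exactly as it does for the OEM, which is the problem the post describes.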
