Due to a major security breach, devices from some of the world's largest Android smartphone manufacturers are vulnerable to malicious apps that the operating systems deem to be trustworthy.
The news comes from Łukasz Siewierski of Google's Android Partner Vulnerability Initiative (APVI), who publicly disclosed the vulnerability in November 2022.
As reported by 9to5Google, Siewierski's disclosure doesn't directly say which major Android makers had their platform signing keys leaked, but virus scans of some affected files confirm that Samsung, LG, Xiaomi, MediaTek, Szroco, and Revoview devices are affected; this is an incomplete and developing list.
Trusted application abuse
To quote Mishaal Rahman, technical writer for cloud platform Esper, “It's bad. Very very bad.”
The vulnerability lets attackers create malicious apps with system-level privileges and even embed malicious code into trusted, legitimate, pre-existing Android apps. All of this stems from the platform signing keys.
A platform signing key is what a device uses to verify that the operating system it is running is legitimate. The same keys are used to create platform-signed applications, those that a device manufacturer has verified as safe and free of malware.
If a hacker were to obtain these keys, they could use Android's "shared user ID" system to create a malicious app with full system access.
To make matters worse, it's not just newly created apps that can be abused in this way. Apps that are already installed must still be signed with the same key for every update, meaning threat actors could load malware into trusted apps in no time.
After re-signing, a simple update of the application, which Android would not flag as problematic, would be enough to infect a device.
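The following is an added defender-side example, not code from the article or from Google: it parses the output of `apksigner verify --print-certs` (constructed sample output below) together with a decoded manifest header, and flags APKs whose signer matches a known-compromised platform certificate or which request `android.uid.system` via sharedUserId. The certificate digests and package name are placeholders, not the real leaked fingerprints.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of `apksigner verify --print-certs` output for one APK.
# The digests are placeholders, not real certificate fingerprints.
SAMPLE_APKSIGNER_OUTPUT = """\
Signer #1 certificate DN: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef
"""

# Placeholder set of compromised platform-certificate SHA-256 digests. In a real
# deployment this is populated from the APVI disclosure; none are reproduced here.
COMPROMISED_CERT_SHA256: Set[str] = {
    "aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111",
}

# Constructed sample of a decoded AndroidManifest.xml header (placeholder package).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed"
    android:sharedUserId="android.uid.system">
"""

DIGEST_RE = re.compile(r"Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})")
SHARED_UID_RE = re.compile(r'android:sharedUserId="([^"]+)"')


def signer_digests(apksigner_output: str) -> Dict[int, str]:
    """Map signer number -> lowercase SHA-256 digest from apksigner --print-certs output."""
    return {int(n): d.lower() for n, d in DIGEST_RE.findall(apksigner_output)}


def shared_user_id(manifest_xml: str) -> Optional[str]:
    """Return the sharedUserId the manifest requests, or None if it requests none."""
    m = SHARED_UID_RE.search(manifest_xml)
    return m.group(1) if m else None


def audit_apk(apksigner_output: str, manifest_xml: str, compromised: Set[str]) -> List[str]:
    """Return findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    bad_signer = False
    for num, digest in signer_digests(apksigner_output).items():
        if digest in compromised:
            bad_signer = True
            findings.append(f"signer #{num} uses a compromised platform certificate ({digest[:16]}...)")
    uid = shared_user_id(manifest_xml)
    if uid == "android.uid.system":
        findings.append("manifest requests sharedUserId=android.uid.system (runs as the system user)")
    if bad_signer and uid == "android.uid.system":
        findings.append("HIGH: compromised-key signer combined with system UID request")
    return findings
```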
Google first detected the issue in May 2022, and the company says all affected manufacturers have taken "corrective action to verify user impact," though no further details have been announced.
It's unclear whether these measures worked, as 9to5Google also reported that some of the vulnerable keys had been used to sign Samsung's Android apps as recently as days before the time of writing.
Still, Google said that Android phones are secure in a number of ways, including through Google Play Protect, OEM mitigations, and more. Apps residing on the Play Store are also apparently safe.
“OEM partners quickly implemented mitigations as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners,” a trader told Word of Society.
“Google has implemented extensive detections for the malware in the Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or has been in the Google Play Store. As always, we recommend users to ensure that they are using the latest version of Android.”