"Major Android Security Leak: Manufacturer Signing Keys Used To Validate Malware Apps"

A security issue involving platform signing keys from major device manufacturers such as LG and Samsung has opened the door for malware apps to infiltrate user devices disguised as legitimate updates. Such malware apps can grant an attacker complete system-level access to an Android device, because the operating system trusts any app signed with one of these keys. The attack does not necessarily require the end user to download a new app, since it can be delivered as an update to an app already on the device. Whether that app was installed through the Play Store, a manufacturer-specific outlet such as the Galaxy Store, or was sideloaded independently makes no difference.

Google disclosed the security leak but did not name the manufacturers involved. However, through subsequent listings on VirusTotal, independent researchers were able to learn the names of some of the companies whose keys were stolen, which include Samsung, LG, MediaTek, RevoView, and SZROCO. Although Google only recently disclosed the breach to the public, it states that Samsung, LG, and all other known impacted companies had resolved the issue by May 2022. APKMirror, a third-party Android app archiving site, reports that malware apps signed with Samsung's keys were recently uploaded. VirusTotal reports exploits involving signed malware apps dating back to 2016. The manufacturers involved claim to have resolved the issue within their own environments, but it is impossible to know whether other manufacturers were affected or what their current status is. According to Ivan Wallis, Global Architect at Venafi, any manufacturer holding these signing keys must act immediately. This situation illustrates the lack of proper security controls over code signing certificates, specifically the signing keys for the Android platform.
These certificate leaks are a case in point: the vendor certificates made their way into the wild, allowing for misuse and for signing malicious Android applications that masquerade as those vendors' own software. Bad actors holding such a key have access to the same permissions as the core service. Because there is so little visibility into code signing, it is difficult to determine the impact of a breach, as the private key could be anywhere. At this point, the code signing environment must be considered fully compromised, and key and certificate rotation must occur immediately. This article continues to discuss the potential impact of the Android security leak.

CPO Magazine reports "Major Android Security Leak: Manufacturer Signing Keys Used To Validate Malware Apps"

Submitted by Anonymous on