A recent post on Google’s Android Partner Vulnerability Initiative (APVI) website revealed a major Android security leak. The leak has left devices from Samsung, LG, Xiaomi and many other brands vulnerable to very, very dangerous malicious apps. These applications can obtain the same level of access to the affected devices as the operating system itself.
Millions of Android devices are vulnerable to dangerous malicious apps
The problem stems from leaked platform certificates. These certificates, or signing keys, are what attest that the version of Android running on a device is legitimate. Vendors also use the same certificates to sign applications. Although the Android operating system assigns a unique user identifier (UID) to each app upon installation, apps that share a signing key can also share a UID and so gain access to each other’s data. Because of this design, applications signed with the same certificate as the operating system itself also receive the operating system’s own privileges.
The problem here is that several companies have had their Android platform certificates leaked to the wrong people. Those certificates are now being misused to sign malicious apps that run with the same privileges as the Android operating system. Such apps can obtain system-level permissions on affected devices without any user intervention. As soon as a malware-laden application is installed on a device, its creators can obtain whatever data they want from the device without the victim noticing.
Companies that sign ordinary apps with their platform certificates make this leak even more dangerous. Bad actors don’t even need to create new apps and trick potential victims into installing them. Instead, they can simply take an existing app signed with the leaked key, such as Samsung’s Bixby Routines or Galaxy Watch plugins, add malware to it, sign it with the same key, and push it as an update. They cannot, of course, distribute the app through the Play Store, but Android would still treat it as a legitimate update even if users sideload the malicious app.
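The defender-side check this implies is to compare the signer certificate of any APK (an update arriving outside the Play Store in particular) against the fingerprints of the leaked platform keys. The script below is an added example, not code from the APVI post or from any OEM: it parses the text that `apksigner verify --print-certs` produces and flags signers on a deny-list. The fingerprints in the deny-list and the sample output are constructed placeholders, not the real leaked certificates.

```python
"""Flag APKs whose signer certificate matches a known-compromised platform key.

Added example (not from the APVI post). The digests below are CONSTRUCTED
placeholders, not the real leaked certificates; populate the deny-list from
the fingerprints published with the advisory, and feed the function the text
produced by `apksigner verify --print-certs <apk>`.
"""
import re
from typing import Dict, List

# Constructed placeholder fingerprints (all-zero / all-f). Replace with real data.
LEAKED_PLATFORM_CERTS: Dict[str, str] = {
    "0" * 64: "OEM-A platform key (placeholder)",
    "f" * 64: "OEM-B platform key (placeholder)",
}

# apksigner prints one such line per signer:
#   Signer #1 certificate SHA-256 digest: 0123...abcd
SIGNER_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M
)


def signer_digests(apksigner_output: str) -> List[str]:
    """Return the lower-case SHA-256 digest of every signer apksigner listed."""
    return [m.group(2).lower() for m in SIGNER_RE.finditer(apksigner_output)]


def flag_compromised_signers(apksigner_output: str) -> List[str]:
    """Return one description per signer whose certificate is on the deny-list."""
    hits = []
    for digest in signer_digests(apksigner_output):
        if digest in LEAKED_PLATFORM_CERTS:
            hits.append(f"{digest[:12]}...: {LEAKED_PLATFORM_CERTS[digest]}")
    return hits


# Constructed sample output, shaped like `apksigner verify --verbose --print-certs`.
SAMPLE_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Android, O=Example
Signer #1 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000000
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for hit in flag_compromised_signers(SAMPLE_OUTPUT):
        print("COMPROMISED SIGNER:", hit)
```

A clean `apksigner` verification result says nothing about who holds the key, which is exactly why a fingerprint deny-list is needed on top of signature validity.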
Google says the affected manufacturers have taken corrective action
According to Google, this Android security leak was first reported in May this year. All affected manufacturers have already “taken corrective action to minimize the impact of the leak on the user”. But users may still be vulnerable if they have already installed a malicious app on their device. Worse still, some of the malware samples may have been active since 2016. If you are using an older Android device, we advise you to upgrade to a newer model that is actively receiving security updates. You should also avoid sideloading apps and always install apps from the Google Play Store.
Meanwhile, Google recommends that Android vendors replace the compromised platform certificates, and rotate them regularly to avoid similar issues in the future. Organizations should also stop using platform certificates to sign ordinary applications, to minimize the risk. Let’s hope Android OEMs act on these recommendations and put user privacy and security above everything else.