Samsung’s Android app signing key leaked and used to sign malware



A developer’s cryptographic signing key is one of the most important pillars of Android security. Every time Android updates an app, the signing key of the old app on your phone has to match the key of the update you are installing. Matching keys ensure that the update actually comes from the company that originally developed your app and isn’t a malicious hijacking scheme. If a developer’s signing key is leaked, anyone can distribute malicious app updates and Android will happily install them, believing them to be legitimate.

On Android, the app update process isn’t limited to apps downloaded from an app store; it also covers bundled system apps from Google, your device manufacturer, and any other bundled apps. While downloaded apps have stricter permissions and controls, bundled Android apps have access to stronger and more aggressive permissions and aren’t subject to the usual Play Store restrictions (which is why Facebook always pushes to be a bundled app). If a third-party developer loses their signing key, that’s bad. If an Android OEM lost its system app signing key, that would be really bad.

Guess what happened! Łukasz Siewierski, a member of Google’s Android Security team, has a post on the Android Partner Issue Tracker (AVPI) detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of keys, but looking each one up on APKMirror or Google’s VirusTotal website puts names to some of the compromised keys: Samsung, LG, and MediaTek are the heavyweights on the list of leaked keys, along with some smaller OEMs such as Revoview and Szroco, which makes Walmart’s Onn tablets.

The signing keys of these companies have somehow ended up in the hands of outsiders, and now you can no longer trust that apps claiming to be from these companies actually come from them. To make matters worse, the leaked platform certificate keys carry some serious permissions. To quote from the AVPI post:

The platform certificate is the application signing certificate used to sign the “Android” application on the system image. The “Android” application runs with a highly privileged user ID – android.uid.system – and has system privileges with access to user data. Any other application signed with the same certificate can declare that it wants to run under the same user ID, giving it the same level of access to the Android operating system.

Esper’s Technical Editor-in-Chief, Mishaal Rahman, has as always posted great information about this on Twitter. As he explains, an app running under the same user ID as the Android system doesn’t quite have root access, but it’s close, and it allows the app to break out of the limited sandbox that exists for system apps. These apps can talk to (or spy on) other apps directly across your phone. Imagine an even scarier version of Google Play Services and you get the idea.
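The two signer checks described above (matching keys on update, and the platform certificate gating android.uid.system) can be written down as a small decision function. This is an added, simplified model, not Android's own code or anything from the AVPI post; the package names, certificate bytes and the leaked-certificate denylist are constructed assumptions.

```python
# Simplified model (added example, not Android's own code) of the two signer
# checks the article describes, plus an assumed denylist of leaked certificates.
import hashlib
from dataclasses import dataclass
from typing import Optional

SYSTEM_UID = "android.uid.system"

def digest(cert_der: bytes) -> str:
    """SHA-256 of a signing certificate, a common way to identify a signer."""
    return hashlib.sha256(cert_der).hexdigest()

# Constructed stand-ins; real signing certificates are DER-encoded X.509.
PLATFORM_CERT = digest(b"constructed-oem-platform-cert")
VENDOR_CERT = digest(b"constructed-third-party-cert")
OTHER_CERT = digest(b"constructed-unrelated-cert")

@dataclass
class Package:
    name: str
    signer: str                       # digest of the signing certificate
    shared_user_id: Optional[str] = None

def evaluate_install(installed: dict, candidate: Package,
                     platform_signer: str, leaked: frozenset = frozenset()) -> str:
    """Return 'allow' or a rejection reason for installing `candidate`."""
    # Assumed defender-side control: refuse signers known to be leaked.
    if candidate.signer in leaked:
        return "reject: signer on leaked-certificate denylist"
    # Rule 1: an update must carry the same signer as the installed app.
    old = installed.get(candidate.name)
    if old is not None and old.signer != candidate.signer:
        return "reject: update signer does not match installed app"
    # Rule 2: the system user ID is only shared with the platform signer.
    if candidate.shared_user_id == SYSTEM_UID and candidate.signer != platform_signer:
        return "reject: not signed with platform certificate"
    return "allow"

INSTALLED = {"com.vendor.chat": Package("com.vendor.chat", VENDOR_CERT)}

def demo() -> dict:
    # Constructed app signed with the (leaked) platform certificate.
    rogue = Package("com.example.tool", PLATFORM_CERT, SYSTEM_UID)
    wrong_update = Package("com.vendor.chat", OTHER_CERT)
    wrong_system = Package("com.example.tool", OTHER_CERT, SYSTEM_UID)
    return {
        "wrong_key_update": evaluate_install(INSTALLED, wrong_update, PLATFORM_CERT),
        "wrong_key_system": evaluate_install(INSTALLED, wrong_system, PLATFORM_CERT),
        "leaked_key_no_denylist": evaluate_install(INSTALLED, rogue, PLATFORM_CERT),
        "leaked_key_denylist": evaluate_install(
            INSTALLED, rogue, PLATFORM_CERT, frozenset({PLATFORM_CERT})),
    }
```

Both signer rules reject a wrong key, but a package signed with the leaked platform certificate passes them; in this model only the out-of-band list of compromised certificate digests stops it.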

