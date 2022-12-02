Because of a major vulnerability, devices from some of the world’s largest Android smartphone manufacturers are exposed to malicious apps that the operating system treats as trusted.

The news comes from Łukasz Siewierski of Google’s Android Partner Vulnerability Initiative (APVI), who made the vulnerability public in November 2022.

As noted by 9to5Google, Siewierski’s disclosure doesn’t directly reveal which major Android manufacturers had their platform signing keys leaked, but virus scans of some affected files confirmed that Samsung, LG, Xiaomi, MediaTek, szroco, and Revoview devices were affected. This is a developing and incomplete list.

Abusing trusted apps

To quote Mishaal Rahman, technical editor for cloud platform Esper, “this is bad. Very, very bad.”

The vulnerability allows attackers to create malicious apps with system-level privileges, and even to embed malicious code into pre-existing, non-malicious and trusted Android applications. It all comes down to platform signing keys.

A platform signing key is what the endpoint uses to ensure that the operating system is legitimate. These keys are used to create platform-signed apps: apps that a device manufacturer has verified as safe and malware-free.

If a threat actor were to get hold of these keys, they could use Android’s “shared user ID” system to create a malicious application with full system access.

To make matters worse, it’s not just newly built apps that can be exploited in this way. Already installed apps still need to be signed on a regular basis, which means threat actors can load malware into trusted apps within a short period of time.

From there, a simple app update, which Android would not consider problematic, would be enough to infect a device.
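
To make the combination described above concrete from a defender's side, here is an added triage example (not from Google, 9to5Google or any vendor) that flags packages which both request the system shared user ID and are signed with a certificate on a leaked-key list. The certificates, package names and manifests are constructed placeholders, and the three verdict labels are assumptions of this sketch.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SYSTEM_UID = "android.uid.system"  # shared user ID of the system process


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 of the signer certificate bytes, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def shared_user_id(manifest_xml: str):
    """Return android:sharedUserId from a decoded manifest, or None."""
    return ET.fromstring(manifest_xml).get(ANDROID_NS + "sharedUserId")


def classify(manifest_xml: str, cert_der: bytes, leaked: set) -> str:
    leaked_key = cert_digest(cert_der) in leaked
    wants_system = shared_user_id(manifest_xml) == SYSTEM_UID
    if leaked_key and wants_system:
        return "critical"  # leaked platform key plus system UID
    if leaked_key:
        return "review"    # signed with a leaked key, no system UID requested
    # Requesting the system UID without the platform signature gains nothing.
    return "ok"


def manifest(package: str, shared=None) -> str:
    """Build a minimal constructed manifest for the samples below."""
    attr = f' android:sharedUserId="{shared}"' if shared else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}"{attr}><application/></manifest>')


# Constructed sample data: placeholder bytes stand in for real DER certificates.
LEAKED_CERT = b"constructed-leaked-platform-cert"
OTHER_CERT = b"constructed-unrelated-developer-cert"
LEAKED_DIGESTS = {cert_digest(LEAKED_CERT)}
SAMPLES = {
    "com.example.updater": (manifest("com.example.updater", SYSTEM_UID), LEAKED_CERT),
    "com.example.notes": (manifest("com.example.notes"), LEAKED_CERT),
    "com.example.game": (manifest("com.example.game", SYSTEM_UID), OTHER_CERT),
}


def audit(samples: dict, leaked: set) -> dict:
    return {pkg: classify(m, c, leaked) for pkg, (m, c) in samples.items()}


if __name__ == "__main__":
    for pkg, verdict in audit(SAMPLES, LEAKED_DIGESTS).items():
        print(f"{pkg}: {verdict}")
```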

The issue was first spotted by Google in May 2022, and the company claims all affected manufacturers have “taken remedial action to verify the impact on the user”, though no further details were provided.

It is still unclear whether these measures have worked, as 9to5Google also claimed that some of the vulnerable keys had been used in Samsung’s Android apps over the past few days at the time of writing.

Still, Google said Android phones are safe in a number of ways, including through Google Play Protect, OEM restrictions, and more. Apps that are in the Play Store are also apparently safe.

“OEM partners immediately implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user restrictions implemented by OEM partners,” said a company spokesperson.

“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we encourage users to take care to make sure they are using the latest version of Android.”