Google's Android Partner Vulnerability Initiative (APVI) has publicly disclosed a new vulnerability affecting Android devices from OEMs such as Samsung, LG, Xiaomi, and more (via Mishaal Rahman).
The leak lets scammers pass off malicious apps as trusted, genuine apps, even when they clearly aren't.
Hundreds of thousands of Android smartphones have been rendered vulnerable after a major security leak paved the way for "trusted" malware to run amok, affecting devices from Samsung, LG, Xiaomi, and others. According to Google, the leak happened back in May 2022, and users are protected against the vulnerability through Google Play Protect and the various "mitigation measures" that OEMs have implemented so far.
Because these leaked platform keys are in some cases also used to sign ordinary apps, an attacker could add malware to a trusted app, sign the malicious version with the same key, and Android would trust it as an "update".
By design, Android trusts any app that is signed with the same key used to sign the operating system. With those app signing keys, an attacker can use Android's "shared user ID" system to grant malware full, system-level permissions on an affected device. In short, an attacker can get access to all the data available on the device.
Google has not officially disclosed which devices or OEMs were affected, but it does list hashes of example malware files. Helpfully, each file has been uploaded to VirusTotal, which often also reveals the name of the affected company. These include:
- szroco (makers of Walmart’s Onn tablets)
For example, the Samsung Bixby app, which comes pre-installed on Galaxy devices, can also be affected by this leak. This method works whether an app originally came from the Play Store, the Galaxy Store, or was sideloaded.
The company has also shared the reason why this happened. According to the report, many Android OEMs have leaked their platform signing keys outside their respective companies, which has led to this security leak.
It is worth mentioning that this vulnerability does not apply only when installing a new or unknown app; system applications that are already installed can also be affected.
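A defensive check for the trust relationship described above (same signing key plus shared user ID), as an added example that is not from the original article or from Google: it flags APKs whose signer certificate is on a compromised list and escalates those that also declare the system shared user ID. The digests, package names and inventory rows are constructed placeholders, and the parsing assumes the text printed by `apksigner verify --print-certs`.

```python
import re

# Constructed placeholder standing in for a leaked platform certificate digest.
# Real values must come from the OEM or the published advisory.
LEAKED = "aa" * 32
CLEAN = "bb" * 32
COMPROMISED_CERT_SHA256 = {LEAKED}

SYSTEM_UID = "android.uid.system"  # sharedUserId that runs an app as the system user
DIGEST_RE = re.compile(r"certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def signer_digests(print_certs_output):
    """Extract signer certificate SHA-256 digests from --print-certs text."""
    return {d.lower() for d in DIGEST_RE.findall(print_certs_output)}


def triage(shared_user_id, print_certs_output):
    """Classify one APK against the compromised-certificate list."""
    if not signer_digests(print_certs_output) & COMPROMISED_CERT_SHA256:
        return "ok"
    # Signed with a leaked key: an "update" signed with it would be accepted.
    if shared_user_id == SYSTEM_UID:
        return "critical"  # also shares the system UID and its permissions
    return "review"  # the signature no longer proves who built this APK


def report(inventory):
    """Return {package: verdict} for every row that is not 'ok'."""
    verdicts = {pkg: triage(uid, certs) for pkg, uid, certs in inventory}
    return {pkg: v for pkg, v in verdicts.items() if v != "ok"}


def _certs(digest):
    # Constructed sample of apksigner output for a single signer.
    return ("Signer #1 certificate DN: CN=Constructed\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n")


# Constructed inventory: (package, sharedUserId from the manifest, cert text).
SAMPLE = [
    ("com.example.assistant", SYSTEM_UID, _certs(LEAKED.upper())),
    ("com.example.gallery", None, _certs(LEAKED)),
    ("com.example.notes", None, _certs(CLEAN)),
]

if __name__ == "__main__":
    for pkg, verdict in report(SAMPLE).items():
        print(f"{verdict:8} {pkg}")
```

The check covers pre-installed system apps as well as newly installed ones, since it looks only at the signer certificate and the declared shared user ID, not at where the APK came from.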