Android security leaks and issues have become pretty common lately. We have just recently discussed about Android security flaws that affect all phones with Mali GPU. However, those issues affected only the phones with a Mali GPU. So, it might have gone under your radar. But things took a wild turn this time. The recent security leak is more about “trusted” apps with malware. And to make things worse, these “trusted” apps can access the entire OS of multiple OEM phones.
In other words, this security leak revolves around multiple Android OEMs, including LG, Samsung, and others. Platform signing keys of these OEMs just got leaked outside the respective companies. And that is not a good thing at all. But what are platform keys to begin with? Also, why should you know about this leak?
Signing Keys Are Crucial Checking Points of the Android Security
Android signing keys ensure that the Android version of the device is legitimate. Apps also use the same key to pass through the Android OS as a “safe” application. So, when a malicious attacker gets access to the signing keys, they can get complete access to the device.
The attackers can pass through “trusted” malware apps through the Android security and make them install like a legitimate app. And through the “shared user ID” system, the malware can get system-level permission. Eventually, all the data in the device could be available to the attacker.
Does This Android Security Leak Only Affect The Sideloaded Apps?
This Android vulnerability does not solely happen when you install a new app. And it’s not like the apps from unknown sources are the ones that can affect your device. Common apps also rely on the leaked platform keys, which include Bixby for Samsung devices.
In other words, an attacker with the leaked key can add malware to trusted apps. Additionally, the attacker can sign the malicious version of the app with the same key that Android security will trust. As a result, the app update will go through regardless of where the app came from.
Gizchina News of the week
Which Devices are at Risk?
The public disclosure from Google did not lay out much info. Instead of listing out the affected devices, the disclosure does offer a has of the example malware files. Thankfully, VirusTotal has each of the affected files. And it generally reveals the name of the company that is affected.
From that data, we got to know that the Android security key leak affected these OEMs:
- LG
- Mediatek
- Samsung
- Szroco
- Revoview
There are some keys that VirusTotal could not identify yet. So, there is a chance that other OEMs are also affected by this Android security leak.
Google’s Response To the Matter
The brief explainer from Google offered insight into the steps that it recommends. According to that explainer, the first step of the OEM companies would be to rotate (or swap out) their Android platform signing keys. By doing so, their devices will no longer trust the leaked keys.
It’s a good practice to rotate the keys regardless of whether there is a leak. This action minimizes the risk of being affected by future leaks.
In addition, Google urged all Android OEMs to drastically minimize the frequency of using platform keys for signing other apps. Google suggests signing only the applications that need the highest level of permission. This step will avoid a lot of potential security issues.
What Can You Do To Protect Yourself?
Details of the latest Android security leak are still being confirmed. However, you can protect yourself before effective patches land on your device. First, ensure you are in the latest firmware available for your device. If your phone is no longer getting Android security updates, check whether you are in the latest available version.
Additionally, do not sideload applications to your phone. Even if the sideload is for updating an app already installed on the phone, you should not do it. The update can contain malware. But if you have to sideload, make sure you completely trust the file.
