Discovered by Łukasz Siewierski, a reverse engineer on Google’s Android Security team (via Mishaal Rahman), the issue has been shared in a now-public report on the Android Partner Vulnerability Initiative (APVI) issue tracker.
THE ANDROID SECURITY LEAK
Platform signing keys, or platform certificates, belonging to multiple original equipment manufacturers (OEMs) of Android devices have leaked outside their respective companies. These platform keys, which are meant to verify the authenticity of the “android” app, can also be used to sign individual apps.
“A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data,” the Google reporter explains. “Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.”
THE ISSUE DUE TO THE LEAK
Since the keys of multiple Android OEMs are now available to malicious hackers, they could use those app-signing keys to easily install malware on a smartphone and give it the highest level of access to the system, leaving it with almost unrestricted access to user data. This Android vulnerability is not limited to a new or unknown app but also extends to system apps, as the leaked platform keys allow anyone to sign common apps (like Bixby on Samsung) with the same key. Further, a hacker could add malware to a trusted app and sign the malicious version with the same key to make it look authentic, so that Android trusts it as an “update”. Since this is a trusted app, a user may see that an update is required and click the update button without giving it a second thought.
GOOGLE’S RESPONSE TO THE LEAK
While Google has publicly disclosed the issue, it did not say which devices or OEMs were most affected by the leak. To make users aware, the search giant has posted the hashes of example malware files on VirusTotal. Some of the abused platform keys uploaded to VirusTotal belong to Samsung, LG, MediaTek, Revoview, and szroco, which manufactures Walmart’s Onn tablets.

Google has told all affected vendors to rotate the platform certificate by replacing it with a new set of public and private keys. They have also been advised to conduct an internal investigation to find the root cause of the problem and take measures to prevent future incidents. “We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future,” Google added.

According to Google’s full disclosure, all OEMs were notified about the vulnerability back in May 2022; the issue has already been fixed and only the report has been published now. Samsung and other smartphone brands have therefore already “taken remediation measures to minimize the user impact”. However, according to APKMirror, some of the leaked platform keys were still being used by Samsung to digitally sign Android apps in the last few days.

“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images,” a Google spokesperson said. “Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”
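One defensive check that follows from the rotation advice above, written here as an added example and not code from Google or any OEM: parse the signer digests that `apksigner verify --print-certs` prints for an APK and compare them against a blocklist of compromised platform-certificate digests, so an analyst can tell whether a system app or update still carries a leaked certificate. The blocklist entries and the sample output are constructed placeholders (real digests must come from the APVI report or VirusTotal), and the live check assumes `apksigner` from the Android build-tools is on PATH.

```python
import re
import shutil
import subprocess

# Constructed placeholder blocklist: SHA-256 digests of signing certificates
# known to be compromised. Real values come from the APVI report / VirusTotal.
COMPROMISED_CERT_SHA256 = {
    "00" * 32: "placeholder: OEM A platform certificate",
}

# Matches the digest lines apksigner prints, e.g.
# "Signer #1 certificate SHA-256 digest: <64 hex chars>"
_DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:[ \t]*([0-9a-fA-F]{64})[ \t]*$",
    re.MULTILINE,
)


def parse_signer_digests(apksigner_output: str) -> dict:
    """Map signer index -> lowercase SHA-256 certificate digest."""
    return {int(n): d.lower() for n, d in _DIGEST_RE.findall(apksigner_output)}


def flag_compromised(digests: dict, blocklist=COMPROMISED_CERT_SHA256) -> list:
    """Return (signer index, label) for every signer whose cert is blocklisted."""
    return [(i, blocklist[d]) for i, d in sorted(digests.items()) if d in blocklist]


def check_apk(path: str) -> list:
    """Run apksigner on an APK and return the blocklisted signers, if any."""
    if shutil.which("apksigner") is None:
        raise RuntimeError("apksigner (Android build-tools) not found on PATH")
    out = subprocess.run(["apksigner", "verify", "--print-certs", path],
                         capture_output=True, text=True, check=True).stdout
    return flag_compromised(parse_signer_digests(out))


# Constructed sample in apksigner's output format, using the placeholder digest.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Android, O=Example OEM\n"
    "Signer #1 certificate SHA-256 digest: " + "00" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "11" * 20 + "\n"
)

if __name__ == "__main__":
    print(flag_compromised(parse_signer_digests(SAMPLE_OUTPUT)))
```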