Skip to content

Samsung’s Android app signing key has been leaked and is being used to sign malware

    Samsung's Android app signing key has been leaked and is being used to sign malware

    A developer’s cryptographic signing key is one of the most important pillars of Android security. Whenever Android updates an app, the signing key of the old app on your phone must match the key of the update you’re installing. The matching keys ensure that the update actually comes from the company that originally created your app and isn’t some malicious hijack scheme. If a developer’s signing key is leaked, anyone can spread malicious app updates and Android would happily install them, thinking they are legitimate.

    On Android, the app update process is not only for apps downloaded from an app store, you can also update bundled system apps made by Google, your device manufacturer, and other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store restrictions (which is why Facebook always pays to be a bundled app ). If a third-party developer ever lost their signing key, that would be bad. Like a Android OEM ever lost their system app signing key would be very, very bad.

    Guess what happened! Łukasz Siewierski, a member of Google’s Android security team, posted a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively used to sign malware. The message is just a list of keys, but running them all through APKMirror or Google’s VirusTotal site yields names for some of the compromised keys: Samsung, LG, and Mediatek are the heavyweights on the list of leaked keys , along with some smaller OEMs like Revoview and Szroco, who make Walmart’s Onn tablets.

    The signing keys of these companies have somehow been leaked to outsiders, and now you can’t trust that apps claiming to belong to these companies really belong to them. To make matters worse, the “platform certificate keys” they lost have some serious permissions. To quote the AVPI message:

    A platform certificate is the application signing certificate used to sign the “Android” application on the system image. The “android” application runs with a highly privileged user ID -android.uid.system – and has system permissions, including permissions to access user data. Any other application signed with the same certificate can indicate that it wants to run with the same user ID, giving it the same level of access to the Android operating system.

    Esper Senior Technical Editor Mishaal Rahmanas always, has been posted great information about it on Twitter. As he explains, having an app share the same UID as the Android system isn’t quite root access, but it comes close and allows an app to break out of the limited sandboxing that exists for system apps. These apps can communicate directly with (or, in the case of malware, spy on) other apps on your phone. Imagine a more evil version of Google Play Services and you get the idea.