2022-12-03

A major Android leak has left millions of devices across the globe vulnerable to malware. While the leak does not affect most Android devices on the planet, it does pose a problem for users of Samsung and LG smartphones and the devices powered by MediaTek chips.

For the unversed, an important part of how Android OS protects smartphones is the application signing process. This process ensures that the software updates delivered to users’ smartphones come from legitimate developers. To add another layer of security, the process requires a signing key that is specific to the app developer and is always kept private.

Now, Łukasz Siewierski (via Mishaal Rahman), a Google employee and malware reverse engineer, has said that the certificates of several Android OEMs were leaked online. These keys can be used by malicious actors to inject malware into users’ smartphones. What’s concerning is that this signing key carries the highest level of OS privileges, which means that a malicious actor can inject malware without Google, the device maker or the app developer ever knowing about it. In theory, the malicious actor can inject the malware posing as a legitimate app update if users download the update from a third-party website.

Folks, this is bad. Very, very bad. Hackers and/or malicious insiders have leaked the platform certificates of several vendors. These are used to sign system apps on Android builds, including the “android” app itself. These certs are being used to sign malicious Android apps! https://t.co/lhqZxuxVR9 — Mishaal Rahman (@MishaalRahman) December 1, 2022

“A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system,” Google wrote in a blog post.
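The two mechanisms described above (a shared signing certificate and the `android.uid.system` shared user id) are what an incident responder would check for when triaging a device after a platform-key leak: any package that is signed with the device's platform certificate, or that asks to run as the system user, but was not installed from the system image is out of place. The script below is an added example, not code from the article, Google or any OEM. The package-record format, the install paths and every certificate byte string and fingerprint in it are constructed for illustration; on a real device the signer fingerprint would come from `apksigner verify --print-certs` or from the package manager.

```python
"""Flag installed packages that reuse the platform signing certificate or
request android.uid.system without living on the system image.

Added example (not from the article). The PackageRecord format and all
certificate bytes below are constructed placeholders, not real OEM data.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Partitions that make up the system image; packages installed from here
# are expected to carry the platform certificate.  (Assumed list.)
SYSTEM_PATH_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

PRIVILEGED_SHARED_UID = "android.uid.system"


@dataclass
class PackageRecord:
    name: str                        # package name, e.g. com.example.app
    code_path: str                   # where the APK is installed on the device
    signer_der: bytes                # DER bytes of the APK signing certificate
    shared_user_id: Optional[str] = None   # android:sharedUserId from the manifest, if any


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated as apksigner prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_system_path(path: str) -> bool:
    """True if the APK was installed from one of the system image partitions."""
    return path.startswith(SYSTEM_PATH_PREFIXES)


def find_suspicious(packages: List[PackageRecord],
                    platform_cert_der: bytes) -> List[Tuple[str, List[str]]]:
    """Return (package name, reasons) for every package that should not
    have platform-level trust: same signer as the "android" package, or a
    request for android.uid.system, while installed outside the system image."""
    platform_fp = cert_fingerprint(platform_cert_der)
    findings = []
    for pkg in packages:
        if is_system_path(pkg.code_path):
            continue  # system-image packages are expected to use the platform key
        reasons = []
        if cert_fingerprint(pkg.signer_der) == platform_fp:
            reasons.append("signed with the platform certificate")
        if pkg.shared_user_id == PRIVILEGED_SHARED_UID:
            reasons.append("requests sharedUserId android.uid.system")
        if reasons:
            findings.append((pkg.name, reasons))
    return findings


# ---- constructed sample data (placeholders, not real certificates) ----
PLATFORM_CERT_DER = b"CONSTRUCTED-PLATFORM-CERT-DER"
OTHER_CERT_DER = b"CONSTRUCTED-THIRD-PARTY-CERT-DER"

SAMPLE_PACKAGES = [
    # The "android" package itself: platform key on the system image, expected.
    PackageRecord("android", "/system/framework/framework-res.apk",
                  PLATFORM_CERT_DER, PRIVILEGED_SHARED_UID),
    # Ordinary sideloaded app with its own developer key: fine.
    PackageRecord("com.example.notes", "/data/app/com.example.notes-1/base.apk",
                  OTHER_CERT_DER),
    # Sideloaded app signed with the platform key: exactly the leak scenario.
    PackageRecord("com.example.fakeupdate", "/data/app/com.example.fakeupdate-1/base.apk",
                  PLATFORM_CERT_DER),
    # Sideloaded app asking for the system UID (would be refused at install
    # without the platform signature, but worth surfacing regardless).
    PackageRecord("com.example.helper", "/data/app/com.example.helper-1/base.apk",
                  OTHER_CERT_DER, PRIVILEGED_SHARED_UID),
]


def main() -> None:
    for name, reasons in find_suspicious(SAMPLE_PACKAGES, PLATFORM_CERT_DER):
        print(f"{name}: {'; '.join(reasons)}")


if __name__ == "__main__":
    main()
```

The point of skipping system-image paths is that the platform certificate is supposed to appear there; the anomaly the Google quote describes is that same certificate, or the `android.uid.system` request, turning up on an APK that arrived from anywhere else. Rotating the platform key, as Google advised, changes `PLATFORM_CERT_DER` for new builds but does nothing for packages already installed, which is why the historical check above is still useful after rotation.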

Thankfully, all hope isn’t lost yet. The Android Security Team has already informed the affected companies about the issue. The tech giant has also advised the affected companies to ‘rotate the platform certificate by replacing it with a new set of public and private keys’.

“Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future,” the company added.

Furthermore, a report by XDA Developers says that Samsung has been aware of the issue for a long time and patched the vulnerability long ago. “We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability,” the company said in a statement to the publication.