2022-12-02

Hundreds of thousands of Android smartphones have been left vulnerable after a major security leak allowed malware to run with the privileges of a "trusted" system app, affecting devices from Samsung, LG, Xiaomi, and others. According to a malware reverse engineer at Google, citing a Google Android Partner Vulnerability Initiative (APVI) report, the new vulnerability could allow a malicious attacker to gain system-level permissions on an affected device.

Łukasz Siewierski, the engineer, shared the findings of APVI on Twitter. The report notes that the platform signing keys of multiple Android OEMs have been leaked outside the respective companies. By design, Android trusts any app signed with the same key that is used to sign the operating system. This key is meant to guarantee that the version of Android running on a device is legitimate and was built by the manufacturer. The same key is also used to sign individual system apps.

Since the platform keys of multiple Android OEMs are now in the hands of miscreants, they could use those keys to sign an app that joins Android's "shared user ID" system, giving the malware full, system-level permissions on an affected device. In other words, attackers could gain access to all the data on an affected device because of this vulnerability.

The report further mentions that the risk is not limited to new or unknown apps: the leaked keys could also be used to sign existing system apps, such as the Bixby app on at least some Samsung phones. An attacker could add malware to a trusted app and sign it with the leaked key to make it look authentic, so that Android accepts it as an update. As 9to5Google noted, this method would work regardless of whether the app originally came from the Play Store, Samsung's Galaxy Store, or was sideloaded onto the phone.
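Because the trust decision described above rests entirely on the signing certificate, the practical check for a defender is to compare the certificate fingerprint of each installed or incoming APK against the fingerprints of the known-compromised platform keys. The script below is an added example, not code from the article or from Google's APVI report: it parses the per-signer digest lines that the Android SDK tool `apksigner verify --print-certs` prints and flags any signer whose SHA-256 certificate digest is on a blocklist. The digests in the blocklist and in the sample outputs are constructed placeholders, not the real leaked-key fingerprints; a real list would be populated from the APVI disclosure or the OEM's advisory.

```python
import re
from typing import Dict, List

# Constructed placeholder fingerprints (NOT the real leaked-key fingerprints).
# In practice this mapping is populated from the APVI disclosure or the OEM's advisory.
COMPROMISED_CERT_SHA256: Dict[str, str] = {
    "aa" * 32: "PLACEHOLDER-OEM-A platform key (leaked)",
    "bb" * 32: "PLACEHOLDER-OEM-B platform key (leaked)",
}

# Matches the per-signer digest line printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest:\s*(?P<digest>[0-9a-fA-F]{64})$"
)


def parse_signer_digests(apksigner_output: str) -> Dict[int, str]:
    """Return {signer_index: sha256_hex (lowercase)} for every signer in the output."""
    digests: Dict[int, str] = {}
    for line in apksigner_output.splitlines():
        m = DIGEST_RE.match(line.strip())
        if m:
            digests[int(m.group("idx"))] = m.group("digest").lower()
    return digests


def flag_compromised(apk_name: str, apksigner_output: str) -> List[str]:
    """Return one finding string per signer whose certificate is in the compromised set.

    An empty list means none of the APK's signers matched a known-leaked certificate.
    Because Android grants an app signed with the platform key the OS's own privileges
    (via the android.uid.system shared user ID), any match is high severity regardless
    of whether the APK arrived via an app store, an OTA-style update or sideloading.
    """
    findings: List[str] = []
    for idx, digest in sorted(parse_signer_digests(apksigner_output).items()):
        label = COMPROMISED_CERT_SHA256.get(digest)
        if label is not None:
            findings.append(f"{apk_name}: signer #{idx} certificate matches {label}")
    return findings


def audit(outputs: Dict[str, str]) -> List[str]:
    """Audit several APKs at once: {apk_name: apksigner_output} -> all findings."""
    findings: List[str] = []
    for apk_name, output in outputs.items():
        findings.extend(flag_compromised(apk_name, output))
    return findings


# Constructed sample outputs in the format apksigner prints. All digest values are fake.
SAMPLE_CLEAN = (
    "Signer #1 certificate DN: CN=Example Developer, O=Example, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'cc' * 32}\n"
    "Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567\n"
)

# Uppercase hex, as some tools print it, to show the comparison is case-insensitive.
SAMPLE_FLAGGED = (
    "Signer #1 certificate DN: CN=Android, O=Example OEM, C=KR\n"
    f"Signer #1 certificate SHA-256 digest: {'AA' * 32}\n"
    "Signer #1 certificate SHA-1 digest: 89abcdef0123456789abcdef0123456789abcdef\n"
)

if __name__ == "__main__":
    for finding in audit({"clean.apk": SAMPLE_CLEAN, "suspicious-update.apk": SAMPLE_FLAGGED}):
        print(finding)
```

To run this against a real device, pull the APK of a package with `adb shell pm path <package>` followed by `adb pull`, then feed the output of `apksigner verify --print-certs <file.apk>` (apksigner ships with the Android SDK build-tools) to `flag_compromised`. Matching on the SHA-256 digest of the certificate rather than on the subject DN is deliberate: the DN is attacker-controlled text, while the digest identifies the exact key.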

The APVI report does not list which OEMs were affected, but it contains the hashes of example malware files. Searching VirusTotal for these hashes revealed that the keys could belong to companies such as Samsung, LG, MediaTek, Revoview, and szroco, which manufactures Walmart's Onn tablets.

Google's full disclosure states that all affected OEMs were informed of the vulnerability when it was reported in May 2022. These smartphone brands have already "taken remediation measures to minimise the user impact" of security leaks like this. But according to APKMirror, some of the compromised keys were still used to sign Android apps from Samsung in the last few days.