Google announced that a major security leak occurred earlier that led to the creation of malicious “trusted” applications with the ability to access the entire Android operating system on devices from major smartphone makers.
Google’s Android Partner Vulnerability Initiative, led by security engineer Lukaz Siewirski, revealed the security vulnerability that affected devices from Samsung and LG, as well as other companies.
The problem is that the signature keys of Android phone makers have been leaked, indicating that these keys were designed to be used to ensure that the version of Android running on companies’ devices is legal, and is created by the companies themselves. The keys themselves can be used to sign or approve applications installed on devices.
Given that the Android system is designed to accept any app that has the same signing keys as the operating system on the phone, hackers who have those keys can use them to grant malware full system-level permissions on affected devices, meaning that all data on those devices becomes inaccessible. reach of the pirates.
Google explained that the Android vulnerability does not only occur when installing a new or unknown application. Given that these leaked keys can, in some cases, be used to sign common apps, hackers can add the malware to a trusted app, or sign the malicious version of those apps with the same key, so Android will trust the malicious app as an update. This method works regardless of whether the app was sourced from the Google Play Store, Samsung Galaxy Store, or manually installed from outside the Stores.
Google did not reveal the names of the companies affected by this vulnerability, but by looking at examples of malicious files, it was found that the list of affected companies includes: Samsung, LG, Mediatek, szroco, and Revoview.
Google advised affected companies to alter their signature keys in such a way that the leaked keys become unusable, and it is also advised that companies do so regularly to avoid damage from any future leaks.
The US tech giant urged all Android phone manufacturers to reduce the number of times signature keys are used to approve apps, and only approve apps that need the highest level of permissions to avoid any potential security issues.
Google said that Samsung and all affected companies have taken, since reporting the problem last May, remedial measures to minimize the impact of the vulnerability on users, but the Android apps site APKMirror stated that Samsung’s Android apps containing the leaked signature keys were available for download until a few days.
Google stated in a statement that users’ devices can be protected against this security vulnerability in several ways, including the protection feature in the Google Play Store, Google Play Protect, and manufacturers’ measures, in addition to other methods. Noting that the exploitation of this vulnerability was not detected in applications distributed through the Google Play Store.
For users who are keen to keep their devices safe, they are advised to make sure that they have the latest version of the operating system installed, and if the device does not accept the latest updates, it is advised to upgrade to another device as soon as possible. Moreover, it is advised to avoid installing apps from outside the app stores even just to update an existing app.
