Millions of Android devices are vulnerable to dangerous malware apps
The issue stems from leaked platform certificates. These certificates, or signing keys, determine the legitimacy of the Android version on a device, and vendors also use them to sign apps. While the Android OS assigns a unique user ID (UID) to each app upon installation, apps that share a signing key can also share a UID and thereby access each other's data. By the same design, apps signed with the same certificate as the OS itself get the OS's privileges too.

The problem is that several companies have had their Android platform certificates leaked to the wrong people. The certificates are now being misused to sign malicious apps with the same privileges as the Android OS. Such apps gain system-level permissions on affected devices without any user input, so as soon as a malware-laden app is installed, its makers can obtain any data they want from the device without the victim noticing.

Companies signing regular apps with platform certificates makes this leak even more dangerous. Bad actors don't even have to create new apps and trick potential victims into installing them. Instead, they can simply take an app signed with the leaked keys, such as Samsung's Bixby Routines and Galaxy Watch plugins, add malware to it, sign it with the same key, and push it as an update. Whether or not the app is distributed via the Play Store, Android would trust it as a legitimate update, even if users sideload the malicious app.
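To make the signing rules above concrete, here is an added example (not code from the article, from Google, or from any OEM) that models them in a few dozen lines: a shared UID requires the same signer, the platform certificate grants the system UID, and an update is accepted only if it carries the installed version's signer. It also includes the check a defender would actually want, comparing each installed package's signer digest against a denylist of known-compromised certificates, and shows why Google's advice to rotate the platform certificate helps. Everything here is a simplified model; the certificate strings, package name and digests are constructed placeholders, not the real leaked keys.

```python
"""Simplified model of Android's signature-based privilege sharing (constructed
example, not Android source or any OEM tooling). Certificates are placeholders."""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_UID = 1000        # android.uid.system
FIRST_APP_UID = 10000    # ordinary apps are allocated UIDs from here upward


def cert_digest(cert: bytes) -> str:
    """Android identifies a signer by its certificate; SHA-256 over the DER bytes
    is the fingerprint tools such as apksigner print."""
    return hashlib.sha256(cert).hexdigest()


class Apk:
    def __init__(self, package: str, signer_cert: bytes, shared_user_id: Optional[str] = None):
        self.package = package
        self.signer = cert_digest(signer_cert)
        self.shared_user_id = shared_user_id   # android:sharedUserId in the manifest


class Device:
    def __init__(self, platform_cert: bytes):
        self.platform_signer = cert_digest(platform_cert)
        self.installed: Dict[str, Tuple[int, str]] = {}   # package -> (uid, signer digest)
        self._shared: Dict[Tuple[str, str], int] = {}     # (sharedUserId, signer) -> uid
        self._next_uid = FIRST_APP_UID

    def _alloc(self) -> int:
        uid, self._next_uid = self._next_uid, self._next_uid + 1
        return uid

    def install(self, apk: Apk) -> int:
        """Assign a UID under the rules above; raise if the signer does not qualify."""
        if apk.shared_user_id == "android.uid.system":
            # Only a package signed with the platform certificate may join the system UID.
            if apk.signer != self.platform_signer:
                raise PermissionError(f"{apk.package}: signer does not match the platform certificate")
            uid = SYSTEM_UID
        elif apk.shared_user_id:
            # A shared UID is granted only to packages with the same ID *and* the same signer.
            key = (apk.shared_user_id, apk.signer)
            if key not in self._shared:
                self._shared[key] = self._alloc()
            uid = self._shared[key]
        else:
            uid = self._alloc()
        self.installed[apk.package] = (uid, apk.signer)
        return uid

    def update(self, apk: Apk) -> bool:
        """An update is accepted only if it carries the installed version's signer."""
        uid, signer = self.installed[apk.package]
        if apk.signer != signer:
            return False
        self.installed[apk.package] = (uid, apk.signer)
        return True


def flag_compromised(device: Device, compromised: Set[str]) -> List[str]:
    """Defender check: packages whose signer is on a denylist of known-compromised digests."""
    return sorted(pkg for pkg, (_, signer) in device.installed.items() if signer in compromised)


# Constructed certificates; real ones would be the DER bytes reported by PackageManager.
OLD_PLATFORM_CERT = b"PLACEHOLDER: OEM platform certificate, later leaked"
NEW_PLATFORM_CERT = b"PLACEHOLDER: rotated OEM platform certificate"
THIRD_PARTY_CERT = b"PLACEHOLDER: unrelated developer certificate"


def scenario() -> dict:
    dev = Device(OLD_PLATFORM_CERT)
    vendor_app = Apk("com.oem.routines", OLD_PLATFORM_CERT, "android.uid.system")
    uid = dev.install(vendor_app)
    # A build signed with the same (leaked) certificate is indistinguishable to the OS,
    # so the update rule accepts it; a build under any other key is refused.
    same_key_update = dev.update(Apk("com.oem.routines", OLD_PLATFORM_CERT, "android.uid.system"))
    other_key_update = dev.update(Apk("com.oem.routines", THIRD_PARTY_CERT, "android.uid.system"))
    # Compare installed signers with the digest of the known-leaked certificate.
    flagged = flag_compromised(dev, {cert_digest(OLD_PLATFORM_CERT)})
    # After the vendor rotates its platform certificate, the old key no longer grants the system UID.
    rotated = Device(NEW_PLATFORM_CERT)
    try:
        rotated.install(vendor_app)
        old_key_still_system = True
    except PermissionError:
        old_key_still_system = False
    return {"uid": uid, "same_key_update": same_key_update, "other_key_update": other_key_update,
            "flagged": flagged, "old_key_still_system": old_key_still_system}


if __name__ == "__main__":
    print(scenario())
```

The model deliberately leaves out Android's newer key-rotation lineage and permission protection levels; the point it isolates is that the OS trusts the certificate, not the app, so the only durable fixes are the ones the article names: retire the leaked certificate and stop signing ordinary apps with it. The `flag_compromised` check is what a fleet or device-management tool would run over `PackageManager` signer data once a vendor publishes the digests of the affected certificates.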
Google says affected manufacturers have taken remediation measures
According to Google, this Android security leak was first reported in May this year. All affected manufacturers have already "taken remediation measures to minimize the user impact" of the leak. But users may still be vulnerable if they already have a malicious app installed on their device. Worse yet, some of the malware samples may have been active since 2016.

If you're using an older Android device, we advise you to upgrade to a newer model that is actively receiving security updates. You should also avoid sideloading apps and always install apps from the Google Play Store.

Meanwhile, Google recommends that Android vendors replace the compromised platform certificates and rotate them regularly to avoid similar issues in the future. Companies should also stop using platform certificates to sign apps, to minimize the risk. Hopefully, Android OEMs act on these recommendations and put user privacy and security above everything else.