Major Android Security Leak Disclosed

Bad news for anyone who owns a Samsung, LG, Xiaomi among other Android phones. Apparently this phones have been left vulnerable to malicious apps with system-level privileges, following the leaking of their platform-signing keys:

As shared by Googler Łukasz Siewierski (via Mishaal Rahman), Google’s Android Partner Vulnerability Initiative (APVI) has publicly disclosed a new vulnerability that affected devices from Samsung, LG, and others.

The core of the issue is that multiple Android OEMs have had their platform signing keys leaked outside of their respective companies. This key is used to ensure that the version of Android that’s running on your device is legitimate, created by the manufacturer. That same key can also be used to sign individual apps.

By design, Android trusts any app signed with the same key used to sign the operating system itself. A malicious attacker with those app signing keys would be able to use Android’s “shared user ID” system to give malware full, system-level permissions on an affected device. In essence, all data on an affected device could be available to an attacker.

Notably, this Android vulnerability doesn’t solely happen when installing a new or unknown app. Since these leaked platform keys are also in some cases used to sign common apps — including the Bixby app on at least some Samsung phones — an attacker could add malware to a trusted app, sign the malicious version with the same key, and Android would trust it as an “update.” This method would work regardless of if an app originally came from the Play Store, Galaxy Store, or was sideloaded.

Google’s public disclosure doesn’t lay out which devices or OEMs were affected, but it does display the hash of example malware files. Helpfully, each of the files has been uploaded to VirusTotal, which also often reveals the name of the affected company. With that, we know the following companies’ keys were leaked (though some keys have not yet been identified):

  • Samsung
  • LG
  • Mediatek
  • szroco (makers of Walmart’s Onn tablets)
  • Revoview

Yikes! I have a pair of comments from Venafi on this:

Tony Hadfield, Sr. Director of Solutions Architects at Venafi“This is a great example of what happens when organizations sign code without a plan to manage code signing keys. If they keys fall into the hands of an attacker it can lead to catastrophic breaches. The only way to prevent this kind of problem is to have an auditable, ‘who/what/where’ solution: how do you control signing keys, where are they stored, who has access to them, and which kind of code gets signed? You need this information to protect your keys and also respond quickly to a breach by rotating your public and private keys.”

Ivan Wallis, Global Architect at Venafi: This is a great example that showcases the lack of proper security controls over code signing certificates, in particular the signing keys for the Android platform. These certificate leaks are exactly related to this, where these vendor certificates made it into the wild, allowing for the opportunity for misuse and the potential to sign malicious android applications masquerading as certain “vendors”, similar to Solarwinds. Bad actors can essentially gain the same permissions as of the core service. The lack of the who/what/where/when around code signing makes it difficult to know the impact of a breach, because that private key could be anywhere. At this point it must be considered a full compromise of the code signing environment and key/certificate rotation must happen immediately.”

The article that I linked to has some really good advice in terms of protecting yourself. Specifically”

While the details of this latest Android security leak are being confirmed, there are some simple steps you can take to make sure your device stays secure. For one, be sure that you’re on the newest firmware available for your device. If your device is no longer receiving consistent Android security updates, we recommend upgrading to a newer device as soon as possible.

Beyond that, avoid sideloading applications to your phone, even when updating an app that’s already on your phone. Should the need to sideload an app arise, be sure you completely trust the file you’re installing.

This is advice that you should be following anyway as it will keep you safe from exploits of any type.

Leave a Reply

%d bloggers like this: