Article 66RW4 Samsung's Android App-Signing Key Has Leaked, is Being Used to Sign Malware

Samsung's Android App-Signing Key Has Leaked, is Being Used to Sign Malware

by
janrinok
from SoylentNews on (#66RW4)

fliptop writes:

The cryptographic key proves an update is legit, assuming your OEM doesn't lose it:

A developer's cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you're installing. The matching keys ensure the update actually comes from the company that originally made your app and isn't some malicious hijacking plot. If a developer's signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.

On Android, the app-updating process isn't just for apps downloaded from an app store, you can also update bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren't subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.

Guess what has happened! ukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung,LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.

Previously: Android Password-Stealing Malware Infects 100,000 Google Play Users

Originally spotted on Schneier on Security.

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments