It has become clear that application signing keys belonging to Android OEMs such as Samsung and LG were leaked and used to sign malware



Google Play, the official app store for Android, uses Play App Signing to manage the keys that sign the apps and updates it distributes, and device makers hold their own platform signing keys for the apps they preinstall. These signing keys are supposed to remain private, but it has now become clear that a number of signing keys used by Android OEM manufacturers have leaked and have been used to sign malware.

100 - Platform certificates used to sign malware - apvi
https://bugs.chromium.org/p/apvi/issues/detail?id=100

Android OEM key leak means sideloaded 'updates' could be hiding serious malware
https://www.xda-developers.com/android-oem-key-leak-samsung-lg-mediatek/

Samsung's Android app-signing key has leaked, is being used to sign malware | Ars Technica
https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

On Android, an update to an installed app must be signed with the same key as the version already on the device. The signature proves that the update and the installed app come from the same developer, which stops a malicious app from masquerading as an update to a legitimate one and taking over its data; this makes app signing one of Android's important security features. The flip side is that if a developer's signing key leaks, anyone holding it can install a malicious app on the device as an "update" to the legitimate one.

An Android device carries not only the apps the user downloads from Google Play but also Google's own apps and apps from the manufacturer that built the device. Ars Technica points out that apps the user installs are subject to strict permissions and controls, whereas preinstalled apps receive stronger permissions and are not subject to the usual Google Play restrictions. Accordingly, Ars Technica writes that it is bad when the developer of a third-party app that users install themselves loses their signing key, but that it is very bad when a device manufacturer whose apps are preinstalled on the device loses theirs.



Łukasz Siewierski, a member of Google's Android security team, posted to the Android Partner Vulnerability Initiative (APVI) that several platform signing keys had leaked and were being used to sign malware. An app signed with a platform key can run under a highly privileged user identity (the same user ID as the system) and thereby obtain system-level access, including permission to read user data. Malware signed with a leaked platform key can therefore gain those elevated privileges on the device simply by executing under the same user ID.

Searching for the fingerprints of the leaked signing certificates on sites such as APKMirror and VirusTotal reveals which manufacturer each key belongs to. That shows that OEMs including Samsung, LG, MediaTek, Revoview and Szroco had signing keys leak.
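The lookup described above starts from the SHA-256 fingerprint of the signing certificate, which is what APKMirror and VirusTotal index. The following script, added here as an illustration and not taken from Google, APVI or any OEM, extracts that fingerprint from the text that `apksigner verify --print-certs` prints and compares it against a blocklist the reader supplies (the APVI report lists the real fingerprints). It assumes `apksigner` from the Android SDK build-tools is on PATH when a real APK is passed; the sample output and blocklist embedded below are constructed placeholders, not real certificates.

```python
"""Recover the SHA-256 fingerprint of the certificate that signed an APK and
check it against a list of known-leaked fingerprints.

Illustrative code added for this article, not Google's, APVI's or any OEM's.
Assumptions: `apksigner` is on PATH when run_apksigner() is used; the
blocklist comes from the reader. All digests below are constructed.
"""
import re
import subprocess

# apksigner prints, per signer:
#   Signer #1 certificate DN: CN=..., O=...
#   Signer #1 certificate SHA-256 digest: <64 hex chars>
DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+?)\s*$", re.M)
SHA256_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9A-Fa-f]{64})\s*$", re.M)


def normalize_fingerprint(fp: str) -> str:
    """Lower-case hex without ':' separators, so keytool-style and
    apksigner-style fingerprints compare equal."""
    return fp.replace(":", "").strip().lower()


def parse_signers(apksigner_output: str) -> dict:
    """Map signer index -> {'dn': ..., 'sha256': ...} from apksigner's output."""
    signers = {}
    for idx, dn in DN_RE.findall(apksigner_output):
        signers.setdefault(int(idx), {})["dn"] = dn
    for idx, digest in SHA256_RE.findall(apksigner_output):
        signers.setdefault(int(idx), {})["sha256"] = normalize_fingerprint(digest)
    return signers


def leaked_signers(apksigner_output: str, blocklist) -> list:
    """Indexes of signers whose certificate fingerprint is on the blocklist."""
    block = {normalize_fingerprint(b) for b in blocklist}
    return sorted(i for i, s in parse_signers(apksigner_output).items()
                  if s.get("sha256") in block)


def run_apksigner(apk_path: str) -> str:
    """Real invocation; needs build-tools on PATH, so it is not run offline."""
    return subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=True).stdout


# Constructed sample output in apksigner's format (not a real APK or OEM cert).
SAMPLE_OUTPUT = "\n".join([
    "Signer #1 certificate DN: CN=Constructed OEM, O=Example",
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32,
    "Signer #1 certificate SHA-1 digest: " + "cd" * 20,
    "Signer #1 certificate MD5 digest: " + "ef" * 16,
    "",
])
# Constructed blocklist entry, written colon-separated as keytool prints it.
SAMPLE_BLOCKLIST = [":".join(["AB"] * 32)]

if __name__ == "__main__":
    import sys
    out = run_apksigner(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    bad = leaked_signers(out, SAMPLE_BLOCKLIST)
    for i, s in parse_signers(out).items():
        flag = "LEAKED" if i in bad else "ok"
        print(f"signer {i}: {s.get('dn', '?')}  sha256={s.get('sha256')}  [{flag}]")
```

Run it as `python check_signer.py app.apk` to inspect a real APK; the fingerprint it prints is the string to paste into the APKMirror or VirusTotal search. Note that a match against the blocklist only tells you the APK was signed with that key, not whether the file itself is malicious: legitimate OEM apps signed before the leak match too.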

Samsung leaked the most signing keys. The leaked Samsung key is the one used to sign Samsung's own apps, such as Samsung Pay and Bixby, and a search on APKMirror shows that the number of apps signed with it is enormous.

APKMirror founder Artem Russakovskii also pointed out that malware signed with the leaked Samsung key has existed since at least 2016, suggesting the key may have been compromised for a long time.




In response, Samsung told XDA Developers: "Samsung takes the security of its Galaxy devices seriously. There have been no security incidents, and we always recommend keeping your device up to date with the latest software updates." XDA Developers replied: "Samsung claims there are no known security incidents related to the vulnerability, and appears to have admitted that the company has been aware of this leaked app signing key since 2016. However, it's not clear how the vulnerability was addressed, and given that malware with a leaked app signing key was first submitted to VirusTotal in 2016, it's definitely been around somewhere."

It is not known where Siewierski discovered the leaked keys, but Google commented that no malware signed with the identified leaked keys had been detected on Google Play.

Siewierski also said that all affected parties had been notified of the findings and had taken remediation measures to minimize the impact on users; the leak was disclosed only after those measures were in place.

XDA Developers further notes that, at present, it is not clear how these signing keys were distributed or whether any damage has resulted. It cites key rotation under APK Signature Scheme v3 as the best way to deal with the problem.
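Why the same-signer rule makes a leaked key so dangerous, and why v3 key rotation is the remedy XDA points to, is easiest to see in code. The model below is an illustration added for this article, not AOSP code: it re-implements the package manager's update-acceptance rule and the shared-user-ID check over a v3 signing lineage. Certificates are represented only by SHA-256 fingerprints (the lineage signatures that prove a rotation are assumed to have been verified already), the capability names and defaults follow AOSP's SigningDetails.CertCapabilities, and every fingerprint is derived from constructed placeholder bytes rather than a real OEM certificate.

```python
"""Model of the rule Android applies when an APK is installed over an existing
package, and of how APK Signature Scheme v3 key rotation changes the outcome
for a leaked key. Added illustration, not AOSP code; lineage proofs are
assumed verified; all certificates are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass

# Capabilities a lineage grants to a *past* signer. ROLLBACK is off by default.
INSTALLED_DATA = 1   # may update packages installed under the old cert
SHARED_USER_ID = 2   # may join a sharedUserId with packages signed by the old cert
PERMISSION = 4       # may hold signature-level permissions defined by the old cert
ROLLBACK = 8         # lets an APK signed only with the old cert replace the new one
DEFAULT_CAPS = INSTALLED_DATA | SHARED_USER_ID | PERMISSION


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate: the identity the package manager records."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class SigningDetails:
    signer: str                 # current signing certificate
    past_signers: tuple = ()    # ((fingerprint, caps), ...) v3 lineage, oldest first

    def has_certificate(self, fp: str, caps: int) -> bool:
        """True if fp is the current signer, or a past signer granted all of caps."""
        if fp == self.signer:
            return True
        return any(old == fp and (granted & caps) == caps
                   for old, granted in self.past_signers)

    def check_capability(self, older: "SigningDetails", caps: int) -> bool:
        """Can this (new) signing configuration act on data owned by `older`?"""
        return self.has_certificate(older.signer, caps)


def update_allowed(installed: SigningDetails, update: SigningDetails) -> bool:
    """The package manager's check for installing `update` over `installed`."""
    return (update.check_capability(installed, INSTALLED_DATA)
            or installed.check_capability(update, ROLLBACK))


def shared_uid_allowed(uid_owner: SigningDetails, apk: SigningDetails) -> bool:
    """Can `apk` declare android:sharedUserId with packages signed by `uid_owner`
    (for android.uid.system, the platform certificate)?"""
    return apk.check_capability(uid_owner, SHARED_USER_ID)


# Constructed stand-ins for DER certificates.
LEAKED = fingerprint(b"constructed: OEM platform certificate that leaked")
ROTATED = fingerprint(b"constructed: OEM replacement certificate")
ATTACKER = fingerprint(b"constructed: attacker's own certificate")

platform_before = SigningDetails(LEAKED)
# After v3 rotation the OEM's APKs carry the lineage LEAKED -> ROTATED.
platform_after = SigningDetails(ROTATED, ((LEAKED, DEFAULT_CAPS),))
malware_leaked_key = SigningDetails(LEAKED)
malware_own_key = SigningDetails(ATTACKER)
# A rotation proof is signed by the older key, so whoever holds the leaked key
# can also mint a lineage LEAKED -> ATTACKER that unrotated devices accept.
malware_forged_rotation = SigningDetails(ATTACKER, ((LEAKED, DEFAULT_CAPS),))


def scenarios() -> dict:
    """Outcome of each install attempt; True means the device accepts it."""
    return {
        "own key cannot update OEM app": update_allowed(platform_before, malware_own_key),
        "leaked key updates OEM app": update_allowed(platform_before, malware_leaked_key),
        "leaked key joins system uid": shared_uid_allowed(platform_before, malware_leaked_key),
        "leaked key can forge rotation": update_allowed(platform_before, malware_forged_rotation),
        "genuine rotation installs": update_allowed(platform_before, platform_after),
        "leaked key blocked after rotation": update_allowed(platform_after, malware_leaked_key),
        "leaked key no system uid after rotation": shared_uid_allowed(platform_after, malware_leaked_key),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:42s} {'ALLOWED' if allowed else 'denied'}")
```

Two things the table of outcomes makes concrete. First, rotation only protects a device once the rotated build has actually been installed on it; until then the leaked key still passes the same-signer check, and can even sign a rotation of its own. Second, the protection after rotation relies on the lineage not granting ROLLBACK to the old certificate, which is the AOSP default; granting it would let an APK signed only with the leaked key replace the rotated app again.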

Posted in Mobile, Software, Security by logu_ii