Google Discovers Samsung and LG Phones Are Vulnerable Due to Leaked Certificates.
- Łukasz Siewierski, a Google employee, discovered the vulnerability.
- Google is reported to have released a statement assuring consumers that they are protected.
- Hashes of the malware samples have been published online.
Google's Android Partner Vulnerability Initiative has disclosed a significant security leak: a new vulnerability affecting Android handsets from well-known manufacturers including Samsung and LG, among others.
Because signing keys used by Android OEMs were made public, malware or fraudulent apps could pass as 'trusted' ones. The problem was first identified in May of this year, after which some companies, including Samsung, took action to close the vulnerability.
Google employee Łukasz Siewierski discovered the security hole (via Esper's Mishaal Rahman). In a series of tweets, Siewierski disclosed that Android Trojan apps had been signed with platform certificates. The issue stems from a flaw in a core trust mechanism of the Android platform, which malicious actors could exploit.
Android's shared user ID mechanism automatically trusts any application signed with a legitimate platform signing key, the key used to sign the core system applications. Since the platform signing keys of several Android OEMs have been made public, malware authors can now obtain system-level privileges on a target device.
The attacker would have access to all user data on that device, just as any other system app from the manufacturer signed with the same certificate does. Another worrying aspect of the vulnerability is that it does not necessarily require a user to install a brand-new or 'unknown' programme. Widely used, trusted programmes such as Samsung's Bixby app could potentially be signed with the leaked platform keys.
If a user downloaded such an app from a third-party website, they would receive no warning during installation, because its certificate would match the one already on their device. Google has not stated publicly which OEMs or devices are currently affected, although the publication does provide a list of sample malware files.
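The two trust rules the article describes, platform-signed apps being granted the system shared user ID and updates being accepted silently when the signer matches the installed copy, are modelled below in an added example. This is not Android's code, nor anything from Google's publication: the certificate bytes, package names and fingerprints are constructed stand-ins (Android's real check reads the certificate from the APK signing block), and the `audit` function is an assumed defender-side check for packages that hold system privileges without having shipped in the firmware, or that are signed with a certificate on a list of known-leaked platform certificates.

```python
"""Model of Android's platform-signature trust decision plus a defender audit.

Added example, not Android's own code. Certificates, fingerprints and package
records below are constructed stand-ins; a real check extracts the signing
certificate from the APK signing block before fingerprinting it.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

SYSTEM_SHARED_UID = "android.uid.system"

# Constructed stand-ins for DER-encoded certificates (not real keys or certs).
OEM_PLATFORM_CERT = b"CONSTRUCTED DER: OEM platform signing certificate"
DEVELOPER_CERT = b"CONSTRUCTED DER: ordinary third-party developer certificate"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the form Android reports signers in."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Package:
    name: str
    signer_der: bytes
    shared_user_id: Optional[str] = None  # android:sharedUserId from the manifest
    from_firmware: bool = False           # shipped on the system partition


@dataclass
class Device:
    platform_cert_der: bytes
    installed: dict = field(default_factory=dict)  # package name -> Package

    def platform_fingerprint(self) -> str:
        return cert_fingerprint(self.platform_cert_der)


def install_decision(device: Device, pkg: Package) -> dict:
    """Decide whether pkg installs and which privileges it receives.

    Two rules from the article:
      * an update is accepted only when its signer matches the installed copy,
        so a repackaged app signed with the same key raises no warning;
      * android.uid.system is granted only to apps signed with the platform
        key, and a request for it under any other key is refused.
    """
    fp = cert_fingerprint(pkg.signer_der)
    existing = device.installed.get(pkg.name)
    signer_matches = existing is None or cert_fingerprint(existing.signer_der) == fp
    platform_signed = fp == device.platform_fingerprint()
    wants_system_uid = pkg.shared_user_id == SYSTEM_SHARED_UID

    if not signer_matches:
        return {"installed": False, "reason": "signature mismatch with installed package"}
    if wants_system_uid and not platform_signed:
        return {"installed": False, "reason": "sharedUserId requires platform signature"}
    device.installed[pkg.name] = pkg
    return {"installed": True, "system_uid": wants_system_uid,
            "platform_signed": platform_signed}


def audit(device: Device, leaked_fingerprints: set) -> list:
    """Assumed defender check: flag packages holding the system UID that did
    not ship in the firmware, and packages signed by a known-leaked cert."""
    findings = []
    for pkg in device.installed.values():
        if pkg.shared_user_id == SYSTEM_SHARED_UID and not pkg.from_firmware:
            findings.append(f"{pkg.name}: system UID held by non-firmware package")
        if cert_fingerprint(pkg.signer_der) in leaked_fingerprints:
            findings.append(f"{pkg.name}: signed with a known-leaked platform certificate")
    return findings


def demo() -> list:
    """Walk through the scenario from the article on a constructed device."""
    device = Device(OEM_PLATFORM_CERT)
    # Legitimate OEM system app, as shipped in the firmware.
    install_decision(device, Package("com.oem.settings", OEM_PLATFORM_CERT,
                                     SYSTEM_SHARED_UID, from_firmware=True))
    # Sideloaded app signed with the leaked platform key: installs, gets system UID.
    install_decision(device, Package("com.example.torch", OEM_PLATFORM_CERT,
                                     SYSTEM_SHARED_UID))
    # Same request under an ordinary developer key: refused by the platform.
    install_decision(device, Package("com.example.other", DEVELOPER_CERT,
                                     SYSTEM_SHARED_UID))
    leaked = {cert_fingerprint(OEM_PLATFORM_CERT)}  # constructed deny list
    return audit(device, leaked)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `demo()` yields three findings: the sideloaded app is flagged twice (non-firmware package with system UID, leaked signer), and the OEM's own settings app is flagged once, because it is signed with the same leaked certificate. That last finding is the practical caveat: a deny list of the leaked certificate cannot distinguish the OEM's legitimate apps from impostors, which is why the lasting fix is for the affected OEM to rotate its platform signing key and re-sign its system apps.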