Major Android Security Leak: Is Your Phone Safe?

Security leaks and issues have become pretty common lately. We recently discussed the Android security flaws that affect phones with Mali GPUs. Those issues only touched Mali-based phones, so they may have slipped under your radar. This time things took a wilder turn. The new leak is about “trusted” apps carrying malware, and to make things worse, these “trusted” apps can gain full, system-level access to the OS on phones from multiple OEMs.

In other words, this leak involves multiple OEMs, including LG, Samsung and others: their Android platform signing keys have been leaked outside the companies that own them, and that is very bad news. But what are platform keys to begin with, and why should you care about this leak?

Signing Keys Are a Crucial Security Checkpoint

The platform signing key is the key an OEM uses to sign the core Android system packages on its devices, so the OS can verify that what it runs is the legitimate build. Any app signed with that same key is treated by Android as part of the system rather than as an ordinary “safe” third-party app. So when a malicious attacker gets hold of the platform key, they can effectively get complete access to the device.

An attacker can push malware through as a “trusted” app that installs exactly like a legitimate one. And through Android’s shared user ID mechanism (the android.uid.system shared UID is reserved for apps signed with the platform key), that malware can run with system-level permissions. Eventually, all the data on the device could be available to the attacker.

Does This Security Leak Only Affect The Sideloaded Apps?

This vulnerability is not just about installing a new app, and it is not only apps from unknown sources that can affect your device. Everyday apps are also signed with the leaked platform keys, including Bixby on Samsung devices.
In other words, an attacker with the leaked key can add malware to a trusted app and sign that malicious version with the very key Android already trusts for it. As a result, the app update will install regardless of where it came from, because Android only checks that an update is signed by the same certificate as the version already installed.

Which Devices are at Risk?

Google’s public disclosure did not lay out much information. Instead of listing the affected devices, it offers hashes of example malware files signed with the leaked keys. Thankfully, VirusTotal has each of those files, and the signer information there generally reveals which company is affected.
From that data, we know the signing key leak affected these OEMs:

  • LG
  • Mediatek
  • Samsung
  • Szroco
  • Revoview

There are some keys that VirusTotal could not identify yet, so other OEMs may also be affected by this leak.

Google’s Response To the Matter

Google’s brief explainer lays out the steps it recommends. According to it, the first step for the affected OEMs is to rotate (swap out) their Android platform signing keys, so that their devices no longer trust the leaked keys.
It is good practice to rotate keys periodically even when there is no known leak, since it limits the damage a future leak can do.

In addition, Google urged all Android OEMs to drastically reduce how often they sign other apps with the platform key, reserving it for applications that genuinely need the highest level of permission. Every app signed with the platform key is one more update target an attacker holding that key could hijack, so shrinking that set avoids a lot of potential security issues.
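To make the trust rules behind this leak concrete, here is a small Python model, added for this article and not Android source or any OEM’s code. It re-implements, in simplified form, the three decisions the sections above describe: the installer’s same-signer rule for updates, the shared-UID rule for android.uid.system, and the v3 signing-lineage check that lets a rotated key take over an app installed under the old one. The package names and the byte strings standing in for certificates are constructed placeholders.

```python
"""Simplified model of Android's signer-based install decisions.

Added example, not Android source: real Android verifies signatures and the
certificate chain inside a v3 lineage; this model only compares certificate digests.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed stand-ins for DER-encoded signing certificates (no real keys involved).
PLATFORM_CERT_LEAKED = b"constructed: OEM platform certificate #1 (leaked)"
PLATFORM_CERT_ROTATED = b"constructed: OEM platform certificate #2 (after rotation)"
THIRD_PARTY_CERT = b"constructed: unrelated developer certificate"


def cert_digest(cert: bytes) -> str:
    """Android identifies a signer by its certificate; apksigner reports it as a SHA-256 digest."""
    return hashlib.sha256(cert).hexdigest()


@dataclass(frozen=True)
class Apk:
    package: str
    signer: bytes                      # certificate that signed this APK
    lineage: tuple[bytes, ...] = ()    # v3 signing lineage: earlier certs this signer succeeds
    shared_user_id: str | None = None  # android:sharedUserId from the manifest
    payload: str = "benign"


class Device:
    """Holds the installed-package table and the current platform signer."""

    def __init__(self, platform_cert: bytes):
        self.platform_digest = cert_digest(platform_cert)
        self.installed: dict[str, dict] = {}

    def install(self, apk: Apk) -> str:
        digest = cert_digest(apk.signer)
        current = self.installed.get(apk.package)
        # Rule 1: an update is accepted only from the same signer, or from a signer whose
        # lineage names the installed signer as its predecessor.
        if current is not None:
            accepted = {digest, *(cert_digest(c) for c in apk.lineage)}
            if current["signer"] not in accepted:
                return "INSTALL_FAILED_UPDATE_INCOMPATIBLE"
        # Rule 2: only APKs signed with the platform certificate may join android.uid.system,
        # the shared UID owned by the platform-signed "android" package.
        if apk.shared_user_id == "android.uid.system" and digest != self.platform_digest:
            return "INSTALL_FAILED_SHARED_USER_INCOMPATIBLE"
        uid = "system" if apk.shared_user_id == "android.uid.system" else f"u0_{apk.package}"
        self.installed[apk.package] = {"signer": digest, "uid": uid, "payload": apk.payload}
        return "INSTALL_SUCCEEDED"

    def rotate_platform_key(self, new_cert: bytes) -> None:
        """OEM ships a build signed with a new platform key; the old one stops being 'platform'."""
        self.platform_digest = cert_digest(new_cert)


def leaked_key_scenario() -> dict[str, str]:
    """The situation the article describes: the attacker holds the OEM's platform key."""
    dev = Device(PLATFORM_CERT_LEAKED)
    # A vendor app signed with the platform key, like Bixby on Samsung phones (name constructed).
    dev.install(Apk("com.oem.assistant", PLATFORM_CERT_LEAKED))
    out = {
        # Trojanized "update" signed with the leaked key: same signer, so it replaces the real app.
        "trojan_update": dev.install(Apk("com.oem.assistant", PLATFORM_CERT_LEAKED, payload="trojan")),
        # New app signed with the leaked key that asks for the system shared UID.
        "new_system_app": dev.install(Apk("com.attacker.payload", PLATFORM_CERT_LEAKED,
                                          shared_user_id="android.uid.system", payload="trojan")),
        # The same two attempts with an ordinary developer key are rejected.
        "update_other_key": dev.install(Apk("com.oem.assistant", THIRD_PARTY_CERT, payload="trojan")),
        "system_other_key": dev.install(Apk("com.attacker.other", THIRD_PARTY_CERT,
                                            shared_user_id="android.uid.system")),
    }
    out["payload_uid"] = dev.installed["com.attacker.payload"]["uid"]
    return out


def rotation_scenario() -> dict[str, str]:
    """Google's recommended fix: rotate the platform key, then re-sign the platform apps."""
    dev = Device(PLATFORM_CERT_LEAKED)
    dev.install(Apk("com.oem.assistant", PLATFORM_CERT_LEAKED))
    dev.rotate_platform_key(PLATFORM_CERT_ROTATED)
    return {
        # Rotation alone does not protect an app still installed under the old signer.
        "trojan_before_resign": dev.install(Apk("com.oem.assistant", PLATFORM_CERT_LEAKED, payload="trojan")),
        # OEM re-signs its app; the lineage names the old cert, so the update is accepted.
        "oem_resign": dev.install(Apk("com.oem.assistant", PLATFORM_CERT_ROTATED,
                                      lineage=(PLATFORM_CERT_LEAKED,))),
        # From now on the leaked key is just another non-platform key.
        "trojan_after_resign": dev.install(Apk("com.oem.assistant", PLATFORM_CERT_LEAKED, payload="trojan")),
        "new_system_app": dev.install(Apk("com.attacker.payload", PLATFORM_CERT_LEAKED,
                                          shared_user_id="android.uid.system")),
    }


if __name__ == "__main__":
    for name, result in {**leaked_key_scenario(), **rotation_scenario()}.items():
        print(f"{name:22s} {result}")
```

The second scenario is the point behind both of Google’s recommendations: rotating the platform key immediately stops new installs from claiming android.uid.system with the leaked key, but an app that is still installed under the old signer remains updatable with that key until the OEM ships a re-signed version carrying a lineage. The fewer apps were signed with the platform key in the first place, the fewer such windows there are to close.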
What Can You Do To Protect Yourself?

Details of the latest Android security leak are still being confirmed, but you can protect yourself before effective patches land on your device. First, make sure you are on the latest firmware available for your device. If your phone no longer receives Android security updates, at least check that you are on the latest version that was released for it.

Additionally, do not sideload applications onto your phone, even to update an app that is already installed: the update could contain malware and, if it is signed with a leaked key, it will install without complaint. If you must sideload, make sure you completely trust the source of the file.
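If you want to know which apps on your own phone are in the blast radius, the question is which APKs share a signer with framework-res.apk (the “android” package, whose certificate is by definition the platform certificate). The Python below, added here and not part of the article, parses the output of the Android SDK tool `apksigner verify --print-certs` for a set of pulled APKs and lists the platform-signed ones. The sample output and digests are constructed so the script runs offline, and the APK names are placeholders.

```python
"""List installed APKs that share the platform signing certificate.

Added example, not from the article. On a real device, gather the inputs first:
    adb shell pm list packages -f                  # package name -> APK path
    adb pull /system/framework/framework-res.apk   # the "android" package: its signer is the platform cert
    adb pull <path of each APK you want to check>
    apksigner verify --print-certs <apk>           # Android SDK build-tools
This script only parses the --print-certs text; the sample below is constructed.
"""
import re

# apksigner prints one such line per signer; we only need the SHA-256 digest.
DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})$", re.MULTILINE)


def signer_digests(print_certs_output: str) -> set[str]:
    """All signer certificate digests found in one apksigner --print-certs output."""
    return set(DIGEST_RE.findall(print_certs_output))


def platform_signed(apk_outputs: dict[str, str], framework_res_output: str) -> list[str]:
    """APKs whose signer set intersects the platform signer set, sorted by name."""
    platform = signer_digests(framework_res_output)
    if not platform:
        raise ValueError("could not read the platform signer from the framework-res.apk output")
    return sorted(name for name, out in apk_outputs.items() if signer_digests(out) & platform)


# Constructed digests and apksigner-style output (not real certificates).
PLATFORM_DIGEST = "a1" * 32
OTHER_DIGEST = "b2" * 32


def fake_print_certs(digest: str, dn: str = "CN=Android, O=Android") -> str:
    """Build constructed output in the line format apksigner uses for one signer."""
    return (f"Signer #1 certificate DN: {dn}\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n"
            f"Signer #1 certificate MD5 digest: {'00' * 16}\n")


FRAMEWORK_RES = fake_print_certs(PLATFORM_DIGEST)
SAMPLE_APKS = {
    "framework-res.apk": FRAMEWORK_RES,
    "OemAssistant.apk": fake_print_certs(PLATFORM_DIGEST),            # vendor app, platform-signed
    "Browser.apk": fake_print_certs(OTHER_DIGEST, "CN=Browser Team"),  # ordinary app key
    "Game.apk": fake_print_certs(OTHER_DIGEST, "CN=Indie Dev"),
}


def audit() -> list[str]:
    """Run the check over the constructed sample."""
    return platform_signed(SAMPLE_APKS, FRAMEWORK_RES)


if __name__ == "__main__":
    for apk in audit():
        print(f"platform-signed: {apk}")
```

On a real device the list should contain framework-res.apk and a handful of system apps; anything you did not expect to see there, or any platform-signed app you installed from outside the vendor’s channel, deserves a closer look.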

Via: gizchina.com