Android malware apps may be signed with manufacturer keys that leaked from Samsung, LG, and other tech firms that often produce apps to go with their hardware. While there is minimal risk for apps and updates that are downloaded via official app stores, the security leak creates a serious threat that apps sideloaded from third-party sites may be infected in a way that is difficult to detect.
Risk of malicious updates, infected apps being sideloaded onto devices
Manufacturer keys provided by Google to some hardware manufacturers allow for complete system access, the intention being to validate the installed version of Android and to facilitate things like diagnostic and system update apps and device-specific app stores. The problem is that these keys need to be tightly guarded, as any app signed with them is granted the same system-level permissions.
That horse now appears to be out of the barn, as security leaks at a number of different device manufacturers have made an array of these keys available to threat actors. If one of these malware apps is downloaded, the end user only needs to install it for it to compromise the device; no phishing tricks or malware attachments are required. A previously “safe” app could even be compromised via a malicious update that is installed automatically.
That’s all in theory; in practice, an attacker would have to breach a company in some other way to get the malicious update into the app. Google says that the Play Store is already scanning for malicious apps attempting to use these manufacturer keys, and the other involved manufacturers say they have mitigated their own systems similarly. The biggest risk lies in sideloading of apps outside of the app store framework, and one of the biggest of these sources (APKMirror) says that it has detected the keys in at least several malware apps uploaded to the site.
Unfortunately, we do not know the full range of manufacturers impacted by this, as Google has opted not to share names. However, some have been revealed via listings posted to VirusTotal. In addition to Samsung and LG, keys have leaked from major chip manufacturer MediaTek and a number of smaller device and accessory manufacturers.
Source of security leak, total number of manufacturers impacted still not known
The good news is that all of the manufacturers known to be impacted say that they addressed the issue by May 2022, long before Google made the issue known to the public. The bad news is that some of the impacted manufacturers may still not be known, making it more difficult to implement defenses against potential malicious apps. And not only are the keys apparently in use in apps meant for sideloading, research by VirusTotal indicates some of these malware apps may have been available since 2016.
The primary remediation is simply for manufacturers to rotate the signing keys that they use, but this is done infrequently, and the general public has no way to know if or when it has happened. Google has likely locked down the Play Store at this point, but users of apps bundled with devices from smaller manufacturers that update directly may have to wonder whether the security leak has truly been addressed in full.
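The two points above, that a device grants platform-level trust to anything carrying a valid signature from the platform key (so a leaked key makes malware indistinguishable from the OEM's own apps), and that the remedy is to rotate the key, can be made concrete with a small simulation. The following Go program is an added example, not code from the article, from Google, or from any of the manufacturers named; it models Android's decision with a deliberately simplified stand-in (an ECDSA signature over a content digest and a public-key fingerprint in place of an embedded X.509 certificate and the real APK Signature Scheme), and all package names and contents in it are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// SignedAPK is a simplified stand-in for an installed package: the digest of
// its contents, a signature over that digest, and the signer's public key
// (Android embeds the full signing certificate; the key alone suffices here).
type SignedAPK struct {
	Name   string
	Digest [32]byte
	Sig    []byte
	Signer *ecdsa.PublicKey
}

// Fingerprint derives a certificate-style identifier for a public key:
// SHA-256 over its DER-encoded SubjectPublicKeyInfo.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Sign produces a package signed with key, exactly as an OEM build system
// would; anyone holding a leaked copy of the key can do the same.
func Sign(name string, contents []byte, key *ecdsa.PrivateKey) SignedAPK {
	digest := sha256.Sum256(contents)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return SignedAPK{Name: name, Digest: digest, Sig: sig, Signer: &key.PublicKey}
}

// DevicePolicy models the part of the platform that decides whether an app
// receives platform-signature privileges (hypothetical; not Android's code).
type DevicePolicy struct {
	PlatformKey *ecdsa.PublicKey // the certificate currently trusted as "platform"
	Revoked     map[string]bool  // fingerprints refused even if the signature verifies
}

// GrantsSystemPrivileges returns true when the device would treat apk as a
// platform app: the signature verifies under the embedded signer, the signer
// is the current platform certificate, and that certificate is not revoked.
func (p DevicePolicy) GrantsSystemPrivileges(apk SignedAPK) bool {
	if !ecdsa.VerifyASN1(apk.Signer, apk.Digest[:], apk.Sig) {
		return false
	}
	fp := Fingerprint(apk.Signer)
	return fp == Fingerprint(p.PlatformKey) && !p.Revoked[fp]
}

// Outcome records the trust decisions before and after key rotation.
type Outcome struct {
	OEMAppBeforeRotation        bool // legitimate OEM app, leaked key still trusted
	MalwareBeforeRotation       bool // malware signed with the leaked key
	MalwareWithOwnKey           bool // malware signed with an attacker's own key
	MalwareAfterRotation        bool // leaked-key malware after rotation + revocation
	StaleOEMAppAfterRotation    bool // original OEM app, not yet re-signed
	ResignedOEMAppAfterRotation bool // OEM app re-signed with the new platform key
}

// Scenario walks through the leak and the remediation on one simulated device.
func Scenario() Outcome {
	oemContents := []byte("constructed OEM diagnostics app contents")
	leakedKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	oemApp := Sign("com.example.oem.diagnostics", oemContents, leakedKey)
	malware := Sign("com.example.sideloaded", []byte("constructed malicious contents"), leakedKey)
	unsignedMalware := Sign("com.example.sideloaded", []byte("constructed malicious contents"), attackerKey)

	device := DevicePolicy{PlatformKey: &leakedKey.PublicKey, Revoked: map[string]bool{}}
	var o Outcome
	o.OEMAppBeforeRotation = device.GrantsSystemPrivileges(oemApp)
	o.MalwareBeforeRotation = device.GrantsSystemPrivileges(malware) // same key, same trust
	o.MalwareWithOwnKey = device.GrantsSystemPrivileges(unsignedMalware)

	// Remediation: rotate to a fresh platform key and revoke the leaked one.
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	device.PlatformKey = &newKey.PublicKey
	device.Revoked[Fingerprint(&leakedKey.PublicKey)] = true

	o.MalwareAfterRotation = device.GrantsSystemPrivileges(malware)
	o.StaleOEMAppAfterRotation = device.GrantsSystemPrivileges(oemApp)
	o.ResignedOEMAppAfterRotation = device.GrantsSystemPrivileges(Sign(oemApp.Name, oemContents, newKey))
	return o
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The run shows why the article treats rotation as the only real fix and why it is painful: before rotation, the device cannot tell the OEM's diagnostics app from malware signed with the same leaked key (only a package signed with some other key is refused), and after rotation the leaked-key malware is refused, but so is every legitimate app that has not yet been re-signed with the new key, which is the cost that makes rotation infrequent.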