Android app signing keys leaked and used to sign malware

Luis Corrons 12 Dec 2022

Samsung, LG, MediaTek, and smaller OEMs are listed on the leaked keys list.

One of the most important pillars of Android security is the cryptographic signing key used by developers. Android app updates require that the signing key of the older app on your phone match the one on the version you’re installing. Matching keys are required to ensure that the update comes from the original company and isn’t a malicious hijacking plot. The flip side is that if a developer's signing key is compromised, Android will happily install any update signed with it.

Lukasz Siewierski, a member of Google’s Android Security Team, has posted a message on the Android Partner Vulnerability Incident (AVPI) issue tracker that details leaked platform certificate keys being used to create malware. Although the post only lists the keys, running them through services such as Google's VirusTotal will identify the ones that have been compromised. Samsung, LG, MediaTek, and smaller OEMs are listed on the leaked keys list.

Android app updating is not limited to apps downloaded from an app store. It also covers bundled-in Android system apps created by Google, your device maker, or any other bundled app. Downloaded apps can only access certain permissions and controls. Bundled-in Android system apps have much more powerful permissions than downloaded apps and are not subject to Play Store restrictions.

Why OEMs should stop using the compromised keys for their apps' security

In this scenario, it's difficult to figure out why Samsung, for example, is still using the leaked key. Android's APK Signature Scheme v3 lets developers rotate app signing keys with an ordinary update: the update is authenticated with both the old and the new key, and it indicates that only the new key will be accepted for future updates. Key rotation is an essential requirement for Play Store apps; however, OEM system apps are not subject to these Play Store rules.
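To make the update rule and the rotation behaviour described above concrete, here is an added example (not code from the article or from Android itself): a simplified Python model of the "signing certs must match, unless a v3 lineage rotates from them" check, plus the defender-side test of whether an app's signing cert is on a leaked-key list. The certificate bytes, the `OEM_OLD`/`OEM_NEW` names and the `LEAKED` set are constructed placeholders, and the lineage is assumed to be already verified.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used as a certificate's identity (as apksigner prints it)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass(frozen=True)
class Signers:
    """Certificates an APK is signed with, plus its (assumed verified) v3 rotation lineage."""
    certs: frozenset            # fingerprints of the signing certs
    lineage: tuple = ()         # ((old_fp, new_fp), ...), oldest rotation first


def update_allowed(installed: Signers, update: Signers) -> bool:
    """Simplified model of the rule in the article: the update must be signed with the
    installed app's certs, or carry a lineage that rotates from them to its own certs.
    A cert that has already been rotated away is not accepted again."""
    if update.certs == installed.certs:
        return True             # same key: accepted, even if that key has leaked
    trusted = set(installed.certs)
    for old, new in update.lineage:     # walk the proof-of-rotation chain
        if old in trusted:
            trusted.add(new)
    return update.certs <= trusted


def signed_with_compromised(apk: Signers, compromised: frozenset) -> frozenset:
    """Defender check: which of an APK's signing certs appear on the leaked-key list."""
    return apk.certs & compromised


# --- Constructed scenario (stand-in cert bytes, not real OEM certificates) ---
OEM_OLD = fingerprint(b"constructed-oem-platform-cert-2016")     # the leaked key
OEM_NEW = fingerprint(b"constructed-oem-platform-cert-rotated")  # its replacement
LEAKED = frozenset({OEM_OLD})                                     # placeholder for the real list


def scenario() -> dict:
    system_app = Signers(frozenset({OEM_OLD}))                    # shipped with the leaked key
    malware = Signers(frozenset({OEM_OLD}))                       # attacker signs with that key
    rotated_app = Signers(frozenset({OEM_NEW}), lineage=((OEM_OLD, OEM_NEW),))
    return {
        "malware_installs_over_unrotated_app": update_allowed(system_app, malware),
        "rotation_update_installs": update_allowed(system_app, rotated_app),
        "malware_installs_after_rotation": update_allowed(rotated_app, malware),
        "flagged_certs": sorted(signed_with_compromised(system_app, LEAKED)),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The model shows why the article's advice matters: until the OEM rotates, any APK signed with the leaked key is a valid update for the system app; after rotation, the same key no longer passes.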

There are, in fact, malware samples signed with the stolen keys going back to 2016. There is some good news: none of these malicious samples have made it to the Play Store. Also, the leaked keys only belong to apps; these aren’t the keys used to sign OS upgrades, which would have been a true nightmare scenario.

This piece of news serves as a reminder that it’s crucial for us to actively protect our devices, as they are exposed to all types of attacks, from malware to phishing, the latter of which has recently been targeting mobile phone users via SMS.
