Samsung’s Android app-signing key has leaked, is being used to sign malware

One of the linchpins of security is a developer's signature. When you install an update on your phone, the signing key on the old app needs to match the one on the new one. The matching keys make sure the update comes from the company that made the app in the first place. If a developer's signing key is leaked, anyone can distribute malicious app updates and anyone can install them on their phone.

The app-updating process isn't just for apps downloaded from an app store, you can also update other bundled apps. Facebook always pays to be a bundled app because it's not subject to the usual Play Store limitations and has access to more powerful and intrusive permissions. It would be bad for a third-party developer to lose their signing key. Losing the system app signing key is really bad.


What has happened? ukasz Siewierski is a member of the Android Security Team and he wrote a post about the leaked platform certificate keys that are being used to sign malicious software. The post is just a list of the keys, but if you run each one through a third-party website, you will see the names of some of the compromised keys.

You can't trust apps that claim to be from these companies because their signing keys were leaked. The "platform certificate keys" that they lost have a lot of authority. The post was quoted by the AVPI.

A platform certificate is the application signing certificate used to sign the "android" application on the system image. The "android" application runs with a highly privileged user id—android.uid.system—and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.

Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.