
posted by hubie on Tuesday December 06, @06:31AM

Samsung's Android app-signing key has leaked, is being used to sign malware:

A developer's cryptographic signing key is one of the major linchpins of Android security. Any time Android updates an app, the signing key of the old app on your phone needs to match the key of the update you're installing. The matching keys ensure the update actually comes from the company that originally made your app and isn't some malicious hijacking plot. If a developer's signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.

On Android, the app-updating process isn't just for apps downloaded from an app store; you can also update bundled-in system apps made by Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled-in Android system apps have access to much more powerful and invasive permissions and aren't subject to the usual Play Store limitations (this is why Facebook always pays to be a bundled app). If a third-party developer ever lost their signing key, it would be bad. If an Android OEM ever lost their system app signing key, it would be really, really bad.

Guess what has happened! Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.

[...] What OEMs really need to do is stop using the compromised keys to secure their apps. It's not clear why Samsung continues to use the key. Android's APK Signature Scheme V3 allows developers to change app keys with just an update—you authenticate an app with the new and old key and indicate that only the new key is supported for updates. This is a requirement for Play Store apps, but again, system apps from OEMs are not subject to any of the Play Store rules, so some OEMs are still using the old v2 signature scheme.

Thankfully, these leaked keys are only for apps and not the keys used to sign OS updates. So even if the v3 signature scheme is not in use, theoretically the affected companies could ship a still-secure OTA update that includes new system apps with new keys, and they could make new corresponding Play Store updates that are compatible with those new keys. That sounds like a lot of work, though.
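The update rule in the first paragraph (the update's key must match the installed app's key) and the v3 key rotation described above can be shown end to end in a small model. The Go program below is an added illustration written for this page; it is not code from Ars Technica, Google or any OEM. It uses Ed25519 key pairs as stand-ins for signing certificates, a single `OldMaySign` flag as a simplified stand-in for the per-certificate capabilities of the real APK Signature Scheme v3 lineage, and constructed payloads (`"v1"`, `"v2"`, `"malware"`); all type and function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signer stands in for a signing certificate and its private key (Ed25519 for brevity).
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() Signer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return Signer{pub, priv}
}

// Link is one hop of a v3-style lineage: the old key certifies the new key and states
// whether it may itself still sign updates (simplified stand-in for real capabilities).
type Link struct {
	OldPub, NewPub ed25519.PublicKey
	OldMaySign     bool
	SigByOld       []byte // old key's signature over linkBody(l)
}

// linkBody is what the old key signs when it certifies the new key.
func linkBody(l Link) []byte {
	return []byte(fmt.Sprintf("lineage:%x:%t", l.NewPub, l.OldMaySign))
}

// APK is what the installer sees (real v3 also binds the lineage into the APK signature).
type APK struct {
	Payload []byte
	Signer  ed25519.PublicKey
	Sig     []byte
	Lineage []Link
}

func (s Signer) Sign(payload []byte, lineage []Link) APK {
	return APK{payload, s.Pub, ed25519.Sign(s.priv, payload), lineage}
}

// position verifies every hop of the lineage and returns where key k sits in
// it (0 = root key), or -1 if the lineage is invalid or does not contain k.
func position(lineage []Link, k ed25519.PublicKey) int {
	pos := -1
	for i, l := range lineage {
		if (i > 0 && !bytes.Equal(lineage[i-1].NewPub, l.OldPub)) ||
			!ed25519.Verify(l.OldPub, linkBody(l), l.SigByOld) {
			return -1 // hops do not chain, or a hop is not signed by its old key
		}
		if bytes.Equal(l.OldPub, k) {
			pos = i
		} else if bytes.Equal(l.NewPub, k) {
			pos = i + 1
		}
	}
	return pos
}

// CheckUpdate applies the installer rule from the article: same key as the installed app,
// or a key that key authorised via a valid lineage; an older key only if its hop allows it.
func CheckUpdate(installed, update APK) error {
	if !ed25519.Verify(update.Signer, update.Payload, update.Sig) {
		return errors.New("update signature does not verify")
	}
	if bytes.Equal(installed.Signer, update.Signer) {
		return nil // the classic same-key rule
	}
	from, to := position(update.Lineage, installed.Signer), position(update.Lineage, update.Signer)
	if from < 0 || to < 0 {
		return errors.New("update signer not authorised by the installed key")
	}
	if to < from && !update.Lineage[to].OldMaySign {
		return errors.New("update signed by a retired key")
	}
	return nil
}

// Scenario plays out the story with constructed keys: the vendor key leaks,
// the vendor rotates, and the leaked key is tried again after the rotation.
func Scenario(oldKeyKeepsRights bool) (leakBefore, rotation, leakAfter bool) {
	old, next := NewSigner(), NewSigner()
	v1 := old.Sign([]byte("v1"), nil) // what devices have installed today
	link := Link{OldPub: old.Pub, NewPub: next.Pub, OldMaySign: oldKeyKeepsRights}
	link.SigByOld = ed25519.Sign(old.priv, linkBody(link)) // old key authorises next key
	v2 := next.Sign([]byte("v2"), []Link{link})
	malware := func(lineage []Link) APK { return old.Sign([]byte("malware"), lineage) }
	leakBefore = CheckUpdate(v1, malware(nil)) == nil         // no rotation yet: accepted
	rotation = CheckUpdate(v1, v2) == nil                     // legitimate rotation: accepted
	leakAfter = CheckUpdate(v2, malware([]Link{link})) == nil // after rotation, with v2's public lineage
	return
}
```

`Scenario(false)` models the rotation the article recommends: devices still on the leaked key accept anything it signs, but once the rotated `v2` is installed, an update signed by the leaked key is refused even if it carries the (public) lineage copied from `v2`. `Scenario(true)` is the weak setting, where the old key keeps its update rights after rotation and the leaked key is still accepted.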


  • (Score: 4, Funny) by Rosco P. Coltrane on Tuesday December 06, @08:08AM

    by Rosco P. Coltrane (4757) on Tuesday December 06, @08:08AM (#1281370)

    When I'm done signing my app, I delete the private key file. Ah! Try to steal that one bitches!

  • (Score: 4, Informative) by driverless on Tuesday December 06, @09:28AM (1 child)

    by driverless (4770) on Tuesday December 06, @09:28AM (#1281375)

    This key leaked in 2016, five years ago. In those entire five years, although it's been used to sign third-party malware, no other known security issue has come up because of it. In other words, the thing it was supposedly protecting, but wasn't, suffered no attacks.

    The only reason why it can't be labelled 100% pure security theatre is that it actually had a net negative effect as the key was useful for getting malware past security checks.

    • (Score: 3, Interesting) by DannyB on Tuesday December 06, @07:07PM

      by DannyB (5839) Subscriber Badge on Tuesday December 06, @07:07PM (#1281421) Journal

      If you had this capability to sign apps and escape detection for years, that could be useful to some governments who might want to target specific individuals for tweeting things that are not Right.

      Once you launch some massive attack, you only draw attention to the problem, and you soon lose this particular attack vector.

      --
      How often should I have my memory checked? I used to know but...
  • (Score: 4, Insightful) by ledow on Tuesday December 06, @01:09PM

    by ledow (5567) on Tuesday December 06, @01:09PM (#1281387) Homepage

    So you re-sign your apps, revoke the key, and carry on.

    I mean, if you manage THAT many apps, I'd expect you to already be doing this on a regular basis, e.g. whenever a particular developer leaves or annually. There should be a script that can just do it for you.

    But, no, I bet that key will be left in the wild for years because "the guy who knows how" has gone, or they can't recompile something because they didn't keep the source, or because they just can't be bothered to spend time re-signing a 10 year old app, etc. etc.
