CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Android app signing keys leaked and used to sign malware

admin by admin
December 12, 2022
in Information Security


Samsung, LG, MediaTek, and smaller OEMs are listed on the leaked keys list.

One of the most important pillars of Android security is the cryptographic signature key used by developers. Android app updates require that the sign key from the older app on your phone match the one you’re installing. Matching keys are required to ensure that the update comes from the original company and isn’t a malicious hijacking plot. Android would be happy to install app updates if the signing key of a developer was compromised.

Lukasz Siewierski, a member of Google’s Android Security Team, has posted a message on the Android Partner Vulnerability Incident (AVPI) issue tracker that details leaked platform cert keys being used to create malware. Although the post only lists the keys, running them through different services, such as Google’s VirusTotal will identify the ones that have been compromised. Samsung, LG, MediaTek, and smaller OEMs are listed on the leaked keys list.

Android app updating is not limited to apps downloaded from an App Store. It also allows you to update bundled-in Android system apps created by Google, your device maker, or any other bundled app. Downloaded apps can only access certain permissions and controls. Bundled-in Android system apps have much more powerful permissions than downloaded apps and are not subject to Play Store restrictions.

Why OEMs should stop using the compromised keys for their apps security

In this scenario, it’s difficult to figure out why Samsung, for example, is still using the leaked key. Android’s Signature Scheme V3 lets developers change app keys by simply updating. This allows you to authenticate the app with both the old and the new key, and indicates that only the new key will be supported for future updates. It’s an essential requirement for Play Store apps — however, OEM system apps are not subjected to these Play Store rules.

There are, in fact, malware samples signed with the stolen keys from 2016. There is some good news: None of these malicious samples have made it to the Play Store. Also, the leaked keys only belong to apps — these aren’t the keys that are used to sign OS upgrades, which would have been a true nightmare scenario.

This piece of news serves as a reminder that it’s crucial for us to actively protect our devices, as they are exposed to all types of attacks, from malware to phishing, which has recently been targeting mobile phone users via SMS. 



Source link

Previous Post

How to Innovate by Introducing Product Management in SMB and Non-Tech Companies

Next Post

How to use Amazon Verified Permissions for authorization

Related Posts

Information Security

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

by admin
February 2, 2023
Information Security

AWS achieves ISO 20000-1:2018 certification for 109 services

by admin
February 2, 2023
Information Security

Everything you need to know

by admin
February 2, 2023
Information Security

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

by admin
February 1, 2023
Information Security

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager

by admin
February 1, 2023
Next Post

How to use Amazon Verified Permissions for authorization

Recommended

Initiatetogoapproach

February 2, 2023

New Russian-Backed Gamaredon’s Spyware Variants Targeting Ukrainian Authorities

February 2, 2023

AWS achieves ISO 20000-1:2018 certification for 109 services

February 2, 2023

Everything you need to know

February 2, 2023

Influentialleadership ~ Future of CIO

February 1, 2023

Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

February 1, 2023

© 2022 CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.