Your Samsung or Xiaomi smartphone may be at serious risk due to a leaked security certificate.
APVI (Android Partner Vulnerability Initiative) is a division of Google responsible for detecting security vulnerabilities in the operating system and related services and reporting them to Google so they can be corrected.
Recently, one of its members reported a serious vulnerability on the platform that endangers devices from brands such as Xiaomi, Samsung and LG, as well as devices built on MediaTek processors.
The vulnerability stems from the leak of the certificates these companies use to sign system software; threats have already been identified that use the leaked certificates to sign malware and carry out various kinds of attacks.
Why are these certificates so important?
Android, like other operating systems, uses security certificates to sign applications. These signatures guarantee, for example, that the version of Android running on the device is legitimate, or that the applications pre-installed on the system genuinely come from the device manufacturer.
Thanks to these signatures, Android can skip other security checks when installing an application: if the system detects that a manufacturer's signature is being used, it allows the installation and grants the app full system-level permissions. Essentially, malware signed with one of these certificates has the same access to the system as the process responsible for running everything in the Android operating system (this process is identified as android.uid.system).
Smartphones from Samsung, Xiaomi and LG, and devices with MediaTek processors, are vulnerable to the threat
To date, several kinds of malware have already been found that use this type of certificate to infect Android devices. Although the full list of manufacturers whose certificates were leaked has not been made public, it has been established that brands such as Samsung, LG, MediaTek and Xiaomi are among those affected.
Google, for its part, has already asked manufacturers to rotate the certificates used for signing and to stop using the leaked ones. They are also advised to avoid using these certificates to sign third-party applications whenever possible. In addition, Google released a statement describing the security measures in place to protect users' devices:
OEM partners were quick to implement mitigation measures as soon as they reported the compromised key. End users will be protected by mitigation measures implemented by OEM partners. Google has implemented enhanced detections for malware in a build test suite that scans system images. Google Play Protect also detects malware. There is no indication that this malware is or has ever been on the Google Play Store. As always, we recommend that users run the latest version of Android.
The first signs of the threat were detected in May 2022; however, active threats using this vulnerability have been found dating back to 2016.
As far as users are concerned, there is nothing to do except keep Android updated to the latest available version and install the available security patches. It is also recommended to avoid installing apps from sources outside Google Play as much as possible.
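The two points above, that a platform signature is what earns an app the shared system UID, and that the remedy is to rotate the signing certificate and stop trusting the leaked one, can be made concrete with a small model. The following Go program is an added example written for this article; it is not Android's own PackageManager code, and the names Signer, Package, TrustStore, Rotate, Evaluate and Scenario are assumptions made here. It stands in for an OEM's key material with freshly generated RSA keys and self-signed certificates, and it stands in for APK signature verification with a plain RSA signature over a SHA-256 digest of constructed sample bytes. What it shows is the part that matters for this incident: a signature made with a leaked key still verifies, and the only thing that stops it from being granted system privileges is the device's trust decision about that certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// must panics on error; acceptable for a self-contained demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Signer is a hypothetical OEM platform-signing identity (stand-in key material, not a real OEM key).
type Signer struct {
	priv *rsa.PrivateKey
	Cert *x509.Certificate
}
// NewSigner generates a fresh 2048-bit RSA key and a self-signed certificate for it.
func NewSigner() *Signer {
	priv := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))
	return &Signer{priv: priv, Cert: must(x509.ParseCertificate(der))}
}

// Package is a simplified signed APK: content, a signature over its SHA-256, and the signer's certificate.
type Package struct {
	Content, Sig []byte
	Cert         *x509.Certificate
}

// Sign produces a signed Package for content.
func (s *Signer) Sign(content []byte) *Package {
	h := sha256.Sum256(content)
	return &Package{Content: content, Sig: must(rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, h[:])), Cert: s.Cert}
}

// CertDigest is the SHA-256 of the DER certificate, the usual identifier in allow- and blocklists.
func CertDigest(c *x509.Certificate) string {
	d := sha256.Sum256(c.Raw)
	return hex.EncodeToString(d[:])
}

// TrustStore is the device's view: digests of the current platform certificate(s) and of known-leaked ones.
type TrustStore struct {
	Platform, Leaked map[string]bool
}
// Rotate makes next the platform certificate and records old as leaked, so its signatures earn no privileges.
func (ts *TrustStore) Rotate(old, next *x509.Certificate) {
	delete(ts.Platform, CertDigest(old))
	ts.Leaked[CertDigest(old)] = true
	ts.Platform[CertDigest(next)] = true
}

// Decision: did the signature verify, and would the package get the shared system UID (android.uid.system)?
type Decision struct {
	Verified, SystemUID bool
	Reason              string
}
// Evaluate verifies the signature, then decides trust by certificate digest. A signature made with a
// leaked key is still cryptographically valid; what must change is whether the device trusts it.
func (ts *TrustStore) Evaluate(p *Package) Decision {
	pub, ok := p.Cert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(p.Content)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], p.Sig) != nil {
		return Decision{Reason: "signature does not verify: install rejected"}
	}
	switch d := CertDigest(p.Cert); {
	case ts.Leaked[d]:
		return Decision{Verified: true, Reason: "known-leaked certificate: system UID refused"}
	case ts.Platform[d]:
		return Decision{Verified: true, SystemUID: true, Reason: "platform certificate: system UID granted"}
	default:
		return Decision{Verified: true, Reason: "third-party certificate: ordinary app sandbox"}
	}
}

// Scenario: a package signed with the platform key before the leak, the same package after
// rotation, a package signed with the new key, and a package altered after signing.
func Scenario() map[string]Decision {
	oldKey, newKey := NewSigner(), NewSigner()
	ts := &TrustStore{Platform: map[string]bool{CertDigest(oldKey.Cert): true}, Leaked: map[string]bool{}}
	app := oldKey.Sign([]byte("constructed sample APK bytes"))
	out := map[string]Decision{"before rotation": ts.Evaluate(app)}
	ts.Rotate(oldKey.Cert, newKey.Cert)
	out["after rotation"] = ts.Evaluate(app)
	app2 := newKey.Sign([]byte("constructed sample APK bytes v2"))
	out["new key"] = ts.Evaluate(app2)
	out["tampered"] = ts.Evaluate(&Package{Content: []byte("altered after signing"), Sig: app2.Sig, Cert: app2.Cert})
	return out
}
```

The "after rotation" case is the one worth studying: the package is unchanged and its signature still verifies, yet it no longer receives the system UID, because trust was revoked from the certificate rather than from the signature. That is why Google's advice is about rotating and no longer trusting the leaked certificates, and why, on the device side, only an update can deliver the new trust decision.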