A new post on Google’s Android Partner Vulnerability Initiative (APVI) website has exposed a security vulnerability that affects millions of Android devices. Hackers using the vulnerability would be able to plant malware in many OEM-branded phones from Samsung, LG, Xiaomi and others. And this malware can gain the highest privileges at the system level.
The key to this security flaw is the platform certificate. Google employee and malware reverse engineer Łukasz Siewierski, who was the first to discover the certificate issue, said these certificates or signing keys determine the legitimacy of the Android version on a device. Vendors also use these certificates to sign apps.
While Android assigns a unique user ID (UID) to each application at install time, applications that share a signing key can also have a shared UID and access to each other’s data. And with this design, apps signed with the same certificate as the OS itself get the same privileges.
And the crux of the problem is that some OEMs’ Android platform certificates were leaked to the wrong people. These certificates are now being misused to sign malicious apps with the same privileges as Android. These apps can be able to gain system-level privileges directly on the affected device without interacting with the user. So once an Android device is infected, it can access all the data without the user’s knowledge.
