365NEWSX
365NEWSX
Subscribe

Welcome

Samsung’s Android app-signing key has leaked, is being used to sign malware - Ars Technica

Samsung’s Android app-signing key has leaked, is being used to sign malware - Ars Technica

Samsung’s Android app-signing key has leaked, is being used to sign malware - Ars Technica
Dec 02, 2022 45 secs

If a developer's signing key got leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they are legit.

Łukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware.

These companies somehow had their signing keys leaked to outsiders, and now you can't trust that apps that claim to be from these companies are really from them.

To make matters worse, the "platform certificate keys" that they lost have some serious permissions.

A platform certificate is the application signing certificate used to sign the "android" application on the system image.

Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.

Summarized by 365NEWSX ROBOTS

RECENT NEWS

SUBSCRIBE

Get monthly updates and free resources.

CONNECT WITH US

© Copyright 2024 365NEWSX - All RIGHTS RESERVED