
Samsung, LG Phones Vulnerable Due to Leaked Certificates, Google Finds



Google’s Android Partner Vulnerability Initiative, in a major security ***** admission, has disclosed a new key vulnerability that has affected Android smartphones from major brands such as Samsung and LG, among others. Due to the leaking of the signing keys used by Android OEMs, imposter apps or malware could disguise themselves as “trusted” apps. The issue was earlier reported in May this year, following which several companies including Samsung took actions to control the vulnerability.

The security flaw was brought to light by Google employee Łukasz Siewierski (via Esper’s Mishaal Rahman). Siewierski, through his tweets, revealed how the platform certificates have been used to sign malware apps on Android.

At the heart of the issue ***** an Android platform key trusting mechanism vulnerability that could be exploited by malicious attackers. By design, Android trusts any application that uses a legitimate platform signing key, which is used to sign core system applications, through Android’s shared user ID system.

However, the Android original equipment manufacturers (OEMs) have had their platform signing keys leaked, allowing malware creators to gain system-level permissions on a target device. This would make all user data on the particular device available to the attacker, just like another system app from the manufacturer signed with the same certificate.

Another alarming part about the vulnerability is that it doesn’t necessarily require a user to install a new or an “unknown” application. The leaked platform keys could also be used to sign common trusted apps such as the Bixby app on a Samsung device. A user who downloaded such an application from a third-party website would not see a warning when installing it on their smartphone, as the certificate would match the one on their system.

Google, however, has not explicitly mentioned the list of devices or OEMs that have so far been affected by the critical vulnerability in its disclosure. Nevertheless, the disclosure includes a list of sample malware files. The platform has since confirmed the list of affected smartphones, which include devices from Samsung, LG, Mediatek, Xiaomi and Revoview.

The search giant has also suggested ways for the affected companies to mitigate the issue at hand. The first step involves churning out Android platform signing keys that have been flagged to have been leaked and replacing them with new signing keys. The company has also urged all Android manufacturers to drastically minimise the frequent use of the platform key for an app to sign other apps.

According to Google, the issue was first reported in May. Since then, Samsung and all other affected companies have already taken remedial actions to mitigate and minimise the vulnerabilities that were at hand. However, according to Android Police, some of the vulnerable keys that were listed in the disclosure were recently […] for Samsung and LG phones uploaded to APK Mirror.

“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners,” Google said in a statement to BleepingComputer.

Users on Android are advised to update their firmware versions to the latest available updates in order to remain protected from potential security flaws such as the one disclosed by Google, and to be vigilant while downloading apps from third-party sources.

