Samsung, LG Phones Vulnerable Due to Leaked Certificates, Google Finds

Google’s Android Partner Vulnerability Initiative revealed several vulnerabilities in Android's platform signing keys trust mechanism.

Advertisement
Written by Anees Hussain, Edited by David Delima, Richa Sharma | Updated: 2 December 2022 20:43 IST
Highlights
  • The vulnerability was identified by Google employee Łukasz Siewierski
  • Google has reportedly issued a statement assuring users of protection
  • The virus sample hash files have been uploaded online

Users on Android are advised to update their firmware to the latest available version

Photo Credit: Google

Google's Android Partner Vulnerability Initiative, in a major security leak admission, has disclosed a new key vulnerability that has affected Android smartphones from major brands such as Samsung and LG, among others. Due to the leaking of the signing keys used by Android OEMs, imposter apps or malware could disguise themselves as "trusted" apps. The issue was earlier reported in May this year, following which several companies including Samsung took actions to control the vulnerability.

The security flaw was brought to light by Google employee Łukasz Siewierski (via Esper's Mishaal Rahman). Sirwierski, through his tweets, revealed how the platform certificates have been used to sign malware apps on Android.

Advertisement

At the heart of the issue lies an Android platform key trusting mechanism vulnerability that could be exploited by malicious attackers. By design, Android trusts any application that uses a legitimate platform signing key, which is used to sign core system applications, through Android's shared user ID system.

However, the Android original equipment manufacturers (OEMs) have had their platform signing keys leaked, allowing malware creators to gain system-level permissions on a target device. This would make all user data on the particular device available to the attacker, just like another system app from the manufacturer signed with the same certificate.

Advertisement

Another alarming part about the vulnerability is that it doesn't necessarily require a user to install a new or an "unknown" application. The leaked platform keys could also be used to sign common trusted apps such as Bixby app on a Samsung device. A user who downloaded such an application from a third-party website would not see a warning when installing it on their smartphone, as the certificate would match the one on their system.

Google, however, has not explicitly mentioned the list of devices or OEMs that have so far been affected by the critical vulnerability in its public disclosure. Nevertheless, the disclosure includes a list of sample malware files. The platform has since reportedly confirmed the list of affected smartphones, which include devices from Samsung, LG, Mediatek, Xiaomi and Revoview.

The search giant has also suggested ways for the affected companies to mitigate the issue at hand. The first step involves churning out Android platform signing keys that have been flagged to have been leaked and replacing them with new signing keys. The company has also urged all Android manufactures to drastically minimise the frequent use of platform key for an app to sign other apps.

Advertisement

According to Google, the issue was first reported in May. Since then, Samsung and all other affected companies have already taken remedial actions to mitigate and minimise the vulnerabilities that were at hand. However, according to Android Police, some of the vulnerable keys that were listed in the disclosure were recently used for apps for Samsung and LG phones uploaded to APK Mirror.

"OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners," Google said in a statement to BleepingComputer.

Advertisement

Users on Android are advised to update their firmware versions to the latest available updates in order to remain protected from potential security flaws such as the one disclosed by Google, and to be vigilant while downloading apps from third-party sources.


Are the gaming-centric Asus ROG Phone 6 and 6 Pro worth the price jump? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Airtel Confirms Mobile Hotspot Restriction on the Unlimited 5G Data Offer
  2. Airtel Revises Postpaid Portfolio, Removes Rs. 549 Individual Plan
  3. OnePlus Exits US, Europe, Continues Operations in India: 5 Things to Know
  4. Oppo K15 Launch Date Confirmed; Key Specifications Revealed Ahead of Debut
  5. iPhone 18 Pro Max Could Get a New Sony Sensor With Variable Aperture Tech
  6. Insomniac Games Shares New Trailer for Marvel's Wolverine
  7. Here's How Much the iQOO Z11 Lite Could Cost in India
  1. Airtel Unlimited 5G Data Subscribers Cannot Share 5G Data via Mobile Hotspot, Company Confirms
  2. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  3. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  4. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  5. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  6. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
  7. Asus Pad India Launch Date Announced as Company Reveals Key Specifications
  8. iPhone 18 Pro Max Diagnostics Log Reportedly Reveals Variable Aperture Camera, Sony Sensor Upgrade
  9. Vivo X500 Ultra Leak Suggests Three 200-Megapixel Telephoto Sensors Under Testing
  10. iQOO Z11 Lite Price Range in India, Key Specifications Revealed Ahead of Official Launch
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.