A developer’s cryptographic signing key is one of the most important lynchpins of Android security. Every time Android updates an app, the old app’s signing key on your phone must match the key of the update you’re installing. The matching keys ensure that the update is indeed from the company that originally built your app and is not a malicious hijack. If a developer’s signing key were leaked, anyone could distribute malicious app updates and Android would happily install them believing they are legitimate.
On Android, the app update process not only applies to apps downloaded from an app store, you can also update bundled system apps from Google, your device manufacturer, and any other bundled apps. While downloaded apps have a strict set of permissions and controls, bundled Android system apps have access to much more powerful and invasive permissions and aren’t subject to the usual Play Store restrictions (that’s why Facebook always pays to be a bundled app). If a third party developer ever lost their signing key, that would be bad. When a Android OEM ever lost their system app signing key, that would be really, really bad.
Guess what happened! Łukasz Siewierski, a member of Google’s Android security team, published a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker listing leaked keys of platform certificates actively used to sign malware. The post is just a list of the keys, but running each one via APKMirror or Google’s VirusTotal website names some of the leaked keys: Samsung, LG, and Mediatek are the heavyweights on the list of leaked keys, alongside some smaller OEMs like Revoview and Szroco, which make Walmart’s Onn tablets.
These companies somehow gave away their signing keys to outsiders, and now you can no longer trust that apps claiming to be from these companies are really from them. To make matters worse, the “platform certificate keys” they lost have some serious permissions. To quote the AVPI post:
A platform certificate is the application signing certificate used to sign the “Android” application on the system image. The “Android” application runs with a highly privileged user ID – android.uid.system – and has system privileges, including privileges to access user data. Any other application signed with the same certificate can declare that it wants to run under the same user ID, giving it the same level of access to the Android operating system.