Millions of Android devices, including Samsung's, appear to have been left vulnerable by a major security leak. This isn’t so much a vulnerability as an actual leak of a critical component used by device manufacturers who rely on Android OS.
More specifically, Android OEMs, including LG, Samsung, and others, have had their platform signing keys leaked. A platform signing key is what ensures that the version of Android on a device is legitimate. In addition, the same key can be used to sign individual apps, meaning that Android will trust any app that shares the same signing key as the operating system. (via @maldr0id / 9to5Google)
In theory, this can allow a malicious party to attach malware to a trusted app and go unnoticed. It wouldn’t matter if a new app version contains malware. As long as the app is signed using the same key as the OS, it would be considered a trusted update, regardless of whether it came from the Galaxy Store, the Play Store, or other sources. That is, in theory. Google claims that no such vulnerable apps have made it onto the Play Store, which is good news.
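A defender's view of the trust rule described above, as an added example that is not from the original article or from Google or Samsung: an inventory audit that flags apps signed with a leaked platform certificate and ranks them by where they came from. The fingerprints, package names and inventory columns are constructed for illustration; real fingerprints would come from the vendor advisory.

```python
import csv
import hashlib
import io


def norm(fp):
    """Normalise a fingerprint: tools print 'AA:BB:..' or 'aabb..'."""
    return fp.replace(":", "").strip().lower()


# Constructed stand-ins for certificate SHA-256 fingerprints (not real values).
LEAKED = hashlib.sha256(b"constructed-oem-platform-cert").hexdigest()
OTHER = hashlib.sha256(b"constructed-third-party-cert").hexdigest()
LEAKED_COLONS = ":".join(LEAKED[i:i + 2] for i in range(0, 64, 2)).upper()
LEAKED_PLATFORM_CERTS = {LEAKED}

# Constructed inventory: package, signer fingerprint, preinstalled?, source.
SAMPLE_INVENTORY = f"""package,cert_sha256,preinstalled,source
com.oem.settings,{LEAKED},yes,system-image
com.oem.gallery,{LEAKED},no,play-store
com.example.flashlight,{LEAKED_COLONS},no,sideload
com.example.notes,{OTHER},no,sideload
"""


def triage(inventory_csv, leaked=LEAKED_PLATFORM_CERTS):
    """Return {package: severity} for apps signed with a leaked platform key."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if norm(row["cert_sha256"]) not in leaked:
            continue  # signed with some other key: outside this audit
        if row["preinstalled"].strip().lower() == "yes":
            # Shipped by the OEM; the fix is the vendor rotating its key.
            findings[row["package"]] = "expected"
        elif row["source"].strip().lower() == "sideload":
            # The signature alone makes it look trusted; the source does not.
            findings[row["package"]] = "high"
        else:
            # Store-delivered, but still worth confirming with the vendor.
            findings[row["package"]] = "review"
    return findings


if __name__ == "__main__":
    for package, severity in triage(SAMPLE_INVENTORY).items():
        print(f"{severity:9} {package}")
```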
Samsung already took measures to minimize risks
Aside from Samsung, other mobile brands affected by this security leak are LG, MediaTek, szroco, Revoview, and there may be others.
The issue was originally reported in May 2022, and thankfully, Google says that Samsung (and other manufacturers) have “taken remediation measures to minimize the user impact.” The statement is a bit fuzzy, and it’s unclear which apps are still vulnerable to this security issue or to what extent. But measures were put in place to minimize the risk of getting malware. And thankfully, Google also said that the exploit hasn’t been found in any apps available through the Play Store, and gave assurances that Play Protect offers a layer of security against these vulnerabilities.
In any case, it seems like the best way to avoid problems caused by this security leak is to not sideload apps from third-party websites for a while.