Samsung Leaked Its Android App-Signing Key

Samsung leaked its cryptographic key out in the open. Outsiders now have access to the Android app-signing keys, which means you can’t know for sure if an app belongs to the company it says it belongs to. LG, MediaTek, and other Android companies have also lost their keys.

Whoever has the signing keys can now sign malware as genuine software that belongs to the affected companies. They can also release fake updates that can spy on your activity and steal data. What’s even worse is that Samsung hasn’t replaced its keys since discovering the leak, which may have actually been in 2016. But this isn’t the first time Samsung has failed to notify its users of the possible dangers and risks surrounding a leak.

In March 2022, Samsung lost confidential company data and source code to the Lapsus$ hackers. A few months later, in July, the company had a massive data breach that put millions of customers at risk. The breach was announced to the public only in August. With such a recent security history, all Samsung users should be cautious and protect their data.

What Is a Cryptographic App-Signing Key?

A cryptographic app-signing key is a critical part of online security. It is used to produce a digital signature that proves an app was signed by its owner. Whenever an Android app needs to be updated, the system checks if the original app and the update have matching signing keys. Cryptographic app-signing keys essentially verify the identity of the code provider, allowing you to trust who you’re downloading content from. In this way, app-signing keys can help protect you against any untrusted or unverifiable sources.

If someone else gets their hands on the app-signing key, they can insert malware into a fake update. Because the key matches the original key, the operating system will consider the update legitimate. It doesn’t matter where the update comes from because Android only looks for the app-signing key.
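The check described above, as an added example that is not part of the original article and not Android’s own code: a simplified model in Go of how a device decides whether to accept an update. The installed app records the public key that signed it, an update is accepted only if its signature verifies and its signer matches that key, and the origin of the update is never consulted, so a signature made with a copy of the leaked key is indistinguishable from a genuine one. The last step models the fix the article calls for, replacing the key, after which signatures from the old key are rejected. The key pair, package names and package contents are constructed sample data, and Ed25519 over a SHA-256 digest stands in for the X.509 certificates and APK signature schemes real Android uses (Android’s APK Signature Scheme v3 is what makes such a key rotation possible for already-installed apps).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// InstalledApp is what the device already trusts: the public key that signed the installed version.
type InstalledApp struct {
	Name   string
	Signer ed25519.PublicKey
}

// SignedUpdate is an update package together with its signer's public key and a signature over the package digest.
type SignedUpdate struct {
	Package []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

// SignUpdate produces an update signed with the given private key (a stand-in for the vendor's app-signing key).
func SignUpdate(priv ed25519.PrivateKey, pkg []byte) SignedUpdate {
	digest := sha256.Sum256(pkg)
	return SignedUpdate{
		Package: pkg,
		Signer:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, digest[:]),
	}
}

// AcceptUpdate is the device-side check: the signature must verify, and the signer must match the key
// that signed the installed app. Nothing here looks at where the package came from.
func AcceptUpdate(app InstalledApp, upd SignedUpdate) bool {
	digest := sha256.Sum256(upd.Package)
	if !ed25519.Verify(upd.Signer, digest[:], upd.Sig) {
		return false
	}
	return bytes.Equal(app.Signer, upd.Signer)
}

// RotateSigner models replacing a leaked key: the device's trust anchor for the app moves to the new
// public key, so anything signed with the old key is rejected from then on.
func RotateSigner(app InstalledApp, newPub ed25519.PublicKey) InstalledApp {
	return InstalledApp{Name: app.Name, Signer: newPub}
}

// Demo walks through the scenario with freshly generated keys (constructed sample data) and returns whether
// a genuine update, a third-party update signed with a copy of the same key, and that same third-party
// update after key rotation are accepted.
func Demo() (genuine, sameKeyElsewhere, afterRotation bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	app := InstalledApp{Name: "com.example.vendorapp", Signer: vendorPub} // hypothetical package name

	genuine = AcceptUpdate(app, SignUpdate(vendorPriv, []byte("vendorapp v2 (constructed)")))

	// A copy of the private key held by someone else yields signatures the device cannot tell apart.
	keyCopy := ed25519.PrivateKey(append([]byte(nil), vendorPriv...))
	elsewhere := SignUpdate(keyCopy, []byte("vendorapp v2 built elsewhere (constructed)"))
	sameKeyElsewhere = AcceptUpdate(app, elsewhere)

	// The mitigation: the vendor moves to a new key and the device's trust anchor follows it.
	newPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	afterRotation = AcceptUpdate(RotateSigner(app, newPub), elsewhere)
	return
}

func main() {
	genuine, sameKeyElsewhere, afterRotation := Demo()
	fmt.Println("genuine vendor update accepted:        ", genuine)
	fmt.Println("same key, different origin accepted:   ", sameKeyElsewhere)
	fmt.Println("old-key update accepted after rotation:", afterRotation)
}
```

The model makes the article’s point concrete: as long as the trust anchor on the device is the leaked key, the device has no way to prefer the vendor’s build over anyone else’s, and the only check that restores the distinction is the one that changes the anchor.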

In the case of Samsung, the company lost the Android signing key, which signs any downloaded app as well as the native Samsung apps. This means the official system apps that come with Android devices are a potential security vulnerability.

Samsung Has Known About the Leak Since 2016

Among the leaked Samsung keys, one appears to date from 2016. Malware from that year was signed with the key, so the danger still exists in the wild. Adam Conway from XDA-Developers contacted Samsung about the key, and a company spokesperson confirmed that they had been aware of the leak since 2016:

“Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.”

Samsung lost its Android app-signing keys 6 years ago and it never replaced them? All the new devices Samsung released since 2016 could’ve had new keys to minimize the risk of data theft.

The only good news so far is that Google stated that measures were taken to ensure there are no fake apps or updates that use the leaked Samsung keys on the Google Play Store.

[Image: screenshot of the statement from a Google spokesperson]

How to Secure Your Android Device

The best security measure would be Samsung changing the Android app-signing keys. But until then, you’ll have to protect your device and data on your own.

  1. Reset your Android to the default factory settings. This will wipe your device clean and ensure nothing suspicious is running in the background.
  2. Update your apps using Google’s Play Store. So far, the Play Store seems to be the safest place for Samsung apps since Google is actively looking for malware using the leaked keys.
  3. Install a VPN. A VPN won’t protect you from malware, but it will encrypt your connection and hide your real IP. Use CyberGhost VPN to protect your data with 256-bit military-grade encryption.
  4. Stay vigilant. Pay attention to apps with similar names, icons, web domains, and grammar mistakes. You can avoid a lot of malware by simply being mindful.

As a result of the leak, any malicious app could have slipped under the radar. That’s a pretty big deal, and it’s likely that Samsung will be addressing the issue at some point now that it’s out there. In the meantime, be extra careful about what you download.
