Google says that the vulnerability was reported to it in May of this year and that the companies involved have “taken remediation measures to minimize the user impact.” Not exactly the “all clear” sign, especially in light of the news that APK Mirror has very recently come across some of the vulnerable signing keys in Android apps from Samsung.
Google, in a statement, says that Android users were protected through the Google Play Store Protect feature, and through actions taken by manufacturers. Google stated that this exploit did not impact any apps downloaded from the Play Store.
A Google spokesperson said, “OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”
What you need to do to limit your exposure
Google is recommending that the companies involved swap the signing keys currently being used and stop using the ones that leaked. It also suggests that each firm initiate an investigation to understand how the keys were leaked. Hopefully, this would prevent something like this from happening again in the future. Google is also recommending that companies use signing keys for the minimum number of apps to reduce the number of potential leaks in the future.
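For teams acting on those two recommendations, the sketch below is an added example (not from the article, Google, or any OEM) that audits the text printed by `apksigner verify --print-certs` for a set of APKs: it flags any APK signed with a certificate on a revoked list and reports how many APKs each certificate signs. The digests, APK names and sample output are constructed placeholders, since the article does not list the leaked fingerprints.

```python
import re
from collections import defaultdict

# Digest line as printed by `apksigner verify --print-certs`.
DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(print_certs_output):
    """Return the lower-cased SHA-256 signer certificate digests found in the text."""
    return {d.lower() for d in DIGEST_RE.findall(print_certs_output)}

def audit(outputs, leaked):
    """outputs: {apk name: apksigner text}; leaked: revoked certificate digests.
    Returns (flagged, reuse): reason per flagged APK, and APK names per digest."""
    leaked = {d.lower() for d in leaked}
    flagged, reuse = {}, defaultdict(list)
    for apk, text in sorted(outputs.items()):
        digests = signer_digests(text)
        if not digests:
            # Fail closed: an APK whose signer cannot be read is not trusted.
            flagged[apk] = "no signer certificate parsed"
            continue
        for d in digests:
            reuse[d].append(apk)
        hit = digests & leaked
        if hit:
            flagged[apk] = "signed with leaked certificate " + sorted(hit)[0][:16]
    return flagged, dict(reuse)

# Constructed placeholders, not real fingerprints.
LEAKED_A = "aa" * 32
CLEAN_B = "bb" * 32

def sample(digest):
    """Build constructed apksigner-style output for one signer."""
    return ("Signer #1 certificate DN: CN=Example OEM (constructed)\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            "Signer #1 certificate SHA-1 digest: " + "00" * 20 + "\n")

SAMPLE_OUTPUTS = {
    "settings.apk": sample(LEAKED_A),
    "launcher.apk": sample(LEAKED_A),
    "camera.apk": sample(CLEAN_B),
    "broken.apk": "DOES NOT VERIFY\n",
}

if __name__ == "__main__":
    flagged, reuse = audit(SAMPLE_OUTPUTS, [LEAKED_A.upper()])
    for apk, why in flagged.items():
        print(f"{apk}: {why}")
    for digest, apks in reuse.items():
        print(f"{digest[:16]}... signs {len(apks)} apk(s): {', '.join(apks)}")
```

The per-certificate count is the useful number for the "minimum number of apps" advice: the more APKs one certificate signs, the more of them are exposed if that single key leaks.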
So what can you do as the owner of a possibly affected Android phone? Make sure that your handset is running the latest version of Android and install all security updates as soon as they arrive. Who cares if these updates don’t bring exciting new features? Their job is to make sure that your device doesn’t get compromised. And Android users should refrain from sideloading apps. That is when you install an app sourced from a third-party app storefront.
The scary thing is that this vulnerability apparently has been around for years. Samsung even brings this up in its statement made to Android Police which says, “Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.”