Samsung lost its Android app-signing key—and didn’t replace it

One red key in a sea of blue keys.

This post was written by Pete Membrey, chief engineer – VPN technologies, ExpressVPN

When you lose your house keys, it’s common practice to replace the lock on the door—especially if those keys had your name and address on them. Why take the risk that someone will use those keys to open your door or make a copy of them before they are returned? Not only is replacing the lock safer (it renders the missing keys useless), but it’s also great for your peace of mind. You don’t have to worry any more whether those keys will be misused.

It is the same in the world of software. When you want someone to trust your application, you need to demonstrate that it was actually you who released it. This is done with a signing key. You want to keep that key very safe because should someone else get their hands on it, they would be able to sign any software as you

That’s why as soon as you learn your key has been compromised, lost, or stolen, you want to revoke and replace it as soon as possible. That is simply best practice and not at all considered controversial.

So it might surprise you that Samsung’s approach to dealing with its compromised signing key was to simply do nothing. That is, the company did not replace its key (as reported by Arstechnica). 

That becomes even more worrying when you realize Samsung had known about it for years, and then downright disturbing when its official stance seems to be that the company doesn’t see it as a problem. Hard to believe? Here’s the Samsung’s reply to Adam Conway on the XDA developers forum (emphasis mine):

Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.

That’s interesting because it appears, according to Artem Russakovski, that there is malware dating back to 2016 that has been signed with this key:

Tweet about Samsung lost keys.Let’s take a step back for a moment and ask some important questions.

What is an Android app-signing key?

An Android app-signing key is used by a publisher to sign its applications so that Android devices are able to verify that the application is legitimate and comes from the publisher it claims to come from. This is core to the platform’s security model, and therefore keeping that key safe is of utmost importance. If someone else has access to your key, they can sign any application and make the claim that it was you that published and approved it.

How does this relate to Samsung?

The key that has been leaked is Samsung’s Android app-signing key. This is the key that Samsung uses to sign all of its Android applications and is how Android is able to identify an official Samsung application for updates. This key is used for both downloaded applications (such as from the Play Store) but far more disturbingly is used to sign System Applications that come with the phone.

What’s a system app?

While applications from the Play Store have a number of significant restrictions in what they can and can’t do (as well as a powerful permissioning model), applications that are shipped by OEMs (known as system apps) have far greater access to the system and are therefore considered to have higher privileges. It’s therefore very important to make sure that these apps are kept up to date and are trustworthy, as the potential for damage if a malicious app is installed is far higher.

What about operating system updates?

The only good news here is that different keys are used for signing Samsung’s OS updates.

What can be done with the leaked key?

With this key, malicious actors can sign malware as official Samsung software. If they can find a way to get you to try and install the software, your phone will treat it as authentic Samsung software as it carries Samsung’s signature. This means it’s possible to install malware or spyware on your phone, even if your device isn’t rooted.

How can I tell malware from genuine software?

As both have valid signatures from Samsung’s key, there is no way for Android to determine that one is real and one is fake. This is where the real risk comes from. Normally to get malware installed, there are a number of security features that have to be worked around. With a valid signing key however, those security features won’t help you.

What can Samsung do?

Samsung can only do one thing: replace its signing key. The good news is that that should be entirely within the company’s control. They can make this happen.

Why hasn’t Samsung replaced its key?

That’s a good question, and it isn’t really clear yet why it would be using the same key, especially as Samsung appears to have known about the compromise for some time. There have been a number of updates and releases since the key was known to be compromised, so why didn’t they change the key at that point? Again, we don’t really know and can only speculate, but it is hard to come up with any justification for this. After all, it puts users at serious risk of a security breach.

O.K., but what can I do to protect myself?

For now, as there is already malware in the wild, your best bet to make sure that you’re safe is to reset the phone to factory defaults (so that you’re running a clean Samsung image) and then only install or update from the Play Store. Be mindful of what you’re installing, even from there, and keep an eye out for anything suspicious-looking, such as apps that have very similar names or icons to popular apps. We hope Samsung will issue new keys in the very near future, so this would only need to be done once rather than as a recurring measure.

Summary

Samsung’s Android app-signing key has been leaked, and it appears to have been leaked for many years. Even worse, Samsung seems to have known about this at least for a number of years and yet has still not revoked its key. Seemingly very laid back about the whole thing, Samsung has claimed that there are no known exploits, despite malware being in the wild that has been signed with their key since 2016. This lack of awareness and lack of basic security hygiene would always be a concern, but seeing it in a major OEM is extremely unsettling.

You can take basic steps to help ensure that your privacy is preserved and that you haven’t installed any malicious software by following the steps above. However, at the time of publishing, the leaked key is still in use and has not been revoked by Samsung.

Phone protected by ExpressVPN.
Protect your online privacy and security

30-day money-back guarantee

A phone with a padlock.
We take your privacy seriously. Try ExpressVPN risk-free.
What is a VPN?
ExpressVPN's Chief Engineer - VPN Technologies