Millions of Android devices, including Samsung's, appear to have been left vulnerable by a major security leak. This is not so much a vulnerability as an actual leak of a critical component used by manufacturers of devices that run the Android operating system.
Specifically, the Android signing keys of several OEMs, including LG, Samsung, and others, have been leaked. The signing key ensures that the version of Android on the device is legitimate. The same key can also be used to sign individual apps, which means that Android will trust any app that shares the operating system's signing key. (via @maldr0id / 9to5Google)
In theory, this could allow a malicious party to attach malware to a trusted application and go unnoticed. It doesn't matter whether the new version of the app contains malware: as long as it is signed with the same operating system key, it will be considered a trusted update, regardless of whether it comes from the Galaxy Store, the Play Store, or other sources. That is, in theory. Google claims that none of these vulnerable apps made it to the Play Store, which is good news.
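To make the trust rule described above concrete, here is an added Python example (not code from the article or from Google/Android): it models Android's signer-matching rule, under which an update is accepted purely because its signing certificates equal the installed package's, and an app that declares the system shared UID gets system privileges when signed with the platform key. The certificate bytes, fingerprints and package names are constructed placeholders; the denylist of compromised fingerprints is a hypothetical defender-side control, not something the article or Android ships.

```python
"""Model of Android's signer-match rule and a defender-side key denylist.

Android accepts an APK as an update to an installed package only if the
new APK is signed by the same set of certificates as the installed one.
It never inspects the payload; only the signer set matters. An app that
declares android:sharedUserId="android.uid.system" and is signed with
the platform key runs with system privileges for the same reason.
Everything below uses constructed placeholder data, not real keys.
"""
import hashlib
from typing import Dict, Iterable, Set


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, the form Android reports."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-ins for DER-encoded signing certificates (not real).
OEM_PLATFORM_CERT = b"CONSTRUCTED-DER:oem-platform-signing-cert"
ROTATED_PLATFORM_CERT = b"CONSTRUCTED-DER:oem-platform-signing-cert-rotated"
THIRD_PARTY_CERT = b"CONSTRUCTED-DER:unrelated-developer-cert"

# The device's platform signer set, as a system image would carry it.
PLATFORM_SIGNERS: Set[str] = {fingerprint(OEM_PLATFORM_CERT)}

# Hypothetical denylist of fingerprints known to be compromised.
# In practice this would be fed from vendor advisories, not hard-coded.
COMPROMISED_KEYS: Set[str] = {fingerprint(OEM_PLATFORM_CERT)}


def signatures_match(installed: Iterable[str], update: Iterable[str]) -> bool:
    """Mirror PackageManager.checkSignatures: match iff signer sets are equal."""
    return set(installed) == set(update)


def android_accepts_update(installed: Iterable[str], update: Iterable[str]) -> bool:
    """Android's decision for an update: signer equality, nothing about content."""
    return signatures_match(installed, update)


def runs_as_system_uid(signers: Iterable[str],
                       declares_system_shared_uid: bool,
                       platform_signers: Set[str] = PLATFORM_SIGNERS) -> bool:
    """A package gets android.uid.system only if it asks for it AND is
    signed with exactly the platform signer set."""
    return bool(declares_system_shared_uid and signatures_match(signers, platform_signers))


def assess_package(name: str, signers: Iterable[str],
                   compromised: Set[str] = COMPROMISED_KEYS) -> Dict[str, object]:
    """Defender-side check: flag any package whose signer set touches a
    fingerprint on the compromised-key denylist, even when Android itself
    would accept it as a trusted update."""
    bad = set(signers) & compromised
    return {
        "package": name,
        "signed_by_compromised_key": bool(bad),
        "action": "block install; require rotated signer" if bad else "allow",
    }


def main() -> None:
    """Walk through the scenarios the article describes with placeholder packages."""
    oem = fingerprint(OEM_PLATFORM_CERT)
    rotated = fingerprint(ROTATED_PLATFORM_CERT)
    other = fingerprint(THIRD_PARTY_CERT)

    # A preinstalled OEM app signed with the platform key.
    installed = [oem]
    # An "update" signed with the (leaked) platform key is accepted outright.
    print("update with same platform key accepted:",
          android_accepts_update(installed, [oem]))
    # The same APK signed by an unrelated developer key is rejected.
    print("update with unrelated key accepted:",
          android_accepts_update(installed, [other]))
    # Platform-signed app asking for the system UID gets it.
    print("platform-signed app runs as system:",
          runs_as_system_uid([oem], declares_system_shared_uid=True))
    # The denylist catches what Android's own rule would wave through.
    print(assess_package("com.example.placeholder.update", [oem]))
    # After key rotation the new signer is no longer on the denylist.
    print(assess_package("com.example.placeholder.update", [rotated]))


if __name__ == "__main__":
    main()
```

The point of the two layers is that Android's rule is correct as designed; it simply has no notion of a key that was valid yesterday and leaked today. A denylist of compromised fingerprints, or a rotation to a new signer, is what turns the leak from "trusted forever" into a blockable condition.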
Samsung has already taken steps to reduce the risk
Apart from Samsung, other phone brands affected by this security leak are LG, MediaTek, szroco, Revoview and there may be others.
The issue was originally reported in May 2022, and thankfully, Google says that Samsung (and other manufacturers) "have taken corrective measures to minimize the impact on users." The statement is a bit confusing, and it's not clear which apps are still vulnerable to this security issue or to what extent. But steps have been taken to reduce the risk of malware infection. Google also said that the exploit was not found in any app available on the Play Store, and assures that Play Protect provides a layer of security against these vulnerabilities.
In any case, the best way to avoid problems caused by this security leak seems to be to not download apps from third-party websites for a while.