The application-signing key is one of the main security pillars of Android. Every time Android installs an update to an app, the certificate of the app already on your phone must match the certificate of the update being installed. Matching keys ensure that the update really comes from whoever built the original app and is not a malicious takeover. If a developer's signing key leaks, anyone holding it can distribute malicious updates to that developer's apps, and Android will happily install them, believing they are legitimate.
On Android, the app update process is not just for apps downloaded from an app store; it also covers the built-in system apps from Google, your device's manufacturer, and their related components. While downloaded apps are limited by a strict set of permissions and controls, Android's built-in system apps have access to much more powerful and invasive permissions and are not subject to the usual Play Store restrictions (which is why Facebook always pays to be a bundled app). If a third-party developer ever loses their signing key, that is bad. If an Android OEM ever loses their system-app signing key, that is very, very bad.
Guess what happened! Łukasz Siewierski, a member of Google's Android security team, published a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and MediaTek are the big players in the list, along with some smaller OEMs such as Revoview and Szroco, which make Onn tablets for Walmart.
These companies somehow leaked their signing keys to outsiders, and now you cannot trust that applications claiming to be from these companies really are. To make matters worse, the "platform certificate keys" they lost carry serious permissions. To quote the APVI post:
A platform certificate is an application signing certificate used to sign an Android application in a system image. The Android app runs with a highly privileged user ID, android.uid.system, and contains system permissions, including permissions to access user data. Any other application signed with the same certificate can announce that it wants to work with the same user ID, giving it the same level of access to the Android operating system.
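The practical check that follows from the leaked list, as an added example that is not part of the original article or of the APVI tracker post: a Python script that pulls the v1 (JAR) signing certificate out of an APK's META-INF/*.RSA PKCS#7 block, computes its SHA-256 fingerprint (the same certificate digest apksigner verify --print-certs reports), and compares it against a set of known-compromised fingerprints. The compromised set is left empty as a placeholder to be filled from the APVI post; the certificate, the APK and the DER encoder used to exercise the check are constructed stand-ins, not real keys or real packages.

```python
"""Flag APKs whose v1 (JAR) signing certificate matches a known-compromised fingerprint."""
import hashlib
import io
import zipfile

# Placeholder: fill with the SHA-256 certificate fingerprints listed in the APVI post.
# Left empty here on purpose; no real leaked fingerprint is reproduced in this example.
COMPROMISED_SHA256 = set()

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 (data)


def der_read(buf, pos):
    """Read one DER TLV (single-byte tag) at buf[pos]; return (tag, value, start, end)."""
    start = pos
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], start, pos + length


def der_children(value):
    """Yield (tag, value, raw_tlv) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, start, end = der_read(value, pos)
        yield tag, inner, value[start:end]
        pos = end


def pkcs7_certificates(blob):
    """Return the DER certificates carried by a PKCS#7 SignedData (META-INF/*.RSA, *.DSA, *.EC)."""
    _, content_info, _, _ = der_read(blob, 0)            # ContentInfo SEQUENCE
    children = list(der_children(content_info))
    if children[0][0] != 0x06 or children[0][1] != SIGNED_DATA_OID:
        raise ValueError("not a PKCS#7 signedData structure")
    _, signed_data, _, _ = der_read(children[1][1], 0)   # [0] EXPLICIT wraps SignedData SEQUENCE
    for tag, value, _ in der_children(signed_data):
        if tag == 0xA0:                                   # certificates [0] IMPLICIT SET OF Certificate
            return [raw for t, _, raw in der_children(value) if t == 0x30]
    return []


def apk_signer_fingerprints(apk):
    """SHA-256 fingerprints of every v1 signing certificate in an APK (path or file object)."""
    fingerprints = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    # apksigner's "certificate SHA-256 digest" is the hash of the full DER cert
                    fingerprints.append(hashlib.sha256(cert).hexdigest())
    return fingerprints


def check_apk(apk, compromised=COMPROMISED_SHA256):
    """Return [(fingerprint, is_compromised), ...] for each signer of the APK."""
    return [(fp, fp in compromised) for fp in apk_signer_fingerprints(apk)]


# --- constructed test fixtures below: a dummy certificate inside a minimal PKCS#7, zipped like an APK ---

def der_tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed test APK."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def build_test_apk(cert_der):
    """Constructed stand-in for an APK: a zip holding a manifest and a v1 PKCS#7 block wrapping cert_der."""
    signed_data = der_tlv(0x30,
        der_tlv(0x02, b"\x01")                            # version
        + der_tlv(0x31, b"")                              # digestAlgorithms (empty in this fixture)
        + der_tlv(0x30, der_tlv(0x06, DATA_OID))          # encapsulated ContentInfo
        + der_tlv(0xA0, cert_der)                         # certificates [0]
        + der_tlv(0x31, b""))                             # signerInfos (empty in this fixture)
    pkcs7 = der_tlv(0x30, der_tlv(0x06, SIGNED_DATA_OID) + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    buf.seek(0)
    return buf


DUMMY_CERT = der_tlv(0x30, b"constructed dummy certificate, not a real X.509 cert")
DUMMY_FINGERPRINT = hashlib.sha256(DUMMY_CERT).hexdigest()

if __name__ == "__main__":
    # Treat the dummy fingerprint as "compromised" so the constructed APK is flagged.
    for fp, bad in check_apk(build_test_apk(DUMMY_CERT), {DUMMY_FINGERPRINT}):
        print(f"{fp}  {'COMPROMISED' if bad else 'ok'}")
```

Two caveats. This reads only the v1 signature; an APK signed solely with the v2 or v3 scheme keeps its certificates in the APK Signing Block rather than META-INF, so a clean result here is not proof of a clean signer, and apksigner verify --print-certs (or VirusTotal, as the article suggests) remains the authoritative check. Second, the fingerprint is the thing that matters because the sharedUserId mechanism quoted above only grants android.uid.system to an app whose certificate matches the platform certificate; any APK that presents a leaked fingerprint is therefore able to claim that uid.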