Folks, this is bad news. Very, very bad. Hackers and/or malicious insiders have leaked the platform certificates of several vendors. These are used to sign system apps on Android builds, including the "android" app itself. These certs are being used to sign malicious Android apps!
@MishaalRahman I only have one question. I am not in tech; what does this mean to me? Answer like I am a little child with a fork in one hand and an outlet in reach. Should I worry? OK, that's 2, I can't count.
@Dandydandy @MishaalRahman I tried reading & looking at the links, and I know nothing. All I got was heightened anxiety.
@Dandydandy @MishaalRahman the answer to your question is heavily dependent on many factors. But assuming that you are getting your apps from the Google Play Store exclusively, you are probably fine and will be fine.
More details:
In essence, these signatures are supposed to prove to your device that the author of the app is that company/person.
Android has a special signature for vendors, e.g. Samsung, because Samsung wants to write apps for its phones that have more permissions than the average application. That is good and normal. E.g. Samsung might need to have an app that inspects the content of other apps for safety or housekeeping; you don't want your average app to be able to have that access. You don't want your funny joke app to be able to read and copy your WhatsApp messages.
Now apps were found on the internet which are malicious (they do bad stuff to you), and these apps were signed by one of those special signatures. That means those apps could e.g. read all your WhatsApp messages, your online banking app login, etc. So these apps are very very dangerous.
How they got signed is unclear right now.
You are probably very worried right now but I have good news. Google knows now that these signatures are no longer safe and the vendors know that these signatures are no longer safe. So they will probably update your phone soon to change the special signatures that it accepts, and they will probably block any and all apps in Google Play (or other vendor stores) that use the signature without confirmation from the vendor that it is their app.
In other words, most likely you are not in danger if you don't download apps from the internet but from the app stores. Within a week, the issue is probably fixed. Honestly, probably today.
The only issue is that if we look at older software and products, these might be forever exposed to this threat. Assuming you are the average consumer, I don't think there is much to worry about that though.
@tartas1995 @MishaalRahman thank you, thank you.
@Dandydandy @MishaalRahman no problem! Sharing information is the point of this site
@Dandydandy @MishaalRahman What that means to you: Don't trust apps if you are not sure where they come from. Some apps may even seem legitimate (even to a computer, as there is a digital sign on it that tells them so). Unfortunately, these signs are like keys to enter a safe box for the data of an app. That makes sense, as some apps should be able to share data. These malicious apps can access these private boxes. So, no need to worry more, just follow the general safety measures.