Google informed all affected vendors about the abuse and advised them to rotate their platform certificates, investigate the leak to find out how it happened, and keep the number of apps signed with their Android platform certs at a minimum to prevent future incidents.
"All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future," the Google reporter added.
"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future."
An easy way to get an overview of all Android apps signed with these potentially compromised certificates is to use APKMirror to search for them (a list of apps
signed with Samsung's cert and one of
the LG-signed apps).
However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.
When we reached out to Google about these compromised keys, Google told BleepingComputer that they had added detections for the compromised keys to the Android Build Test Suite (BTS) and malware detections to Google Play Protect.
