Google’s Android Partner Vulnerability Initiative (APVI) has publicly disclosed a new vulnerability affecting devices from Samsung, LG, Xiaomi and other manufacturers.

The crux of the problem is that several Android OEMs have leaked their platform “signature” keys outside of their own companies. This key is used to ensure that the Android version installed on your device is a legitimate manufacturer-created version. The same key can be used to sign individual programs.

Android, by its nature, trusts any app signed with the same key used to sign the operating system. An attacker in possession of such app signing keys could use Android’s “universal user identity” system to grant full system-level access rights to the malware on an affected device. Basically, all data on the affected device can be accessed by an attacker.

According to Google’s brief statement, the first step for each affected company is to change (or rotate) the keys so that they no longer use the merged ones.

Also, Google urged all Android manufacturers to radically reduce the frequency of using the platform key to sign other apps. Only apps that require the highest permissions should be signed this way to avoid potential security issues.

Since the issue was reported by Google in May 2022, Samsung and all other affected companies have already “Remedial measures were taken to minimize the impact on users”. It is unknown which existing Android devices, if any, are vulnerable to this exploit.