An Android certificate was reportedly leaked online, putting millions of devices at risk of malware attack. One advantage is that not all Android users are affected by the leak, but Samsung and LG users are not too happy with this news. Samsung and LG users, as well as all smartphones using MediaTek chipsets, are at risk of being infected by this malware.

Currently, Lukasz Siewirski, a Google employee and reverse engineer, reports that certificates from various Android OEMs have been released into the public domain. Attackers can use these keys to install malware on consumers’ smartphones. This can be used to infect phones with malware. This access key has the highest operating system privileges; This is important because it means an attacker could add malware without the knowledge of Google, the device manufacturer, or the app developer. Theoretically, if customers download an update from a third-party website, an attacker could inject malware masquerading as a legitimate app update.

The application signing certificate used to sign the “android” application in the system image is known as the platform certificate. The “android” app runs with the highly privileged user ID “android.uid.system” and can access user data, among other system permissions. According to a Google blog post, the same level of access to the Android operating system is available for all other apps certified with the same certificate.

Fortunately, there is still hope. The Android security team has already notified the affected companies about the issue. The tech giant also recommended that affected companies “return the platform certificate and replace it with a new set of public and private keys.” Additionally, according to XDA Developers’ statement, Samsung has been aware of the issue for a while and has patched the vulnerability. “After becoming aware of the issue, we have deployed a security patch since 2016 and there have been no known security incidents related to this potential vulnerability,” the company said in a statement to the publication.

The act of signing an app is an important component of how Android protects phones for starters. This procedure ensures that only verified developers provide software updates to customers’ phones. This procedure requires a unique login key from the app developer and is always kept secret to add an extra layer of security.