A security flaw affecting millions of Android devices has been disclosed in a new post on the Google Android Partner Vulnerability Program (APVI) website. By exploiting the flaw, attackers were able to implant malware into phones from many OEMs, including Samsung, LG and Xiaomi, and that malware can gain the highest level of access on the device, at the system level.
The key to the security breach, IT House has learned, is the platform certificate. These certificates, or signing keys, establish the legitimacy of the version of Android running on the device, said Lukasz Siewierski, a Google employee and malware reverse engineer who first identified the problem. Vendors also use these certificates to sign applications.
While Android assigns each application a unique user ID (UID) at installation, applications that share a signing key can also be granted a shared UID and thereby access each other's data. Under this design, applications signed with the same certificate as the operating system itself receive the same privileges as the operating system.
The problem is that some OEMs have leaked their Android platform certificates to the wrong people. These certificates are now being misused to sign malicious apps that carry the same permissions as Android itself. Such applications can obtain system-level permissions on an affected device without any user interaction. So if an Android device is infected, the malware can access all of its data without the user knowing.