Study finds 5,673 compromised Android signing keys on GitHub affecting over 10 billion users

[Submitted on 19 Jun 2026]

Summary

This paper presents a longitudinal study on Android app signing key protection, revealing systemic risks from developer-managed credentials. Researchers mined public repositories and found 5,673 compromised keystores on GitHub, with 26 unique certificates linked to 278 real-world apps (26 third-party apps in public stores and 252 preinstalled apps from seven manufacturers), collectively affecting over 10 billion users. The study demonstrates practical exploitability through a proof-of-concept app replacement attack and identifies spillover risks in non-smartphone platforms, including automotive head-unit systems in over 1,100 vehicle models.
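The finding above turns on one mechanical fact: keystores and their passwords end up in public repositories. The following is an added example, not code from the paper or from this page, of the kind of pre-commit check that catches that before a push: it flags Java KeyStore files by their real 0xFEEDFEED magic, PKCS#12 files by extension plus DER prefix, and Gradle or properties files carrying literal storePassword/keyPassword values. The repository layout, file names and contents it scans are constructed for the demo.

```python
"""Scan a source tree for Android signing material that should never be committed.

Added example (not from the paper or the page): a defender-side pre-commit check.
Detects (1) JKS keystores by the 0xFEEDFEED magic, (2) PKCS#12 keystores by
extension plus a DER SEQUENCE prefix, (3) Gradle signingConfigs or
keystore.properties files with literal storePassword/keyPassword values.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

JKS_MAGIC = b"\xfe\xed\xfe\xed"            # Java KeyStore file header (real magic)
P12_EXTS = {".p12", ".pfx", ".pkcs12"}
KEYSTORE_EXTS = {".jks", ".keystore", ".bks"} | P12_EXTS
# Gradle DSL: storePassword "x" / keyPassword = "x" (string literal only;
# System.getenv(...) or property lookups are not quoted and so are not flagged).
GRADLE_LITERAL = re.compile(r'\b(storePassword|keyPassword)\s*=?\s*["\']([^"\']+)["\']')
# .properties: storePassword=x
PROPS_LITERAL = re.compile(r'^\s*(storePassword|keyPassword)\s*=\s*(\S+)\s*$', re.M)


def classify_bytes(name: str, data: bytes) -> Optional[str]:
    """Return a finding label for keystore-like content, or None if benign."""
    if data.startswith(JKS_MAGIC):
        return "jks-keystore"
    suffix = Path(name).suffix.lower()
    if suffix in P12_EXTS and data[:1] == b"\x30":   # DER SEQUENCE tag
        return "pkcs12-keystore"
    if suffix in KEYSTORE_EXTS:
        return "keystore-by-extension"
    return None


def scan_text(name: str, text: str) -> List[str]:
    """Find literal signing passwords in Gradle scripts or properties files."""
    lower = name.lower()
    if lower.endswith((".gradle", ".gradle.kts")):
        return [f"literal-{m.group(1)}" for m in GRADLE_LITERAL.finditer(text)]
    if lower.endswith(".properties"):
        return [f"literal-{m.group(1)}" for m in PROPS_LITERAL.finditer(text)]
    return []


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root; map relative POSIX path -> list of finding labels."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "build"}]
        for fn in filenames:
            path = Path(dirpath) / fn
            data = path.read_bytes()
            labels = []
            label = classify_bytes(fn, data)
            if label:
                labels.append(label)
            try:
                labels += scan_text(fn, data.decode("utf-8"))
            except UnicodeDecodeError:
                pass                       # binary file, text checks do not apply
            if labels:
                findings[path.relative_to(root).as_posix()] = labels
    return findings


def build_demo_tree() -> str:
    """Constructed repo: one leaked keystore, one Gradle file with literal passwords,
    one Gradle file using the environment (acceptable), one harmless README."""
    root = tempfile.mkdtemp(prefix="ks-scan-")
    app = Path(root) / "app"
    app.mkdir()
    # Constructed header: JKS magic + version 2 + padding (not a usable keystore).
    (app / "release.jks").write_bytes(JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 32)
    (app / "build.gradle").write_text(
        'android {\n  signingConfigs {\n    release {\n'
        '      storeFile file("release.jks")\n'
        '      storePassword "hunter2"\n'
        '      keyAlias "release"\n'
        '      keyPassword "hunter2"\n'
        '    }\n  }\n}\n')
    (Path(root) / "ci.gradle").write_text('storePassword System.getenv("KS_PASSWORD")\n')
    (Path(root) / "README.md").write_text("no secrets here\n")
    return root


if __name__ == "__main__":
    for rel, labels in sorted(scan_tree(build_demo_tree()).items()):
        print(f"{rel}: {', '.join(labels)}")
```

Wired into a pre-commit hook, a non-empty result from scan_tree on the staged files is enough to block the commit; the magic-number check matters because a renamed keystore (say, `assets/config.bin`) would slip past an extension-only rule.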

Source

Study finds 5,673 compromised Android signing keys on GitHub affecting over 10 billion users (arxiv.org)

Key quotes

Our analysis identifies 5,673 compromised keystores on GitHub and 26 unique certificates linked to 278 real-world apps.
These include 26 third-party apps in public app stores and 252 preinstalled apps from seven manufacturers, collectively affecting over 10 billion users.
Our results reveal that signing-key mismanagement is a systemic risk, underscoring the need for more rigorous key-management support in Android release engineering and distribution infrastructures.
A recent platform key leakage incident involving two major OEM manufacturers demonstrates that even robustly designed signing mechanisms can be compromised due to developers' oversight.
We demonstrate the practical exploitability of these leaks through a proof-of-concept app replacement attack and identify spillover risks in non-smartphone platforms, including a popular automotive head-unit platform installed in over 1,100 vehicle models.
Snippet from the RSS feed
Android app signing relies on developer-managed credentials, making secure key protection essential for the integrity of the software supply chain. A recent platform key leakage incident involving two major OEM manufacturers demonstrates that even robustl
