Study finds 5,673 compromised Android signing keys on GitHub affecting over 10 billion users
[Submitted on 19 Jun 2026]
Summary
This paper presents a longitudinal study on Android app signing key protection, revealing systemic risks from developer-managed credentials. Researchers mined public repositories and found 5,673 compromised keystores on GitHub, with 26 unique certificates linked to 278 real-world apps (26 third-party apps in public stores and 252 preinstalled apps from seven manufacturers), collectively affecting over 10 billion users. The study demonstrates practical exploitability through a proof-of-concept app replacement attack and identifies spillover risks in non-smartphone platforms, including automotive head-unit systems in over 1,100 vehicle models.
Key quotes
Our analysis identifies 5,673 compromised keystores on GitHub and 26 unique certificates linked to 278 real-world apps.
These include 26 third-party apps in public app stores and 252 preinstalled apps from seven manufacturers, collectively affecting over 10 billion users.
Our results reveal that signing-key mismanagement is a systemic risk, underscoring the need for more rigorous key-management support in Android release engineering and distribution infrastructures.
A recent platform key leakage incident involving two major OEM manufacturers demonstrates that even robustly designed signing mechanisms can be compromised due to developers' oversight.
We demonstrate the practical exploitability of these leaks through a proof-of-concept app replacement attack and identify spillover risks in non-smartphone platforms, including a popular automotive head-unit platform installed in over 1,100 vehicle models.
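The study's core check is mechanical: find keystore files committed to a repository and compare the certificates inside them against the signing certificate of a shipped app. The following Python is an added illustration of that check, not code from the paper or its authors. It assumes the version-2 Java KeyStore (JKS) layout (magic 0xFEEDFEED, entry table of private-key and trusted-certificate entries) and builds a constructed sample keystore in a temporary directory; the certificate bytes are placeholders rather than real DER, and the trailing password-keyed integrity digest is left out because enumerating entries does not need it. Encrypted private-key material is skipped by length and never decrypted; only certificate SHA-256 fingerprints are produced, which is the digest you would compare with what `apksigner verify --print-certs` reports for the app.

```python
"""Detect Android signing keystores committed to a repo tree and fingerprint
the certificates they carry, so a leaked key can be matched to a shipped app.
Added example; JKS v2 layout assumed, sample data constructed in-line."""
import hashlib
import os
import struct
import tempfile

JKS_MAGIC = 0xFEEDFEED
KEYSTORE_SUFFIXES = (".jks", ".keystore", ".p12", ".pfx", ".bks")


def _java_utf(s: str) -> bytes:
    """Java's modified-UTF string: 2-byte big-endian length then bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_jks(entries) -> bytes:
    """Assemble a JKS v2 body for the demo. entries = [(alias, tag, [cert_bytes])],
    tag 1 = PrivateKeyEntry, tag 2 = TrustedCertEntry. Cert bytes are
    placeholders (constructed), the key blob is zeros, the integrity digest is omitted."""
    out = [struct.pack(">III", JKS_MAGIC, 2, len(entries))]
    for alias, tag, cert_blobs in entries:
        out.append(struct.pack(">I", tag) + _java_utf(alias) + struct.pack(">Q", 0))
        if tag == 1:
            key_blob = b"\x00" * 16  # stands in for the encrypted private key
            out.append(struct.pack(">I", len(key_blob)) + key_blob)
            out.append(struct.pack(">I", len(cert_blobs)))
        for der in cert_blobs:
            out.append(_java_utf("X.509") + struct.pack(">I", len(der)) + der)
    return b"".join(out)


def parse_jks(data: bytes) -> list:
    """Walk the entry table; return alias, key presence and cert fingerprints
    per entry. Private-key bytes are skipped by length, never decrypted."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS file")
    pos = 12
    entries = []

    def read_utf():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n].decode("utf-8")
        pos += n
        return s

    def read_cert_fingerprint():
        nonlocal pos
        read_utf()  # certificate type string, "X.509"
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        der = data[pos:pos + n]
        pos += n
        return hashlib.sha256(der).hexdigest()

    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias = read_utf()
        pos += 8  # creation timestamp, not needed here
        if tag == 1:
            (klen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + klen  # skip encrypted key
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            fps = [read_cert_fingerprint() for _ in range(chain_len)]
        elif tag == 2:
            fps = [read_cert_fingerprint()]
        else:
            raise ValueError(f"unknown entry tag {tag}")
        entries.append({"alias": alias, "has_private_key": tag == 1, "fingerprints": fps})
    return entries


def find_keystores(root: str) -> list:
    """Flag files by keystore suffix or JKS magic; usable from a pre-commit hook."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(4)
            if name.lower().endswith(KEYSTORE_SUFFIXES) or head == struct.pack(">I", JKS_MAGIC):
                hits.append(path)
    return sorted(hits)


def demo(known_app_cert: bytes = b"constructed-cert-of-shipped-app") -> dict:
    """Build a constructed repo tree holding a release keystore whose chain
    contains the app's certificate, scan it, and report which alias matches."""
    target = hashlib.sha256(known_app_cert).hexdigest()
    with tempfile.TemporaryDirectory() as repo:
        os.makedirs(os.path.join(repo, "app"))
        with open(os.path.join(repo, "app", "release.jks"), "wb") as f:
            f.write(build_sample_jks([("release", 1, [known_app_cert, b"constructed-ca"]),
                                      ("vendor-ca", 2, [b"constructed-ca"])]))
        with open(os.path.join(repo, "README.md"), "w") as f:
            f.write("no secrets here\n")
        found = find_keystores(repo)
        matches = []
        for path in found:
            with open(path, "rb") as f:
                for e in parse_jks(f.read()):
                    if e["has_private_key"] and target in e["fingerprints"]:
                        matches.append((os.path.relpath(path, repo), e["alias"]))
    return {"keystores": len(found), "matches": matches}


if __name__ == "__main__":
    print(demo())
```

The match condition deliberately requires both a private-key entry and a fingerprint equal to the app's signing certificate: a trusted-certificate entry alone (a CA or a peer's public cert) is not a compromise, while a private-key entry whose chain leaf matches a shipped app's certificate is exactly the case the study counts. Swapping the placeholder bytes for real DER from `keytool -exportcert` or `apksigner` is the only change needed to run this against an actual repository.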