The crux of the problem is that the platform signing keys of several Android OEMs have leaked outside the companies that own them. An OEM's platform key signs the framework and the privileged apps that ship in its system image, which is how a device checks that the OS components it runs came from the manufacturer. The same key can also sign individual applications, and Android treats any app signed with it as part of the platform.
Malicious apps can gain system access without user interaction
By design, Android trusts any app signed with the same key that signed the operating system itself. An app whose manifest declares android:sharedUserId="android.uid.system" is assigned the system user ID (UID 1000) by the package manager as long as its signing certificate matches the platform certificate; the signature match is the only gate, and no permission prompt is shown. Permissions with protectionLevel="signature" are granted the same way. An attacker holding a leaked platform key can therefore sign malware that, once it is installed on a device from that OEM, runs with system privileges and can read and modify effectively all data on the device. The leaked key does not install the app by itself; the APK still has to reach the device, but once there it gets its privileges without any consent from the user.
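One check a responder can run on a device is to look for packages that hold UID 1000 but do not live in the system image, which is what a platform-key-signed malicious app looks like once installed. The following script is an added example, not code from the article or from Google; it parses the text of `adb shell dumpsys package`, replaced here by a constructed sample that keeps only the `Package [...]`, `userId=`, `codePath=` and flags lines of the real output (the real output has many more fields, and the exact name of the flags field varies between Android versions, so the parser accepts both `flags=` and `pkgFlags=`; that is an assumption of this example).

```python
"""Triage check: packages running as the Android system UID (1000) that were
not installed from the system image.  Added example, not part of the article.

Input is the text of `adb shell dumpsys package`.  Here a constructed sample
stands in for it; only the Package / userId / codePath / flags lines are
parsed, and the flags field name (flags= or pkgFlags=) is an assumption.
"""
import re

SYSTEM_UID = 1000
# Partitions the system image is mounted from; anything else is user-installed.
IMAGE_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")

# Constructed sample of the relevant `dumpsys package` lines (not real output).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.settings] (5f2a1c3):
    userId=1000
    codePath=/system_ext/priv-app/Settings
    flags=[ SYSTEM HAS_CODE ]
  Package [com.example.weather] (9b77e10):
    userId=10142
    codePath=/data/app/~~Qx1/com.example.weather-Ab3
    flags=[ HAS_CODE ALLOW_BACKUP ]
  Package [com.update.helper] (c04d88e):
    userId=1000
    codePath=/data/app/~~Zz9/com.update.helper-Tt2
    flags=[ HAS_CODE ALLOW_BACKUP ]
  Package [com.oem.device.service] (77aa0b1):
    userId=1000
    codePath=/data/app/~~Kk4/com.oem.device.service-Vv7
    flags=[ SYSTEM HAS_CODE UPDATED_SYSTEM_APP ]
  Package [com.android.systemui] (1a2b3c4):
    userId=10040
    codePath=/system_ext/priv-app/SystemUI
    flags=[ SYSTEM HAS_CODE ]
"""

PKG_RE = re.compile(r"^\s*Package \[(?P<name>[^\]]+)\]")
UID_RE = re.compile(r"^\s*userId=(?P<uid>\d+)")
PATH_RE = re.compile(r"^\s*codePath=(?P<path>\S+)")
FLAGS_RE = re.compile(r"^\s*(?:pkg)?[Ff]lags=\[(?P<flags>[^\]]*)\]")


def parse_packages(dumpsys_text):
    """Return one dict per package block: name, uid, codePath, flags (a set)."""
    packages = []
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = {"name": m.group("name"), "uid": None,
                       "codePath": None, "flags": set()}
            packages.append(current)
            continue
        if current is None:
            continue
        m = UID_RE.match(line)
        if m:
            current["uid"] = int(m.group("uid"))
            continue
        m = PATH_RE.match(line)
        if m:
            current["codePath"] = m.group("path")
            continue
        m = FLAGS_RE.match(line)
        if m:
            current["flags"] = set(m.group("flags").split())
    return packages


def suspicious_system_uid_packages(dumpsys_text):
    """Names of packages holding UID 1000 that live outside the system image.

    A legitimate OEM component runs as system from /system or a related
    partition.  An updated system app also reports a codePath under /data/app,
    but carries UPDATED_SYSTEM_APP in its flags, so it is excluded.  What is
    left could only have obtained UID 1000 by being signed with the platform
    key and deserves a close look.
    """
    return [
        p["name"]
        for p in parse_packages(dumpsys_text)
        if p["uid"] == SYSTEM_UID
        and p["codePath"] is not None
        and not p["codePath"].startswith(IMAGE_PREFIXES)
        and "UPDATED_SYSTEM_APP" not in p["flags"]
    ]


if __name__ == "__main__":
    for name in suspicious_system_uid_packages(SAMPLE_DUMPSYS):
        print("system UID outside the system image:", name)
```

On a real device, pipe `adb shell dumpsys package` into `parse_packages` instead of the sample. A hit is a lead, not a verdict: the next step is to pull the APK and compare its signing certificate with the OEM's platform certificate.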
Google's brief statement on the incident gave few details, but LG and Samsung are among the companies identified as affected. Google's recommendation to the affected vendors is to rotate their platform signing keys immediately so that nothing is signed with the leaked ones any longer. Rotation only protects a device once it receives a build signed with the new key; a device still running a system image signed with a leaked key continues to trust apps signed with that key.