Platform certificates used by Android device vendors to digitally sign and verify mobile apps have been misused by malicious actors to sign apps that contain malware. Android original equipment manufacturers (OEMs) Samsung, LG and MediaTek are among the big names involved, along with Revoview and Szroco.
Łukasz Siewierski, a reverse engineer on Google’s Android security team, posted on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing the abuse of OEM platform certificates to sign malicious applications.
A platform certificate, also known as a platform key, “is the application signing certificate used to sign the ‘android’ application on the system image. The ‘android’ application runs with a highly privileged user ID – android.uid.system – and holds system permissions, including user data access permissions,” Siewierski wrote in the APVI post.
“Any other app signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.”
Malware signed with a legitimate platform certificate can therefore request android.uid.system and obtain essentially unrestricted access to the device, including stored user data. Threat actors can also push obfuscated malware as an update to an existing app signed with the same certificate without the user or the device’s built-in protections noticing, since the update carries a valid platform signature.
Google listed ten malware samples together with their SHA256 hashes. It is not known exactly how the abused platform certificates were leaked, where the malicious apps were found, or whether they were ever distributed through the Google Play Store, third-party stores or other sites distributing APKs.
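The practical check that follows from the above is: which certificate signed this APK, and is it one of the leaked platform keys? As an added example (not Google’s, Samsung’s or APKMirror’s tooling), the Python script below pulls the v1 (JAR) signing certificate out of an APK with the standard library only and compares its SHA-256 digest with a blocklist of leaked platform-certificate hashes. The digest is SHA-256 over the DER-encoded X.509 certificate, which is the value `apksigner verify --print-certs` reports and the value APKMirror’s certificate search expects. The function names, the placeholder blocklist entry and the embedded sample APK are assumptions constructed for this example; the real leaked digests must be taken from the APVI post.

```python
"""Flag APKs whose v1 (JAR) signing certificate matches a blocklist of known-leaked
platform certificates.  Added example, not Google's or APKMirror's tooling.

Only the v1 JAR signature (META-INF/*.RSA|DSA|EC) is parsed; an APK signed only
with the v2/v3 scheme has no such file and would need the APK Signing Block.
"""
import hashlib
import io
import zipfile

# Assumption: fill this in from the APVI post.  The entry below is a placeholder
# for the example, not a real leaked key.
LEAKED_PLATFORM_CERTS = {
    "0" * 64: "vendor-A platform key (placeholder)",
}


def der_tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each TLV in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def pkcs7_certificates(blob):
    """Return the DER-encoded certificates embedded in a PKCS#7 SignedData blob."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    tag, vs, ve = der_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(der_children(blob, vs, ve))
    if len(kids) < 2 or kids[1][0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, _, cvs, _ = kids[1]
    _, svs, sve = der_tlv(blob, cvs)       # SignedData SEQUENCE
    certs = []
    for tag, _, vs2, ve2 in der_children(blob, svs, sve):
        if tag == 0xA0:                    # certificates [0] IMPLICIT SET OF Certificate
            for _, cstart, _, cend in der_children(blob, vs2, ve2):
                certs.append(blob[cstart:cend])   # whole Certificate TLV
    return certs


def apk_signer_digests(apk):
    """SHA-256 hex digests of every v1 signer certificate in an APK (path or bytes)."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    digests = []
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    digests.append(hashlib.sha256(cert).hexdigest())
    return digests


def check_apk(apk, blocklist=LEAKED_PLATFORM_CERTS):
    """('leaked-platform-cert', label) on a hit, ('unsigned-v1', None) if no JAR
    signature was found (v2/v3-only APKs land here too), else ('clean', None)."""
    digests = apk_signer_digests(apk)
    if not digests:
        return "unsigned-v1", None
    for d in digests:
        if d in blocklist:
            return "leaked-platform-cert", blocklist[d]
    return "clean", None


# --- constructed sample input: a minimal APK carrying a synthetic PKCS#7 blob ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


# Not a real X.509 certificate: a SEQUENCE large enough to exercise long-form lengths.
FAKE_CERT = der(0x30, der(0x02, b"\x01") + der(0x04, b"constructed sample cert".ljust(150, b".")))
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT).hexdigest()


def build_sample_apk(cert=FAKE_CERT, signed=True):
    oid_signed_data = der(0x06, bytes.fromhex("2A864886F70D010702"))   # 1.2.840.113549.1.7.2
    oid_data = der(0x06, bytes.fromhex("2A864886F70D010701"))          # 1.2.840.113549.1.7.1
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid_data)
                      + der(0xA0, cert) + der(0x31, b""))
    pkcs7 = der(0x30, oid_signed_data + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        if signed:
            z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_apk(build_sample_apk(), {FAKE_CERT_SHA256: "sample leaked key"}))
```

Two caveats for anyone running this over a real sample set. A certificate match says the app would run as android.uid.system on that vendor’s devices, not that it is malicious: the OEM’s own system apps legitimately carry the same certificate, so triage hits against the sample hashes Google published. And an `unsigned-v1` result is not a clean bill; APKs with a minimum SDK of 24 or higher may carry only a v2/v3 signature, whose certificates live in the APK Signing Block rather than under META-INF/.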
The ten malicious apps included information stealers, malware droppers, Trojans (HiddenAd) and Metasploit payloads.
APKMirror’s Artem Russakovskii found that some of the malware samples signed with Samsung’s platform certificate dated back to 2016.
Did…the Samsung leak, for example, happen 6 years ago!?????? https://t.co/iB0iSxHYUZ
Is this some isolated incident, or a false positive, or are there more cases? I don’t know how to search @virustotal for all matches for a given signature – it only shows 1. pic.twitter.com/Tf8g5T4ebo
— Artem Russakovskii 🇺🇦 (@ArtemR) December 1, 2022
“Samsung takes the security of Galaxy devices seriously. We have released security patches since 2016 after being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up to date with the latest software updates,” Samsung told XDA Developers.
However, Samsung’s statement raises more questions than it answers, such as whether the company waited for security incidents before fixing the problem and how exactly the South Korean giant fixed it.
Nonetheless, Google said it notified all affected vendors, which took corrective action. “All parties involved should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the issue and take steps to prevent the incident from happening again in the future,” Google said.
“We also strongly recommend minimizing the number of applications signed with the platform certificate, as this will significantly reduce the cost of rotating platform keys if a similar incident occurs in the future.”
To list malware signed with another vendor’s platform certificate, replace the signing-certificate SHA256 hash in the search field on the APKMirror page with that vendor’s certificate hash.