Platform certificates used by Android device vendors to digitally ‘sign’ and verify mobile applications are being misused by malicious actors to sign apps containing malware. Android original equipment manufacturers (OEMs) Samsung, LG, and MediaTek are some of the bigwigs affected, along with Revoview and Szroco.
Łukasz Siewierski, a reverse engineer at Google’s Android Security Team, posted on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing the abuse of OEM platform certificates to pass malicious apps off as legitimate ones.
A platform certificate, also called the platform key, “is the application signing certificate used to sign the ‘android’ application on the system image. The ‘android’ application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data,” reads Siewierski’s post on APVI.
“Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.”
Through malware signed with a legitimate platform certificate, threat actors can essentially grant themselves the key to the entire device, allowing unrestricted access to stored data. Moreover, they can push malware disguised as an update to an existing app without the target user or the device’s built-in protections noticing, since the malware is digitally signed with the platform certificate.
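As an added example (not from the article or from Google’s report), the check a defender can run over a set of APKs: parse the output of `apksigner verify --print-certs` and flag any APK whose signing certificate SHA-256 digest matches a known-leaked platform certificate. The digests and the apksigner output below are constructed placeholders; the real certificate hashes come from the APVI post.

```python
import re
from typing import Dict, List

# Constructed placeholder digests standing in for the SHA-256 fingerprints of the
# leaked OEM platform certificates; substitute the values published in the APVI report.
LEAKED_PLATFORM_CERTS: Dict[str, str] = {
    "aa" * 32: "vendor-A platform cert (placeholder)",
    "bb" * 32: "vendor-B platform cert (placeholder)",
}

# `apksigner verify --print-certs` emits one such line per signer.
DIGEST_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest: (?P<hex>[0-9A-Fa-f]{64})$",
    re.MULTILINE,
)


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Return the lowercase SHA-256 digests of every signing certificate in the output."""
    return [m.group("hex").lower() for m in DIGEST_RE.finditer(apksigner_output)]


def flag_platform_signed(outputs: Dict[str, str],
                         leaked: Dict[str, str] = LEAKED_PLATFORM_CERTS) -> Dict[str, str]:
    """Map APK name -> label of the leaked platform cert it is signed with.

    Any matching signer counts: an APK carrying a platform-key signature can request
    android.uid.system via sharedUserId regardless of what other signers are present.
    """
    hits: Dict[str, str] = {}
    for apk, text in outputs.items():
        for digest in parse_signer_digests(text):
            if digest in leaked:
                hits[apk] = leaked[digest]
                break
    return hits


# Constructed sample output for three APKs, following the apksigner --print-certs layout.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "update.apk": ("Verifies\nNumber of signers: 1\n"
                   "Signer #1 certificate DN: CN=Android, OU=Android, O=Android, C=US\n"
                   "Signer #1 certificate SHA-256 digest: " + "aa" * 32 + "\n"
                   "Signer #1 certificate SHA-1 digest: " + "11" * 20 + "\n"),
    "game.apk": ("Verifies\nNumber of signers: 1\n"
                 "Signer #1 certificate SHA-256 digest: " + "cc" * 32 + "\n"),
    "dropper.apk": ("Verifies\nNumber of signers: 2\n"
                    "Signer #1 certificate SHA-256 digest: " + "dd" * 32 + "\n"
                    "Signer #2 certificate SHA-256 digest: " + "BB" * 32 + "\n"),
}

if __name__ == "__main__":
    for apk, label in flag_platform_signed(SAMPLE_OUTPUTS).items():
        print(f"{apk}: signed with {label}")
```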
Google listed ten malware samples and their corresponding SHA256 hashes. However, it is unclear exactly how the abused platform certificates were leaked, where the malicious apps were found, or whether they were previously distributed on the Google Play Store, third-party stores or APK distribution sites.
The ten malware-laden apps are listed below. These apps contained info stealers, malware droppers, trojans (HiddenAd), and Metasploit.
APKMirror’s Artem Russakovskii found that some of the malware samples legitimized with Samsung’s platform certificate were from 2016.
Did… the Samsung leak, for example, happen 6 years ago!??????
Is this an isolated incident of some sort, or a false positive, or there are more cases? I can’t figure out how to search @virustotal for all matches for a given signature – it only shows 1. pic.twitter.com/Tf8g5T4ebo
— Artem Russakovskii 🇺🇦 (@ArtemR) December 1, 2022
“Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates,” Samsung told XDA Developers.
However, Samsung’s statement raises more questions than it answers, like whether the company waited for any security incidents before patching or how exactly the South Korean giant patched the issue.
Nevertheless, Google said it informed all affected vendors and they have taken respective remediation measures. “All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future,” Google said.
“We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future.”
For the list of malware signed with the platform certificates of other vendors, replace the SHA256 hash in the search field on this APKMirror page with that of the vendor’s certificate.