
Platform Certificates Used to Sign Android Malware Installers and Droppers

Attackers are abusing multiple platform certificates that Android OEM device vendors use to digitally sign their core system applications. The abuse lets them sign malicious Android apps that gain system-level access to the device.

Abuse of platform certificates

In mid-November, Łukasz Siewierski, a member of Google's Android Security team, discovered multiple malware samples signed with 10 Android platform certificates.
  • Apps signed with a platform certificate can run under the user ID android.uid.system. Any application running with this user ID holds system permissions, including permissions to access user data.
  • Those privileges also include sensitive permissions such as managing outgoing calls, installing and deleting packages, and gathering device information, none of which are normally granted to third-party apps.

Additional discovery

  • BleepingComputer researchers found that some of the abused platform certificates belong to vendors such as Samsung Electronics, LG Electronics, Revoview, and MediaTek.
  • Attackers used apps signed with these companies' certificates to distribute HiddenAd trojans, information stealers, Metasploit, and malware droppers that deliver additional malicious payloads to compromised devices.

Google’s actions

It is unknown how the platform certificates were compromised, or whether the malware was found on the Google Play Store.
  • Google has added detections for the compromised keys to the Android Build Test Suite (BTS) and malware detections to Google Play Protect.
  • Google informed all affected vendors and advised them to rotate their platform certificates and investigate the leak to find the root cause of the problem.
  • Google recommends that vendors minimize the number of applications signed with the platform certificate, which lowers the cost of platform key rotation and helps prevent similar incidents in the future.

Security tips

Experts recommend using APKMirror to get an overview of all Android apps signed with these potentially compromised certificates. Mitigation measures implemented by the OEM partners also protect end users. Users are advised to update their device software and run the latest version of Android.
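The triage step above, getting an overview of which APKs are signed with the compromised certificates, can also be done locally. The following Python helper is an added example, not code from the article, Google or APKMirror: it parses the output of `apksigner verify --print-certs` and flags any signer whose certificate SHA-256 digest is on a block list. The digests in the block list are constructed placeholders (the article does not publish them) and the apksigner output format is assumed, so substitute the published fingerprints before use.

```python
import re
import subprocess
from typing import Dict, List

# Constructed placeholders: the article does not list the compromised
# digests; replace with the SHA-256 values published by Google/APKMirror.
COMPROMISED_CERT_SHA256 = {
    "aaaaaaaa" * 8: "PLACEHOLDER_OEM_A platform cert",
    "bbbbbbbb" * 8: "PLACEHOLDER_OEM_B platform cert",
}

# Matches the SHA-256 line apksigner prints per signer (format assumed).
_DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)

def parse_signer_digests(print_certs_output: str) -> Dict[int, str]:
    """Map signer index -> lowercase SHA-256 digest of its certificate."""
    return {int(n): d.lower() for n, d in _DIGEST_RE.findall(print_certs_output)}

def flag_compromised(print_certs_output: str) -> List[str]:
    """Return labels of known-compromised certs found among the APK's signers."""
    hits = []
    for idx, digest in sorted(parse_signer_digests(print_certs_output).items()):
        label = COMPROMISED_CERT_SHA256.get(digest)
        if label:
            hits.append(f"signer #{idx}: {label}")
    return hits

def check_apk(path: str) -> List[str]:
    """Run apksigner (assumed to be on PATH) against a real APK and flag it."""
    out = subprocess.run(
        ["apksigner", "verify", "--print-certs", path],
        capture_output=True, text=True, check=False,
    ).stdout
    return flag_compromised(out)

# Constructed sample output for a hypothetical APK with two signers;
# signer #2 uses one of the placeholder compromised certificates.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Example Dev, O=Example\n"
    "Signer #1 certificate SHA-256 digest: " + "0123456789abcdef" * 4 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "0123456789abcdef" * 2 + "01234567\n"
    "Signer #2 certificate DN: CN=Android, O=PLACEHOLDER_OEM_B\n"
    "Signer #2 certificate SHA-256 digest: " + "BBBBBBBB" * 8 + "\n"
)
```

Running `flag_compromised(SAMPLE_OUTPUT)` reports only signer #2; `check_apk("app.apk")` applies the same check to a real file.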
Publisher: Cyware