Platform certificates, which Android device vendors use to digitally sign and verify the applications shipped on their devices, have been misused by malicious actors to sign apps that contain malware. Android original equipment manufacturers (OEMs) Samsung, LG and MediaTek are among the bigwigs affected, along with Revoview and szroco.
Łukasz Siewierski, a reverse engineer on Google’s Android Security Team, reported in the Android Partner Vulnerability Initiative (APVI) issue tracker that OEM platform certificates are being abused to pass off malicious apps as legitimate ones.
A platform certificate, also called a platform key, “is the application signing certificate used to sign the ‘Android’ application on the system image. The ‘Android’ application runs with a highly privileged user ID – android.uid.system – and has system permissions, including permissions to access user data,” Siewierski said in the APVI post.
“Any other application signed with the same certificate can declare that it wants to run under the same user ID, giving it the same access to the Android OS.”
Essentially, malware signed with a legitimate platform certificate hands attackers the key to the entire device, giving them unrestricted access to stored data. Additionally, threat actors can disguise malware as an update to an existing app without the target user or the device’s built-in protections noticing, because the malware carries a valid signature from the platform certificate.
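The defender-side check that follows from this, as an added example that is not part of the article or of Google’s post: a Python script that fingerprints the certificate in an APK’s v1 (JAR) signature and reports whether it matches an OEM’s platform-certificate digest, the test a triage analyst runs on a suspicious APK before looking at what it declares. It reads only the v1 META-INF signature files (apksigner also covers the v2/v3 APK Signing Block), and the certificate, PKCS#7 blob and APK it runs on are constructed placeholders, not real OEM material.

```python
import hashlib, io, zipfile

def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], buf[start:pos + length], pos + length

def _children(value: bytes):
    """Yield (tag, value, raw_tlv) for each TLV inside a SEQUENCE, SET or [0]."""
    pos = 0
    while pos < len(value):
        tag, inner, raw, pos = _tlv(value, pos)
        yield tag, inner, raw

def pkcs7_cert_sha256(blob: bytes) -> list[str]:
    """SHA-256 of every certificate DER inside a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, content_info, _, _ = _tlv(blob, 0)                      # ContentInfo SEQUENCE
    explicit0 = next(v for t, v, _ in _children(content_info) if t == 0xA0)
    _, signed_data, _, _ = _tlv(explicit0, 0)                  # SignedData SEQUENCE
    for tag, inner, _ in _children(signed_data):
        if tag == 0xA0:                        # [0] IMPLICIT certificates
            return [hashlib.sha256(raw).hexdigest() for _, _, raw in _children(inner)]
    return []

def apk_signer_sha256(apk_bytes: bytes) -> list[str]:
    """Signer-certificate digests from the APK's v1 (JAR) signature files."""
    digests = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                digests.extend(pkcs7_cert_sha256(z.read(name)))
    return digests

def signed_by_platform_key(apk_bytes: bytes, platform_cert_sha256: str) -> bool:
    """True if any v1 signer certificate matches the OEM platform certificate digest."""
    return platform_cert_sha256.lower() in apk_signer_sha256(apk_bytes)

# Constructed sample: a dummy certificate wrapped in a minimal SignedData, zipped as an APK.
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

SAMPLE_CERT_DER = _der(0x30, b"\x02\x01\x01" + b"X" * 200)    # placeholder, not a real cert
_SD = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, _der(0x06, b"*")) + _der(0xA0, SAMPLE_CERT_DER))
SAMPLE_PKCS7 = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + _der(0xA0, _SD))
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
SAMPLE_APK, SAMPLE_PLATFORM_DIGEST = _buf.getvalue(), hashlib.sha256(SAMPLE_CERT_DER).hexdigest()
```

On a real device the reference digest is the SHA-256 of the OEM’s platform certificate as printed by `apksigner verify --print-certs` on a system app; any APK matching it that is not part of the OEM’s own build inventory warrants investigation.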
Google listed ten malware samples together with their SHA256 hashes. However, it is unclear how the abused platform certificates leaked, where the malicious apps were found, or whether they were previously distributed on the Google Play Store, third-party stores or APK distribution sites.
The ten apps loaded with malware are listed below. They include info stealers, malware droppers, trojans (HiddenAd) and Metasploit payloads.
APKMirror’s Artem Russakovskii found that some of the malware samples legitimized with Samsung’s platform certificate date from 2016.
For example, did the Samsung leak happen 6 years ago!?????? https://t.co/iB0iSxHYUZ
Is this an isolated incident or a false alarm, or are there other cases? I can’t figure out how to search @virustotal for all matches for a given signature – only 1 is shown. pic.twitter.com/Tf8g5T4ebo
— Artem Russakovskii 🇺🇦 (@ArtemR) December 1, 2022
“Samsung takes the security of Galaxy devices very seriously. We have issued security patches since 2016 after the issue was brought to our attention and there have been no known security incidents related to this potential vulnerability. We always encourage users to keep their devices up-to-date with the latest software updates,” Samsung told XDA Developers.
However, Samsung’s statement raises more questions than it answers, such as whether the company waited for security incidents before patching or how exactly the South Korean giant patched the issue.
Still, Google said it informed all affected vendors and they took appropriate remedial action. “All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. In addition, they should conduct an internal investigation to find the root cause of the problem and take action to prevent the incident from happening in the future,” Google said.
“We also strongly recommend minimizing the number of applications signed with the platform certificate, as this will significantly reduce the cost of rotating platform keys should a similar incident occur in the future.”
For the list of malware signed with third-party platform certificates, replace the SHA256 hash in the search box on this APKMirror page with that of the provider.