android, certificates, malware, mediatek, platform certificate, samsung, android

Multiple platform certificates that Android OEM device vendors use to digitally sign core system applications have been used by threat actors to sign apps containing malware.

Android OEMs use platform certificates, or platform keys, to sign the core system applications that ship in a device's ROM image alongside the Android operating system.

Any app, malicious ones included, that is signed with the same platform certificate and declares the highly privileged 'android.uid.system' shared user id will run with system-level access on the device.


Image: one of the Android malware apps assigned android.uid.system (Source: BleepingComputer)

These privileges provide access to sensitive permissions not normally granted to apps, such as managing ongoing calls, installing or deleting packages, gathering information about the device, and other highly sensitive actions.

As shared in a now-public report on the Android Partner Vulnerability Initiative (APVI) issue tracker, this abuse of platform keys was discovered by Łukasz Siewierski, a reverse engineer on Google's Android Security team.

“A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data,” the Google reporter explains.

“Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.”

Siewierski spotted multiple malware samples signed with these Android platform certificates and provided the SHA256 hashes of each sample and of the signing certificates.
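The detection Google describes boils down to matching signer certificates against the fingerprints published in the APVI report: the certificate that signed a package is the thing to match, not the package name. The script below is an added example, not code from BleepingComputer, Google or the APVI report. It extracts the signer certificates from an APK's v1 (JAR) signature block (META-INF/*.RSA, a PKCS#7 SignedData structure in DER), computes the SHA-256 over each DER-encoded certificate (the same value apksigner prints as the certificate digest), and flags any fingerprint on a blocklist. The certificate, the blocklist entry and the APK it scans are all constructed stand-ins; the real leaked platform certificate hashes are only in the APVI issue and are not reproduced here.

```python
"""Flag APKs whose v1 (JAR) signing certificate is on a fingerprint blocklist.

Added example, not code from the BleepingComputer article or from Google's
APVI report. LEAKED_CERT, OTHER_CERT, BLOCKLIST and the APK built below are
constructed stand-ins, not the real leaked platform certificates.
"""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


# --- minimal DER encode/decode, enough for PKCS#7 SignedData framing --------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf: bytes, pos: int):
    """Decode one TLV at buf[pos]; return (tag, value, start, end)."""
    tag, first, cur = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long-form length: low bits give the byte count
        n = first & 0x7F
        length, cur = int.from_bytes(buf[cur:cur + n], "big"), cur + n
    else:
        length = first
    end = cur + length
    return tag, buf[cur:end], pos, end


def der_children(body: bytes):
    """Yield (tag, value, raw_tlv) for each element of a constructed value."""
    pos = 0
    while pos < len(body):
        tag, val, start, end = der_read(body, pos)
        yield tag, val, body[start:end]
        pos = end


def extract_certs(pkcs7: bytes) -> list:
    """Return the raw DER of every certificate in a PKCS#7 SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               certificates [0] IMPLICIT OPTIONAL, ... }
    """
    tag, ci_body, _, _ = der_read(pkcs7, 0)
    fields = list(der_children(ci_body))
    if tag != 0x30 or fields[0][0] != 0x06 or fields[0][1] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    _, sd_body, _, _ = der_read(fields[1][1], 0)          # unwrap [0] EXPLICIT
    for tag, val, _ in list(der_children(sd_body))[3:]:   # after encapContentInfo
        if tag == 0xA0:                                    # [0] IMPLICIT certificates
            return [raw for t, _, raw in der_children(val) if t == 0x30]
    return []


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, as printed by apksigner --print-certs."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_fingerprints(apk_bytes: bytes) -> dict:
    """Map each META-INF signature block to the fingerprints of its certificates."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                out[name] = [cert_fingerprint(c) for c in extract_certs(zf.read(name))]
    return out


def scan_apk(apk_bytes: bytes, blocklist: dict) -> list:
    """Return (entry, fingerprint, label) for every signer cert on the blocklist."""
    return [(entry, fp, blocklist[fp])
            for entry, fps in signer_fingerprints(apk_bytes).items()
            for fp in fps if fp in blocklist]


# --- constructed sample data (stand-ins, not real platform certificates) ----
def build_sample_pkcs7(cert_ders: list) -> bytes:
    signed_data = der(0x30,
                      der(0x02, b"\x01")                  # version 1
                      + der(0x31, b"")                    # digestAlgorithms (empty here)
                      + der(0x30, der(0x06, OID_DATA))    # encapContentInfo
                      + der(0xA0, b"".join(cert_ders))    # [0] certificates
                      + der(0x31, b""))                   # signerInfos (empty here)
    return der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))


def build_sample_apk(cert_der: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")  # real APKs carry binary XML
        zf.writestr("META-INF/CERT.RSA", build_sample_pkcs7([cert_der]))
    return buf.getvalue()


# A real signer is an X.509 SEQUENCE; only its raw DER bytes feed the
# fingerprint, so a tiny constructed SEQUENCE stands in for it here.
LEAKED_CERT = der(0x30, der(0x13, b"CN=constructed leaked platform cert"))
OTHER_CERT = der(0x30, der(0x13, b"CN=constructed unrelated cert"))
BLOCKLIST = {cert_fingerprint(LEAKED_CERT): "constructed-vendor-platform-key"}

if __name__ == "__main__":
    for label, cert in (("leaked key", LEAKED_CERT), ("other key", OTHER_CERT)):
        print(label, "->", scan_apk(build_sample_apk(cert), BLOCKLIST) or "clean")
```

Two caveats for real use. Apps signed only with the v2/v3 APK Signature Scheme keep their certificates in the APK Signing Block rather than under META-INF, so this script sees nothing for them; `apksigner verify --print-certs` covers every scheme and its SHA-256 output can be matched against the same blocklist. And a matching fingerprint only proves the package was signed with the platform key; whether it actually runs as system depends on its manifest declaring android:sharedUserId="android.uid.system", which needs a binary-XML decoder (aapt2 or apkanalyzer) to check.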

At the moment, there is no information on what led to these certificates being abused to sign malware — if one or more threat actors stole them or if an insider with authorized access signed the APKs with the vendor keys.

Also, there is no information on where these malware samples were found — if they were found on Google’s Play Store or if they’ve been distributed via third-party stores or in malicious attacks.

The package names for the ten listed malware samples signed with platform keys are listed below:

com.russian.signato.renewis
com.sledsdffsjkh.Search
com.android.power
com.management.propaganda
com.sec.android.musicplayer
com.houla.quicken
com.attd.da
com.arlo.fappx
com.metasploit.stage
com.vantage.ectronic.cornmuni

Leaked certs belong to Samsung, LG, Revoview, and MediaTek

A search on VirusTotal for these hashes allowed BleepingComputer to discover that some of the abused platform certificates belong to Samsung Electronics, LG Electronics, Revoview, and MediaTek.

For the other certificates, it was not possible to determine who they belonged to at this time.

Malware signed with these certificates includes samples detected as HiddenAd trojans, information stealers, Metasploit payloads, and droppers that threat actors can use to deliver additional malicious payloads to compromised devices.

Google informed all affected vendors about the abuse and advised them to rotate their platform certificates, investigate the leak to find out how it happened, and keep the number of apps signed with their Android platform certs at a minimum to prevent future incidents.

“All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future,” the Google reporter added.

“We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future.”

An easy way to get an overview of all Android apps signed with these potentially compromised certificates is to use APKMirror to search for them (a list of apps signed with Samsung’s cert and one of the LG-signed apps).

However, based on the results, even though Google said that “all affected parties were informed of the findings and have taken remediation measures to minimize the user impact,” it looks like not all the vendors have followed Google’s recommendations since, at least in Samsung’s case, the leaked platform certificates are still being used to digitally sign apps.

When we reached out to Google about these compromised keys, Google told BleepingComputer that they had added detections for the compromised keys to the Android Build Test Suite (BTS) and malware detections to Google Play Protect.

“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners,” Google said in a statement to BleepingComputer.

“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware.”

“There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”
