Bad news! The platform certificates of many phone manufacturers have been hacked. These are used to sign trusted apps on Android phones. Now these certificates are being used to certify malicious Android applications


Platform certificates, also known as platform keys, are used by Android device OEMs to certify the core ROM images of their devices. These images include the Android operating system and any related applications.

The application signing certificate used to sign the “android” application on the system image is known as the platform certificate. The “android” application runs under the highly privileged user ID android.uid.system, and because it holds that user ID it has system privileges, including permission to access user data.

Any other application signed with the same platform certificate can request the same ‘android.uid.system’ user ID, and once it is assigned that user ID it gains the same system-level access to the device. A malicious application signed with a leaked platform certificate therefore obtains system privileges simply by virtue of its signature.

The abuse of platform keys was discovered by Łukasz Siewierski, a reverse engineer on Google’s Android Security team. His findings were published in a report that is publicly available on the Android Partner Vulnerability Initiative (APVI) issue tracker.

Siewierski found numerous malware samples signed with 10 different Android platform certificates. His report lists the SHA256 hash of each malware sample together with the certificate that was used to sign it.

There is no evidence available at this time of the circumstances that led to these certificates being misused to sign malware. It is unknown if one or more threat actors stole the certificates, or if an authorized employee signed the APKs using the vendor keys.

In addition, there is no information about the location of these malicious samples, such as whether they were discovered in the Google Play Store, whether they were spread via third-party stores, or whether they were used in malicious activities.


Google notified all affected vendors of the abuse and advised them to rotate their platform certificates, to investigate how the breach occurred, and to limit the number of applications signed with their Android platform certificates so that such problems are contained in future.

There is no evidence to suggest that this malicious code was ever distributed via the Google Play Store. The standard advice to users remains, as always, to make sure they are running the latest version of Android.

An easy way to get an overview of which Android apps are signed with these certificates is to search APKMirror for apps signed with each of the compromised certificates.
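As an added example (not code from this post, from Google or from the APVI report), here is a small Python triage helper for the check the previous paragraphs describe: it reads the text that `apksigner verify --verbose --print-certs <apk>` prints, extracts each signer's certificate SHA-256 digest and matches it against a blocklist of compromised platform certificates. The blocklist digests and the sample apksigner output are constructed placeholders, since the real certificate hashes are in the APVI report rather than on this page.

```python
"""Triage helper: flag an APK whose signing certificate is on a list of
known-compromised platform certificates. Input is the text printed by
`apksigner verify --verbose --print-certs <apk>`; the sample below is constructed."""
import hashlib
import re
from typing import Dict, List, Set

# Placeholder fingerprints. The real leaked-certificate digests are in the
# APVI report, not on this page, so these are constructed values only.
COMPROMISED_PLATFORM_CERTS: Set[str] = {
    "00" * 32,  # placeholder for one vendor's leaked platform certificate
    "11" * 32,  # placeholder for another vendor's certificate
}

# apksigner prints one line of this shape per signer.
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M
)

def cert_fingerprint(der_cert: bytes) -> str:
    """The digest apksigner reports is SHA-256 over the DER-encoded certificate,
    so a certificate obtained from any other source can be matched the same way."""
    return hashlib.sha256(der_cert).hexdigest()

def parse_signer_digests(apksigner_output: str) -> Dict[int, str]:
    """Map signer number -> certificate SHA-256 digest (normalised to lowercase)."""
    return {int(n): d.lower() for n, d in DIGEST_RE.findall(apksigner_output)}

def flag_compromised_signers(apksigner_output: str,
                             blocklist: Set[str] = COMPROMISED_PLATFORM_CERTS) -> List[int]:
    """Return the signer numbers whose certificate is on the blocklist.
    The signature itself verifies: the key is genuine, it is just no longer
    trustworthy, which is why a signature validity check alone is not enough."""
    return sorted(n for n, d in parse_signer_digests(apksigner_output).items()
                  if d in blocklist)

# Constructed sample of apksigner output for an APK signed with the first placeholder key.
SAMPLE_OUTPUT = (
    "Verifies\n"
    "Verified using v1 scheme (JAR signing): true\n"
    "Verified using v2 scheme (APK Signature Scheme v2): true\n"
    "Number of signers: 1\n"
    "Signer #1 certificate DN: CN=Placeholder Vendor, O=Placeholder, C=XX\n"
    "Signer #1 certificate SHA-256 digest: " + "00" * 32 + "\n"
)

if __name__ == "__main__":
    print("compromised signers:", flag_compromised_signers(SAMPLE_OUTPUT))  # [1]
```

In a pipeline, feed the helper the output of apksigner for each APK pulled from a device or store, and treat any hit as a system-privileged app signed with a key that can no longer be trusted.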
