Hackers sign Android malware apps with compromised platform certificates

2 December 2022 | Ravie Lakshmanan | Mobile Security / Attack Vector

Platform certificates used by Android smartphone vendors such as Samsung, LG and MediaTek have been found to be misused to sign malicious apps.

The findings were first detected and reported by Google reverse engineer Łukasz Siewierski on Thursday.

“A platform certificate is the application signing certificate used to sign the ‘android’ application on the system image,” says a report filed through the Android Partner Vulnerability Initiative (APVI).

“The Android application runs with a highly privileged user ID – android.uid.system – and has system permissions, including permissions to access user data.”

In practice, this means that a rogue application signed with the same certificate can run with the same privileges as the Android operating system itself: Android grants signature-level permissions, and lets an app share the android.uid.system user ID via sharedUserId, purely on the basis of the signing certificate matching. Such an app can therefore read all kinds of sensitive data on a compromised device without any user prompt.
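How a defender can turn this into a concrete check, as an added example that is not code from the article, from Google or from the APVI report: the script below pulls the signer certificate out of an APK's v1 (JAR) signature block, computes its SHA-256 fingerprint (the value `apksigner verify --print-certs` reports as the signer certificate SHA-256 digest), and flags any package whose signer matches a deny-list of platform-certificate fingerprints but which is not an expected system package. The certificates, fingerprints and package lists in it are constructed placeholders; the real fingerprints come from the APVI report, which this article does not reproduce.

```python
"""Added triage helper (not from the article, Google or APVI).
Extracts signer certs from an APK's v1 signature, fingerprints them and
flags platform-signed packages that are not expected system packages.
All certificates and package lists below are constructed placeholders."""
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der(tag, payload):
    """Encode one DER TLV (definite length); used only to build sample input."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, tlv_end) for each TLV in [start, end)."""
    pos = start
    while pos < end:
        tag, body, nxt = der_read(buf, pos)
        yield tag, pos, body, nxt
        pos = nxt


def pkcs7_certificates(blob):
    """Return DER certificates from a PKCS#7 SignedData blob (META-INF/*.RSA).
    Path: ContentInfo -> [0] EXPLICIT -> SignedData -> certificates [0] IMPLICIT."""
    tag, body, end = der_read(blob, 0)
    if tag != 0x30:
        raise ValueError("PKCS#7 ContentInfo must be a SEQUENCE")
    kids = list(der_children(blob, body, end))
    oid_tag, _, oid_body, oid_end = kids[0]
    if oid_tag != 0x06 or blob[oid_body:oid_end] != OID_SIGNED_DATA:
        raise ValueError("not a signedData ContentInfo")
    _, _, exp_body, _ = kids[1]                     # [0] EXPLICIT wrapper
    _, sd_body, sd_end = der_read(blob, exp_body)   # SignedData SEQUENCE
    certs = []
    for ctag, _, cbody, cend in der_children(blob, sd_body, sd_end):
        if ctag == 0xA0:                            # certificates [0] IMPLICIT SET OF Certificate
            for t, tlv_start, _, tlv_end in der_children(blob, cbody, cend):
                if t == 0x30:
                    certs.append(blob[tlv_start:tlv_end])
    return certs


def fingerprint(cert_der):
    """SHA-256 over the DER Certificate, as printed by apksigner --print-certs."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes):
    """Collect signer fingerprints from every META-INF/*.RSA|.DSA|.EC entry (v1 signature)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            u = name.upper()
            if u.startswith("META-INF/") and u.endswith((".RSA", ".DSA", ".EC")):
                for cert in pkcs7_certificates(z.read(name)):
                    fps.add(fingerprint(cert))
    return fps


def triage(apk_bytes, package_name, platform_fps, expected_system_packages):
    """'not-platform-signed', 'platform-signed-expected' (legitimate system app)
    or 'platform-signed-unexpected' (the pattern described in the article)."""
    if not apk_signer_fingerprints(apk_bytes) & platform_fps:
        return "not-platform-signed"
    if package_name in expected_system_packages:
        return "platform-signed-expected"
    return "platform-signed-unexpected"


# --- constructed sample data: placeholder certs, not real OEM certificates ---
def fake_cert(label):
    """A DER SEQUENCE standing in for an X.509 Certificate; opaque to the parser."""
    return der(0x30, der(0x02, b"\x02") + der(0x0C, label))


def build_sample_apk(cert_der):
    """Minimal zip with a v1-style META-INF/CERT.RSA carrying cert_der."""
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                      + der(0xA0, cert_der) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


PLATFORM_CERT = fake_cert(b"constructed OEM platform cert")
THIRD_PARTY_CERT = fake_cert(b"constructed third-party cert")
PLATFORM_FPS = {fingerprint(PLATFORM_CERT)}            # real list: SHA-256 digests from the APVI report
EXPECTED_SYSTEM = {"android", "com.android.settings"}  # real list: packages on the device's system image

if __name__ == "__main__":
    for pkg, cert in [("android", PLATFORM_CERT), ("com.metasploit.stage", PLATFORM_CERT),
                      ("com.metasploit.stage", THIRD_PARTY_CERT)]:
        print(pkg, triage(build_sample_apk(cert), pkg, PLATFORM_FPS, EXPECTED_SYSTEM))
```

The decisive signal is the certificate fingerprint, not the package name: several of the packages listed below imitate OEM naming (com.sec.android.musicplayer, com.android.power), so the expected-system list should be built from what is actually installed on the system partition of a known-good image rather than from name patterns. APKs signed only with APK Signature Scheme v2 or v3 carry no META-INF/*.RSA entry; for those, take the fingerprint from `apksigner verify --print-certs` and feed it to the same deny-list comparison.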

The malicious Android app packages found to be signed with the misused certificates are:

  • com.russian.signato.renewis
  • com.sledsdffsjkh.Search
  • com.android.power
  • com.management.propaganda
  • com.sec.android.musicplayer
  • com.houla.quicken
  • com.attd.da
  • com.arlo.fappx
  • com.metasploit.stage
  • com.vantage.electronic.cornmuni
That said, it’s not immediately clear how and where these artifacts were found, and whether they were used as part of an active malware campaign.

A search on VirusTotal shows that the identified samples have been flagged by antivirus engines as HiddenAds adware, Metasploit payloads, information stealers, downloaders and other hidden malware.

When reached for comment, Google said it informed all affected vendors to rotate the certificates and that there is no evidence that these apps were delivered through the Play Store.

“OEM partners immediately implemented mitigations as soon as we reported the key compromise,” the company told The Hacker News in a statement. “End users will be protected by user mitigations implemented by OEM partners.”

“Google has implemented broad malware detections in the Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure that they are running the latest version of Android.”
