Leaked Samsung, MediaTek and LG certificates used to hack Android devices

Platform certificates used by Android device vendors to digitally ‘sign’ and verify mobile applications are being misused by malicious actors to sign apps containing malware. Android original equipment manufacturers (OEMs) Samsung, LG and MediaTek are among the bigwigs affected, along with Revociew and Szoroco.
Łukasz Siewierski, a reverse engineer at Google’s Android Security Team, published a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing the misuse of OEM platform certificates to pass off malicious apps as legitimate.
A platform certificate, also called a platform key, “is the application signing certificate used to sign the ‘android’ application on the system image. The ‘android’ application runs with a highly privileged user ID – android.uid.system – and has system permissions, including permissions to gain access to user data,” says Siewierski’s APVI post.
“Any other application signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.”
Malware signed with a legitimate platform certificate effectively hands threat actors the key to the entire device, allowing unrestricted access to stored data. Threat actors can also push malware disguised as an update for an existing app without the target user or the device’s built-in protections noticing, because the update is digitally signed with the same platform certificate.
Google listed ten malware samples with their corresponding SHA256 hashes. However, it is unclear how the misused platform certificates were leaked, where the malicious apps were found, or whether they were previously distributed on the Google Play Store, third-party stores or APK distribution sites.
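A defender triaging APKs against this advisory wants to know whether a sample's signer certificate is one of the leaked OEM platform certificates, which is the check apksigner's "certificate SHA-256 digest" output supports. The following Python script is an added example, not Google's or any OEM's code: it walks the PKCS#7 SignedData in an APK's v1 (JAR) signature files with only the standard library, extracts the embedded certificate DER, and compares its SHA-256 fingerprint with an operator-supplied list. The page gives no certificate fingerprints, so PLATFORM_CERT_FINGERPRINTS holds a placeholder, and the sample APK and "certificate" built by build_sample_apk are constructed stand-ins, not real artefacts.

```python
"""Flag APKs whose v1 signer certificate matches a known platform certificate (added example)."""
import hashlib
import io
import zipfile

# Placeholder: the advisory lists app hashes, not certificate fingerprints. An operator
# replaces this with the SHA-256 of each OEM platform certificate they track.
PLATFORM_CERT_FINGERPRINTS = {"PLACEHOLDER_SHA256_OF_OEM_PLATFORM_CERT"}

def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte DER tags are not handled")
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form: low bits give the count of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, end

def _children(buf: bytes, start: int, end: int):
    """TLVs packed between start and end -> [(tag, header_start, value_start, value_end)]."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        out.append((tag, pos, vs, ve))
        pos = ve
    return out

def certificates_from_pkcs7(der: bytes):
    """DER bytes of every certificate in a PKCS#7 ContentInfo/SignedData blob.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, contentInfo,
                               certificates [0] IMPLICIT SET OF Certificate, ... }
    """
    tag, vs, ve = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a PKCS#7 ContentInfo")
    ci = _children(der, vs, ve)
    if len(ci) < 2 or ci[0][0] != 0x06 or ci[1][0] != 0xA0:
        raise ValueError("unexpected ContentInfo layout")
    sd_tag, sd_vs, sd_ve = _read_tlv(der, ci[1][2])
    if sd_tag != 0x30:
        raise ValueError("SignedData is not a SEQUENCE")
    certs = []
    for tag, _hdr, cvs, cve in _children(der, sd_vs, sd_ve):
        if tag == 0xA0:                    # certificates [0] IMPLICIT
            for ctag, chdr, _cvs, cend in _children(der, cvs, cve):
                if ctag == 0x30:           # each Certificate is a SEQUENCE; keep its full DER
                    certs.append(der[chdr:cend])
    return certs

def signer_fingerprints(apk_bytes: bytes):
    """SHA-256 fingerprints of all v1 signer certificates found in an APK."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps

def platform_signed(apk_bytes: bytes, platform_fps=PLATFORM_CERT_FINGERPRINTS):
    """Which of this APK's signer fingerprints are known platform certificates."""
    return signer_fingerprints(apk_bytes) & set(platform_fps)

# --- constructed sample input: not a real APK and not a real X.509 certificate ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_apk(cert_der: bytes) -> bytes:
    """Wrap a certificate DER in a minimal PKCS#7 shell inside an in-memory zip."""
    signed_data = _tlv(0x30,
        _tlv(0x02, b"\x01")                                                   # version
        + _tlv(0x31, b"")                                                     # digestAlgorithms (empty)
        + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))     # contentInfo: id-data
        + _tlv(0xA0, cert_der)                                                # certificates [0]
        + _tlv(0x31, b""))                                                    # signerInfos (empty)
    pkcs7 = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + _tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"constructed sample, not real dex")
    return buf.getvalue()

SAMPLE_CERT = _tlv(0x30, _tlv(0x04, b"constructed-platform-cert"))  # stand-in for a cert DER
SAMPLE_FP = hashlib.sha256(SAMPLE_CERT).hexdigest()

if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_CERT)
    print("signers:", signer_fingerprints(apk))
    print("platform-signed:", platform_signed(apk, {SAMPLE_FP}))
```

The fingerprint computed here is the SHA-256 of the certificate's full DER encoding, the same value apksigner prints, so an operator can populate the set from `apksigner verify --print-certs` output on a known system image. The script only reads v1 signature files; an APK signed exclusively with the v2/v3 scheme carries its certificates in the APK Signing Block instead and will report no signers, which a triage pipeline should treat as "unknown" rather than "clean".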
The ten malicious apps are listed below. They contained information stealers, malware droppers, Trojans (HiddenAd) and Metasploit.
- com.vantage.electronic.cornmuni
- com.russian.signato.renewis
- com.sledsdffsjkh.Search
- com.android.power
- com.management.propaganda
- com.sec.android.musicplayer
- com.houla.quicken
- com.attd.da
- com.arlo.fappx
- com.metasploit.stage
APKMirror’s Artem Russakovskii found that some of the malware samples signed with Samsung’s platform certificate were from 2016.
Happened… The Samsung leak, for example, 6 years ago!??????
Is this an isolated incident of some kind, or a false positive, or are there multiple cases? I can’t figure out how to apply @virustotal for all matches for a given signature – it only shows 1. pic.twitter.com/Tf8g5T4ebo
— Artem Russakovskii 🇺🇦 (@ArtemR) 1 December 2022
“Samsung takes the security of Galaxy devices seriously. We have issued security updates since 2016 after being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up to date with the latest software updates,” Samsung told XDA Developers.
However, Samsung’s statement raises more questions than it answers, such as whether the company waited for security incidents before patching or how exactly the South Korean giant fixed the problem.
Nonetheless, Google said it informed all affected vendors and that they have taken respective remedial actions. “All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. In addition, they should conduct an internal investigation to determine the cause of the problem and take steps to prevent the incident from happening in the future,” Google said.
“We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly reduce the cost of rotating platform keys should a similar event occur in the future.”
For the list of malware signed with platform certificates from other vendors, replace the SHA256 hash in the search field at this APKMirror page with the supplier’s.