Malware apps signed with compromised Android platform certificates
Google’s Android security team has reported that hackers signed malicious applications using several compromised Android platform certificates. The incident recalls what happened in March 2020, when threat actors were found dropping malicious software signed with fake security certificates.
What are platform certificates? Platform certificates are digital signing keys owned and trusted by specific original equipment manufacturers (OEMs), which use them to sign their core apps. An attacker who obtains one can therefore sign a malicious app so that it is treated like a legitimate OEM app and gains root-level access, causing serious problems for unsuspecting users.
Each device OEM holds a set of trusted certificates for signing its platform’s core apps. Much like a signature on a document, the signature lets the signed apps run with root privileges so that the system can function as intended.
Threat actors misused platform certificates belonging to well-known Android smartphone manufacturers, including LG Electronics, Samsung, Revoview and MediaTek, to sign malware-infected apps. The abuse was first discovered by Łukasz Siewierski, a reverse engineer on Google’s Android Security Team.
According to Siewierski, when a malicious app is signed with the same certificate as the Android OS, it obtains the highest level of privilege, making it possible to extract sensitive data of all kinds from the compromised device. This is because such an app runs under the highly privileged user ID android.uid.system, which carries a number of system permissions, including permission to access user data.
Google also published a list of malware samples signed with 10 platform certificates, which it also recorded in the Android Partner Vulnerability Initiative (APVI) issue tracker.
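The practical defender check that follows from the above is to compare the signing certificate of every app in a firmware image (or any APK under review) against the published list of leaked platform certificates, and to treat any app that declares the android.uid.system shared user ID with special care. The script below is an added example written for this article; it is not Google's tooling or any OEM's code. It assumes the line format printed by `apksigner verify --print-certs`, and all certificate digests in it are constructed placeholders, not the real fingerprints from the APVI issue.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# SHA-256 digest line as printed by `apksigner verify --print-certs`, one per signer
# (assumed format; verify against your apksigner version).
_SHA256_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.M
)

SYSTEM_SHARED_UID = "android.uid.system"

# Placeholder digests standing in for the leaked platform certificates Google
# listed. Replace these with the real values from the APVI issue tracker.
COMPROMISED_PLATFORM_CERTS: Dict[str, str] = {
    "aa" * 32: "placeholder OEM-A platform certificate (leaked)",
    "bb" * 32: "placeholder OEM-B platform certificate (leaked)",
}

# Placeholder digest of the OEM's current (rotated) platform certificate for the
# build being scanned.
TRUSTED_PLATFORM_CERTS: Dict[str, str] = {
    "cc" * 32: "placeholder OEM-A platform certificate (current)",
}


@dataclass
class Finding:
    package: str
    severity: str  # "critical", "high" or "info"
    reasons: List[str] = field(default_factory=list)


def sample_apksigner_output(digest: str) -> str:
    """Constructed stand-in for `apksigner verify --print-certs` output."""
    return (
        "Verifies\n"
        "Verified using v1 scheme (JAR signing): true\n"
        "Verified using v2 scheme (APK Signature Scheme v2): true\n"
        "Number of signers: 1\n"
        "Signer #1 certificate DN: CN=Android, O=Android, C=US\n"
        f"Signer #1 certificate SHA-256 digest: {digest}\n"
        f"Signer #1 certificate SHA-1 digest: {'0' * 40}\n"
        f"Signer #1 certificate MD5 digest: {'0' * 32}\n"
    )


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Return the SHA-256 certificate digest of every signer, lower-cased."""
    return [m.group(2).lower() for m in _SHA256_LINE.finditer(apksigner_output)]


def assess_apk(package: str, shared_user_id: Optional[str], apksigner_output: str) -> Finding:
    """Flag APKs signed with a leaked platform certificate or claiming the system UID."""
    digests = parse_signer_digests(apksigner_output)
    finding = Finding(package=package, severity="info")
    if not digests:
        # No digest lines usually means verification failed; do not trust the APK.
        finding.severity = "high"
        finding.reasons.append("no signer digest found; apksigner verification may have failed")
        return finding

    for d in digests:
        if d in COMPROMISED_PLATFORM_CERTS:
            finding.severity = "critical"
            finding.reasons.append(f"signed with {COMPROMISED_PLATFORM_CERTS[d]} ({d[:16]}...)")

    if shared_user_id == SYSTEM_SHARED_UID:
        if any(d in TRUSTED_PLATFORM_CERTS for d in digests) and finding.severity != "critical":
            finding.reasons.append(
                "runs as android.uid.system under the current platform key (expected for core OEM apps)"
            )
        else:
            # The abuse described in the article: system shared UID without the OEM's
            # current platform key means system-level permissions for a non-OEM app.
            if finding.severity != "critical":
                finding.severity = "high"
            finding.reasons.append(
                "declares sharedUserId android.uid.system but no signer is in the current trusted platform set"
            )
    return finding


if __name__ == "__main__":
    for pkg, uid, digest in [
        ("com.example.dropper", SYSTEM_SHARED_UID, "aa" * 32),  # constructed
        ("com.example.oemcore", SYSTEM_SHARED_UID, "cc" * 32),  # constructed
        ("com.example.thirdparty", None, "dd" * 32),            # constructed
    ]:
        f = assess_apk(pkg, uid, sample_apksigner_output(digest))
        print(f.package, f.severity, "; ".join(f.reasons))
```

In a real scan the `apksigner` output and the `sharedUserId` value come from the APKs themselves (the latter from the manifest, for example via `aapt dump xmltree`), and the digest tables are loaded from the APVI issue and the OEM's current key inventory rather than hard-coded. Once an OEM rotates its platform certificate, the old digest moves from the trusted set into the compromised set, which is what makes the rotation Google recommended visible to the scan.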
How did hackers obtain these certificates?
The biggest mystery surrounding this data collection campaign is how the threat actors gained access to the certificates. One possibility is that someone working at one of the companies leaked them.
The apps signed with these OEMs’ platform certificates contained HiddenAd trojans, Metasploit, info stealers and malware droppers, with the aim of delivering additional malware or collecting data from device users.
Google has informed the affected manufacturers of its findings and encouraged them to rotate these certificates. The company confirmed that there is no evidence that the apps were delivered through its official Play Store.
“Google has implemented broad malware detections in the Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or was on the Google Play Store. As always, we recommend users make sure they’re running the latest version of Android,” Google said.