Multiple platform certificates that Android OEM device vendors use to digitally sign core system applications have been used by threat actors to sign apps containing malware.
OEM Android device manufacturers use platform certificates or platform keys to sign the core ROM images of devices that contain the Android operating system and associated apps.
If an app, even a malicious one, is signed with the same platform certificate and declares that it wants to run under the highly privileged shared user ID “android.uid.system”, Android grants it that UID and with it system-level access to the device.
These privileges provide access to sensitive permissions not normally granted to apps, such as managing ongoing calls, installing or uninstalling packages, collecting information about the device, and other highly sensitive actions.
As shared in a now public report on the Android Partner Vulnerability Initiative (APVI) issue tracker, this misuse of platform keys was discovered by Łukasz Siewierski, a reverse engineer on Google’s Android security team.
“A platform certificate is the application signing certificate used to sign the ‘android’ application on the system image. The ‘android’ application runs with a highly privileged user ID – android.uid.system – and has system permissions, including permissions to access user data,” the Google reporter explains.
“Any other application signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android OS.”
Siewierski found multiple malware samples signed with ten different Android platform certificates and provided the SHA256 hashes of each sample and of each signing certificate.
At this time, there is no information on what led to these certificates being misused to sign malware – if one or more threat actors stole them or if an insider with authorized access signed the APKs with the vendor keys.
There is also no information on where these malware samples were found – whether they were found in Google’s Play Store or whether they were distributed through third-party stores or in malicious attacks.
The package names of the ten malware samples signed with platform keys are listed below:
com.russian.signato.renewis
com.sledsdffsjkh.Search
com.android.power
com.management.propaganda
com.sec.android.musicplayer
com.houla.quicken
com.attd.da
com.arlo.fappx
com.metasploit.stage
com.vantage.ectronic.cornmuni
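Because the APVI report identifies the leaked certificates by the SHA-256 digest of the DER-encoded certificate, the practical check for APKs you already have on hand (a firmware dump, a third-party store download, a sample from a device) is to pull the signer certificate out of the APK Signing Block and compare its digest with that list. The following script is an added example, not code from the report or from BleepingComputer: it parses the APK Signature Scheme v2/v3 block in pure Python (only the certificate chain is read, signatures are not verified), hashes each signer certificate, and flags any digest on a watchlist. The watchlist contents, the `build_fake_apk` fixture and the placeholder DER bytes in it are constructed here for demonstration; with a real APK you would read the file bytes and populate the watchlist with the digests from the APVI issue.

```python
import hashlib
import io
import struct
import zipfile

# Constants from the APK Signature Scheme v2/v3 specification
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
EOCD_SIG = b"PK\x05\x06"


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _u64(buf, off):
    return struct.unpack_from("<Q", buf, off)[0]


def _lp(buf, off=0):
    """Read one uint32 length-prefixed field; return (bytes, offset after it)."""
    n = _u32(buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _lp_items(buf):
    """Iterate over a concatenation of length-prefixed items."""
    off = 0
    while off < len(buf):
        item, off = _lp(buf, off)
        yield item


def find_eocd(data):
    """Locate the ZIP end-of-central-directory record (searched from the end, comment allowed)."""
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if idx < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    return idx


def read_signing_block_pairs(data):
    """Return the ID-value pair region of the APK Signing Block, or None if there is none (v1-only or unsigned)."""
    cd_offset = _u32(data, find_eocd(data) + 16)
    footer = cd_offset - 24  # uint64 size + 16-byte magic sit right before the central directory
    if footer < 8 or data[footer + 8:footer + 24] != APK_SIG_BLOCK_MAGIC:
        return None
    size = _u64(data, footer)
    start = cd_offset - size - 8  # block = [size][pairs][size][magic]; size excludes the first field
    if start < 0 or _u64(data, start) != size:
        raise ValueError("APK Signing Block size fields disagree")
    return data[start + 8:footer]


def signer_certificates(data):
    """Extract every signer's X.509 DER certificates (leaf first) from the v2 and v3 blocks."""
    pairs = read_signing_block_pairs(data)
    certs = []
    if pairs is None:
        return certs
    off = 0
    while off + 12 <= len(pairs):
        length = _u64(pairs, off)          # covers the 4-byte block ID plus the value
        block_id = _u32(pairs, off + 8)
        value = pairs[off + 12:off + 8 + length]
        off += 8 + length
        if block_id not in (V2_BLOCK_ID, V3_BLOCK_ID):
            continue                        # padding, v4, Play metadata, etc.
        signers, _ = _lp(value)             # length-prefixed sequence of signers
        for signer in _lp_items(signers):
            signed_data, _ = _lp(signer)    # signatures and public key follow; not needed here
            _digests, pos = _lp(signed_data)
            cert_seq, _ = _lp(signed_data, pos)  # digests first, then the certificate chain
            certs.extend(_lp_items(cert_seq))
    return certs


def cert_fingerprint(der):
    """SHA-256 over the DER certificate, the form in which the APVI report and apksigner print signer digests."""
    return hashlib.sha256(der).hexdigest()


def find_watchlisted_signers(apk_bytes, watchlist):
    """Return the fingerprints of signer certificates that are on the watchlist (case-insensitive hex)."""
    watch = {h.lower() for h in watchlist}
    return [fp for fp in map(cert_fingerprint, signer_certificates(apk_bytes)) if fp in watch]


def build_fake_apk(certs=None):
    """Constructed fixture: a minimal ZIP, optionally with a synthetic v2 signing block spliced in.
    Digests and signatures are dummies; it only exists to exercise the parser above offline."""
    def lp(b):
        return struct.pack("<I", len(b)) + b
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    if certs is None:
        return data
    digests = lp(struct.pack("<I", 0x0103) + lp(b"\x00" * 32))  # one dummy digest entry
    signed_data = lp(digests) + lp(b"".join(lp(c) for c in certs)) + lp(b"")
    signer = lp(signed_data) + lp(b"") + lp(b"")                 # no signatures, no public key
    pair_value = lp(lp(signer))                                   # sequence containing one signer
    pair = struct.pack("<QI", 4 + len(pair_value), V2_BLOCK_ID) + pair_value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = find_eocd(data)
    cd_offset = _u32(data, eocd + 16)
    out = bytearray(data[:cd_offset] + block + data[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))  # re-point EOCD at the moved CD
    return bytes(out)


if __name__ == "__main__":
    fake_cert = b"\x30\x82\x02\x00" + b"\xab" * 40  # constructed placeholder, not a real certificate
    apk = build_fake_apk([fake_cert])
    print(find_watchlisted_signers(apk, {cert_fingerprint(fake_cert)}))
```

Two caveats when using this on real files: an APK signed only with the legacy v1 (JAR) scheme has no signing block, so the function returns an empty list rather than a verdict, and you would then fall back to the PKCS#7 file under META-INF/; and the script deliberately does not verify signatures, so it answers "which certificate does this APK claim to be signed by", which is what you need for hunting, not "is the signature valid". For a one-off check, `apksigner verify --print-certs app.apk` from the Android SDK build tools prints the same SHA-256 digests and does verify the signatures.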
Leaked certificates are from Samsung, LG, Revoview and MediaTek
By searching VirusTotal for these hashes, BleepingComputer discovered that some of the compromised platform certificates belonged to Samsung Electronics, LG Electronics, Revoview, and MediaTek.
It was not possible at this time to determine who the other certificates belonged to.
Malware signed with these certificates includes samples detected as HiddenAd trojans, information stealers, Metasploit payloads, and droppers that threat actors can use to deliver additional malicious payloads to compromised devices.
Google informed all affected vendors about the abuse and advised them to rotate their platform certificates, investigate how the leak happened, and minimize the number of apps signed with their Android platform certificates to prevent future incidents.
“All parties involved should rotate the platform certificate by replacing it with a new set of public and private keys. In addition, they should conduct an internal investigation to find the source of the problem and take steps to prevent the incident from happening in the future,” the Google reporter added.
“We also strongly recommend minimizing the number of applications signed with the platform certificate, as this will significantly reduce the cost of platform key rotation should a similar incident occur in the future.”
An easy way to get an overview of all Android apps signed with these potentially compromised certificates is to use APKMirror to search for them (a list of apps signed with Samsung’s cert and one of the apps signed by LG).
However, although Google said that “all parties involved have been made aware of the findings and have taken remedial action to minimize impact to the user,” the results suggest that not all vendors have followed Google’s recommendations: at least in Samsung’s case, the leaked platform certificates are still being used to digitally sign apps.
When BleepingComputer contacted Google about the compromised keys, Google said it had added detections for the compromised keys to the Android Build Test Suite (BTS) and detections for the malware to Google Play Protect.
“OEM partners immediately implemented mitigation measures once we reported the major breach. End users will be protected by user restrictions implemented by OEM partners,” Google said in a statement to BleepingComputer.
“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware.”
“There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”