One of Android’s security mechanisms is app signing, which certifies that an app was created by a certain entity and has not been modified since. Now some Android platform certificates have leaked, and malware writers wasted no time taking advantage of them.
These certificates are used to sign system apps, including the “android” app itself, so that they run with elevated permissions and privileges, including access to user data. A malicious application signed with the same certificate can obtain those same system privileges, and in fact a few samples of such malware have already been found.
Oops, the certificate
Any Android application developer knows that they must keep their signing certificate safe, because if it is lost they will no longer be able to publish a new version of the app that installs as an update. Android verifies that an update has been signed with the same certificate as the installed version, which is how it ensures the update has not been modified by a third party.
Of course, app mods still exist, like WhatsApp Plus, but they cannot be installed as updates over the original app because their creators do not have the original certificate (or its credentials) to sign them with. Leaking the certificate is a security disaster for any small developer, but it is far worse when the certificate in question is the Android platform certificate.
This certificate is used to sign some of the phone’s pre-installed applications, including “android” itself (android.uid.system), and the problem is not only modified updates: malware signed with this certificate can use the shared user ID mechanism and run with the same privileges as “android”. Android apps normally run isolated from one another, but apps signed with the same certificate can share a user ID and therefore data, as Facebook and Messenger do.
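The combination the article describes (a non-preinstalled APK that declares android:sharedUserId="android.uid.system" and is signed with a certificate known to be leaked) is something a defender can triage from an app inventory. The following is an added example, not code from the article; the inventory records, the decoded manifest snippets and the compromised-fingerprint value are constructed placeholders, and the real fingerprints must come from the vendor or Google advisory.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed placeholder: SHA-256 fingerprints of signing certificates reported
# as leaked. Replace with the values published in the advisory for your devices.
COMPROMISED_SIGNERS = {"PLACEHOLDER_LEAKED_PLATFORM_CERT_SHA256"}

# Locations where OEM-shipped (firmware) apps live; anything else was sideloaded
# or installed from a store and should not be holding a platform signature.
PREINSTALLED_PREFIXES = ("/system/", "/vendor/", "/product/", "/system_ext/")


@dataclass
class AppRecord:
    package: str
    apk_path: str        # on-device path of the installed APK
    manifest_xml: str    # decoded AndroidManifest.xml (as produced by an APK decoder)
    signer_sha256: str   # SHA-256 fingerprint of the signing certificate


def shared_user_id(manifest_xml: str) -> Optional[str]:
    """Return the android:sharedUserId declared in the manifest, if any."""
    root = ET.fromstring(manifest_xml)
    return root.get(f"{{{ANDROID_NS}}}sharedUserId")


def triage(app: AppRecord) -> List[str]:
    """List the reasons an app deserves a closer look; an empty list means none."""
    reasons: List[str] = []
    preinstalled = app.apk_path.startswith(PREINSTALLED_PREFIXES)
    leaked_signer = app.signer_sha256.upper() in COMPROMISED_SIGNERS
    uid = shared_user_id(app.manifest_xml)
    # OEM firmware apps legitimately carry the platform signature; the red flag is
    # a platform-signed APK that did not ship with the firmware.
    if leaked_signer and not preinstalled:
        reasons.append("signed with a leaked platform certificate but not preinstalled")
    if uid == "android.uid.system" and not preinstalled:
        reasons.append("requests android.uid.system but not preinstalled")
    return reasons


def triage_inventory(apps: List[AppRecord]) -> Dict[str, List[str]]:
    """Map each flagged package name to its reasons."""
    return {a.package: r for a in apps if (r := triage(a))}
```

Feed `triage_inventory` the records gathered from a device (package name, APK path, decoded manifest and signer fingerprint) and review every package it returns.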
The leaked certificates have been used on Samsung, LG, MediaTek and other phones, and the only way to fix the issue is to rotate them via an OTA update.
This is not a theoretical risk: malware has already been found exploiting these certificates. According to the report, disclosed yesterday, ten signed malware samples were identified. On APKMirror we can find some of the applications signed with these certificates (not necessarily malicious ones; as we said, the certificates were routinely used by various manufacturers). If your phone has one, it could technically be vulnerable to this problem.
That is, the leaked platform certificates belong to Samsung, LG, MediaTek, Revoview and the makers of the Walmart tablets, according to 9to5Google. Google’s solution is for manufacturers to replace the platform certificate with a new one, invalidating the leaked ones, although how feasible that is remains unclear, since it requires an OTA update and affected manufacturers such as Samsung have a huge catalog of devices. LG, for its part, no longer has a mobile division.
Some details of this serious security issue are still unknown. Google says it became aware of it in May 2022, although some malware samples date back to 2016, so some of these certificates could have been in the hands of malicious actors for years. Google says it has worked closely with Samsung and the other affected brands to “take immediate action and minimize the impact”, and has provided the following statement:
OEM partners quickly implemented mitigation measures as soon as we reported the compromised key. End users will be protected by user mitigations implemented by partners. Google has implemented extended detections for malware in the build test suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or was in the Google Play Store. As always, we recommend users ensure they are running the latest version of Android.
As always, don’t panic. Google Play Protect should be able to identify suspicious apps signed with these certificates and prevent us from installing them, or keeping them on the phone if they are already installed. Going forward, Google also recommends that manufacturers minimize the number of applications signed with the platform certificate.
Via | Luke