Google warns stolen Android keys used to sign info-stealing malware
OEMs including Samsung, LG and Mediatek named and shamed
Compromised Android platform certificate keys from device makers including Samsung, LG and Mediatek are being used to sign malware and deploy spyware, among other software nasties.
Googler Łukasz Siewierski found and reported the security issue and it's a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of privileges as the Android operating system — essentially unfettered access to the victim's device.
As explained in a Android Partner Vulnerability Initiative (AVPI) security alert:
"A platform certificate is the application signing certificate used to sign the 'android' application on the system image. The 'android' application runs with a highly privileged user id — android.uid.system — and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system."
Also in the alert, Google listed 10 malware samples and related SHA256 hashes, and recommended all affected smart-device vendors rotate their platform certificates.
"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future," the AVPI said.
Running the various malware samples through Google's VirusTotal shows that third-party security vendors have flagged the samples as info stealers, downloaders, backdoors, HiddenAds malware, Metasploit, dropper malware, and other Trojans.
"OEM partners promptly implemented mitigation measures as soon as we reported the key compromise," a Google spokesperson told The Register. "End users will be protected by user mitigations implemented by OEM partners."
Google's Build Test Suite, which scans system images, along with Google Play Protect can detect the malware, according to the spokesperson.
- Google warns about commercial Heliconia spyware hitting Chrome, Firefox and Microsoft Defender
- Almost 300 predatory loan apps found in Google and Apple stores
- Intruders gain access to user data in LastPass incident
- Android users in 12 US states cleared to sue Google Play
"There is no indication that this malware is or was on the Google Play Store," the spokesperson added. "As always, we advise users to ensure they are running the latest version of Android."
As of Dec. 1, however, some of the leaked certificates were still being used to sign apps, according to Android security maven Mishaal Rahman.
"You can't trust that an app has been signed by the legitimate vendor/OEM if their platform certificate was leaked," he cautioned. "Do not sideload those apps from third-party sites/outside of Google Play or trusted OEM store." ®