Posted on December 5, 2022 at 11:23 AM
Platform certificates that are used by Android smartphone vendors such as Samsung, LG, and MediaTek are being abused to sign malicious applications. A Google reverse engineer, Lukasz Siewierski, first detected this.
Platform certificates used by Android smartphone vendors abused
Android devices have been top targets for malicious actors because of the popularity of these devices. The abuse of platform certificates is the latest addition to the tactics that threat actors use to access these devices without authorization.
According to an Android Partner Vulnerability Initiative report, a platform certificate is an application signing certificate. It is used to sign the Android applications on the system image. It further adds that “the android application runs with a highly privileged user id – android.uid.system – and holds system permissions, including access to user data.”
This means that a malicious application signed with the same certificate gains the same high level of privilege as the operating system's own components, which allows it to access sensitive information on the affected device.
Malicious applications signed with these certificates can cause significant harm to the Android device, as they can harvest sensitive user data that can later be used to conduct further malicious attacks, such as phishing campaigns. Such campaigns can be detrimental to users and even organizations.
The report included a list of malicious Android apps that have abused the certificates. These apps include com.russian.signato.renewis, com.sledsdffsjkh.Search, com.android.power, com.management.propaganda, com.sec.android.musicplayer, com.houla.quicken, com.attd.da, com.arlo.fappx, com.metasploit.stage and com.vantage.ectronic.cornmuni.
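The privilege model described above (any APK carrying the platform signer runs as android.uid.system) suggests a simple defender-side triage: an app signed with the vendor's platform certificate but installed outside the system partitions is anomalous, and so is any package whose name appears in the report's list. The following Python helper is an added example, not code from the article or the APVI report; it assumes the line format of `apksigner verify --print-certs` and uses a placeholder digest where the real platform-certificate fingerprint would go.

```python
import re

# Partitions where platform-signed (system image) apps legitimately live.
SYSTEM_PARTITIONS = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/")

# Package names taken from the APVI report as quoted in the article above.
REPORTED_PACKAGES = {
    "com.russian.signato.renewis", "com.sledsdffsjkh.Search", "com.android.power",
    "com.management.propaganda", "com.sec.android.musicplayer", "com.houla.quicken",
    "com.attd.da", "com.arlo.fappx", "com.metasploit.stage",
    "com.vantage.ectronic.cornmuni",
}

# PLACEHOLDER: the page does not give the leaked certificates' digests.
# Replace with the SHA-256 fingerprint(s) of your device vendor's platform cert.
PLATFORM_SIGNERS = {"00" * 32}

# Assumed format of `apksigner verify --print-certs` output lines.
_DIGEST_RE = re.compile(r"certificate SHA-256 digest: ([0-9a-fA-F]{64})")


def signer_digests(apksigner_output):
    """Extract every signer SHA-256 digest from apksigner's --print-certs output."""
    return {d.lower() for d in _DIGEST_RE.findall(apksigner_output)}


def triage(package, apk_path, apksigner_output):
    """Return the list of reasons an installed APK deserves a closer look."""
    reasons = []
    if package in REPORTED_PACKAGES:
        reasons.append("package name listed in the APVI report")
    platform_signed = bool(signer_digests(apksigner_output) & PLATFORM_SIGNERS)
    if platform_signed and not apk_path.startswith(SYSTEM_PARTITIONS):
        reasons.append("platform-signed but installed outside the system partitions")
    return reasons


# Constructed sample of apksigner output for an APK carrying the placeholder signer.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Android, O=Android\n"
    "Signer #1 certificate SHA-256 digest: " + "00" * 32 + "\n"
    "Signer #1 certificate SHA-1 digest: " + "11" * 20 + "\n"
)

if __name__ == "__main__":
    print(triage("com.metasploit.stage", "/data/app/x/base.apk", SAMPLE_OUTPUT))
    print(triage("com.android.settings", "/system/priv-app/Settings/Settings.apk", SAMPLE_OUTPUT))
```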
Despite the discovery outlined in this report, there is no evidence showing how these artifacts were detected. Moreover, no details indicate whether these artifacts were used as part of a malicious campaign. Therefore, there is no telling whether some Android users have already fallen victim to these apps, which have the privilege of collecting sensitive user data.
When the samples are searched on VirusTotal, it shows that they have already been flagged by antivirus software. The detections that these antivirus solutions report include adware, HiddenAds, information stealers and downloaders. They have also been flagged by solutions that detect hidden malware, which could mean that the devices using these antivirus solutions have been protected.
However, given that the research scope is limited, no details show whether some users who did not implement antivirus solutions might have been affected by the malicious activities.
Google says it informed all affected vendors
While the researchers’ report has not mentioned whether any Android users have been affected by the malicious apps, Google has said there is no evidence that these apps were published on its app marketplace, Google Play Store.
When reached for comment, Google also said it had notified all the affected vendors of the exploit. It said that it advised these vendors to rotate the certificates to reduce the possibility of a breach being conducted using these certificates and the possibility that these apps can harvest sensitive user credentials.
The company also added that some vendors had already changed their certificates to prevent any harm caused by the malicious apps. It said that the OEM partners had adopted mitigation measures as soon as Google reported the key compromise.
The company also added that end users would be protected by the mitigation strategies that OEM partners had implemented. This means there is a reduced chance that any Android users will be affected by this exploit. The mitigation measures will also reduce the chances of a similar exploit happening in the future.
Google also pointed to the different measures it had taken to identify malware on the platform and ensure that Android users do not fall victim to malicious attacks. The company said that it uses its Build Test Suite to detect any malware on the system. It further added that there was no proof that the malicious apps were ever distributed through the Google Play Store, adding that users can best protect themselves through regular updates.
“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android,” Google added.