A report from Google’s Android security team revealed that several Android platform certificates were abused to sign malicious apps, letting those apps gain root privileges on the device.
Platform certificates are the trusted signing keys that each device OEM owns and uses to sign its core apps. Abusing them to sign malware-laced apps therefore grants that malware the same root access as legitimate apps, putting users at risk.
Abusing the Android Platform Certificates
For those unfamiliar: every device OEM holds certain trusted certificates used to sign its core apps on the platform, much like authenticating a document with a signature. Apps signed with them are granted root privileges over the system’s internals so they can do their job.
These certificates are now being abused by threat actors: a reverse engineer on Google’s Android Security team spotted several malware apps signed with the trusted platform certificates of legitimate OEMs.
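As an added example (not code from the article or from the APVI report), here is a Python check a defender can run over APK samples: it parses the v1 signature block’s PKCS#7 structure, fingerprints the embedded signer certificates and flags any that match a tracked OEM platform certificate. The fingerprint table, the sample certificate and the sample APK are constructed placeholders, and the parser covers JAR (v1) signatures only, so v2/v3-only APKs must be checked with apksigner.

```python
import hashlib, io, zipfile
# SHA-256 of the DER OEM platform certs you track (placeholder: the article names none).
PLATFORM_CERT_SHA256 = {"<sha256-of-oem-platform-cert>": "EXAMPLE-OEM"}
def _der(tag, payload):  # encode one DER TLV (short or two-byte long-form length)
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + payload
def _tlv(buf, pos):  # decode the TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):  # yield (tag, tlv_start, value_start, value_end)
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, start, vs, ve
        start = ve
def signer_certs(pkcs7):
    """Raw DER certificates carried in a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, s, e = _tlv(pkcs7, 0)                                           # ContentInfo
    content = next(c for c in _children(pkcs7, s, e) if c[0] == 0xA0)  # content [0] EXPLICIT
    _, s, e = _tlv(pkcs7, content[2])                                  # SignedData
    return [pkcs7[ts:ce] for tag, _, vs, ve in _children(pkcs7, s, e) if tag == 0xA0  # certificates [0]
            for t, ts, _, ce in _children(pkcs7, vs, ve) if t == 0x30]
def apk_signer_fingerprints(apk_bytes):
    """SHA-256 of every v1 (JAR) signer certificate; a v2/v3-only APK yields none."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(hashlib.sha256(c).hexdigest() for c in signer_certs(z.read(name)))
    return fps
def platform_signed_by(apk_bytes):  # OEMs whose tracked platform certificate signed this APK
    return sorted(PLATFORM_CERT_SHA256[f] for f in apk_signer_fingerprints(apk_bytes) if f in PLATFORM_CERT_SHA256)

# Constructed sample: a stand-in "certificate" (a bare SEQUENCE, not real X.509) inside a
# minimal SignedData, zipped like an APK. A real signature block parses the same way.
SAMPLE_CERT = _der(0x30, _der(0x04, b"constructed sample platform cert"))
PLATFORM_CERT_SHA256[hashlib.sha256(SAMPLE_CERT).hexdigest()] = "CONSTRUCTED-SAMPLE-OEM"
def build_sample_apk(signed=True):
    data_oid, signed_oid = (_der(0x06, bytes.fromhex("2a864886f70d0107" + x)) for x in ("01", "02"))
    signed_data = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, data_oid)
                       + _der(0xA0, SAMPLE_CERT) + _der(0x31, b""))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if signed:
            z.writestr("META-INF/CERT.RSA", _der(0x30, signed_oid + _der(0xA0, signed_data)))
    return buf.getvalue()
```

Any package name that is not on the OEM’s own allowlist but comes back from platform_signed_by is worth a closer look, since a platform-signed app is exactly what this incident abused.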
New APVI entry: platform certificates used to sign malware
Found by yours truly 🙂 https://t.co/qiFMJW111A
As noted in the Android Partner Vulnerability Initiative (APVI) issue tracker, the malware samples below were signed using ten Android platform certificates; why the attackers did so is unknown.
com.russian.signato.renewis
com.sledsdffsjkh.Search
com.android.power
com.management.propaganda
com.sec.android.musicplayer
com.houla.quicken
com.attd.da
com.arlo.fappx
com.metasploit.stage
com.vantage.ectronic.cornmuni
There is no information on how the threat actors obtained these certificates, whether through a leak by an insider at one of the companies or by other means. A search by BleepingComputer on VirusTotal revealed that some of the abused platform certificates belong to Samsung Electronics, LG Electronics, Revoview, and Mediatek.
Apps signed with these OEMs’ platform certificates include HiddenAd trojans, information stealers, Metasploit, and malware droppers, which can be used to siphon device users’ sensitive data and even deliver additional malware.
While Google informed all affected vendors about this incident and asked them to rotate their platform certificates, Samsung may have ignored the request, as its platform certificates are still being abused to digitally sign apps.