Platform signing certificates belonging to Android smartphone manufacturers such as Samsung and LG have been compromised. These keys have been used to digitally sign malware and give it access to the device's operating system. Here is how to protect yourself from this threat.
To sign the ROM images that contain the Android operating system, smartphone manufacturers use platform certificates. An application signed with the same platform certificate can declare the shared user ID android.uid.system in its manifest (android:sharedUserId="android.uid.system") and is then run as the system user.
This grants it permissions that other applications cannot obtain. In particular, it allows managing incoming calls, collecting data on the device, installing or removing packages, and many other highly sensitive actions.
In short, any application signed with this certificate and assigned the identifier android.uid.system gains access to the system and to permissions that should be reserved for the operating system itself.
Now several platform certificates have been compromised and used to sign Android applications containing malware. This was revealed in a report published under the Android Partner Vulnerability Initiative (APVI) by Lukasz Siewierski of Google's Android security team.
New APVI entry: Platform certificates for signing malware
Sincerely found 🙂https://t.co/qiFMJW111A
— Lukasz (@[email protected]) (@maldr0id) November 30, 2022
The researcher discovered several malware samples signed with ten different Android platform certificates. For now, it is not known how these certificates came to be misused.
It is possible that one or more cyber criminals managed to steal them, or that an insider at a manufacturer with access to the keys signed the APKs. The report also does not say whether the malware samples were found on the Google Play Store or were distributed through unofficial third-party platforms.
Siewierski provided the package names of ten malware samples signed with the platform keys; they are listed below:
- com.russian.signato.renewis
- com.sledsdffsjkh.Search
- com.android.power
- com.management.propaganda
- com.sec.android.musicplayer
- com.houla.quicken
- com.attd.da
- com.arlo.fappx
- com.metasploit.stage
- com.vantage.electronic.cornmuni
Leaked certificates from Samsung, LG, Revoview and MediaTek
Searching VirusTotal shows that some of the compromised certificates belong to Samsung Electronics, LG Electronics, Revoview and MediaTek.
Examples of malware signed with these certificates include Trojan horses, information stealers and droppers that attackers can use to deliver further malware onto compromised devices.
All affected vendors have been notified by Google and invited to rotate their platform certificates. They have also been asked to investigate how the incident happened and to minimize the number of applications signed with their platform keys, so that the incident does not repeat itself.
How do you protect your smartphone from signed malware?
For an overview of all Android applications signed with these compromised certificates, you can use APKMirror, which lists the apps signed with the Samsung certificate and, separately, the apps signed by LG.
We note that after this certificate compromise, some Android smartphone manufacturers unfortunately did not follow Google's recommendations. Samsung's key, for instance, is still in use to digitally sign applications.
For its part, Google says it has added detection of compromised certificates to the Android Build Test Suite, which is used to scan system images. Detection of this malware has also been added to Google Play Protect.
The company also assures that end users are protected by the mitigations quickly implemented by the smartphone manufacturers after the issue was reported.
There is currently no indication that the malware was or is on the Google Play Store. In any case, Android smartphone users are advised to make sure they have installed the latest version of the operating system.
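Beyond the APKMirror lists, an APK can be checked directly: the platform certificate is simply the certificate in the APK's signature block, and its SHA-256 fingerprint is what tools such as `apksigner verify --print-certs` report. The following Python script is an added example, not code from the original article or from Google's report: it extracts the certificate from the v1 (JAR) signature under META-INF, fingerprints it, and compares it with a block list of compromised platform certificates. The fingerprint on the block list is a constructed placeholder (the real ones are in the APVI entry), and the sample APK the script builds for itself is constructed too. It only reads the v1 signature; an app signed solely with the v2/v3 scheme keeps its certificate in the APK Signing Block, where `apksigner verify --print-certs` remains the practical tool.

```python
"""Added example: fingerprint the certificate in an APK's v1 (JAR) signature
and compare it with a block list of compromised platform certificates.
Standard library only; the DER walker understands just enough PKCS#7."""
import hashlib
import io
import sys
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_encode(tag, value):
    """Encode one DER TLV (used to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_decode(buf, pos):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def certificates_from_pkcs7(der):
    """DER bytes of every certificate carried in a PKCS#7 signedData block.

    ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                               certificates [0] IMPLICIT OPTIONAL, ... }
    """
    tag, pos, _ = der_decode(der, 0)                   # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, e = der_decode(der, pos)                   # contentType
    if tag != 0x06 or der[s:e] != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 signedData")
    _, pos, _ = der_decode(der, e)                     # [0] EXPLICIT wrapper
    _, pos, _ = der_decode(der, pos)                   # SignedData SEQUENCE
    for _ in range(3):                                 # version, digestAlgorithms, encapContentInfo
        _, _, pos = der_decode(der, pos)
    tag, s, e = der_decode(der, pos)
    if tag != 0xA0:                                    # certificates are OPTIONAL
        return []
    certs, p = [], s
    while p < e:
        tag, _, ce = der_decode(der, p)
        if tag == 0x30:                                # Certificate ::= SEQUENCE
            certs.append(der[p:ce])                    # whole TLV: that is what gets hashed
        p = ce
    return certs


def fingerprint(cert_der):
    """SHA-256 over the DER certificate, as apksigner --print-certs reports it."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_fingerprints(apk_bytes):
    """Fingerprints of every certificate found in META-INF/*.RSA|*.DSA|*.EC."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.add(fingerprint(cert))
    return fps


# Constructed stand-in for a leaked platform certificate: just a DER SEQUENCE,
# not a real X.509 certificate. Replace the block list with the real
# fingerprints from the APVI entry before using this for triage.
FAKE_PLATFORM_CERT = der_encode(0x30, der_encode(0x13, b"CN=constructed platform cert"))
COMPROMISED_CERT_SHA256 = {fingerprint(FAKE_PLATFORM_CERT)}


def compromised_signers(apk_bytes):
    """Fingerprints of this APK's signers that are on the block list."""
    return signer_fingerprints(apk_bytes) & COMPROMISED_CERT_SHA256


def build_sample_apk(cert_der):
    """Constructed APK: a zip carrying a minimal PKCS#7 SignedData in META-INF/CERT.RSA."""
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                          # version
        + der_encode(0x31, b"")                            # digestAlgorithms (empty SET)
        + der_encode(0x30, der_encode(0x06, OID_DATA))     # encapContentInfo
        + der_encode(0xA0, cert_der)                       # certificates [0] IMPLICIT
        + der_encode(0x31, b""))                           # signerInfos (empty)
    content_info = der_encode(0x30, der_encode(0x06, OID_SIGNED_DATA) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(FAKE_PLATFORM_CERT)
    print("compromised platform signer:", sorted(compromised_signers(data)) or "none")
```

A hit from this check means the APK was signed with a leaked platform key, which is what lets it claim android.uid.system; it does not by itself prove the app is malicious, since legitimate vendor apps were signed with the same keys before rotation, so treat it as a triage signal and look at the package name and the app's origin as well.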