Platform certificates that Android device vendors use to digitally sign their system applications have been misused by malicious parties to sign apps that contain malware. Android original equipment manufacturers (OEMs) Samsung, LG, and MediaTek are among the major vendors affected, along with Revoview and Szroco.
Łukasz Siewierski, a reverse engineer on Google’s Android security team, posted on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing the misuse of OEM platform certificates to pass off malicious apps as legitimate.
A platform certificate, also called a platform key, “is the application signing certificate used to sign the ‘android’ application on the system image. The ‘android’ application runs with a privileged user ID – android.uid.system – and holds system permissions, including permissions to access user data,” Siewierski wrote on APVI.
Any other app signed with the same certificate can declare that it wants to run with the same user ID (via android:sharedUserId in its manifest), giving it the same level of access to the Android operating system.
With malware signed with a legitimate platform certificate, threat actors essentially hand themselves the keys to the entire device, including unfettered access to stored data. They can also push malware disguised as an update to an existing application without the target user or the device’s built-in protections noticing, since the malicious package carries a valid signature from the platform certificate.
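The two signals that matter for triaging an APK against this abuse are the SHA-256 digest of its signing certificate (which can be compared against the leaked certificates, and is also the value APKMirror lets you search on) and whether its manifest requests android.uid.system. The script below is an added example, not code from the APVI report or from Google; it parses the text that `apksigner verify --print-certs` prints and a decoded AndroidManifest.xml (the manifest inside an APK is binary XML, so decode it with apktool or `aapt dump xmltree` first). The certificate digests, DN, package name and sample outputs are constructed placeholders, not the real leaked certificates.

```python
"""Triage an APK for abuse of a leaked OEM platform certificate.

Added example (not the APVI report's or Google's code). Inputs are the
output of `apksigner verify --print-certs` and a decoded manifest.
"""
import re
import xml.etree.ElementTree as ET

# Constructed placeholder digests standing in for leaked platform
# certificates. The real values are the SHA-256 of the DER-encoded
# certificate as published in the APVI report; substitute them here.
LEAKED_PLATFORM_CERT_SHA256 = {
    "samsung": "aa" * 32,   # placeholder, NOT Samsung's real certificate hash
    "lg": "bb" * 32,        # placeholder, NOT LG's real certificate hash
}

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Line formats emitted by `apksigner verify --print-certs`.
_DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.*)$")
_SHA256_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$")


def parse_apksigner_certs(text):
    """Map signer index -> {"dn": ..., "sha256": ...} from apksigner output."""
    signers = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _DN_RE.match(line)
        if m:
            signers.setdefault(int(m.group(1)), {})["dn"] = m.group(2)
            continue
        m = _SHA256_RE.match(line)
        if m:
            signers.setdefault(int(m.group(1)), {})["sha256"] = m.group(2).lower()
    return signers


def shared_user_id(manifest_xml):
    """Return the android:sharedUserId the manifest requests, or None."""
    root = ET.fromstring(manifest_xml)
    return root.get(f"{{{ANDROID_NS}}}sharedUserId")


def assess(apksigner_output, manifest_xml):
    """Combine both signals into a triage verdict.

    critical  : signed with a leaked platform cert AND asks for the system UID
    suspicious: signed with a leaked platform cert
    review    : asks for the system UID (legitimate only for the OEM's own apps)
    clean     : neither signal present
    """
    signers = parse_apksigner_certs(apksigner_output)
    present = {s.get("sha256") for s in signers.values()}
    leaked_by = [vendor for vendor, digest in LEAKED_PLATFORM_CERT_SHA256.items()
                 if digest in present]
    uid = shared_user_id(manifest_xml)
    wants_system = uid == "android.uid.system"
    if leaked_by and wants_system:
        verdict = "critical"
    elif leaked_by:
        verdict = "suspicious"
    elif wants_system:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "leaked_cert_vendors": leaked_by,
            "shared_user_id": uid, "signers": signers}


# Constructed sample inputs (placeholder DN, digests and package name).
SAMPLE_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=Platform, O=Example OEM, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'aa' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n"
    f"Signer #1 certificate MD5 digest: {'00' * 16}\n"
)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update"
    android:sharedUserId="android.uid.system">
    <application android:label="Update" />
</manifest>
"""
CLEAN_APKSIGNER_OUTPUT = (
    "Signer #1 certificate DN: CN=Indie Dev, O=Example, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'cc' * 32}\n"
)
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game"><application /></manifest>"""

if __name__ == "__main__":
    print(assess(SAMPLE_APKSIGNER_OUTPUT, SAMPLE_MANIFEST)["verdict"])  # critical
    print(assess(CLEAN_APKSIGNER_OUTPUT, CLEAN_MANIFEST)["verdict"])    # clean
```

On a real device the same check can be driven from `adb shell pm path <package>` followed by `adb pull` and `apksigner verify --print-certs` on the pulled APK; a package that is not the OEM's own yet reports "critical" is exactly the pattern described above.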
Google listed ten malware samples along with their SHA-256 hashes. It is not clear, however, exactly how the abused platform certificates were leaked, where the malicious apps were found, or whether they were ever distributed on the Google Play Store, third-party stores, or APK distribution sites.
Among the malware-laden apps were the packages listed below. These applications contained information stealers, malware droppers, Trojans (HiddenAd), and a Metasploit stager.
- com.russian.signato.renewis
- com.sledsdffsjkh.Search
- com.android.power
- com.management.propaganda
- com.houla.quicken
- com.attd.da
- com.metasploit.stage
Artem Russakovskii of APKMirror found that some of the malware samples signed with Samsung’s platform certificate date back to 2016.
Did the Samsung leak, for example, happen 6 years ago??????https://t.co/iB0iSxHYUZ
Is this an isolated incident of some kind, a false positive, or are there more cases? I can’t figure out how to search @tweet for all matches of a given signature – only 1 is shown. pic.twitter.com/Tf8g5T4ebo
– Artem Russakovskii 🇺🇦 (@ArtemR) December 1, 2022
“Samsung takes the security of Galaxy devices very seriously. We have released security patches since 2016 after becoming aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices updated with the latest software updates.”
Samsung’s statement raises more questions than it answers, however, such as whether the company was waiting for a security incident before patching, or how exactly the South Korean giant fixed the issue.
Google, for its part, said it has notified all affected vendors and that appropriate remediation measures have been taken. “All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. In addition, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from occurring in the future,” Google said.
“We also strongly recommend reducing the number of applications signed with the platform certificate, as this will significantly reduce the cost of platform key rollover in the event of a similar incident in the future.”
To find other apps signed with a given vendor’s platform certificate, replace the SHA-256 hash in the search field on the APKMirror page with that vendor’s certificate hash.