Compromised Android platform certificate keys from device makers including Samsung, LG and Mediatek are being used to sign malware and deploy spyware, among other software nasties.
Googler Łukasz Siewierski found and reported the security issue and it’s a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of privileges as the Android operating system — essentially unfettered access to the victim’s device.
As explained in an Android Partner Vulnerability Initiative (AVPI) security alert:
Also in the alert, Google listed 10 malware samples and related SHA256 hashes, and recommended all affected smart-device vendors rotate their platform certificates.
“We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future,” the AVPI said.
Running the various malware samples through Google’s VirusTotal shows that third-party security vendors have flagged the samples as info stealers, downloaders, backdoors, HiddenAds malware, Metasploit, dropper malware, and other Trojans.
“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise,” a Google spokesperson told The Register. “End users will be protected by user mitigations implemented by OEM partners.”
Google’s Build Test Suite, which scans system images, along with Google Play Protect can detect the malware, according to the spokesperson.
“There is no indication that this malware is or was on the Google Play Store,” the spokesperson added. “As always, we advise users to ensure they are running the latest version of Android.”
As of Dec. 1, however, some of the leaked certificates were still being used to sign apps, according to Android security maven Mishaal Rahman.
“You can’t trust that an app has been signed by the legitimate vendor/OEM if their platform certificate was leaked,” he cautioned. “Do not sideload those apps from third-party sites/outside of Google Play or trusted OEM store.” ®
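Rahman's point is that a valid signature proves nothing once the platform key has leaked, so a defender's check has to compare the signer certificate itself against the compromised ones rather than merely verifying that the signature is good. The script below is an added illustration, not Google's, the AVPI's or any OEM's tooling: it opens an APK, pulls the signer certificate out of the v1 (JAR) signature block in `META-INF/`, computes the SHA-256 fingerprint of the DER certificate (the same value `apksigner verify --print-certs` reports) and looks it up in a blocklist. The blocklist contents, the sample certificate and the sample APK are all constructed placeholders, because the alert quoted above lists malware sample hashes rather than certificate fingerprints in this article. A match means the signer cannot be trusted, which is exactly the situation the article describes; it does not by itself say the app is malicious, and it says nothing about apps signed only with the newer v2/v3 scheme, which this minimal parser does not read.

```python
"""Flag APKs whose v1 signer certificate matches a known-leaked platform certificate.

Added example, not Google/AVPI tooling. All certificates and fingerprints below are
constructed placeholders, not real Samsung/LG/MediaTek keys.
"""
import hashlib
import io
import zipfile


def der_tlv(data, offset):
    """Parse one DER tag-length-value at `offset`; return (tag, value_start, value_end)."""
    tag = data[offset]
    i = offset + 1
    length = data[i]
    i += 1
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[i:i + n], "big")
        i += n
    return tag, i, i + length


def der_children(data, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV inside [start, end)."""
    off = start
    while off < end:
        tag, vs, ve = der_tlv(data, off)
        yield tag, off, vs, ve
        off = ve


def first_cert_from_pkcs7(blob):
    """Return the DER bytes of the first certificate in a PKCS#7 SignedData (META-INF/*.RSA).

    Layout walked: ContentInfo SEQ { OID, [0] { SignedData SEQ { ..., [0] certs { Certificate SEQ } } } }
    """
    tag, vs, ve = der_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("not a ContentInfo SEQUENCE")
    content = next((c for c in der_children(blob, vs, ve) if c[0] == 0xA0), None)
    if content is None:
        raise ValueError("ContentInfo carries no [0] content")
    sd_tag, sd_vs, sd_ve = der_tlv(blob, content[2])
    if sd_tag != 0x30:
        raise ValueError("content is not a SignedData SEQUENCE")
    certs = next((c for c in der_children(blob, sd_vs, sd_ve) if c[0] == 0xA0), None)
    if certs is None:
        raise ValueError("SignedData carries no certificates")
    for ctag, coff, _, cve in der_children(blob, certs[2], certs[3]):
        if ctag == 0x30:
            return blob[coff:cve]          # whole TLV: that is what the fingerprint covers
    raise ValueError("no certificate in certificate set")


def cert_sha256(cert_der):
    """SHA-256 fingerprint over the DER certificate, as keytool/apksigner print it."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every v1 signer certificate found in the APK (v2/v3 blocks not parsed)."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.add(cert_sha256(first_cert_from_pkcs7(z.read(name))))
    return fps


def classify(apk_bytes, leaked_fingerprints):
    """'LEAKED_PLATFORM_CERT' if any signer is on the blocklist, else a neutral verdict."""
    fps = apk_signer_fingerprints(apk_bytes)
    if not fps:
        return "no-v1-signature"          # would need the APK Signing Block for v2/v3
    return "LEAKED_PLATFORM_CERT" if fps & leaked_fingerprints else "not-on-blocklist"


# --- constructed sample data (hypothetical, for running the check offline) -------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Stand-in for a Certificate SEQUENCE; deliberately not a real X.509 structure.
SAMPLE_CERT_DER = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x13, b"CONSTRUCTED PLACEHOLDER CERT"))
_OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
_OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
_SIGNED_DATA = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x31, b"") + _tlv(0x30, _tlv(0x06, _OID_DATA))
                + _tlv(0xA0, SAMPLE_CERT_DER) + _tlv(0x31, b""))
SAMPLE_PKCS7 = _tlv(0x30, _tlv(0x06, _OID_SIGNED_DATA) + _tlv(0xA0, _SIGNED_DATA))
PLACEHOLDER_LEAKED = {cert_sha256(SAMPLE_CERT_DER)}     # real list would come from the AVPI alert


def build_sample_apk(pkcs7):
    """Minimal in-memory APK carrying only a v1 signature block (constructed, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    print(classify(build_sample_apk(SAMPLE_PKCS7), PLACEHOLDER_LEAKED))
```

Replace `PLACEHOLDER_LEAKED` with the certificate fingerprints published for the incident and point `classify` at APKs pulled from a device or an update feed; on a real APK the certificate returned by `first_cert_from_pkcs7` is a genuine X.509 structure, and the fingerprint will agree with what `apksigner verify --print-certs` shows, so the two can be cross-checked.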