On Android, not all apps have the same privileges and the same level of access to your phone. The operating system isolates apps by running each one under its own Linux user ID (UID) and gates sensitive functionality behind permissions. That whole system leans on code-signing certificates: every app is signed with its developer’s certificate, and the core system packages are signed with the device maker’s platform certificate, which is how Android tells legitimate system software (and legitimate Android builds) from an impostor. The problem starts when such a certificate leaks, or more precisely the private key behind it, because bad actors can then sign their malware so that it looks like a legitimate system app. That is exactly what appears to have happened to a number of vendor platform certificates, which are in circulation and being used by bad actors.
Spotted by Google malware reverse engineering expert Łukasz Siewierski (via Mishaal Rahman), the certificates in question are platform certificates: the certificate used to sign the “android” framework package that is part of every phone, and which manufacturers also use to sign individual applications of their own. The problem is that this core Android package runs with the highest level of access the system offers, which gives it almost unlimited access to user data. Since it is essentially what makes your phone work in the first place, that makes sense. That is why it’s a big problem when malware authors get their hands on the platform certificate: any app signed with it can request the same system user ID and the signature-level permissions that the core Android package holds.
Malicious applications could access the system without user interaction
Malware signed with one of these certificates can gain elevated access to the system without any user interaction. Usually, Android malware has to go out of its way to ask users to grant it extra permissions, such as access to accessibility services, which it then abuses to extract data and information from other apps. Malware that carries the same signature as the core Android package doesn’t need to jump through those hoops. It can also pose as a trusted pre-installed app and present itself to users as an update, making the problem even harder to spot.
As reported through Google’s Android Partner Vulnerability Initiative (APVI), a handful of platform certificates have leaked, including some from Samsung, LG, Xiaomi, MediaTek, and other smaller vendors. Fortunately, it seems that most of them are not actively in use. Android Police founder and APK Mirror owner Artem Russakovskii searched his platform to see which of the affected certificates had been used to sign apps uploaded to APK Mirror, and it appears that only two have recently been used by vendors: Samsung’s and LG’s. For Samsung this is a particularly big issue, because the company appears to have signed hundreds of apps with the leaked certificate, a problem compounded by the fact that it is the largest Android maker. This is exactly why Google recommends that manufacturers limit the use of their platform certificate to as few apps as possible.
However, the apps uploaded to the platform are unlikely to be malware, as APK Mirror mostly receives uploads from long-term, trusted contributors, and the site will likely introduce measures to counter any potential issues resulting from this incident. Nevertheless, you should refrain from downloading Samsung and LG apps from outside the Play Store or other official sources for now, if only out of caution.
Interestingly, a search on VirusTotal reveals that some of the LG and Samsung certificates have been used by confirmed malware since 2016. It is not known whether the leak went undetected all this time or whether other pieces of the story are still missing. We asked Samsung about it, and the company told us the following without going into detail: “Samsung takes the security of Galaxy devices seriously. We have released security patches since 2016 after being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend users to keep their devices updated with the latest software updates.”
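As an added example (not code from the article, from APK Mirror, or from Google), here is the kind of check Artem’s search performs, done locally: a POSIX shell script that pulls the signer fingerprint(s) out of the output of `apksigner verify --print-certs` (the tool ships with the Android SDK build-tools) and compares them with a deny-list of leaked platform-certificate fingerprints. The fingerprints in the deny-list and the sample apksigner output are constructed placeholders; the real SHA-256 digests of the leaked certificates are listed in the APVI report and are not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the article: flag APKs whose signing certificate
# is on a deny-list of leaked platform certificates.
# The deny-list entries and the sample output below are CONSTRUCTED
# placeholders; replace them with the SHA-256 digests from the APVI report.
set -eu

LEAKED_CERT_SHA256="
0000000000000000000000000000000000000000000000000000000000000001
0000000000000000000000000000000000000000000000000000000000000002
"

# Read `apksigner verify --print-certs` output on stdin and print only the
# hex SHA-256 digest of each signer certificate, lowercased, one per line.
extract_sha256() {
    sed -n 's/^Signer #[0-9]* certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f'
}

# Return 0 if the given fingerprint is on the deny-list, 1 otherwise.
is_leaked_cert() {
    fp=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for known in $LEAKED_CERT_SHA256; do
        [ "$known" = "$fp" ] && return 0
    done
    return 1
}

# Read apksigner output on stdin, print "LEAKED <fp>" or "ok <fp>" per signer,
# and return 0 only if no signer matches the deny-list.
classify_signers() {
    status=0
    for fp in $(extract_sha256); do
        if is_leaked_cert "$fp"; then
            echo "LEAKED $fp"
            status=1
        else
            echo "ok $fp"
        fi
    done
    return $status
}

# Check a real APK; requires apksigner from the Android SDK build-tools on PATH.
check_apk() {
    apksigner verify --print-certs "$1" | classify_signers
}

# Constructed sample in the format apksigner prints, so the script can be run
# without an APK or the SDK installed. The second deny-list entry is used here.
SAMPLE_OUTPUT='Signer #1 certificate DN: C=US, O=Example Vendor, CN=platform
Signer #1 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000002
Signer #1 certificate SHA-1 digest: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Signer #1 certificate MD5 digest: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'

if [ "$#" -gt 0 ]; then
    check_apk "$1"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | classify_signers || echo "deny-listed signer found"
fi
```

Run it as `sh check_cert.sh some.apk` to check a real file, or with no arguments to exercise it on the built-in sample. An APK can carry several signers (v3 rotation lineages, or multiple v1 signers), which is why the script classifies every `Signer #N` line rather than just the first one.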
The issue should be mostly resolved now.
Affected Android manufacturers have already fixed the issue, as the Android Security Team writes:
OEM partners quickly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.
To limit the damage from such leaks in the future, manufacturers should rotate their signing keys regularly. Android supports several versions of its APK signature scheme, each with a different feature set, and only the newest, v3, supports key rotation: the new key is tied to the old one through a signed lineage (the proof of rotation), so a signing key can be replaced with a new one as part of a regular app update. The older v2 scheme, which is also still in use, does not support this. For devices still relying on v2, manufacturers have to ship a security patch update that makes the device accept a new platform certificate in place of the compromised one.
As this vulnerability was only revealed this week, there are still a lot of unknowns. It’s odd that Samsung’s and LG’s certificates appear to have leaked back in 2016, six years ago, and it’s also unclear exactly how they leaked. Security-critical assets like this should receive the highest level of protection, so it’s critical that the affected companies find out exactly how malicious actors were able to obtain these certificates and what else they may have gotten their hands on.
For what it’s worth, most affected parties have already patched or are working on fixes. The report was filed in May 2022 and has only been made public now; it is marked as fixed in Google’s issue tracker.
This is still a cautionary tale about downloading totally unknown apps and sideloading APKs. Even when a platform like APK Mirror takes every possible precaution to protect its users, checking uploads against the same signatures and checksums as the versions on the Play Store, there is still a small chance that an attack like this slips through. Security on the Play Store itself isn’t perfect either: a small amount of malware still manages to slip through the cracks on Google’s platform, so at the end of the day it comes down to common sense and trusting your instincts.
UPDATED: 2022/12/02 11:24 EST BY MANUEL VONAU
The article has been updated with a statement from the Android Security Team.