Hackers have embedded leaked Samsung, MediaTek and LG certificates into Android devices

News Summary:

  • The abuse of platform certificates was discovered by Łukasz Siewierski, an engineer on the Android security team. Siewierski found multiple malware samples signed with these certificates and published the SHA256 hash of each. It is not yet clear what led to the abuse: whether the certificates were stolen by an attacker, or whether an insider with the necessary access signed the malicious APKs.

  • According to Google, Android device OEMs use a special certificate (the platform certificate) to sign the device’s main ROM image, which includes the operating system itself and its bundled applications. When an application is signed with this certificate and declares the highly privileged android.uid.system shared user ID, it runs with system-level access to the device. Such privileges include sensitive permissions not normally granted to applications: managing calls in progress, installing or removing packages, collecting device information, and other similar actions.
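
The triage logic below is an added example, not code from the report or from Google: it shows how a defender could rank installed packages given a denylist of leaked platform-certificate fingerprints, a signer fingerprint per package (as printed by `apksigner verify --print-certs`), the install path (as listed by `pm list packages -f`) and the declared sharedUserId. The fingerprints and package records are constructed placeholders; the partition list and the scoring thresholds are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed stand-in for a leaked OEM platform certificate fingerprint
# (placeholder only; the real hashes are in the original report).
LEAKED_PLATFORM_FINGERPRINTS = {
    hashlib.sha256(b"constructed-oem-platform-cert").hexdigest(),
}
SYSTEM_SHARED_UID = "android.uid.system"
# Assumption: partitions holding the OEM ROM image on a typical device.
ROM_PARTITIONS = ("/system/", "/system_ext/", "/vendor/", "/product/")


@dataclass
class PackageRecord:
    package: str
    apk_path: str                   # from `pm list packages -f`
    signer_sha256: str              # from `apksigner verify --print-certs`
    shared_user_id: Optional[str]   # android:sharedUserId in the manifest


def is_preinstalled(apk_path: str) -> bool:
    """True when the APK lives on a read-only ROM partition, not in /data/app."""
    return apk_path.startswith(ROM_PARTITIONS)


def assess(rec: PackageRecord) -> str:
    """Rank one package: ok / review / high / critical."""
    if rec.signer_sha256.lower() not in LEAKED_PLATFORM_FINGERPRINTS:
        return "ok"
    if is_preinstalled(rec.apk_path):
        # A vendor app still signed with the leaked key (the Samsung case):
        # not malicious by itself, but the OEM has not rotated the key.
        return "review"
    if rec.shared_user_id == SYSTEM_SHARED_UID:
        # Sideloaded app signed with the platform key AND asking for uid 1000.
        return "critical"
    return "high"   # sideloaded app signed with a leaked platform key


def triage(records: Iterable[PackageRecord]) -> Dict[str, str]:
    return {r.package: assess(r) for r in records}
```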

There is also no information on where these malware samples were found (the Google Play Store, third-party stores, or distribution by other means). When a Bleeping Computer journalist examined the malware hashes on VirusTotal, he found that some of the abused certificates belonged to Samsung Electronics, LG Electronics, Revoview, and MediaTek. The owners of the other certificates have not yet been determined. Malware signed in this manner includes the HiddenAd family of Trojans, an unnamed infostealer, Metasploit, and droppers that attackers use to deliver additional payloads to compromised devices.

However, Bleeping Computer points out that not all vendors follow Google’s recommendations: in Samsung’s case, the compromised certificate is still being used to sign apps. Google has already added checks for the compromised certificates to the Android Build Test Suite (BTS) and assured journalists that Google Play Protect detects the malware.

Journalists say an easy way to get a list of all apps signed with the compromised certificates is to use APKMirror (apps signed with Samsung certificates, apps signed with LG certificates). According to Google, it has already notified all affected manufacturers, recommended that they rotate their certificates and investigate the leak, and asked them to minimize the number of applications signed with the platform certificate. According to the company, “all affected parties have already taken corrective action to minimize the impact on users.”