Information security specialists working as part of the Google Android Partner Vulnerability Initiative (APVI) have discovered cases of legitimate certificates being used to sign malicious applications for Android devices. Typically, such certificates or platform keys are used by device manufacturers to sign system applications.
Image Source: Bleeping Computer
“A platform certificate is an application signing certificate used to sign the ‘android’ application in the system image. The ‘android’ application runs with a highly privileged user ID – android.uid.system – and has system permissions, including permission to access user data. Any other application signed with the same certificate can work with the same user ID, which gives it the same level of access to the Android operating system,” said Lukasz Siewierski, one of the participants in the APVI initiative.
The researcher found several malware samples signed with ten such certificates and published the SHA-256 hash of each certificate. Some of the certificates reportedly belong to Samsung, LG and MediaTek. At the moment there is no information on how certificates used to sign system applications ended up in the hands of attackers, nor on where the malware samples were found, so it cannot be ruled out that the researcher found them in the Google Play Store.
Package names of 10 apps that were signed with compromised certificates
By searching the VirusTotal database for the hashes published by the researcher, it was possible to find malware signed with the certificates of the companies mentioned. Google has notified the partners affected by this issue and recommended that they rotate the certificates used to sign legitimate applications.
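The check a defender can run on their own APK inventory, as an added example that is not from the article or from Google's APVI: read the signer certificate out of an APK's v1 signature block (META-INF/*.RSA, *.DSA or *.EC, a PKCS#7 SignedData blob), hash it, and compare the SHA-256 digest against a blocklist of known-leaked platform certificates such as the one the researcher published. The APK, the "certificate" and the blocklist values below are constructed placeholders, not real artifacts or digests from the page.

```python
import hashlib, io, zipfile

def _tlv(buf, pos):
    # Parse one DER TLV at pos -> (tag, value_start, value_end); handles long-form lengths.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _children(buf, start, end):
    # Yield (tag, tlv_start, value_start, value_end) for each TLV inside a constructed value.
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve
def pkcs7_certificates(blob):
    # DER bytes of every certificate in a PKCS#7 SignedData blob (META-INF/*.RSA|DSA|EC of a v1-signed APK).
    _, s, e = _tlv(blob, 0)                                    # ContentInfo SEQUENCE
    _, s, e = _tlv(blob, list(_children(blob, s, e))[1][1])    # [0] EXPLICIT content
    _, s, e = _tlv(blob, s)                                    # SignedData SEQUENCE
    for tag, _, vs, ve in _children(blob, s, e):
        if tag == 0xA0:                                        # certificates [0] IMPLICIT SET OF Certificate
            return [blob[cs:ce] for _, cs, _, ce in _children(blob, vs, ve)]
    return []
def cert_digest(cert_der):
    return hashlib.sha256(cert_der).hexdigest()                # the "SHA-256 digest" apksigner prints per signer
def signer_digests(apk_bytes):
    # Digests of all v1 signer certificates; an APK signed only with v2/v3 yields an empty set here.
    digests = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                digests.update(cert_digest(c) for c in pkcs7_certificates(z.read(name)))
    return digests
def compromised_signers(apk_bytes, blocklist):
    # Signers of this APK that appear in the blocklist of known-leaked certificate digests (hex, case/colons ignored).
    return signer_digests(apk_bytes) & {h.lower().replace(":", "") for h in blocklist}
def _der(tag, *parts):  # DER TLV builder, used only for the constructed sample below
    body = b"".join(parts)
    n = len(body).to_bytes(max(1, (len(body).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(n)]) + n) + body
FAKE_CERT = _der(0x30, _der(0x04, b"constructed dummy certificate body, not real X.509 " * 3))  # NOT a real cert
FAKE_PKCS7 = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"),   # id-signedData OID
    _der(0xA0, _der(0x30, _der(0x02, b"\x01"), _der(0x31), _der(0x30), _der(0xA0, FAKE_CERT), _der(0x31))))
def build_sample_apk():
    # Minimal zip standing in for an APK: a placeholder manifest plus the fake PKCS#7 signature block.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("META-INF/CERT.RSA", FAKE_PKCS7)
    return buf.getvalue()
```

This reads the certificate without verifying the signature, which is enough for a blocklist match but not for trusting the APK; certificates from APK Signature Scheme v2/v3 live in the APK Signing Block and are not covered, so run `apksigner verify --print-certs` for those.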