Threat actors have used platform certificates belonging to several Android OEM device makers, the certificates meant for signing core system applications, to sign apps containing malware. The core ROM images of Android devices, containing the Android operating system and its bundled apps, are signed by the OEM device makers using platform certificates (platform keys). Any application signed with the same platform certificate can request the highly privileged “android.uid.system” user id and is then granted system-level access to the device, even if it is malicious.
These privileges allow sensitive operations that are normally not granted to applications, including managing ongoing calls, installing or removing packages, and collecting device information. The misuse of the platform keys was discovered by Łukasz Siewierski, a reverse engineer on Google’s Android Security team, and is described in a recently published report on the Android Partner Vulnerability Initiative (APVI) issue tracker.
“A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data,” explains the Google reporter. “Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.”
Siewierski found several malware samples signed with 10 Android platform certificates and provided the SHA256 hash of each sample together with the signing certificates. There is currently no evidence of how these certificates came to be misused for signing malware, for example whether one or more threat actors stole them or whether an employee with legitimate access used the vendor keys to sign the APKs. There is also no information on how these malware samples were distributed, such as through malicious campaigns, third-party app stores, or Google’s Play Store.
The package names of the 10 malware samples signed with platform keys are:
- com.russian.signato.renewis
- com.android.power
- com.sledsdffsjkh.Search
- com.houla.quicken
- com.management.propaganda
- com.sec.android.musicplayer
- com.arlo.fappx
- com.attd.da
- com.metasploit.stage
- com.vantage.ectronic.cornmuni
A VirusTotal search for these hashes showed that some of the misused platform certificates belong to Samsung Electronics, LG Electronics, Revoview, and Mediatek; the owners of the other certificates could not be identified. The malware signed with these certificates includes HiddenAd trojans, information stealers, Metasploit payloads, and droppers that threat actors can use to deliver further malicious payloads to infected devices. Google notified all affected vendors of the misuse and advised them on how to prevent it in the future, including rotating their platform certificates, investigating the source of the leak, and limiting the number of apps signed with their Android platform certificates.
A quick way to get an overview of the Android apps signed with these possibly compromised certificates is to search APKMirror for them (for example, a list of applications signed with Samsung’s certificate and one LG-signed app). However, not all vendors have followed Google’s recommendations: the compromised platform certificates are still being used to digitally sign apps, despite Google’s statement that “all affected parties were informed of the findings and have taken remediation measures to minimize the user impact.” Asked about the compromised keys, Google responded that it had added detections for the malware and for the compromised keys to Google Play Protect and the Android Build Test Suite (BTS).
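The two conditions the article describes, an APK signed with a leaked platform certificate and a manifest that requests android.uid.system, can be checked from standard tool output. The following is an added example, not code from the article or from Google; it parses the output of `apksigner verify --print-certs` and `aapt dump xmltree ... AndroidManifest.xml`, and the fingerprints, package name and tool output it uses are constructed placeholders (the real leaked fingerprints are in the APVI report and must be filled in from there).

```python
import re

# Constructed placeholder fingerprints (hex SHA-256 of the DER certificate) -> label.
# Replace with the fingerprints published in the APVI report; none are reproduced here.
LEAKED_PLATFORM_CERTS = {
    "aa" * 32: "placeholder OEM A platform certificate",
    "bb" * 32: "placeholder OEM B platform certificate",
}

# Per-signer line printed by `apksigner verify --print-certs <apk>`.
SIGNER_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest: (?P<hex>[0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)
# Attribute line printed by `aapt dump xmltree <apk> AndroidManifest.xml`.
SHARED_UID_RE = re.compile(r'android:sharedUserId\([^)]*\)="(?P<uid>[^"]+)"')


def signer_fingerprints(apksigner_output):
    """Map signer index -> lowercase SHA-256 fingerprint from apksigner output."""
    return {int(m["idx"]): m["hex"].lower() for m in SIGNER_RE.finditer(apksigner_output)}


def shared_user_id(aapt_output):
    """Return the sharedUserId the manifest declares, or None if it declares none."""
    m = SHARED_UID_RE.search(aapt_output)
    return m["uid"] if m else None


def assess_apk(apksigner_output, aapt_output, blocklist=LEAKED_PLATFORM_CERTS):
    """'critical': leaked platform cert AND android.uid.system requested (runs as system);
    'high': leaked platform cert; 'review': android.uid.system requested by an unlisted
    signer (worth a look, since only the OEM cert can legitimately grant it); 'ok': neither."""
    fps = sorted(signer_fingerprints(apksigner_output).items())
    leaked = [(idx, blocklist[fp]) for idx, fp in fps if fp in blocklist]
    wants_system = shared_user_id(aapt_output) == "android.uid.system"
    if leaked and wants_system:
        return "critical", leaked
    if leaked:
        return "high", leaked
    return ("review" if wants_system else "ok"), []


# Constructed sample tool output in the formats the two tools print.
SAMPLE_APKSIGNER = """\
Verifies
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Android
Signer #1 certificate SHA-256 digest: """ + "AA" * 32 + """
Signer #1 certificate SHA-1 digest: """ + "01" * 20 + "\n"
SAMPLE_AAPT = """\
N: android=http://schemas.android.com/apk/res/android
  E: manifest (line=2)
    A: android:sharedUserId(0x0101000b)="android.uid.system" (Raw: "android.uid.system")
    A: package="com.example.constructed" (Raw: "com.example.constructed")
"""
```

Run the two tools against the APK under review, feed their stdout to `assess_apk`, and treat any `critical` or `high` result as a signal to block the package and report the signer to the vendor.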