
Leaked security certificates open the door for malware on Samsung, LG and more phones

By Olivia Hudson | 02/12/2022 | 4 Mins Read
One of Android's security mechanisms is application signing, which certifies that an app was created by a certain entity and has not been modified afterwards. Now some Android platform certificates have been leaked, and malware writers have wasted no time taking advantage of it.

These certificates are used to sign system applications, including the “android” app itself, so that they run with elevated permissions and privileges, including access to user data. A malicious app signed with the same certificate can obtain the same system privileges, and in fact some examples of malware of this type have already been found.

Oops, the certificate

Any Android application developer knows that they must keep their certificates safe, because if they are lost, they will not be able to create a new version of the application that can be installed as an update. This is because Android checks that app updates have been signed with the same certificate as the installed version, and therefore that they have not been modified by third parties.

Of course, app mods such as WhatsApp Plus still exist, but they can’t be installed on top of the original app, since their creators don’t have the original certificate (or its credentials) to sign the mod. Having the certificate leaked is a security disaster for any small developer, but it is much worse when we are talking about the certificate of the Android platform.

This certificate is used to sign some of the phone’s pre-installed apps, including “android” itself, which runs under the shared user ID android.uid.system. The problem lies not only in modified updates, but also in the fact that malware signed with this certificate can use the shared user ID mechanism and run with the same privileges as “android”. Android apps typically run in isolation from each other, but apps signed with the same certificate can share data with each other, as Facebook and Messenger do.

The leaked certificates were used in Samsung, LG, MediaTek and other mobiles, and the only way to correct this problem is to rotate them with an OTA.

This is not a theoretical risk: malware exploiting these certificates has already been found. According to the report, which was closed yesterday, ten signed malware samples have been identified. On APKMirror we can find some of the apps that are signed with this certificate (which are not necessarily malicious; the certificate, as we said, was in normal use by the different manufacturers). If your mobile has any of them, technically it could be vulnerable to this problem.


Examples of some apps that are signed with this certificate (and are not malicious, but malware with the same certificate can “inherit” their privileges)
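
A defender's triage of an app inventory along the lines described above, as an added example that is not from the original article: it separates legitimate preinstalled apps signed with a leaked platform certificate from apps that carry the same signature without coming from the firmware, and ranks highest those that also request android.uid.system. The certificate bytes, the denylist entry, the package names and the record fields (preinstalled, updated_outside_ota) are constructed assumptions.

```python
import hashlib

SYSTEM_SHARED_UID = "android.uid.system"

# Constructed stand-ins for DER-encoded signer certificates taken from APKs.
LEAKED_CERT = b"constructed-leaked-platform-cert"
OTHER_CERT = b"constructed-third-party-cert"

# Placeholder denylist: the article lists no fingerprints, so real SHA-256
# digests must come from the advisory being worked from.
LEAKED_SHA256 = {hashlib.sha256(LEAKED_CERT).hexdigest()}


def triage(pkg):
    """Classify one inventory record (field names are assumptions)."""
    digests = {hashlib.sha256(c).hexdigest() for c in pkg["signer_certs"]}
    if not digests & LEAKED_SHA256:
        return "not-affected"
    # Firmware apps legitimately carry the platform certificate: exposed
    # until an OTA rotates it, but not malicious in themselves.
    if pkg["preinstalled"] and not pkg["updated_outside_ota"]:
        return "vendor-app-needs-rotation"
    # Everything else signed with the leaked key did not come from firmware.
    if pkg["shared_user_id"] == SYSTEM_SHARED_UID:
        return "suspect-system-uid"
    return "suspect"


def record(name, cert, shared_uid, preinstalled, updated_outside_ota):
    return {"name": name, "signer_certs": [cert], "shared_user_id": shared_uid,
            "preinstalled": preinstalled,
            "updated_outside_ota": updated_outside_ota}


# Constructed inventory, not real device data.
INVENTORY = [
    record("com.example.vendor.settings", LEAKED_CERT, SYSTEM_SHARED_UID, True, False),
    record("com.example.vendor.dialer", LEAKED_CERT, None, True, True),
    record("com.example.flashlight", LEAKED_CERT, SYSTEM_SHARED_UID, False, False),
    record("com.example.chat", OTHER_CERT, None, False, False),
]


def scan(inventory):
    return {pkg["name"]: triage(pkg) for pkg in inventory}


if __name__ == "__main__":
    for name, verdict in scan(INVENTORY).items():
        print(f"{verdict:26} {name}")
```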

The leaked platform certificates belong to Samsung, LG, MediaTek, Revoview and the makers of Walmart's tablets, according to 9to5Google. Google’s solution is for manufacturers to replace the platform certificate with a new one, invalidating the leaked ones, although it is not clear how feasible this is, since it requires an OTA and affected manufacturers such as Samsung have a huge catalog of devices. LG, on the other hand, no longer has a mobile division.

Some details of this serious security problem are still unknown. Google claims it was aware of it in May 2022, although some malware examples date back to 2016, so some of these certificates may have been in the hands of malicious actors for years. Google claims to have worked closely with Samsung and other affected brands to “take immediate action and minimize the impact,” in addition to providing the following statement:

OEM partners quickly implemented mitigation measures as soon as we reported the compromised key. End users will be protected by user mitigations implemented by partners. Google has implemented extensive detections for the malware in the Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or has been in the Google Play Store. As always, we recommend that users make sure they are running the latest version of Android.

As always, don’t panic. Google Play Protect should be able to find suspicious apps signed with these certificates and prevent us from installing them, or from keeping them on our phone if they are already installed. For the future, Google also recommends that manufacturers minimize the number of apps signed with this certificate.

Via | lukasz
