Security News > 2022 > December > Compromised OEM Android platform certificates used to sign malware
Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications were utilized by threat actors to sign apps containing malware.
OEM Android device manufacturers use platform certificates, or platform keys, to sign devices' core ROM images containing the Android operating system and associated apps.
"A platform certificate is the application signing certificate used to sign the"android" application on the system image.
Siewierski spotted multiple malware samples signed using these ten Android platform certificates and provided the SHA256 hashes for each of the samples and the digitally signed certificates.
Malware signed with their certificates includes those detected as HiddenAd trojans, information stealers, Metasploit, and malware droppers that threat actors can use to deliver additional malicious payloads on compromised devices.
Based on the results, even though Google said that "All affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.
News URL
Related news
- TrickMo malware steals Android PINs using fake lock screen (source)
- Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Android malware "FakeCall" now reroutes bank calls to attackers (source)
- New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls (source)
- New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers (source)
- Cyber crooks push Android malware via letter (source)