Security News > 2022 > December > Compromised OEM Android platform certificates used to sign malware

Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications were utilized by threat actors to sign apps containing malware.

OEM Android device manufacturers use platform certificates, or platform keys, to sign devices' core ROM images containing the Android operating system and associated apps.

"A platform certificate is the application signing certificate used to sign the"android" application on the system image.

Siewierski spotted multiple malware samples signed using these ten Android platform certificates and provided the SHA256 hashes for each of the samples and the digitally signed certificates.

Malware signed with their certificates includes those detected as HiddenAd trojans, information stealers, Metasploit, and malware droppers that threat actors can use to deliver additional malicious payloads on compromised devices.

Based on the results, even though Google said that "All affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.

News URL

https://www.bleepingcomputer.com/news/security/compromised-oem-android-platform-certificates-used-to-sign-malware/