Security News > 2022 > December > Samsung, LG, Mediatek certificates compromised to sign Android malware

Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications were utilized by threat actors to sign apps containing malware.

OEM Android device manufacturers use platform certificates, or platform keys, to sign devices' core ROM images containing the Android operating system and associated apps.

Siewierski spotted multiple malware samples signed using these ten Android platform certificates and provided the SHA256 hashes for each of the samples and the digitally signed certificates.

At the moment, there is no information on what led to these certificates being abused to sign malware - if one or more threat actors stole them or if an insider with authorized access signed the APKs with the vendor keys.

A search on VirusTotal for these hashes allowed BleepingComputer to discover that some of the abused platform certificates belong to Samsung Electronics, LG Electronics, Revoview, and Mediatek.

Malware signed with their certificates includes those detected as HiddenAd trojans, information stealers, Metasploit, and malware droppers that threat actors can use to deliver additional malicious payloads on compromised devices.

News URL

https://www.bleepingcomputer.com/news/security/samsung-lg-mediatek-certificates-compromised-to-sign-android-malware/