Google warns stolen Android keys used to sign info-stealing malware (Security News, December 2022)
Compromised Android platform certificate keys from device makers including Samsung, LG and MediaTek are being used to sign malware and deploy spyware, among other software nasties.
Googler Łukasz Siewierski found and reported the security issue, and it's a doozy: any malicious application signed with one of the compromised certificates can gain the same level of privileges as the Android operating system itself, essentially unfettered access to the victim's device.
"A platform certificate is the application signing certificate used to sign the 'android' application on the system image. The 'android' application runs with a highly privileged user id - android.uid.system - and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system."
"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future," the AVPI said.
Running the various malware samples through Google's VirusTotal shows that third-party security vendors have flagged the samples as info stealers, downloaders, backdoors, HiddenAds malware, Metasploit, dropper malware, and other Trojans.
As of Dec. 1, some of the leaked certificates were still being used to sign apps, according to Android security maven Mishaal Rahman.
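One defender-side check this incident calls for, added here as an example and not code from Google, the AVPI or The Register: pull the signer certificates out of an APK's JAR (v1) signature files and compare their SHA-256 fingerprints against a blocklist of known-compromised platform certificates. The blocklist is an assumed, empty placeholder (the page reproduces no fingerprints), the PKCS#7 walker is a minimal hand-written one, and the sample APK is constructed inline.

```python
import hashlib
import io
import zipfile

# Constructed placeholder: fill with SHA-256 signer fingerprints of the leaked platform certs from a trusted source.
COMPROMISED_PLATFORM_CERT_SHA256 = set()

def der_iter(buf):
    """Yield (tag, value, raw_tlv) for each consecutive DER element in buf."""
    pos = 0
    while pos < len(buf):
        start, tag, length, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length], buf[start:pos + length]
        pos += length
def der_tlv(tag, value):  # encoder used only for the constructed sample; short-form length suffices
    assert len(value) < 0x80, "sample encoder supports short-form lengths only"
    return bytes([tag, len(value)]) + value

def certs_from_pkcs7(der):
    """DER bytes of every certificate carried in a PKCS#7 SignedData blob."""
    (_, content_info, _), = der_iter(der)  # ContentInfo SEQUENCE { OID, [0] EXPLICIT SignedData }
    (_, signed_data, _), = der_iter(next(v for t, v, _ in der_iter(content_info) if t == 0xA0))
    certs = next((v for t, v, _ in der_iter(signed_data) if t == 0xA0), b"")  # [0] IMPLICIT certificates
    return [raw for t, _, raw in der_iter(certs) if t == 0x30]
def cert_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def v1_signer_fingerprints(apk_bytes):
    """SHA-256 of each signer cert in the JAR (v1) signature files; v2/v3 signing blocks are not parsed."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.update(cert_fingerprint(c) for c in certs_from_pkcs7(z.read(name)))
    return fps

def signed_by_compromised_key(apk_bytes, blocklist=COMPROMISED_PLATFORM_CERT_SHA256):
    return v1_signer_fingerprints(apk_bytes) & set(blocklist)  # non-empty result means the APK is flagged

def build_sample_apk(cert_der):
    """Constructed minimal APK-like zip whose META-INF/CERT.RSA wraps cert_der in a SignedData."""
    body = der_tlv(0x02, b"\x01") + der_tlv(0x31, b"") + der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010701")))
    signed_data = der_tlv(0x30, body + der_tlv(0xA0, cert_der) + der_tlv(0x31, b""))  # + certificates, signerInfos
    pkcs7 = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010702")) + der_tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

The fingerprints are the same lowercase hex form that `apksigner verify --print-certs` prints, so a blocklist can be assembled from that tool's output on known-bad samples.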
News URL: https://go.theregister.com/feed/www.theregister.com/2022/12/05/compromised_android_keys/