Google warns stolen Android keys used to sign info-stealing malware
2022-12-05 22:30

Compromised Android platform certificate keys from device makers including Samsung, LG and MediaTek are being used to sign malware and deploy spyware, among other software nasties.

Googler Łukasz Siewierski found and reported the security issue and it's a doozy that allows malicious applications signed with one of the compromised certificates to gain the same level of privileges as the Android operating system - essentially unfettered access to the victim's device.

"A platform certificate is the application signing certificate used to sign the 'android' application on the system image. The 'android' application runs with a highly privileged user id - android.uid.system - and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system."

"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future," the APVI said.

Running the various malware samples through Google's VirusTotal shows that third-party security vendors have flagged the samples as info stealers, downloaders, backdoors, HiddenAds malware, Metasploit, dropper malware, and other Trojans.

As of Dec. 1 some of the leaked certificates were still being used to sign apps, according to Android security maven Mishaal Rahman.
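The quoted advisory text ties the risk to two facts about a package: which certificate signed it and whether it declares the `android.uid.system` shared user id. The following is an added example, not code from the article or from Google, that triages an app inventory on those two facts; the digests, package names, verdict labels and function names are constructed for illustration, and it assumes each manifest has already been decoded to text XML and each signer digest obtained separately.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SYSTEM_UID = "android.uid.system"

# Constructed placeholder digests: replace with the SHA-256 values of the
# compromised platform certificates from the advisory you are working from.
LEAKED_CERT_SHA256 = {"aa" * 32, "bb" * 32}
DEVICE_PLATFORM_SHA256 = "cc" * 32  # constructed: this build's platform cert


def shared_user_id(manifest_xml):
    """Return android:sharedUserId from a decoded AndroidManifest.xml, or None."""
    return ET.fromstring(manifest_xml).get(f"{{{ANDROID_NS}}}sharedUserId")


def triage(manifest_xml, signer_sha256, platform_sha256=DEVICE_PLATFORM_SHA256):
    """Classify one package by signer digest and requested shared user id."""
    digest = signer_sha256.replace(":", "").lower()
    wants_system = shared_user_id(manifest_xml) == SYSTEM_UID
    if digest in LEAKED_CERT_SHA256:
        # Signed with a compromised key; with the system uid it gets OS-level access.
        return "critical" if wants_system else "high"
    if digest == platform_sha256.lower():
        # Legitimate platform-signed app: counts toward key-rotation cost.
        return "platform-system" if wants_system else "platform-signed"
    return "uid-request-unmatched" if wants_system else "ok"


def manifest(package, uid=None):
    """Build a minimal decoded manifest for the constructed samples below."""
    attr = f' android:sharedUserId="{uid}"' if uid else ""
    return f'<manifest xmlns:android="{ANDROID_NS}" package="{package}"{attr}/>'


# Constructed inventory: (decoded manifest, signer certificate SHA-256).
SAMPLES = [
    (manifest("com.example.flashlight", SYSTEM_UID), "AA:" * 31 + "AA"),
    (manifest("com.example.wallpaper"), "bb" * 32),
    (manifest("com.example.settings", SYSTEM_UID), "cc" * 32),
    (manifest("com.example.notes"), "dd" * 32),
]


def audit(samples=SAMPLES):
    """Return {package: verdict} for every sample."""
    return {ET.fromstring(m).get("package"): triage(m, d) for m, d in samples}
```

Counting the `platform-system` and `platform-signed` verdicts from `audit()` gives the number of apps that would need re-signing if the platform key had to be rotated, which is the cost the recommendation above aims to reduce.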


News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/05/compromised_android_keys/
