
Leaked OEM certificates used to sign malicious Android apps


As many as ten leaked platform certificates from OEMs like Samsung, LG, Revoview and MediaTek are being used to sign malicious Android apps. The certificate signatures and those of the apps using them have been shared in a public report on the Android Partner Vulnerability Issue tracker website.

The abused certificates were discovered by Lukasz Siewierski, a reverse engineer working with the Android Security Team, after he found the following Android packages signed using these ten certificates:

  • com.android.power
  • com.arlo.fappx
  • com.attd.da
  • com.houla.quicken
  • com.management.propaganda
  • com.metasploit.stage
  • com.russian.signato.renewis
  • com.sec.android.musicplayer
  • com.sledsdffsjkh.Search
  • com.vantage.ectronic.cornmuni

The packages mentioned above include malware such as HiddenAd trojans, Metasploit payloads, info stealers and other malicious payloads. There's no information on where the samples were found, or whether they were hosted on the Google Play Store or distributed via third-party app stores and websites.

Device vendors normally use these platform certificates to sign core ROM images containing the Android OS and associated apps. An app signed with one of these certificates gains elevated privileges, including the Android uid and system-level access to the device.

This means that malicious apps signed with these certificates can manage ongoing calls, install or delete packages, gather information about the infected device and access other sensitive areas, essentially taking over the device.

Beyond the aforementioned OEMs, further certificates were found whose source couldn't be determined at the time of writing. It's also unclear how the certificates got out in the open. Possibilities include one or more threat actors stealing the certificates or the leak being an inside job, as someone with access to these keys could've signed the malicious APKs from the inside.

All known affected vendors have been informed of the breach by Google and have been advised to rotate their platform certificates in addition to investigating the leak. That said, not all vendors seem to be heeding Google’s advice, as at least Samsung is still using the leaked certificate to sign apps digitally. 

For the time being, Google has implemented detection mechanisms for the compromised keys in the Android Build Test Suite (ABTS) and added malware detections to Google Play Protect. The company further claims that there's no indication that these maliciously signed apps were ever on the Google Play Store.
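One way to triage APKs against the leaked certificates, as an added example that is not from the report or from Google's tooling: it parses the output of `apksigner verify --print-certs` and flags any signer whose SHA-256 digest is on a denylist. The digests, labels and package names below are constructed placeholders; the real digests are the ones published in the report.

```python
import re

# Constructed placeholder digests, NOT real indicators. Replace them with
# the SHA-256 certificate digests published in the public report.
LEAKED_PLATFORM_CERT_SHA256 = {
    "aa" * 32: "placeholder-vendor-A platform certificate",
    "bb" * 32: "placeholder-vendor-B platform certificate",
}

# Line format printed by `apksigner verify --print-certs`.
_DIGEST_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f:\s]+)$"
)

def normalize(digest):
    """Lower-case hex without colons or spaces (keytool-style input is
    accepted too); returns None unless the result is exactly 32 bytes."""
    cleaned = re.sub(r"[:\s]", "", digest).lower()
    return cleaned if re.fullmatch(r"[0-9a-f]{64}", cleaned) else None

def signer_digests(apksigner_output):
    """Return {signer_number: sha256_hex} for every signer in the output."""
    signers = {}
    for line in apksigner_output.splitlines():
        match = _DIGEST_LINE.match(line.strip())
        if match:
            digest = normalize(match.group(2))
            if digest:
                signers[int(match.group(1))] = digest
    return signers

def audit(reports):
    """reports maps package name -> apksigner output for that APK.
    Returns (package, signer_number, label) for each denylisted signer."""
    findings = []
    for package, output in sorted(reports.items()):
        for number, digest in sorted(signer_digests(output).items()):
            label = LEAKED_PLATFORM_CERT_SHA256.get(digest)
            if label:
                findings.append((package, number, label))
    return findings

# Constructed sample output for two hypothetical packages.
SAMPLE_REPORTS = {
    "com.example.flashlight": "Signer #1 certificate DN: CN=Example\n"
        "Signer #1 certificate SHA-256 digest: " + "AA:" * 31 + "AA\n",
    "com.example.notes": "Signer #1 certificate DN: CN=Dev\n"
        "Signer #1 certificate SHA-256 digest: " + "12" * 32 + "\n",
}
```

A match only shows that the APK was signed with a leaked key; vendor apps still signed with the same certificate will match as well, so each finding needs a check of where the package came from.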
