Malware Apps Signed with Compromised Android Platform Certificates

Hackers are using compromised platform certificates to sign Android malware apps.

Google’s Android security team has reported that hackers signed malicious applications using several compromised Android platform certificates. This incident also reminds us of what happened in March 2020 when threat actors were found dropping info-stealer malware with fake security certificate alerts.

What are Platform Certificates?

Platform certificates are the signing keys that a specific device original equipment manufacturer (OEM) owns and trusts, and they are used to sign the OEM's core system apps. An attacker who obtains one can therefore sign a malicious app that is trusted like a legitimate system app and gains root-level access, causing serious trouble for unsuspecting users.

Every device OEM holds several trusted certificates for signing the platform's core apps. Much as a signature verifies a document, a signature from one of these certificates lets the signed app gain root privileges so that the system can function properly.

Findings Details

Threat actors are abusing platform certificates belonging to reputed Android smartphone makers, including LG Electronics, Samsung, Revoview, and MediaTek, to sign malware-infected apps. The abuse was first discovered by Łukasz Siewierski, a reverse engineer on Google's Android Security Team.

According to Siewierski, a malicious app signed with the same certificate as the Android OS gains the highest privilege level, which makes it possible to extract sensitive data of all kinds from the compromised device. That is because the app then runs with the highly privileged user ID android.uid.system, which holds a variety of system permissions, including permission to access user data.
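As an added illustration (not code from the original article or from Google), the following Python parses the text that `apksigner verify --print-certs` prints for each APK and flags any signer whose SHA-256 fingerprint matches a known-compromised platform certificate. The fingerprints in COMPROMISED_PLATFORM_CERTS and the sample apksigner output are constructed placeholders, not the real leaked certificates.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed placeholder fingerprints (assumption): in real use, load the
# SHA-256 digests of the leaked platform certificates from the APVI advisory.
COMPROMISED_PLATFORM_CERTS: Set[str] = {
    "aa" * 32,  # placeholder for leaked OEM platform cert #1
    "bb" * 32,  # placeholder for leaked OEM platform cert #2
}

# Matches the "Signer #N certificate SHA-256 digest: <hex>" line that
# apksigner prints; keytool-style colon-separated hex is accepted too.
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9a-fA-F:]+)\s*$", re.M
)


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Return normalized (lowercase, no colons) SHA-256 signer digests."""
    return [d.replace(":", "").lower() for _, d in DIGEST_RE.findall(apksigner_output)]


def flag_compromised(
    apks: Dict[str, str], bad: Set[str] = COMPROMISED_PLATFORM_CERTS
) -> List[Tuple[str, str]]:
    """Map package name -> apksigner output; return (package, digest) hits."""
    findings: List[Tuple[str, str]] = []
    for package, output in apks.items():
        for digest in parse_signer_digests(output):
            if digest in bad:
                findings.append((package, digest))
    return findings


# Constructed sample output in the shape apksigner produces (values are fake).
SAMPLE_OUTPUTS: Dict[str, str] = {
    "com.metasploit.stage": (
        "Signer #1 certificate DN: CN=Android, O=OEM Placeholder\n"
        "Signer #1 certificate SHA-256 digest: " + "aa" * 32 + "\n"
        "Signer #1 certificate SHA-1 digest: " + "11" * 20 + "\n"
    ),
    "com.example.benign": (
        "Signer #1 certificate DN: CN=Example Developer\n"
        "Signer #1 certificate SHA-256 digest: " + "cc" * 32 + "\n"
    ),
}

if __name__ == "__main__":
    for pkg, digest in flag_compromised(SAMPLE_OUTPUTS):
        print(f"{pkg}: signed with compromised platform cert {digest[:16]}...")
```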

Google also published a list of malware samples signed using 10 platform certificates, which were also noted in the Android Partner Vulnerability Initiative (APVI) issue tracker:

com.attd.da
com.arlo.fappx
com.android.power
com.houla.quicken
com.metasploit.stage
com.sledsdffsjkh.Search
com.management.propaganda
com.sec.android.musicplayer
com.russian.signato.renewis
com.vantage.ectronic.cornmuni

How Did Hackers Obtain These Certificates?

The biggest mystery surrounding this data harvesting campaign is how the threat actors accessed these certificates. It is possible that someone working with one of the affected companies leaked them.

The apps signed with the above-mentioned OEMs' platform certificates contained HiddenAd trojans, Metasploit, info stealers, and malware droppers, with the objective of delivering additional malware or harvesting device users' data.

Google has informed impacted manufacturers about its findings and urged them to rotate these certificates. The company confirmed that there’s no evidence that the apps were delivered via its official Play Store.

“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android,” Google stated.
