Vendor certificate leak could give malware full control over Android phones

On Android, not all apps have the same privileges and the same level of access to your phone. The operating system separates them by assigning each app its own user ID (UID) and a matching set of permissions. This whole system rests on signing certificates: app developers sign their apps and device manufacturers sign their Android builds, which is how the OS verifies that software and Android versions are legitimate. The trouble starts when these certificates leak, because bad actors can then sign their malware so that it looks like a legitimate system app. That is exactly what appears to have happened to a number of vendors’ platform certificates, which are now in circulation and being used by bad actors.

Spotted by Google malware reverse engineering expert Łukasz Siewierski (via Mishaal Rahman), the certificates in question are platform certificates. They are meant to verify the authenticity of the “android” application that is part of every phone, but vendors also use them to sign individual apps. The problem is that this core android application has the highest level of access to the system, giving it almost unrestricted access to user data. Since the android application is essentially what makes your phone run in the first place, that makes sense for it. It becomes a big issue when malware gets its hands on the platform certificate used by the android application, because bad actors can then gain the same far-reaching permissions as this core service.


Malware apps could get system access without user interaction

Malware using these certificates can get elevated system access without any user interaction. Usually, Android malware has to go out of its way to ask users to grant it further permissions, such as access to accessibility services, which it then abuses to extract data from other apps. When malware is signed with the same certificate as the root android application, it doesn’t need to jump through these hoops. Malware could also pose as a trusted pre-installed app and present itself to users as an update, making it even harder to spot that something is wrong.

As disclosed in Google’s Android Partner Vulnerability Initiative, a whole handful of platform certificates have leaked, including some from Samsung, LG, Xiaomi, Mediatek, and several smaller vendors. Fortunately, it looks like most of the certificates aren’t in active use. Android Police founder and APK Mirror owner Artem Russakovskii ran a search on his platform to see which of the affected certificates are used to sign applications uploaded to APK Mirror, and it looks like only two of the certificates, Samsung’s and LG’s, were recently used by vendors. For Samsung, this is a particularly big problem, as the company uses the signature to sign hundreds of apps, an issue multiplied by the fact that Samsung is the single biggest Android manufacturer out there. That is exactly why Google recommends that manufacturers limit the use of their platform certificate to as few apps as possible.
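A defender-side version of that search, written as an added example and not code from Android Police, APK Mirror or Google: it computes the SHA-256 fingerprint of each APK’s signer certificate (the same digest that `apksigner verify --print-certs` prints), compares it against a block list of leaked platform certificates, and rates the finding higher when the package also requests `android.uid.system`, the shared UID that Android grants only to platform-signed packages. The certificate bytes, manifests, package names and the block list below are constructed placeholders, not the real leaked certificates.

```python
"""Added example (not code from Android Police, APK Mirror or Google): scan APK
metadata for signers on a block list of leaked platform certificates, and rate
the risk higher when the package also asks for the system UID."""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SYSTEM_SHARED_UID = "android.uid.system"   # granted only to platform-signed apps


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded signer certificate, formatted like the
    'certificate SHA-256 digest' line of `apksigner verify --print-certs`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def manifest_shared_uid(manifest_xml: str) -> Optional[str]:
    """Return android:sharedUserId from a decoded AndroidManifest.xml, if any."""
    root = ET.fromstring(manifest_xml)
    return root.get("{%s}sharedUserId" % ANDROID_NS)


def assess(package: str, manifest_xml: str, der_cert: bytes,
           leaked: Set[str]) -> Dict[str, str]:
    """Rate one APK: signed by a leaked platform key? asking for the system UID?"""
    fp = cert_fingerprint(der_cert)
    wants_system_uid = manifest_shared_uid(manifest_xml) == SYSTEM_SHARED_UID
    signed_by_leaked = fp in leaked
    if signed_by_leaked and wants_system_uid:
        verdict = "critical"   # would run as the system UID, no user prompt needed
    elif signed_by_leaked:
        verdict = "high"       # still inherits the platform's signature-level permissions
    elif wants_system_uid:
        verdict = "info"       # request is refused unless the platform key matches
    else:
        verdict = "ok"
    return {"package": package, "signer_sha256": fp, "verdict": verdict}


def scan(apks: List[dict], leaked: Set[str]) -> List[Dict[str, str]]:
    """Run assess() over a batch and return everything that is not 'ok'."""
    results = [assess(a["package"], a["manifest"], a["cert"], leaked) for a in apks]
    return [r for r in results if r["verdict"] != "ok"]


# --- constructed sample data (placeholders, not real certificates) -----------
LEAKED_DER = b"placeholder DER bytes standing in for a leaked platform cert"
VENDOR_DER = b"placeholder DER bytes standing in for an intact vendor cert"
LEAKED_CERT_SHA256 = {cert_fingerprint(LEAKED_DER)}   # the block list

MANIFEST_SYSTEM = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.update" android:sharedUserId="android.uid.system">
  <application android:label="System update"/>
</manifest>"""
MANIFEST_PLAIN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes"/>
</manifest>"""

SAMPLE_APKS = [
    {"package": "com.example.fake.update", "manifest": MANIFEST_SYSTEM, "cert": LEAKED_DER},
    {"package": "com.example.vendor.tool", "manifest": MANIFEST_PLAIN, "cert": LEAKED_DER},
    {"package": "com.example.notes", "manifest": MANIFEST_PLAIN, "cert": VENDOR_DER},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_APKS, LEAKED_CERT_SHA256):
        print(hit["verdict"].upper(), hit["package"], hit["signer_sha256"][:23] + "...")
```

In a real pipeline the DER certificate and the decoded manifest would come from the APK itself (for example from `apksigner verify --print-certs` and `aapt dump badging`); the ranking logic is the part worth keeping, since a leaked-key signature on a package that also requests the system UID is exactly the case the article describes.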


It’s unlikely that any of the apps uploaded to the platform are malware, though, since APK Mirror mostly receives uploads from loyal long-term contributors. APK Mirror will likely introduce measures to counter any potential problems arising from this incident, too. Still, you should hold off on downloading Samsung and LG apps from outside the Play Store or other official sources for the time being, if only out of an abundance of caution.

Interestingly enough, a search on VirusTotal reveals that some of the LG and Samsung certificates were already used by confirmed malware as far back as 2016. It’s unclear whether the leak went undetected all this time or whether there are other, missing parts to the story. We asked Samsung about this, and the company told us the following without going into detail: “Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.”


The issue should be mostly fixed by now

Affected Android manufacturers have fixed the issue already, as the Android security team writes:

OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.


To guard against attacks like these in the future, manufacturers should rotate their signing keys regularly. Android’s APK signing scheme exists in several versions with different feature sets, and only the latest, V3, supports rotating keys on the fly: the signing key can be swapped for a new one as part of an app update. The older V2, which is still in use, doesn’t support this. To replace a compromised V2 key, manufacturers have to ship a security patch to their devices that makes them accept a new certificate in place of the compromised one.

As this vulnerability was only disclosed this week, there are still a lot of unknowns. It’s odd that Samsung’s and LG’s certificates appear to have leaked in 2016, a whole six years ago. It’s also unclear how exactly the certificates leaked. Security-critical resources like these should enjoy the highest level of protection, so it’s vital for the affected companies to learn exactly how bad actors were able to extract the certificates, and what other details they may have obtained while at it.


For what it’s worth, most affected parties have already fixed the problem or are working on fixes. The report was filed in May 2022 and only published now, and it is marked as fixed in Google’s issue tracker.

This is still a cautionary tale about downloading completely unknown apps and sideloading APKs. Even when a platform like APK Mirror takes every possible precaution to protect its users, such as checking uploads against the same checksums as the versions available on the Play Store, there is always a small chance that an attack like this is repeated. Security on the Play Store itself isn’t airtight, either. A small amount of malware still manages to slip through the cracks on Google’s platform, so in the end it comes down to common sense and trusting your gut feeling.

UPDATE: 2022/12/02 11:24 EST BY MANUEL VONAU

Updated with Android Security Team statement

The article has been updated with a statement from the Android Security Team.
