Read update
- Google responds
A crucial aspect of Android smartphone security is the application signing process. It's essentially a way to guarantee that any app updates are coming from the original developer, as the key used to sign applications should always be kept private. A number of these platform certificates from the likes of Samsung, MediaTek, LG, and Revoview appear to have leaked, and worse still, been used to sign malware. This was disclosed through the Android Partner Vulnerability Initiative (APVI) and only applies to app updates, not OTAs.
When signing keys leak, an attacker could, in theory, sign a malicious app with a signing key and distribute it as an "update" to an app on someone's phone. All a person would need to do was sideload an update from a third-party site, which for enthusiasts, is a fairly common experience. In that instance, the user would be unknowingly giving Android operating system-level of access to malware, as these malicious apps can make use of Android's shared UID and interface with the "android" system process.
"A platform certificate is the application signing certificate used to sign the "android" application on the system image. The "android" application runs with a highly privileged user id - android.uid.system - and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system," the reporter on the APVI explains. These certificates are vendor-specific, in that the certificate on a Samsung device will be different from the certificate on an LG device, even if they are used to sign the "android" application.
These malware samples were discovered by Łukasz Siewierski, a reverse engineer at Google. Siewierski shared SHA256 hashes of each of the malware samples and their signing certificates, and we were able to view those samples on VirusTotal. It isn't clear where those samples were found, and whether they were previously distributed on the Google Play Store, APK sharing sites such as APKMirror, or elsewhere. The list of package names of malware signed with these platform certificates is below. Update: Google says that this malware was not detected on the Google Play Store.
- com.vantage.ectronic.cornmuni
- com.russian.signato.renewis
- com.sledsdffsjkh.Search
- com.android.power
- com.management.propaganda
- com.sec.android.musicplayer
- com.houla.quicken
- com.attd.da
- com.arlo.fappx
- com.metasploit.stage
In the report, it states that "All affected parties were informed of the findings and have taken remediation measures to minimize the user impact." However, at least in the case of Samsung, it seems that these certificates are still in use. Searching on APKMirror for its leaked certificate shows updates from even today being distributed with these leaked signing keys.
Worryingly, one of the malware samples that was signed with Samsung's certificate was first submitted in 2016. It's unclear if Samsung's certificates have therefore been in malicious hands for six years. Even less clear at this point in time is how these certificates have been circulated in the wild and if there has already been any damage done as a result. People sideload app updates all the time and rely on the certificate signing system to ensure that those app updates are legitimate.
As for what companies can do, the best way forward is a key rotation. Android's APK Signing Scheme v3 supports key rotation natively, and developers can upgrade from Signing Scheme v2 to v3.
The suggested action given by the reporter on the APVI is that "All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future."
"We also strongly recommend minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future," it concludes.
When we reached out to Samsung, we were given the following response by a company spokesperson.
Samsung takes the security of Galaxy devices seriously. We have issued security patches since 2016 upon being made aware of the issue, and there have been no known security incidents regarding this potential vulnerability. We always recommend that users keep their devices up-to-date with the latest software updates.
The above response seems to confirm that the company has known about this leaked certificate since 2016, though it claims there have been no known security incidents regarding the vulnerability. However, it's not clear what else it has done to close that vulnerability, and given that the malware was first submitted to VirusTotal in 2016, it would seem that it's definitely out in the wild somewhere.
We have reached out to MediaTek and Google for comment and will update you when we hear back.
UPDATE: 2022/12/02 12:45 EST BY ADAM CONWAY
Google responds
Google has given us the following statement.
OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.