
- Updated with the recommendation of the Android System Team
On Android, not all apps have the same privileges and levels of access, even on your favorite Android phone. The operating system provides different levels of authorization using unique user IDs (UIDs). This entire system is built on certificates provided by app developers and device manufacturers, helping to ensure the integrity of Android apps and versions. The problem starts when these certificates are leaked, and criminals can sign their malware as legitimate system programs. It is believed that some manufacturers' platform certificates are in circulation and used by malicious actors.
Discovered by Google malware reverse engineer Łukasz Siewierski (via Mishaal Rahman), the certificates in question are intended to verify the authenticity of the “android” application that is part of each phone, but are also used to sign manufacturers' own programs. The problem is that this “android” application has the highest level of access to the system, which can allow unlimited access to user data. Since Android software is what your phone runs on in the first place, this is appropriate for it. That’s why it’s a big problem when malware gets its hands on the certificate used by the “android” application. Malicious actors can have the same permissions as this critical service.
Malware programs can enter the system without user interaction
Malware can use these certificates to gain access to the system without user interaction. Typically, Android malware needs to ask users to grant it additional permissions, such as access to accessibility services, which it then uses to extract data and information from other programs. When malware is signed with the same certificate as the “android” system application, it doesn’t need to jump through these hoops. Malware can pose as a trusted preinstalled program and appear to users as an update, making it more difficult to recognize that something is wrong.
As reported in Google’s Android Partner Vulnerability Initiative, platform certificates have been leaked, including some from Samsung, LG, Xiaomi, Mediatek, and a few other vendors. Fortunately, most of the certificates are not used. Android Police founder and APK Mirror owner Artem Russakovskii ran a search on his site to find out which of the listed certificates are used to sign applications uploaded to APK Mirror, and it seems that only two of the vendors are using them: Samsung and LG, to be specific. For Samsung, this is a serious problem as the company uses the signature across hundreds of thousands of devices, a problem that is exacerbated by the fact that the company is the largest Android manufacturer out there. That’s why Google encourages manufacturers to limit the use of their platform certificates to a small number of applications.
It’s possible that some of these apps uploaded to the platform are not malware, as APK Mirror mostly receives uploads from long-term developers. APK Mirror may introduce measures to prevent problems arising from this issue. However, you should refrain from downloading Samsung and LG apps from outside the Play Store or other sources for the time being, even if it’s out of an abundance of caution.
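The kind of search described above can be reproduced by a defender over a folder of APKs. The following is an added example, not code from the article or from APK Mirror: it assumes each report is the text printed by `apksigner verify --print-certs`, and the fingerprints and file names are constructed placeholders, not real indicators.

```python
import re

# Line format printed by `apksigner verify --print-certs <apk>` (assumed input).
DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest:\s*([0-9A-Fa-f:]+)\s*$", re.M)

def normalize(fp):
    """Lowercase hex without colons, so keytool- and apksigner-style values compare equal."""
    fp = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return fp

def signer_digests(apksigner_output):
    """Return the SHA-256 digest of every signer certificate in one report."""
    return [normalize(m.group(2)) for m in DIGEST_RE.finditer(apksigner_output)]

def triage(reports, leaked):
    """reports: {apk name: apksigner output}; leaked: {fingerprint: label}."""
    deny = {normalize(fp): label for fp, label in leaked.items()}
    findings = []
    for apk, output in sorted(reports.items()):
        digests = signer_digests(output)
        if not digests:
            # No signer could be parsed: treat as unverified, never as clean.
            findings.append((apk, "UNVERIFIED", None))
            continue
        hits = [deny[d] for d in digests if d in deny]
        status = "LEAKED_KEY" if hits else "OK"
        findings.append((apk, status, hits[0] if hits else None))
    return findings

# Constructed sample data: fingerprints are placeholders, not real indicators.
LEAKED = {"AA:" * 31 + "AA": "placeholder-vendor-platform-cert"}
REPORTS = {
    "updater.apk": "Verifies\nSigner #1 certificate DN: CN=Example\n"
                   "Signer #1 certificate SHA-256 digest: " + "aa" * 32 + "\n",
    "notes.apk": "Verifies\nSigner #1 certificate SHA-256 digest: " + "0b" * 32 + "\n",
    "broken.apk": "DOES NOT VERIFY\n",
}

if __name__ == "__main__":
    for row in triage(REPORTS, LEAKED):
        print(row)
```

A `LEAKED_KEY` result means the APK is signed with a certificate that is no longer under the vendor's exclusive control, not that the APK is malware; legitimate vendor apps carry the same signature.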
Interestingly, a search on VirusTotal shows that some of the LG and Samsung certificates were previously used by malware confirmed in 2016. It is not clear whether the leak is only becoming known now or if there are other parts to the story. We asked Samsung about this, and the company told us this without elaborating: “Samsung takes the security of Galaxy devices very seriously. We have issued security measures since 2016, when the issue was discovered, and there have been no known security incidents related to this issue. We always recommend users to keep their devices updated with the latest software.”
The problem should be solved now
Affected Android manufacturers have fixed the issue, as the Android security team writes:
OEM partners quickly implemented mitigation measures when we reported the critical change. End users will be protected by user mitigations implemented by OEM partners. Google has implemented extensive tests for malware in the Build Test Suite, looking at system images. Google Play Protect also detects malware. There is no indication that this software is available on the Google Play Store. As always, we advise users to make sure they are running the latest version of Android.
In order to deal with attacks like this in the future, security keys need to be changed regularly. There are different versions of the APK signature scheme that offer different sets of features, and the latest version, V3, offers the option to change keys on the fly. This means that security keys can be replaced with new ones for users as part of app updates. The older V2, which is still in use, does not support this. To fix the problem with the keys in V2, manufacturers must release a security update to their devices that will allow them to issue a new certificate, replacing the one that was leaked.
As this vulnerability was revealed this week, there are still many unknowns. It is surprising that Samsung and LG’s certificates appeared in 2016, six years ago. It is not clear how the certificates leaked. Security-critical resources like these require a high level of protection, so it’s important for affected businesses to learn how criminals were able to extract these credentials, and what other details they have in their hands.
For what it’s worth, most parties have fixed or are working on fixes for the problem. The report was submitted in May 2022 and has now been published, and has been marked as fixed on Google’s issue tracker.
This is a reminder of the risks of downloading unknown apps and sideloading APKs. Although a platform like APK Mirror does everything it can to protect users, using the same heuristics as those found in the Play Store, there is always a small chance an attack like this will be sideloaded. There is not much security in the Play Store itself. Small amounts of malware continue to slip through the cracks on Google’s platform, so in the end, it’s about common sense and trusting your gut.
UPDATE: 2022/12/02 11:24 EST BY MANUEL VONAU
The article has been updated with a statement from the Android Security Team.