
A “platform certificate” is used to verify an app’s authenticity; when someone other than the device manufacturer holds one, it becomes dangerous.

Although Google is the mastermind behind Android, “original equipment manufacturers” have a considerable say in how it is used on their devices. Companies like Samsung take Google’s open-source code and mould it to fit their own purposes.

But on Thursday, Google revealed a new finding: many of the digital certificates that vendors use to vouch for vital system applications had been compromised and abused to approve malicious Android apps.

Almost every computer system, including Google’s Android, is designed around a “privilege” model. In other words, each piece of software running on your phone, from third-party apps to the operating system itself, is restricted to the parts of the system it needs for its specific purpose.

Digital certificates signed with cryptographic keys are what keep the latest game you’re playing from secretly collecting all your passwords while still letting a photo-editing app access your camera roll. If an attacker gets hold of those keys, they can grant their software elevated permissions it shouldn’t have.

On Thursday, Google revealed that Android device manufacturers had already pushed out fixes to users’ phones and rotated the keys to mitigate the threat.

Furthermore, the company has added detections to its scanner for any malware trying to take advantage of the compromised certificates. Google stated that it had found no evidence of the malware in the Google Play Store, meaning it was being circulated through other distribution channels. The Android Partner Vulnerability Initiative is the group that mediates and coordinates such disclosures between companies.
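As an added example, not code from the article, from Google’s report, or from any OEM, here is the defender-side check that such detections reduce to: read an APK’s v1 (JAR) signature block, compute the SHA-256 digest of each signer certificate (the same digest `apksigner verify --print-certs` reports), and compare it with a denylist of leaked platform-certificate digests. The sample APK and its stand-in “certificate” are constructed here; the real leaked digests are in Google’s report, not on this page.

```python
import hashlib, io, zipfile

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    while start < end:
        tag, vs, ve = der_read(buf, start)
        yield tag, start, vs, ve
        start = ve

def pkcs7_cert_digests(blob):
    """SHA-256 over each DER certificate in a PKCS#7 SignedData, as apksigner --print-certs reports."""
    _, vs, ve = der_read(blob, 0)                                          # ContentInfo SEQUENCE
    content = next(c for c in der_children(blob, vs, ve) if c[0] == 0xA0)  # [0] EXPLICIT content
    _, sd_s, sd_e = der_read(blob, content[2])                             # SignedData SEQUENCE
    return [hashlib.sha256(blob[cs:ce]).hexdigest()
            for tag, _, fs, fe in der_children(blob, sd_s, sd_e) if tag == 0xA0  # [0] certificates
            for _, cs, _, ce in der_children(blob, fs, fe)]

def flag_leaked_signer(apk_bytes, denylist):
    """Signer-certificate digests from the APK's v1 (JAR) signature blocks that are on the denylist."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                found.update(pkcs7_cert_digests(z.read(name)))
    return found & {d.lower() for d in denylist}

def der(tag, payload):
    """Minimal DER encoder (lengths below 256), used only to build the constructed sample."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + payload

def build_sample_apk():
    """Constructed APK carrying a stand-in signer 'certificate'; not a real OEM platform certificate."""
    cert = der(0x30, der(0x30, b"stand-in tbsCertificate") + der(0x03, b"\x00stand-in signature"))
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))
                      + der(0xA0, cert) + der(0x31, b""))  # version, digestAlgs, encapContentInfo, certs, signerInfos
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue(), hashlib.sha256(cert).hexdigest()
```

Only v1 signature blocks are read here; an APK signed solely with the v2/v3 APK Signing Block has no `META-INF/*.RSA` entry, so for those use `apksigner verify --print-certs`, which prints the same per-certificate SHA-256 digest.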

Zack Newman, a researcher at the software supply-chain security firm Chainguard, analysed the incident and said, “This was a serious attack, but we were lucky as OEMs can quickly change the affected keys by sending over-the-air device updates.”

By abusing stolen platform certificates, malicious individuals could create malware that wouldn’t need to trick users into granting it permissions, giving the malware more freedom and capabilities.

The Google report published by Android reverse engineer Łukasz Siewierski provides malware samples that exploit stolen certificates. The report cites Samsung and LG as two manufacturers whose security certificates were compromised, among others.

Despite being contacted, LG did not provide a comment. However, Samsung issued a statement saying that “there have been no known security incidents regarding this potential vulnerability.”
