Platform certificates are the trusted signing keys owned by each device OEM and used to sign their core apps. Abusing them to sign malware-laced apps therefore grants that malware the same root access as legitimate apps, putting users at risk.
Abusing the Android Platform Certificates
For those unaware, every device OEM holds a set of trusted certificates used to sign the core apps on its platform, much like authenticating a document with a signature. Apps carrying that signature are granted root privileges over the system's internals so that they can do their job. Threat actors are now abusing this trust on Android devices: a reverse engineer on Google's Android Security team spotted several malware apps signed with the trusted platform certificates of legitimate OEMs.
Found by yours truly 🙂 https://t.co/qiFMJW111A — Łukasz (@maldr0id), November 30, 2022

As noted in the Android Partner Vulnerability Initiative (APVI) issue tracker, the malware samples listed there were signed using ten Android platform certificates, for purposes that remain unknown. There is no information on how the threat actors obtained these certificates, or whether they were leaked by someone inside one of the companies. A search by BleepingComputer on VirusTotal revealed that some of the abused platform certificates belong to Samsung Electronics, LG Electronics, Revoview, and MediaTek. Apps signed with these OEMs' platform certificates carry HiddenAd trojans, information stealers, Metasploit payloads, and malware droppers, which can be used to steal device users' sensitive data and even deliver additional malware. While Google informed all affected vendors about the incident and asked them to rotate their platform certificates, Samsung may have ignored the request, as its platform certificates are still being abused to digitally sign apps.
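As an added example (not from the article, Google, or the APVI), here is a small triage routine a defender could run over `apksigner verify --print-certs` output to flag APKs signed with a platform certificate known to be abused whose package name does not belong to that OEM. The certificate digests and package prefixes are constructed placeholders, since the real digests are published in the APVI tracker and not on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholders: SHA-256 digests of platform certificates reported as
# abused. The real digests live in the APVI tracker and are not reproduced here.
ABUSED_PLATFORM_CERTS = {
    "00" * 32: "PLACEHOLDER-OEM-A",
    "11" * 32: "PLACEHOLDER-OEM-B",
}

# Package-name prefixes each OEM's own platform-signed apps are expected to use
# (an assumption for this example; build it from your own device inventory).
EXPECTED_PREFIXES = {
    "PLACEHOLDER-OEM-A": ("com.oema.",),
    "PLACEHOLDER-OEM-B": ("com.oemb.",),
}

# Matches the digest lines printed by `apksigner verify --print-certs`.
_DIGEST_RE = re.compile(r"Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})")

@dataclass
class Verdict:
    package: str
    oem: Optional[str]          # OEM whose abused platform cert signed the APK
    suspicious: bool            # platform-signed but not one of that OEM's packages
    digests: List[str] = field(default_factory=list)

def triage(package: str, apksigner_output: str) -> Verdict:
    """Classify one APK from its package name and apksigner --print-certs output."""
    digests = [d.lower() for d in _DIGEST_RE.findall(apksigner_output)]
    for digest in digests:
        oem = ABUSED_PLATFORM_CERTS.get(digest)
        if oem is None:
            continue
        expected = package.startswith(EXPECTED_PREFIXES.get(oem, ()))
        # Any hit on a leaked platform cert deserves review; an unexpected
        # package name is the strongest signal of a repackaged malicious app.
        return Verdict(package, oem, not expected, digests)
    return Verdict(package, None, False, digests)

# Constructed sample output, in the format apksigner prints for a v1+v2 signed APK.
SAMPLE_OUTPUT = """Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Android, C=US
Signer #1 certificate SHA-256 digest: """ + "00" * 32 + """
Signer #1 certificate SHA-1 digest: """ + "00" * 20 + "\n"
```

A hit with an expected package name still warrants a look, since a malicious app can choose any package name; the routine only ranks the unexpected ones highest.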