According to Google, root Android certificates from Samsung, LF, Mediatek, Szroco and Revoview have leaked and are being actively exploited by hackers. These certificates are used to sign and lock the Android operating system, native apps, system apps, and official apps from third-party manufacturers. These keys attest to the authenticity of these official applications.
With these keys, hackers can thus pass applications under the radar of the security mechanisms of the Android system and allow malicious programs to carry out more actions such as theft of personal data, without triggering the slightest alarm. It’s a bit like a blank check for hackers. Apparently, the problem would exist “for years” but would have been discovered only now.
Root Android certificates from several manufacturers, actively exploited by hackers
Some manufacturers, however, claim that the extent of the problem should be extremely limited in their fleet of smartphones. Samsung, for example, explains that it has “pushed patches since 2016 after learning about the issue” and “no incident related to this potential vulnerability has since been reported”.
Google also confirms that measures have been taken by manufacturers: “our OEM partners were quick to take action when contacted. End users will be protected by measures implemented by OEM partners.” The firm now detects the certificates in question in Build Test Suite, and on the Google Play Store platform.
Google claims not to have detected any malicious program on the Play Store using these certificates. Even if Google is reassuring, the problem remains serious, especially on older smartphones that are no longer covered by security updates. According to our colleagues at PhoneArena, users who install apps from APK files found on sites like APKMirror or alternative app stores run an increased risk of installing malware that exploits one of these root certificates.
For its part, Google recommends that its partners no longer use the cryptographic keys in question, which must be replaced by new ones, as well as conducting an internal audit to understand how these keys could have leaked and prevent this from happening again. In addition, the firm advises manufacturers to use Android system keys only on a small selection of native applications, as additional protection.
New APVI entry: platform certificates used to sign malware
Found by yours truly 🙂https://t.co/qiFMJW111A
— Łukasz (@maldr0id@infosec.exchange) (@maldr0id) November 30, 2022
