Android system app signing certificates were used by attackers to sign malicious apps.
Android device OEMs use certificates, or rather their private keys, to sign the master ROM images of Android devices and the applications bundled with them. If a malicious app is signed with the same platform certificate as a legitimate system app and requests the same highly privileged shared user ID, it gains the same system-level access to the Android device.
Such privileges grant access to sensitive permissions that are not normally granted to applications, such as:
- managing current calls;
- installing or removing packages;
- collecting information about the device, etc.
This misuse of platform keys was discovered by Łukasz Siewierski, a reverse engineer on Google's Android security team.
Siewierski found several malware samples signed with 10 such certificates and published SHA-256 hashes of each sample and of each signing certificate. It is currently unknown who misused these certificates or how the malware samples were distributed.
A search for these hashes in VirusTotal showed that some of the certificates belong to Samsung Electronics, LG Electronics, Revoview and Mediatek. Malware signed with these vendors' certificates includes:
- the HiddenAds trojan, which displays full-screen ads over the device's lock screen;
- infostealers, which steal the user's confidential information and credentials;
- Metasploit, a pentest tool that can be used to develop and distribute exploits;
- droppers, applications that carry additional payloads to infect the device.
To see all apps signed with these potentially compromised certificates, you can search for them on APKMirror (a list of apps signed with the Samsung certificate and one app signed with the LG certificate). Google has informed all affected vendors and advised them to rotate their platform certificates, investigate the leak, and minimize the number of apps signed with those certificates to prevent future incidents.
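As an added example that is not part of this article, the following Python script extracts the signer certificate from an APK's v1 (JAR) signature block and returns its SHA-256, so a defender can compare installed or sideloaded APKs against the certificate hashes published in the disclosure (the hashes themselves are not reproduced here). The minimal PKCS#7 walker assumes DER encoding; `tlv()` and `constructed_apk()` are helpers that build a labelled fake sample for offline testing, not a real APK or certificate.

```python
import hashlib
import io
import zipfile

def der_read(buf, pos):
    # Parse one DER TLV header at pos -> (tag, content_start, content_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signer_cert_der(pkcs7):
    # Walk ContentInfo -> [0] -> SignedData -> certificates [0]; return the first cert's DER.
    _, pos, _ = der_read(pkcs7, 0)          # ContentInfo SEQUENCE
    _, _, pos = der_read(pkcs7, pos)        # skip contentType OID (signedData)
    _, pos, _ = der_read(pkcs7, pos)        # [0] EXPLICIT content
    _, pos, _ = der_read(pkcs7, pos)        # SignedData SEQUENCE
    for _ in range(3):                      # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = der_read(pkcs7, pos)
    tag, pos, _ = der_read(pkcs7, pos)      # certificates [0] IMPLICIT SET OF Certificate
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    _, _, end = der_read(pkcs7, pos)        # whole TLV of the first Certificate
    return pkcs7[pos:end]

def apk_signer_sha256(apk_bytes):
    # Hex SHA-256 of the signing certificate found in the APK's META-INF signature block.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blocks = [n for n in zf.namelist()
                  if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not blocks:
            raise ValueError("APK has no v1 signature block")
        return hashlib.sha256(signer_cert_der(zf.read(blocks[0]))).hexdigest()

def tlv(tag, content):
    # Short-form DER encoder (content < 128 bytes), enough for the constructed sample below.
    return bytes([tag, len(content)]) + content

def constructed_apk(cert_der):
    # Constructed sample: a zip holding a minimal PKCS#7 SignedData that wraps cert_der.
    signed_data = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, b"")
                      + tlv(0xA0, cert_der) + tlv(0x31, b""))
    pkcs7 = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + tlv(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

Compare the returned digest with the SHA-256 values from the disclosure; a match means the app was signed with a leaked platform key. Only the v1 signer is inspected here, so for APKs that carry only a v2/v3 APK Signing Block use `apksigner verify --print-certs` instead.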