Hackers Sign Android Malware Apps with Compromised Platform Certificates

by admin 0 Comments

Cyber Security

Products You May Like

Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps.

The findings were first discovered and reported by Google reverse engineer Łukasz Siewierski on Thursday.

“A platform certificate is the application signing certificate used to sign the ‘android’ application on the system image,” a report filed through the Android Partner Vulnerability Initiative (AVPI) reads.

“The ‘android’ application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data.”

CyberSecurity

This effectively means that a rogue application signed with the same certificate can gain the highest level of privileges as the Android operating system, permitting it to harvest all kinds of sensitive information from a compromised device.

The list of malicious Android app packages that have abused the certificates is below –

  • com.russian.signato.renewis
  • com.sledsdffsjkh.Search
  • com.android.power
  • com.management.propaganda
  • com.sec.android.musicplayer
  • com.houla.quicken
  • com.attd.da
  • com.arlo.fappx
  • com.metasploit.stage
  • com.vantage.ectronic.cornmuni
Android Malware Apps

That said, it’s not immediately clear how and where these artifacts were found, and if they were used as part of any active malware campaign.

A search on VirusTotal shows that the identified samples have been flagged by antivirus solutions as HiddenAds adware, Metasploit, information stealers, downloaders, and other obfuscated malware.

When reached for comment, Google said it informed all impacted vendors to rotate the certificates and that there’s no evidence these apps were delivered through the Play Store.

“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise,” the company told The Hacker News in a statement. “End users will be protected by user mitigations implemented by OEM partners.”

“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
This article was originally published by Thehackernews.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware
Lava Blaze X India Launch Teased; Live Images of a Lava Blaze Model Leaked
Oppo Reno 12F 5G With MediaTek Dimensity 6300 SoC, 5,000mAh Battery Unveiled: Specifications
Revolut CEO confident on UK bank license approval as fintech firm hits record $545 million profit
Chinese smartphone maker Honor says AI’s power is ‘worthless’ without data privacy

Leave a Reply

Your email address will not be published. Required fields are marked *