Android OEM platform certificates utilised to sign malware

December 15, 2022

Cybercriminals have found a way to sign their malware by abusing several of the platform certificates utilised by Android OEM device vendors. A leaked platform certificate lets attackers sign malicious Android applications so that they run with elevated privileges on the infected device.

According to the investigation, several malware samples were signed by threat actors through 10 Android platform certificates in the early weeks of November.

The certificates enable apps to run with the user ID android.uid.system. Any app that runs under this user ID obtains high-level system access and holds system permissions, including access to user information.

Furthermore, an actor could acquire multiple additional privileges, since such an app can obtain sensitive permissions. The most notable are managing outgoing calls, harvesting device information, and installing and deleting packages. These privileges go well beyond the permissions usually granted to third-party applications, which is a primary concern for researchers.

Some of the affected Android OEM vendors are well-known companies.

Researchers discovered that some of the abused certificates are owned by Android OEM vendors such as Mediatek, LG Electronics, Review, and Samsung Electronics.

Malicious actors used applications signed with these firms’ certificates to spread Metasploit payloads, trojans, infostealers, and malware droppers that can deliver additional payloads to infected devices.

It is currently unknown how the platform certificates were leaked, and whether researchers first found the malware on the Play Store. Fortunately, Google has added detections for the malicious keys to the Android Build Test Suite and detections for the malware to Google Play Protect.

Additionally, Google notified all impacted vendors and urged them to rotate their platform certificates and investigate the leak to find its cause. Google also suggests that vendors limit the number of apps signed with the platform certificate, which lowers the cost of platform key rotation and helps prevent similar issues in the future.

Cybersecurity experts also encourage users to consult APKMirror for an overview of all Android applications signed with these compromised certificates. Mitigation measures implemented by OEM partners could also safeguard end users.
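As an added example (not code from the article, Google or any vendor), the kind of check described above in stdlib-only Python: it pulls the signer certificate out of an APK's v1 (JAR) signature file and compares its SHA-256 fingerprint against a caller-supplied list of leaked platform certificate fingerprints. The published fingerprints are not on this page, so the sample input is a constructed stand-in; APKs carrying only a v2/v3 APK Signing Block have no META-INF/*.RSA file and are out of scope here (apksigner verify --print-certs covers those).

```python
import hashlib, io, zipfile

def der_tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, tlv_start, value_start, tlv_end)."""
    tag, length, p = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, p = int.from_bytes(data[p:p + n], "big"), p + n
    return tag, pos, p, p + length

def der_children(data, start, end):      # walk the TLVs packed inside a constructed value
    while start < end:
        node = der_tlv(data, start)
        yield node
        start = node[3]

def certs_from_pkcs7(blob):
    """DER X.509 certificates carried in a PKCS#7 SignedData blob (a META-INF/*.RSA file)."""
    _, _, ci_s, ci_e = der_tlv(blob, 0)                        # ContentInfo SEQUENCE
    _, _, wrap_s, _ = list(der_children(blob, ci_s, ci_e))[1]  # [0] EXPLICIT SignedData
    _, _, sd_s, sd_e = der_tlv(blob, wrap_s)                   # SignedData SEQUENCE
    for tag, _, vs, ve in der_children(blob, sd_s, sd_e):
        if tag == 0xA0:                                        # certificates [0] IMPLICIT
            return [blob[s:e] for _, s, _, e in der_children(blob, vs, ve)]
    return []

def cert_fingerprint(cert_der):          # SHA-256 hex, the form leaked certs are listed in
    return hashlib.sha256(cert_der).hexdigest()

def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every signer certificate in the APK's META-INF/*.RSA|DSA|EC files."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [cert_fingerprint(c) for c in certs_from_pkcs7(z.read(name))]
    return fps

def flag_leaked_signers(apk_bytes, leaked_fingerprints):
    """Signer fingerprints of this APK that appear on the leaked-certificate list."""
    return sorted(set(apk_signer_fingerprints(apk_bytes)) & set(leaked_fingerprints))

# Constructed sample (not a real APK or cert): SignedData whose certificates field holds SEQUENCE{"fake-cert"}
FAKE_CERT = bytes.fromhex("300966616b652d63657274")
SAMPLE_PKCS7 = bytes.fromhex("303006092a864886f70d010702a0233021020101"
                             "3100300b06092a864886f70d010701a00b" + FAKE_CERT.hex() + "3100")

def build_sample_apk():                  # minimal zip standing in for a real APK
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", SAMPLE_PKCS7)
    return buf.getvalue()
```

On a real device the same check can be run over APKs pulled with adb, feeding the fingerprints from the vendor advisory into flag_leaked_signers.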
