Samsung, LG and MediaTek platform certificates used to sign malicious Android apps

Google has disclosed that platform signing certificates belonging to several smartphone manufacturers were used to digitally sign malicious applications. A platform certificate is the key with which a manufacturer signs the privileged applications that ship as part of its Android system image. Among the certificates found on the malicious applications, those of Samsung, LG and MediaTek could be identified. The source of the leak has not yet been established.

The platform certificate also signs the "android" system package itself, which runs under the most privileged user ID (android.uid.system) and has system-level access, including to user data. Any application signed with the same certificate can declare android:sharedUserId="android.uid.system" in its manifest and is then executed under that same UID with the same level of system access, without any prompt or confirmation from the user.

The identified malicious applications signed with platform certificates contained code for intercepting information and for installing additional external malicious components onto the system. According to Google, none of these applications have been found in the Google Play Store. To further protect users, detection of them has already been added to Google Play Protect and to the Build Test Suite that Google uses to scan system images.
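One practical consequence of the mechanism above is that a platform-signed package outside the system image is, by itself, a strong indicator: a third party cannot legitimately produce such a signature. The script below (an added example for this page, not code from Google, the article, or any of the vendors) runs that triage over a device inventory and also lists which packages would need re-signing once a certificate is declared leaked. The one-line inventory format, the package names, and all certificate fingerprints are constructed for illustration; the comments note which real tools would supply each field on an actual device.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Partitions that legitimately hold OEM-signed system apps. A platform-signed
# package installed anywhere else (typically under /data/app) was sideloaded or
# delivered by an updater and deserves attention.
SYSTEM_PARTITIONS = ("/system/", "/system_ext/", "/product/", "/vendor/", "/odm/", "/apex/")
PRIVILEGED_SHARED_UID = "android.uid.system"

REASON_PLATFORM_OUTSIDE_IMAGE = "platform-signed but installed outside the system image"
REASON_SYSTEM_UID = "runs as android.uid.system"
REASON_UID_WITHOUT_PLATFORM_SIGNATURE = "declares android.uid.system without the platform signature"


@dataclass(frozen=True)
class InstalledApp:
    package: str
    apk_path: str
    signer_sha256: str            # hex SHA-256 of the DER signing certificate
    shared_user_id: Optional[str] = None


def parse_inventory(text: str) -> list[InstalledApp]:
    """Parse one app per line: '<package> <apk path> <signer sha256> [<sharedUserId>]'.

    The line format is an assumption of this example. On a real device the first
    two fields come from 'pm list packages -f', the signer from
    'apksigner verify --print-certs <apk>', and the sharedUserId from
    'aapt dump badging <apk>'.
    """
    apps: list[InstalledApp] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (3, 4):
            raise ValueError(f"malformed inventory line: {line!r}")
        package, path, signer = fields[:3]
        shared_uid = fields[3] if len(fields) == 4 else None
        apps.append(InstalledApp(package, path, signer.lower(), shared_uid))
    return apps


def find_suspicious(apps: list[InstalledApp], platform_cert_sha256: str) -> list[tuple[str, str]]:
    """Return sorted (package, reason) pairs.

    platform_cert_sha256 is the signer of the device's own platform apps, e.g.
    what 'apksigner verify --print-certs' reports for
    /system/framework/framework-res.apk.
    """
    platform = platform_cert_sha256.lower()
    findings = []
    for app in apps:
        platform_signed = app.signer_sha256 == platform
        on_system_partition = app.apk_path.startswith(SYSTEM_PARTITIONS)
        claims_system_uid = app.shared_user_id == PRIVILEGED_SHARED_UID
        if platform_signed and not on_system_partition:
            reason = REASON_PLATFORM_OUTSIDE_IMAGE
            if claims_system_uid:
                reason += "; " + REASON_SYSTEM_UID
            findings.append((app.package, reason))
        elif claims_system_uid and not platform_signed:
            # The package manager refuses to install this combination, so seeing
            # it means the inventory or the device state is inconsistent.
            findings.append((app.package, REASON_UID_WITHOUT_PLATFORM_SIGNATURE))
    return sorted(findings)


def needs_rotation(apps: list[InstalledApp], leaked_cert_sha256s) -> list[str]:
    """Packages signed with a certificate reported as leaked, wherever they live."""
    leaked = {h.lower() for h in leaked_cert_sha256s}
    return sorted(app.package for app in apps if app.signer_sha256 in leaked)


# Constructed fingerprints: none of these belongs to a real certificate.
PLATFORM_CERT = "a1" * 32     # this device's platform certificate
OTHER_OEM_CERT = "b2" * 32    # an ordinary OEM application key
THIRD_PARTY_CERT = "c3" * 32  # a developer's key from the app store

# Constructed inventory; package names and paths are illustrative only.
SAMPLE_INVENTORY = f"""
# package              apk path                                   signer            sharedUserId
android                /system/framework/framework-res.apk        {PLATFORM_CERT}
com.example.settings   /system/priv-app/Settings/Settings.apk     {PLATFORM_CERT}   android.uid.system
com.example.keyboard   /product/app/Keyboard/Keyboard.apk         {OTHER_OEM_CERT}
com.example.cleaner    /data/app/com.example.cleaner-1/base.apk   {PLATFORM_CERT}   android.uid.system
com.example.game       /data/app/com.example.game-1/base.apk      {THIRD_PARTY_CERT}
"""

if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for package, reason in find_suspicious(inventory, PLATFORM_CERT):
        print(f"SUSPICIOUS {package}: {reason}")
    print("needs re-signing after rotation:", needs_rotation(inventory, {PLATFORM_CERT}))
```

The location check deliberately does not depend on a list of known-bad hashes, so it keeps working on a device whose OEM has not (yet) been named; the `needs_rotation` view is what a vendor would use to scope a key rollover, since every package it lists has to be re-signed with the new key before the old certificate can be retired.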

To block further use of the compromised certificates, Google has recommended that the affected manufacturers rotate their platform certificates by generating new key pairs (new public and private keys). The manufacturers have also been asked to conduct an internal investigation to identify the source of the leak and to take steps to prevent similar incidents in the future. Google additionally recommends keeping the number of system applications signed with the platform certificate to a minimum, which makes rotating the certificate easier should a key leak again.

Source: opennet.ru