Samsung, LG and Mediatek Certificates Are Used to Sign Android Malware

Certificates of Samsung, LG and Mediatek
Written by Emma Davis

It was found that the certificates that Android OEM manufacturers Samsung, LG and Mediatek use to sign basic system applications were also used to sign malware.

Let me remind you that we also wrote that Hackers stole Mimecast certificate to attack Microsoft 365 users, and also that Critical vulnerabilities in HP Teradici PCoIP endanger 15 million endpoints.

Google experts say that Android device OEMs use special certificates or keys to sign the main ROM images of devices containing the OS itself and related applications. When applications are signed with this certificate and assigned the highly privileged used ID android.uid.system, they gain access to the device at the system level.

Such privileges provide access to sensitive permissions that are not normally granted to applications: manage ongoing calls, install or remove packages, collect device information, and other similar actions.

Łukasz Siewierski

Łukasz Siewierski

The misuse of such platform certificates was discovered by Łukasz Siewierski, a reverse engineer on the Android Security team.

A platform certificate is an application signing certificate used to sign an android application in a system image. The android application runs with a highly privileged user ID – android.uid.system – and contains system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to work with the same identifier, which will give it the same level of access to the Android operating system.Google experts explain.

Seversky found several samples of malware at once signed using the mentioned certificates and provided the SHA256 hashes for each of them. At the same time, it is not yet clear what led to the abuse of certificates: whether they were stolen by attackers, or an insider with the necessary access signed malicious APKs in this way. The detected malicious packages are listed below.

  1. com.russian.signato.renewis
  2. com.sledsdffsjkh.Search
  6. com.houla.quicken
  7. com.attd.da
  8. com.arlo.fappx
  9. com.metasploit.stage
  10. com.vantage.ectronic.cornmuni

Also, there is no information yet on where these malware samples were found – in the Google Play Store, in third-party stores, or the malicious apps were distributed in some other way.

Bleeping Computer journalists checked the malware hashes through VirusTotal and found out that some of the abused certificates belong to Samsung Electronics, LG Electronics, Revoview and Mediatek. The ownership of other certificates has not yet been determined.

Certificates of Samsung, LG and Mediatek
Malware with android.uid.system

Malware signed in this way includes Trojans from the HiddenAd family, unnamed infostealers, Metasploit, and droppers that attackers use to deliver additional payloads to compromised devices.

Journalists write that an easy way to get a list of all apps signed with compromised certificates is to use APKMirror (apps signed with a Samsung certificate, apps signed with an LG certificate).

Google says it has already notified all affected manufacturers of the abuse and recommended that they change their certificates and investigate the leak to minimize the number of applications signed with their certificates. According to the company, “all affected parties have already taken remedial action to minimize the impact on users.”

That being said, Bleeping Computer notes that not all vendors seem to have followed Google’s recommendations, as in Samsung’s case, compromised certificates are still being used to sign apps. Google assured journalists that they have already added tools to detect compromised certificates in the Android Build Test Suite (BTS), and malware will be detected through Google Play Protect.

The media also reported that Porn and gambling apps are also exploiting Apple’s Enterprise Certificate.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply