Platform certificates from major Android vendors and software makers have leaked and were used to sign malware, the Android Security Team discovered last month.
Platform certificates are digital certificates used by Android OEMs and ODMs to sign versions of the Android OS they deploy on their devices, their firmware, and official vendor apps they might ship to consumers. Because of the crucial role they play, any Android app signed by a platform cert usually gets the highest level of trust and access to an Android device.
Last month, the Android Security Team found several malware samples in the wild that were signed by platform certificates used by major vendors like Samsung, LG, MediaTek, and Revoview.
Since discovering the incident, the Android Security Team said it worked with the affected companies to revoke and rotate the leaked platform certificates.
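The trust model described above (an app signed with a platform certificate is granted system-level privilege purely because its signer matches the OEM's cert) and the revoke-and-rotate mitigation both come down to a fingerprint check. The following Go program is an added illustration, not code from Google or any OEM named in the article: it mints two constructed self-signed certificates standing in for a platform cert and its replacement, evaluates an APK signer against a trusted set and a denylist keyed by the SHA-256 of the DER certificate (the digest `apksigner verify --print-certs` reports), and shows that once the leaked cert is revoked, an app signed with it drops from platform trust to blocked while the rotated cert takes over. The `SignerPolicy` type and its method names are this example's own; Android's real installer compares the full signer certificate, not only its hash, but the effect is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TrustLevel is the privilege an installer grants an APK based on who signed it.
type TrustLevel int

const (
	TrustNone     TrustLevel = iota // unknown signer: ordinary third-party app
	TrustRevoked                    // signer is a known-leaked platform cert: block and alert
	TrustPlatform                   // signer matches a current platform cert: system privileges
)

func (t TrustLevel) String() string {
	return [...]string{"none", "revoked", "platform"}[t]
}

// SignerPolicy models the two lists an OEM maintains after a key compromise:
// platform certs still trusted, and fingerprints of leaked certs to deny.
type SignerPolicy struct {
	trusted map[string]bool
	revoked map[string]bool
}

func NewSignerPolicy() *SignerPolicy {
	return &SignerPolicy{trusted: map[string]bool{}, revoked: map[string]bool{}}
}

// Fingerprint is the SHA-256 of the DER-encoded certificate, the value
// leaked-cert indicators are normally published as.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Trust registers a certificate as a current platform signer.
func (p *SignerPolicy) Trust(der []byte) { p.trusted[Fingerprint(der)] = true }

// Revoke models rotation: the leaked cert leaves the trusted set and joins the
// denylist, so anything it signed is refused even if it was trusted yesterday.
func (p *SignerPolicy) Revoke(der []byte) {
	fp := Fingerprint(der)
	delete(p.trusted, fp)
	p.revoked[fp] = true
}

// Evaluate decides the trust level of an APK from its signer certificate.
// The denylist is checked first so a revoked cert can never regain trust by accident.
func (p *SignerPolicy) Evaluate(signerDER []byte) TrustLevel {
	fp := Fingerprint(signerDER)
	switch {
	case p.revoked[fp]:
		return TrustRevoked
	case p.trusted[fp]:
		return TrustPlatform
	default:
		return TrustNone
	}
}

// NewSelfSignedCert mints a constructed self-signed certificate that stands in
// for an OEM platform certificate in this example (assumption: real platform
// certs are CA-managed keys, not throwaway P-256 keys).
func NewSelfSignedCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Scenario replays the incident: an app signed with the platform cert is fully
// trusted, the cert leaks and is revoked, a rotated cert replaces it.
// It returns the trust level of the same leaked-cert-signed app before and
// after revocation, and the level of an app signed with the rotated cert.
func Scenario() (before, after, rotated TrustLevel, err error) {
	leaked, err := NewSelfSignedCert("constructed platform cert (leaked)")
	if err != nil {
		return
	}
	replacement, err := NewSelfSignedCert("constructed platform cert (rotated)")
	if err != nil {
		return
	}
	policy := NewSignerPolicy()
	policy.Trust(leaked)
	before = policy.Evaluate(leaked) // platform: malware signed with it would be trusted

	policy.Revoke(leaked)    // OEM rotates the key
	policy.Trust(replacement)
	after = policy.Evaluate(leaked)       // revoked: same signer is now blocked
	rotated = policy.Evaluate(replacement) // platform: new cert carries the trust
	return
}

func main() {
	before, after, rotated, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before revocation: %s, after: %s, rotated cert: %s\n", before, after, rotated)
}
```

The denylist-first ordering in `Evaluate` is the detail worth keeping: a scanner such as a build-time system-image check or an on-device app scan must treat a leaked fingerprint as blocked regardless of whatever trust lists it also appears in, and the check must be re-run over already-installed apps, since those were signed before the revocation.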
“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise. End users will be protected by user mitigations implemented by OEM partners. Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware.”
It’s unknown whether the platform certificates were stolen from the vendors’ infrastructure or leaked to a threat actor by malicious insiders. Google has asked vendors to launch internal investigations.
While malware signed with the leaked platform certs was spotted in the wild, Google said none was uploaded to the official Play Store.
In a blog post last week, security firm Rapid7 said that while the use of certificates to sign malware is usually a sign of a state-sponsored threat group, the malicious apps signed in this incident are run-of-the-mill adware.
“This finding suggests that these platform certificates may have been widely available, as state-sponsored actors tend to be more subtle in their approach to highly privileged malware,” said Rapid7’s Erick Galinkin.