Samsung's Android app signing key leaked and is being used to sign malware

Samsung Android app signing key leaked and used to sign malware

Dsimic

A developer's cryptographic signing key is one of the main pillars of Android security. Whenever Android updates an app, the signing key of the old app on your phone must match the key of the update you are installing. Matching keys ensure that the update is from the company that originally created your app and is not a malicious hacking plot. If a developer's signing key were leaked, anyone could distribute malicious app updates and Android would happily install them, thinking they're legitimate.

On Android, the app update process is not only for apps downloaded from an app store: you can also update built-in system apps created by Google, your device manufacturer, or any other vendor whose apps ship on the device. While downloaded apps have a strict set of permissions and controls, built-in Android system apps have access to much more powerful and invasive permissions and aren't subject to the usual Play Store limitations (which is why Facebook still pays to be a bundled application). If a third-party developer lost their signing key, that would be bad. If an Android OEM lost their system app signing key, that would be really, really bad.

Guess what happened! Łukasz Siewierski, a member of Google's Android security team, published an Android Partner Vulnerability Initiative (AVPI) issue tracker article detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each through APKMirror or Google's VirusTotal site will put names on some of the compromised keys: Samsung, LG and Mediatek are the heavy hitters on the list of leaked keys, along with some of the smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets.

These companies have somehow had their signing keys leaked to third parties, and now you can't trust that apps claiming to be from these companies really are. To make matters worse, the "platform certificate keys" they lost carry serious permissions. To quote the AVPI post:

A platform certificate is the application signing certificate used to sign the "android" application on the system image. The "android" app runs with a highly privileged user ID - android.uid.system - and holds system permissions, including permissions to access user data. Any other app signed with the same certificate can declare that it wants to run with the same user ID, giving it the same level of access to the Android operating system.
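The two rules the quoted text and the paragraphs above describe (an update must be signed with the same certificate as the installed package, and a request for android.uid.system is honoured only for APKs signed with the platform certificate) can be modelled in a few lines. The following is an added example written for this page, not code from the article, from Google or from any OEM; the certificate bytes, package names and the leaked-certificate blocklist are constructed placeholders, and the real fingerprints of the leaked certificates are the ones listed in the AVPI post, not anything shown here.

```python
"""Model of the Android signing checks discussed on this page (added example).
All certificate bytes and package names are constructed placeholders."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PLATFORM_UID = "android.uid.system"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate: the value apksigner,
    APKMirror and VirusTotal show as an APK's signer, and the kind of value the
    AVPI post lists for each leaked platform certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Apk:
    package: str
    signer: str                           # signing-certificate fingerprint
    shared_user_id: Optional[str] = None  # android:sharedUserId from the manifest


@dataclass
class Device:
    platform_cert: str                                        # OEM platform-cert fingerprint
    installed: Dict[str, str] = field(default_factory=dict)   # package -> signer fingerprint
    leaked_certs: Set[str] = field(default_factory=set)       # defender's blocklist of leaked certs

    def can_update(self, apk: Apk) -> bool:
        """Android's update rule: a package already on the device may only be
        replaced by an APK signed with the same certificate."""
        current = self.installed.get(apk.package)
        return current is None or current == apk.signer

    def effective_uid(self, apk: Apk) -> str:
        """A request for android.uid.system is honoured only when the APK is
        signed with the platform certificate; any other app gets its own UID."""
        if apk.shared_user_id == PLATFORM_UID and apk.signer == self.platform_cert:
            return PLATFORM_UID
        # Deterministic per-package app UID in the u0_aNNN style Android uses.
        n = int(hashlib.sha256(apk.package.encode()).hexdigest()[:4], 16)
        return f"u0_a{n}"

    def install(self, apk: Apk) -> str:
        if not self.can_update(apk):
            raise PermissionError(f"{apk.package}: signer does not match installed package")
        self.installed[apk.package] = apk.signer
        return self.effective_uid(apk)

    def audit(self) -> List[str]:
        """Installed packages whose signer is on the leaked-cert list: anything
        carrying that signature can no longer be attributed to the OEM."""
        return sorted(p for p, s in self.installed.items() if s in self.leaked_certs)


def demo() -> dict:
    # Constructed certificate bytes; they stand in for real DER certificates.
    oem_platform = cert_fingerprint(b"CONSTRUCTED: OEM platform certificate")
    attacker_cert = cert_fingerprint(b"CONSTRUCTED: attacker's own certificate")

    dev = Device(platform_cert=oem_platform)
    dev.install(Apk("com.oem.pay", oem_platform, PLATFORM_UID))  # bundled OEM app

    # An APK signed with the leaked platform key lands in android.uid.system.
    malware_uid = dev.install(Apk("com.example.malware", oem_platform, PLATFORM_UID))

    # The same manifest signed with the attacker's own key gets an ordinary app UID.
    own_key_uid = dev.effective_uid(Apk("com.example.other", attacker_cert, PLATFORM_UID))

    # An update to the OEM app signed with a different key is refused.
    rogue_update_allowed = dev.can_update(Apk("com.oem.pay", attacker_cert))

    # Once the leak is known, the defender blocklists the cert and audits the device.
    dev.leaked_certs.add(oem_platform)
    return {
        "malware_uid": malware_uid,
        "own_key_uid": own_key_uid,
        "rogue_update_allowed": rogue_update_allowed,
        "audit": dev.audit(),
    }


if __name__ == "__main__":
    print(demo())
```

The `audit` step is the defensive takeaway: once a platform certificate is known to be leaked, its fingerprint alone no longer distinguishes the OEM's own apps from anything else signed with it, so every package carrying that signer needs to be checked by other means (source, hash, behaviour).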

Esper's Senior Technical Writer Mishaal Rahman, as always, posted some great info on this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can communicate directly with (or, in the case of malware, spy on) other apps on your phone. Imagine a more evil version of Google Play Services, and you get the idea.

Samsung: Actually our key was compromised years ago

Samsung is not only the biggest Android OEM to leak a signing key, it's also the biggest user of a leaked key. This earlier APKMirror link shows just how bad it is. Samsung's compromised key is used for everything: Samsung Pay, Bixby...

