While Google develops its open source Android mobile operating system, the “original equipment manufacturers” that make Android phones, such as Samsung, play a major role in maintaining and protecting the OS on their devices. But new information disclosed by Google on Thursday shows that several digital certificates used by vendors to validate their system software were recently compromised and have already been abused to put a stamp of approval on malicious Android apps.
As with any computer operating system, Android is designed around “privileges”, so that the various programs running on your phone, from third-party apps to the operating system itself, are restricted as much as possible and are only allowed the system access their job requires. This keeps the new game you’re playing from silently collecting all your passwords while still allowing your photo editing app to access your camera, and the whole arrangement is enforced through digital certificates signed with cryptographic keys. If those keys are compromised, attackers can grant their own software access it shouldn’t have.
Google said on Thursday that Android device makers have rotated the affected keys and pushed fixes to users’ phones. The company has also added checks to catch any malware trying to misuse a compromised certificate. Google said it has found no evidence that the malware made it into the Google Play Store, meaning it is circulating through third-party distribution. The disclosure and the coordination to address this vulnerability were handled through a partnership called the Android Partner Vulnerability Initiative.
“Although the attack is serious, we have an advantage this time, as OEMs can quickly reverse the affected keys by sending over-the-air updates,” said Zack Newman, a researcher at software security firm Chainguard, which analyzed the situation.
Misuse of “platform certificates” could allow an attacker to create malware with a wide range of permissions without having to trick users into granting them. The Google report, written by Android reverse engineer Łukasz Siewierski, provides examples of malware that take advantage of the stolen certificates. It points to Samsung and LG, among others, as manufacturers whose certificates were compromised.
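As an added illustration (not from the article or from Google’s report), the trust rule described above, and the key rotation Newman refers to, modelled in Go. It is a simplification: an Ed25519 key pair stands in for an OEM platform certificate, and the app, device and key names are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// App is a stripped-down APK: payload, signer public key, and signature over the payload.
type App struct {
	Body   []byte
	Signer ed25519.PublicKey
	Sig    []byte
}

// Device holds the platform signing keys it currently trusts. Simplification: an Ed25519
// public key stands in for an OEM platform certificate and its bytes for the fingerprint.
type Device struct{ trusted map[string]bool }

// GrantsPlatformPrivileges applies the rule from the article: system-level permissions
// only if the signature verifies under a platform key the device currently trusts.
func (d *Device) GrantsPlatformPrivileges(a App) bool {
	return ed25519.Verify(a.Signer, a.Body, a.Sig) && d.trusted[string(a.Signer)]
}

// RotatePlatformKey models the over-the-air fix: distrust the leaked key, trust its replacement.
func (d *Device) RotatePlatformKey(old, replacement ed25519.PublicKey) {
	delete(d.trusted, string(old))
	d.trusted[string(replacement)] = true
}

// Scenario: malware signed with a leaked platform key is privileged until the key is rotated.
// Returns whether the malware holds platform privileges before and after rotation.
func Scenario() (before, after bool) {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed OEM platform key
	device := &Device{trusted: map[string]bool{string(oemPub): true}}
	body := []byte("malicious app (constructed)")
	malware := App{Body: body, Signer: oemPub, Sig: ed25519.Sign(oemPriv, body)} // signed with the leaked key
	before = device.GrantsPlatformPrivileges(malware)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader) // replacement key shipped by OTA update
	device.RotatePlatformKey(oemPub, newPub)
	after = device.GrantsPlatformPrivileges(malware)
	return before, after
}

func main() {
	before, after := Scenario()
	fmt.Printf("privileged before rotation: %v, after rotation: %v\n", before, after) // true, false
}
```

The malware’s signature stays cryptographically valid after rotation; it loses its privileges only because the device no longer trusts the key that produced it.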
LG did not respond to WIRED’s request for comment. Samsung acknowledged the vulnerability in a statement and said “there have been no known security issues related to this vulnerability.”
Although Google appears to have caught this issue before it got out of hand, the incident shows that security measures can be ineffective if they are not designed as intelligently and transparently as possible. Google itself released a system last year called Google Binary Transparency that can serve as a check on whether the version of Android running on a device is the intended, verified one. There are situations in which attackers with enough access to the target device can defeat logging tools like this, but they are still worth deploying to minimize damage and raise suspicion as early as possible.
As always, the best protection for users is to keep the software on all their devices up to date.
“The reality is, we’re going to see attackers continue to follow this strategy,” said Chainguard’s Newman. “But this problem is not unique to Android, and the good news is that security engineers and researchers have made great strides in developing methods that prevent, detect, and help recover from this.”