
Certificates from Samsung, LG and others were used to sign malware.

Security certificates used by major smartphone and component manufacturers have also been used to sign at least 10 pieces of Android malware. These certificates serve to ensure the authenticity of official software and operating system features, including access to restricted permissions that put users at high risk if misused.

The certificates of four companies were misused: Samsung, LG, MediaTek and Revue. However, the total number of certificates that raised warning signs is higher, and the companies responsible for the others cannot be identified. Similarly, it is not known exactly what led to the compromise of these certificates, which could have been obtained as a result of leaks, intrusions into internal systems, or even the actions of malicious employees.

Be that as it may, the following packages, all related to malicious applications, were found to be dangerous and to use the certificates illegitimately:

  • com.russian.signato.renewis
  • com.sledsdffsjkh.search
  • com.android.power
  • com.management.propaganda
  • com.sec.android.musicplayer
  • com.houla.quicken
  • com.attd.da
  • com.arlo.fappx
  • com.metasploit.stage
  • com.vantage.ectronic.cornmuni

According to the Android Partner Vulnerability Initiative (APVI) report, the use of such certificates by applications can grant them privileged access to smartphone data, as well as to functions such as intercepting and making calls, collecting information, and downloading or deleting other applications. Essentially, the certificate gives the software the same level of control as the owner of the device, if not more, allowing it to launch targeted and destructive attacks.

Although no specific campaigns were identified, the certificates were present in software that contained Trojan horses, displayed inappropriate ads, stole data, or delivered viruses. However, according to Google, whose researcher Łukasz Siewierski of the Android security team was responsible for the detection, there is no indication that the malicious apps were present in the Play Store, which ultimately reduces the scale of the attack.

The report was released only now, after the manufacturers had been notified so that the certificates could be updated; the versions used by the attackers are no longer valid. Meanwhile, Google indicates that it has recommended that all affected companies immediately investigate the causes of the incident, as well as reduce the number of signed applications and resources in order to deter this type of misuse.

End users are also protected from further exploits even if they have downloaded malicious apps on their smartphones, since the certificates that would have enabled the fraud no longer work. The warning is accompanied by the usual recommendation to download software only from official sources, as a way to minimize future risks.

Source: APVI, Bleeping Computer
