Hackers Sign Android Malware using Hacked Platform Signing Certificates

A reverse engineer from Google found that the hackers used multiple platform signing certificates to sign the Android malware apps.

The compromised platform signing certificates belong to some of the well-known vendors, such as Samsung Electronics, LG Electronics, Revoview, and Mediatek.

Platform certificates also known as application signing certificates, are mainly used by OEM(original equipment manufacturer) vendors to sign Android Applications.

The Platform signing certificate used to sign the Android application obtains the highest privilege to run on the platform, in fact, it also has permission to access user data.

So if the same certificate is used to sign the other application is potentially dangerous and lets attackers gain the highest privilege on the device by installing a malicious app that was signed by the compromised platform signing certificate.

Once the attackers sign the malware using the same platform certificate leads to gaining complete access to the device when it has the ability to gain the same level of privilege.

According to the Google report “A platform certificate is the application signing certificate used to sign the “android” application on the system image.

The “android” application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data.

Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.”

Here is the list of malicious package name that was signed by platform singing certificates.

com.russian.signato.renewis
com.sledsdffsjkh.Search
com.android.power
com.management.propaganda
com.sec.android.musicplayer
com.houla.quicken
com.attd.da
com.arlo.fappx
com.metasploit.stage
com.vantage.ectronic.cornmuni

Incident Reported:

Google immediately reported to the affected vendors (Samsung Electronics, LG Electronics, Revoview, and Mediatek)

Also suggested that “Applications signed with the platform certificate may declare that they want to share uid with the “android” application, giving them the same set of permissions without user input.”

In order to mitigate further risk, Google suggests rotating the platform certificate by replacing it with a new set of public and private keys.

“Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future.”

IOC

There are multiple samples were found to be used by attackers. here is the list of a few samples researchers publicly shared.

“Listed below are the SHA256 hashes of the platform signing certificates and the SHA256 hashes of correctly signed malware using the platform certificate. In some cases, when multiple samples of malware were found, only one representative sample is listed.”Google said.

Certificate SHA256: 2464ddfefa071f268ea7667123df05ead2293272ff2a64d9cee021c38b46c6af
Malware sample SHA256: e4e28de8ad3f826fe50a456217d11e9e6a80563b35871ac37845357628b95f6a

Certificate SHA256: 2bfa22964760a25d99ab9a14910e44fe2063b51d5b4ac2e4282573ce94996aa3
Malware sample SHA256: 5c173df9e86e959c2eadcc3ef9897c8e1438b7a154c7c692d0fe054837530458

Certificate SHA256: 34df0e7a9f1cf1892e45c056b4973cd81ccf148a4050d11aea4ac5a65f900a42
Malware sample SHA256: b1f191b1ee463679c7c2fa7db5a224b6759c5474b73a59be3e133a6825b2a284

Certificate SHA256: 369c38b18401ea16785f11720e37d7a2bc5a4d209e76955c0858ea469ad62fdf
Malware sample SHA256: 19c84a2386abde0c0dae8661b394e53bf246f6f0f9a12d84cfc7864e4a809697

Certificate SHA256: 4274243d7a954ac6482866f0cc67ca1843ca94d68a0ee53f837d6740a8134421
Malware sample SHA256: 0251bececeffbf4bf90eaaad27c147bb023388817d9fbec1054fac1324c6f8bf

Certificate SHA256: 5304915c4bb7baca28776231993996fde1baffcbbe6500fb0fc7f2d3a2888cb7
Malware sample SHA256: c612917d68803efbd2f0e960ade1662be9751096afe0fd81cee283c5a35e7618

Certificate SHA256: 9200c550f2374706eff37e3a8674bc03aeba8b25c052de638972ab94365af0a2
Malware sample SHA256: 6792324c1095458d6b78e92d5ae003a317fe3991d187447020d680e99d9b6129

Certificate SHA256: 9fc510e167d8d312e758273285414e77edac9fed944741f5682be92501f095d4
Malware sample SHA256: 091733658c7a32f4673415b11733ae729b87e2a2540c87d08ba9adf7bc62d7ed

Certificate SHA256: a7a0e10a61a5af93624376df60e9def9436358f50aa6174e5423633b856e2be1
Malware sample SHA256: 5aaefc5b4fb1e1973832f44ba2d82a70106d3e8999680df6deed3570cd30fb97

Certificate SHA256: b01dcea669eefdd991fc6a24678a8b6e6a6d0ad8986950328c69d0eea1dec0d5
Malware sample SHA256: 32b9a33ad3d5a063cd4f08e0739a6ce1e11130532fd0b7e13a3a37edaf9893eb

Google recommends minimizing the number of applications signed with the platform certificate, as it will significantly lower the cost of rotating platform keys should a similar incident occur in the future.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.