Android phone makers’ encryption keys stolen and used in malware
As Google develops its open source Android mobile operating system, the “original equipment manufacturers” who make Android smartphones, such as Samsung, play an important role in adapting and securing the operating system on their devices. But a disclosure Google published Thursday reveals that a number of the digital certificates vendors use to sign vital system apps have recently been compromised and abused to put a seal of approval on malicious Android apps.
As with almost all computer operating systems, Android is designed around a privilege model: each piece of software running on your phone, from third-party apps to the operating system itself, is restricted as much as possible and granted access to the system only according to its needs. This is what prevents the game you installed last week from stealthily collecting all your passwords while still allowing your photo-editing app to read your camera roll, and the whole structure rests on digital signatures: every app is signed with a cryptographic key, and Android uses the signing certificate to decide what that app is entitled to. If the keys are compromised, attackers can grant their own software permissions it should never have.
Google said in a statement Thursday that Android device makers have rolled out mitigations, rotated keys and automatically pushed patches to users’ phones. The company has also added detections to its malware scanner for any app attempting to abuse the compromised certificates. Google said it found no evidence the malware made its way into the Google Play Store, meaning it was circulating through third-party distribution. Disclosure and coordination to deal with the threat happened through a consortium known as the Android Partner Vulnerability Initiative.
“While this attack was pretty bad, we were lucky this time because OEMs can quickly rotate affected keys by sending over-the-air device updates,” says Zack Newman, a researcher at the software supply chain security company Chainguard, which has done some analysis of the incident.
Abuse of compromised “platform certificates” would allow an attacker to create malware that is anointed with extended permissions, without the need to trick users into granting them. Google’s report, by Android reverse engineer Łukasz Siewierski, provides examples of malware that took advantage of the stolen certificates. It names Samsung and LG as two of the manufacturers whose certificates were compromised, among others.
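To make concrete why a leaked platform key is so damaging, here is an added illustration (not taken from Google’s report, from any of the malware it describes, or from any vendor’s code) of the two manifest mechanisms that tie an app’s privileges to its signing certificate. The package name, label and service name are hypothetical; `android:sharedUserId`, `android.uid.system` and the `INSTALL_PACKAGES` permission are real Android constructs.

```xml
<!-- Added illustration; package, label and service names are hypothetical. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.updater"
    android:sharedUserId="android.uid.system">
    <!-- Only an APK signed with the platform certificate may declare this
         sharedUserId; the package installer rejects any other signer.
         Once accepted, the app's process runs as the "system" UID and can
         read and write whatever that UID can, with no runtime prompt. -->

    <!-- INSTALL_PACKAGES is defined by the framework with a "signature"
         protection level. Such permissions are granted automatically to an
         app whose signer matches the defining certificate, so a platform-
         signed app holds it without the user ever seeing a dialog. -->
    <uses-permission android:name="android.permission.INSTALL_PACKAGES" />

    <application android:label="Hypothetical Updater">
        <service android:name=".UpdaterService" android:exported="false" />
    </application>
</manifest>
```

A practical check on a device or firmware image is to compare the signer of each preinstalled app against the expected platform certificate: `apksigner verify --print-certs app.apk` prints the SHA-256 fingerprint of the signing certificate, and any app whose signer appears on Google’s list of compromised certificates should be treated as hostile regardless of its package name.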
LG did not respond to a request for comment from WIRED. Samsung acknowledged the compromise in a statement and said “there have been no known security incidents regarding this potential vulnerability.”
Although Google appears to have caught the problem before it escalated, the incident underscores the reality that security measures can become single points of failure if they are not designed thoughtfully and with as much transparency as possible. Google itself debuted a mechanism last year called Google Binary Transparency that can be used to check whether the version of Android running on a device is the intended, verified version. There are scenarios where attackers might have so much access to a target’s system that they could defeat these logging tools, but they are worth deploying to minimize damage and flag suspicious behavior in as many situations as possible.
As always, the best defense for users is to keep the software of all their devices up to date.
“The reality is that we will see attackers continue to seek this type of access,” Chainguard’s Newman says. “But this challenge is not unique to Android, and the good news is that engineers and security researchers have made significant progress in creating solutions that prevent, detect, and enable recovery from these attacks.”