Facepalm: Like any other modern operating system, Android's design employs a "privilege" based model. Such model is enforced by digital certificates, and it can become quite troublesome when the certificates are compromised somehow.
An undefined number of Platform digital certificates for Android were compromised by cyber-criminals and have been used to sign malware. First disclosed in November, the issue seems to be resolved now thanks to the aforementioned certificates' revocation, but the risk still persists as attackers will continue to go after this type of access.
As originally explained on Chromium's bug tracking platform, a Platform certificate is the application signing certificate used to sign the "android" application on the OS system image. The "android" application runs with the highest system privileges, which grant it "system" permissions to access and modify user data. Any other application signed with this kind of certificate, the researchers warned, can run with the same level of access to the Android operating system, data and apps.
The issue report warned that multiple platform certificates were used to sign malicious apps, with several malware samples (and compromised certificates) listed with their related SHA256 hashes. At least four OEM manufacturers were involved in the incident, two of them being LG and Samsung.
Google informed all the affected parties about the stolen/compromised certificates. According to a Samsung statement about the issue, there have been no known security incidents regarding this potential vulnerability – so far. The manufacturers were quick to react, promptly releasing security updates for their custom Android editions as soon as Google reported the key compromise.
The stolen certificates are now invalid, and they cannot be used to sign powerful malware apps anymore. Ensuring mobile devices are running the latest version of Android is indeed the best security practice users can perform to avoid this kind of risk, Google advised.
The Mountain View giant also suggested the best course of action for smartphone manufacturers, which should minimize the number of applications signed with their Platform certificate. This way, the cost of rotating platform cryptographic keys will be significantly lower. Furthermore, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the same incident from happening in the future.
According to Zack Newman, a researcher at the software supply-chain security firm Chainguard, the challenge posed by stolen digital certificates isn't unique to Android. "The good news," Newman said, is that security engineers and researchers "have made significant progress in building solutions that prevent, detect, and enable recovery from these attacks."