Android security defeated with stolen Platform certificates

Alfonso Maruccia

Posts: 193   +92
Staff
Facepalm: Like any other modern operating system, Android's design employs a "privilege" based model. Such model is enforced by digital certificates, and it can become quite troublesome when the certificates are compromised somehow.

An undefined number of Platform digital certificates for Android were compromised by cyber-criminals and have been used to sign malware. First disclosed in November, the issue seems to be resolved now thanks to the aforementioned certificates' revocation, but the risk still persists as attackers will continue to go after this type of access.

As originally explained on Chromium's bug tracking platform, a Platform certificate is the application signing certificate used to sign the "android" application on the OS system image. The "android" application runs with the highest system privileges, which grant it "system" permissions to access and modify user data. Any other application signed with this kind of certificate, the researchers warned, can run with the same level of access to the Android operating system, data and apps.

The issue report warned that multiple platform certificates were used to sign malicious apps, with several malware samples (and compromised certificates) listed with their related SHA256 hashes. At least four OEM manufacturers were involved in the incident, two of them being LG and Samsung.

Google informed all the affected parties about the stolen/compromised certificates. According to a Samsung statement about the issue, there have been no known security incidents regarding this potential vulnerability – so far. The manufacturers were quick to react, promptly releasing security updates for their custom Android editions as soon as Google reported the key compromise.

The stolen certificates are now invalid, and they cannot be used to sign powerful malware apps anymore. Ensuring mobile devices are running the latest version of Android is indeed the best security practice users can perform to avoid this kind of risk, Google advised.

The Mountain View giant also suggested the best course of action for smartphone manufacturers, which should minimize the number of applications signed with their Platform certificate. This way, the cost of rotating platform cryptographic keys will be significantly lower. Furthermore, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the same incident from happening in the future.

According to Zack Newman, a researcher at the software supply-chain security firm Chainguard, the challenge posed by stolen digital certificates isn't unique to Android. "The good news," Newman said, is that security engineers and researchers "have made significant progress in building solutions that prevent, detect, and enable recovery from these attacks."

Permalink to story.

 

Uncle Al

Posts: 9,363   +8,581
"have made significant progress in building solutions that prevent, detect, and enable recovery from these attacks."

Better news would be if they also included features that would identify, report, and request prosecution of the offenders without the user having to do anything, then follow up by permanently blocking their IP address and reporting it to other IP's so they could do the same.
 

bviktor

Posts: 1,158   +1,690
"have made significant progress in building solutions that prevent, detect, and enable recovery from these attacks."

Better news would be if they also included features that would identify, report, and request prosecution of the offenders without the user having to do anything, then follow up by permanently blocking their IP address and reporting it to other IP's so they could do the same.
Oh yeah, IP blocking is totally the solution. Geez, these security "experts" lol
 

error1984

Posts: 30   +44
I wonder why nobody complain about this mess called android. I have 8 gb pc rig. I can play aaa games on it with no problems and other pc related stuff. That rubbish android require at least 6gb to have sttuter free experience....pathetic
 

trparky

Posts: 1,159   +1,320
I wonder why nobody complain about this mess called android. I have 8 gb pc rig. I can play aaa games on it with no problems and other pc related stuff. That rubbish android require at least 6gb to have sttuter free experience....pathetic
Because Android is a horribly hacked together piece of crap. People may hate on Apple because they don’t put the latest and greatest high core-count CPUs and lots of RAM in their iPhones but iOS has consistently proven that it doesn’t need it to run great unlike Android.
 

Hexic

Posts: 1,284   +2,037
TechSpot Elite
Because Android is a horribly hacked together piece of crap. People may hate on Apple because they don’t put the latest and greatest high core-count CPUs and lots of RAM but iOS has consistently proven that it doesn’t need it to run great unlike Android.

Android is furthest from hacked together - gross exaggeration. As for your last point - nobody hates on Apple because they don't have high specs... that's irrelevant. People hate on Apple because they are lazy, non-innovative, and sell incredibly basic phones for insane prices.

The biggest difference in this situation is Apple owning all aspects of software and hardware; there's your answer. Much easier to optimize when you own the entire process.

However, the biggest problem with owning the entire process is you fail to innovate over time. That is Apple right now, and has been for a long time. Samsung is blowing them away (as usual) implementing new technologies now that will inevitably be in the next iPhone series in a handful of years.

Do iPhones work very well? Absolutely. Are they overpriced phones with limited functionality, that have been copied/pasted since the iPhone X? Also yes.
 

Theinsanegamer

Posts: 3,957   +7,003
I wonder why nobody complain about this mess called android. I have 8 gb pc rig. I can play aaa games on it with no problems and other pc related stuff. That rubbish android require at least 6gb to have sttuter free experience....pathetic
so the last time you used an android phone was....never?

Here's a pro tip: stop buying $100 samsungs and assuming they represent the whole market. Android has no issue running smoothly on 2-3 GB of ram, same as iOS, so long as you dont have one of those garbage ones with the awful UI eating up resources (samsung).