EletiofeAndroid Phone Makers’ Encryption Keys Stolen and Used in...

Android Phone Makers’ Encryption Keys Stolen and Used in Malware


- Advertisment -

While Google develops its open source Android mobile operating system, the “original equipment manufacturers” who make Android smartphones, like Samsung, play a large role in tailoring and securing the OS for their devices. But a new finding that Google made public on Thursday​ reveals that a number of digital certificates used by vendors to validate vital system applications were recently compromised and have already been abused to put a stamp of approval on malicious Android apps.

As with almost any computer operating system, Google’s Android is designed with a “privilege” model, so different software running on your Android phone, from third-party apps to the operating system itself, are restricted as much as possible and only allowed system access based on their needs. This keeps the latest game you’re playing from quietly collecting all your passwords while allowing your photo editing app to access your camera roll, and the whole structure is enforced by digital certificates signed with cryptographic keys. If the keys are compromised, attackers can grant their own software permissions it shouldn’t have. 

Google said in a statement on Thursday that Android device manufacturers had rolled out mitigations, rotating keys and pushing out the fixes to users’ phones automatically. And the company has added scanner detections for any malware attempting to abuse the compromised certificates. Google said it has not found evidence that the malware snuck into the Google Play Store, meaning that it was making the rounds via third-party distribution. Disclosure and coordination to address the threat happened through a consortium known as the Android Partner Vulnerability Initiative.

“While this attack is quite bad, we got lucky this time, as OEMs can quickly rotate the affected keys by shipping over-the-air device updates,” says Zack Newman, a researcher at the software supply-chain security firm Chainguard, which did some analysis of the incident. 

Abusing the compromised “platform certificates” would allow an attacker to create malware that is anointed and has extensive permissions without needing to trick users into granting them. The Google report, by Android reverse engineer Łukasz Siewierski, provides some malware samples that were taking advantage of the stolen certificates. They point to Samsung and LG as two of the manufacturers whose certificates were compromised, among others.

LG did not return a request from WIRED for comment. Samsung acknowledged the compromise in a statement and said that “there have been no known security incidents regarding this potential vulnerability.”

Though Google seems to have caught the issue before it spiraled, the incident underscores the reality that security measures can become single points of failure if they aren’t designed thoughtfully and with as much transparency as possible. Google itself debuted a mechanism last year called Google Binary Transparency that can act as a check of whether the version of Android running on a device is the intended, verified version. There are scenarios in which attackers could have so much access on a target’s system that they could defeat such logging tools, but they are worth deploying to minimize damage and flag suspicious behavior in as many situations as possible.

As always, the best defense for users is to keep the software on all their devices up to date

“The reality is, we will see attackers continue to go after this type of access,” Chainguard’s Newman says. “But this challenge is not unique to Android, and the good news is that security engineers and researchers have made significant progress in building solutions that prevent, detect, and enable recovery from these attacks.”

Latest news

Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data

At the beginning of March, Google released an update for its flagship Pixel smartphones to patch a vulnerability in...

16 Best Spring Sales: Google Pixel Phones, Samsung Galaxy S23, and More

Spring is officially here, and retailers are celebrating by holding seasonal sales. While these kinds of sale events often...

Q&A: MLS NEXT Pro president on development league’s ‘very ambitious plan’

Yahoo Sports: OK, let’s talk about some of the unique rules in the league.Altchek: In the middle of last...

Funke Akindele Deserves Her Flowers For Standing Up For Lagos State – Tonto Dikeh

Nollywood actress cum politician, Tonto Dikeh has taken to Instagram to celebrate her colleague, Funke Akindele for...
- Advertisement -

Nothing Ear (2) Review: Vibrant Sound, Control Issues

The app also has some welcome customization features. There’s an extensive listening test, for example, provided by hearing experts...

Travelrest Nest Ultimate Travel Pillow: Neck Support for Great Sleep

Throughout my life, I’ve tried a bunch of U-shaped travel pillows—the ones that go around your neck—and frankly, they...

Must read

Bug in Google Markup, Windows Photo-Cropping Tools Exposes Removed Image Data

At the beginning of March, Google released an update...

16 Best Spring Sales: Google Pixel Phones, Samsung Galaxy S23, and More

Spring is officially here, and retailers are celebrating by...
- Advertisement -

You might also likeRELATED
Recommended to you