Sideloaded Fake Updates May Hide Dangerous Malware, Android OEM Key Leak Reveals

A huge part of Android phones’ security is the app signing process, since it is the way to make sure that all updates come from the actual developer instead of suspicious or even dangerous sources.

That only holds as long as the key used to sign the app is kept private, no matter what.

Unfortunately, it appears that a few platform certificates from giants such as MediaTek, Revoview, LG and even Samsung have leaked and have even been used to sign malware!

The bad news was shared through the Android Partner Vulnerability Initiative (APVI) and applies solely to application updates and not OTAs.

As for how it works: when signing keys leak, an attacker could sign a malicious app with a leaked key and then deliver it to somebody’s device in the form of an update.

For the malware to get Android operating system-level access, someone then needs to sideload the update from a third-party site, something that’s rather common.

These malicious apps are able to use Android’s shared UID and interface with the system process.

More precisely, the reporter on the APVI explains that “A platform certificate is the app signing certificate used to sign the ‘android’ app on the system image. The ‘android’ app runs with a highly privileged username – android.uid.system – and holds some system permissions, including to access user data. Any other app signed with the same certificate can declare it wants to run with the same username, giving it the exact same level of access to Android’s operating system.”

These malware samples have been discovered by a reverse engineer at Google by the name of Łukasz Siewierski.

Siewierski was the one who made SHA256 hashes of the malware samples and each of their signing certificates public on VirusTotal, allowing the public to identify them.
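Certificate hashes published this way can be turned into a fleet check. The following is an added example, not code from the APVI report or from Google: it flags packages signed with a denylisted certificate and ranks them by whether they are sideloaded and declare the android.uid.system shared UID. The inventory schema, package names, paths and certificate bytes are constructed, and treating Google Play as the only trusted installer is a policy assumption.

```python
import hashlib

# Constructed stand-ins for DER certificate bytes; not real certificates.
LEAKED_PLATFORM_CERT = b"constructed-leaked-platform-certificate"
OTHER_DEVELOPER_CERT = b"constructed-unrelated-developer-certificate"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing certificate, the form in which the hashes were published."""
    return hashlib.sha256(cert_der).hexdigest()

# Denylist placeholder: in practice, the published fingerprints go here.
COMPROMISED = {fingerprint(LEAKED_PLATFORM_CERT)}
SYSTEM_UID = "android.uid.system"
PREINSTALLED = ("/system/", "/system_ext/", "/product/", "/vendor/")
TRUSTED_INSTALLERS = {"com.android.vending"}  # policy assumption: Google Play only

def triage(pkg: dict) -> str:
    """Classify one record of the hypothetical inventory schema used below."""
    if fingerprint(pkg["cert_der"]) not in COMPROMISED:
        return "ok"
    if pkg["apk_path"].startswith(PREINSTALLED):
        return "preinstalled-needs-rotation"  # firmware component; vendor must rotate the key
    if pkg["installer"] in TRUSTED_INSTALLERS:
        return "review"  # store-delivered update still signed with the leaked key
    if pkg["shared_user_id"] == SYSTEM_UID:
        return "critical"  # sideloaded, platform-signed, runs as the system user
    return "suspicious"  # sideloaded and platform-signed, no system UID requested

def scan(inventory: list) -> dict:
    """Return {package name: verdict} for every package that is not 'ok'."""
    verdicts = {p["name"]: triage(p) for p in inventory}
    return {name: v for name, v in verdicts.items() if v != "ok"}

# Constructed inventory (package names and paths are illustrative).
SAMPLE_INVENTORY = [
    {"name": "android", "cert_der": LEAKED_PLATFORM_CERT, "shared_user_id": SYSTEM_UID,
     "apk_path": "/system/framework/framework-res.apk", "installer": None},
    {"name": "com.example.fakeupdate", "cert_der": LEAKED_PLATFORM_CERT,
     "shared_user_id": SYSTEM_UID, "apk_path": "/data/app/fakeupdate/base.apk", "installer": None},
    {"name": "com.example.widget", "cert_der": LEAKED_PLATFORM_CERT,
     "shared_user_id": None, "apk_path": "/data/app/widget/base.apk", "installer": None},
    {"name": "com.example.notes", "cert_der": OTHER_DEVELOPER_CERT,
     "shared_user_id": None, "apk_path": "/data/app/notes/base.apk", "installer": None},
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_INVENTORY).items():
        print(f"{name}: {verdict}")
```

A sideloaded update to a preinstalled app is installed under /data/app, which is why the path check separates firmware components from the update scenario described above.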

It’s still unclear where the samples were found, and whether or not they have been distributed on sites like APKMirror before, but Google has at least confirmed that this malware had not been detected on the Google Play Store.

The report states that “All affected parties were informed of our findings and have taken measures to minimize the user impact.”

As far as Samsung is concerned, however, it appears that the certificates are still in use.

What’s even more concerning is that one of the malware samples signed with Samsung’s certificate was submitted for the first time way back in 2016.

This might mean that the certificate could’ve been in the hands of malicious sources for no less than 6 years, although that is yet to be confirmed.

The reporter advises that “All affected parties need to rotate the platform certificate by just replacing it with a brand new set of public and private keys. In addition, they should conduct an internal investigation in order to find the root cause of the issue and take some steps to prevent the incident from happening again in the future. We strongly recommend minimizing the number of apps signed with the platform certificate as well, as it will significantly lower the costs of rotating platform keys in case a similar incident occurs in the future.”

Ionela Ghergus
