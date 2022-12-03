Hackers obtained the platform signing certificates of several hardware vendors, a compromise that could lead to serious security problems.
The discovery was made by Google security researcher Lukasz Siewierski and his team. These certificates are used by phone and component manufacturers to sign their Android applications and prove their authenticity, distinguishing them from malware.
Certificates belonging to LG, MediaTek, Samsung and Revoview were among those abused by the hackers. The total number of affected certificates is higher, however, and it was not identified which other companies had their signing certificates compromised.
Another open question is how the hackers obtained the certificates. The likely explanations are that they were stolen through leaks, through intrusions into the companies’ internal systems, or with the collaboration of dishonest employees.
New APVI entry: platform certificates used to sign malware
Found by yours truly :) https://t.co/qiFMJW111A
— Łukasz (@[email protected]) (@maldr0id) November 30, 2022
According to Lukasz Siewierski, the following package names were found in malicious applications signed with the abused certificates:
- com.russian.signato.renewis
- com.sledsdffsjkh.Search
- com.android.power
- com.management.propaganda
- com.sec.android.musicplayer
- com.houla.quicken
- com.attd.da
- com.arlo.fappx
- com.metasploit.stage
- com.vantage.ectronic.cornmuni
The Android Partner Vulnerability Initiative (APVI) report explains that the certificates can be used to disguise malware as official apps and to give it access to victim data: collecting information, intercepting and making phone calls, and installing and uninstalling applications remotely.
More worryingly, the attacker would gain the same level of control as the device’s owner, which opens the door to targeted and damaging attacks.
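As an added illustration of how a defender would act on the report (this script is not from the article or from Google's APVI report), the following Python helper parses the text that the Android SDK's `apksigner verify --print-certs <apk>` command prints, extracts each signer's SHA-256 certificate digest, and flags an APK when that digest matches a denylist of revoked platform certificates or when its package name is one of the packages listed above. The digest in `LEAKED_PLATFORM_CERT_SHA256` is a placeholder, the two sample `apksigner` outputs are constructed, and the output format is assumed from the current build-tools release; fill the denylist from the fingerprints published in the APVI entry for the vendors you manage.

```python
"""Flag APKs signed with a leaked Android platform certificate.

Added example, not code from the article or from Google's APVI report.
Parses `apksigner verify --print-certs` output, pulls out every signer's
SHA-256 certificate digest, and flags the APK if the digest is on a
denylist of revoked platform certificates or the package name is one the
report calls out. LEAKED_PLATFORM_CERT_SHA256 holds a PLACEHOLDER value.
"""
import re
import subprocess
from dataclasses import dataclass

# Package names the report lists as abusing the leaked certificates.
SUSPECT_PACKAGES = frozenset({
    "com.russian.signato.renewis",
    "com.sledsdffsjkh.Search",
    "com.android.power",
    "com.management.propaganda",
    "com.sec.android.musicplayer",
    "com.houla.quicken",
    "com.attd.da",
    "com.arlo.fappx",
    "com.metasploit.stage",
    "com.vantage.ectronic.cornmuni",
})

# PLACEHOLDER fingerprint (constructed, not a real certificate hash).
PLACEHOLDER_DIGEST = "0123456789abcdef" * 4
LEAKED_PLATFORM_CERT_SHA256 = {
    PLACEHOLDER_DIGEST: "vendor-X platform key (placeholder)",
}

# Matches the per-signer digest line that apksigner prints.
_DIGEST_RE = re.compile(
    r"^Signer #(?P<n>\d+) certificate SHA-256 digest:\s*(?P<hex>[0-9a-fA-F]{64})\s*$",
    re.MULTILINE,
)


@dataclass
class Verdict:
    package: str
    cert_digests: list    # every signer digest found, in order
    leaked_matches: list  # the subset that is on the denylist
    suspect_name: bool    # package name appears in the report

    def is_flagged(self) -> bool:
        return bool(self.leaked_matches) or self.suspect_name


def parse_apksigner_output(text: str) -> list:
    """Return the distinct signer SHA-256 digests (lowercase hex) in apksigner output."""
    found = [m.group("hex").lower() for m in _DIGEST_RE.finditer(text)]
    return list(dict.fromkeys(found))  # de-duplicate, keep first-seen order


def triage(package: str, apksigner_text: str) -> Verdict:
    """Decide whether an APK deserves a closer look from its name and signer digests."""
    digests = parse_apksigner_output(apksigner_text)
    matches = [d for d in digests if d in LEAKED_PLATFORM_CERT_SHA256]
    return Verdict(package, digests, matches, package in SUSPECT_PACKAGES)


def triage_file(package: str, apk_path: str) -> Verdict:
    """Run apksigner on a real APK (needs Android build-tools on PATH)."""
    proc = subprocess.run(
        ["apksigner", "verify", "--print-certs", apk_path],
        capture_output=True, text=True, check=False,
    )
    # apksigner exits non-zero when the signature does not verify; a tampered
    # APK still deserves a look, so parse whatever certificate lines it printed.
    return triage(package, proc.stdout)


# Constructed sample outputs in the apksigner format (all digests are fake).
SAMPLE_LEAKED = f"""Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Signer #1 certificate DN: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: {PLACEHOLDER_DIGEST.upper()}
Signer #1 certificate SHA-1 digest: {'00' * 20}
Signer #1 certificate MD5 digest: {'00' * 16}
"""

SAMPLE_BENIGN = f"""Verifies
Signer #1 certificate DN: CN=Example Developer, O=Example, C=US
Signer #1 certificate SHA-256 digest: {'ab' * 32}
Signer #1 certificate SHA-1 digest: {'ab' * 20}
Signer #1 certificate MD5 digest: {'ab' * 16}
"""

if __name__ == "__main__":
    for pkg, out in [("com.sec.android.musicplayer", SAMPLE_LEAKED),
                     ("com.example.notes", SAMPLE_BENIGN),
                     ("com.android.power", SAMPLE_BENIGN)]:
        v = triage(pkg, out)
        print(f"{pkg}: {'FLAG' if v.is_flagged() else 'ok'} "
              f"leaked={v.leaked_matches} suspect_name={v.suspect_name}")
```

The certificate check is the one that matters: a package name is trivially renamed, whereas a signer digest that matches a revoked platform key is a hard indicator regardless of what the app calls itself. Note that `com.android.power` is flagged on its name alone even with a benign signer, so treat a name-only hit as a prompt to inspect, not as a conviction.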
Fortunately, the team led by Lukasz reports that it did not detect malware signed with these certificates in the Play Store, which limits the criminals’ reach. The report was published only now, after the companies had been notified of the leak and had been able to rotate the compromised certificates.
In its recommendations, Google encourages the companies to investigate how the certificates leaked and to reduce the number of applications signed with them, so as to limit incidents of this kind.
If a user has installed any of the applications that use the certificates illegally, Google guarantees that they will not suffer new attacks, since the certificates no longer work. The company also recommends downloading software only from official sources, which would avoid this type of incident.