Malicious Android apps have been found signed with legitimate platform certificates belonging to original equipment manufacturers (OEMs) of Android devices. Because Android trusts anything carrying a platform signature, the certificates grant the malicious apps system-level privileges.

Android OEMs use platform certificates to sign the core system packages shipped in a device's ROM image, above all the 'android' framework package and the related system apps that run alongside it.

An app signed with the same platform certificate can declare the shared user id 'android.uid.system' in its manifest. Android only honours a shared user id when the requesting app is signed with the same certificate as the package that owns it, so a malicious app signed with a leaked platform key is installed as the system user and inherits system-level privileges on the device.

These privileges provide access to sensitive operations, including reading user data such as conversations, installing or removing packages, collecting device information and other actions that are normally withheld from ordinary third-party applications.
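The mechanism described above gives a simple triage rule: the platform certificate is whatever signs the 'android' package on the device, and no app installed outside the firmware partitions should ever carry that signature, let alone request 'android.uid.system'. The following Python script is an added example written for this article, not code from the original page or from Google's APVI; it runs that rule over a constructed package inventory. On a real device the fields would be filled from `adb shell dumpsys package <pkg>` (code path, signatures, sharedUser) or from `apksigner verify --print-certs` on the pulled APK; the certificate byte strings and package names below are placeholders.

```python
# Added example: flag installed packages that share the OEM platform signing key.
# Not code from the original article or from Google's APVI. The package records
# and certificate "DER" blobs below are constructed sample data, hashed only to
# produce consistent fingerprints; they are not real keys or real packages.
import hashlib
from dataclasses import dataclass
from typing import Optional

# Partitions that make up the firmware image. A platform-signed package living
# anywhere else was not shipped by the OEM and deserves a close look.
FIRMWARE_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")
SYSTEM_UID = "android.uid.system"


@dataclass
class PackageInfo:
    name: str
    code_path: str
    signer_sha256: str                  # lowercase hex SHA-256 of the DER signing cert
    shared_user_id: Optional[str] = None


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the form apksigner/keytool print (lowercase hex)."""
    return hashlib.sha256(der).hexdigest()


def platform_signer(packages: list[PackageInfo]) -> str:
    """The platform certificate is whatever signs the 'android' package."""
    for p in packages:
        if p.name == "android":
            return p.signer_sha256
    raise ValueError("inventory has no 'android' package")


def is_firmware_path(path: str) -> bool:
    return path.startswith(FIRMWARE_PREFIXES)


def find_platform_key_abuse(packages: list[PackageInfo]) -> dict[str, list[str]]:
    """Return {package_name: [reasons]} for every package outside the firmware
    that carries the platform signature, noting when it also takes the system UID."""
    plat = platform_signer(packages)
    findings: dict[str, list[str]] = {}
    for p in packages:
        if p.name == "android" or is_firmware_path(p.code_path):
            continue
        if p.signer_sha256 != plat:
            continue
        reasons = ["signed with the platform certificate but installed outside the firmware"]
        if p.shared_user_id == SYSTEM_UID:
            reasons.append("declares sharedUserId android.uid.system, so it runs as the system user")
        findings[p.name] = reasons
    return findings


# Constructed sample inventory (placeholder certificate bytes, not real keys).
PLATFORM_CERT = cert_fingerprint(b"placeholder OEM platform certificate")
DEV_CERT = cert_fingerprint(b"placeholder third-party developer certificate")

SAMPLE_INVENTORY = [
    PackageInfo("android", "/system/framework/framework-res.apk", PLATFORM_CERT, SYSTEM_UID),
    PackageInfo("com.android.settings", "/system_ext/priv-app/Settings/Settings.apk",
                PLATFORM_CERT, SYSTEM_UID),
    PackageInfo("com.example.weather", "/data/app/~~x/com.example.weather-1/base.apk", DEV_CERT),
    # A sideloaded app carrying the platform signature and the system shared UID.
    PackageInfo("com.example.cleaner", "/data/app/~~y/com.example.cleaner-1/base.apk",
                PLATFORM_CERT, SYSTEM_UID),
]

if __name__ == "__main__":
    for pkg, reasons in find_platform_key_abuse(SAMPLE_INVENTORY).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

Legitimate system apps such as Settings also carry the platform signature and the system shared UID, which is why the check keys on install location rather than on the signature alone; a platform-signed APK under /data/app is the anomaly the article describes.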

High-privilege malware

The abuse of platform keys was revealed in a statement on the Android Partner Vulnerability Initiative (APVI) issue tracker by Łukasz Siewierski, a reverse engineer on Google's Android Security team.

“A platform certificate is the application signing certificate used to sign the ‘android’ application on the system image”, Siewierski explained. “The ‘android’ application runs with a highly privileged user id — android.uid.system — and holds system permissions, including permissions to access user data.”

Compromised

Siewierski discovered several malware samples signed using ten different Android platform certificates.

It is not known how the certificates came into the hands of malware developers. They may have been stolen by threat actors or handed over by industry insiders with authorized access.

It is also unclear whether the malware samples were found on Google's Play Store or were distributed through third-party channels or delivered by exploits.
