Android's signature check is a security measure that prevents apps from being used to install unauthorized updates or malicious code: an update is only installed if it is signed with the same certificate as the app it replaces, and privileged permissions are tied to the signing certificate rather than to the app's name.
Android's permission model distinguishes ordinary permissions, which any app can request and the user grants at install or run time, from signature-level permissions, which the system grants only to apps signed with the same certificate as the app that declared them. This holds regardless of where an app was downloaded from, and it applies equally to apps installed from the Google Play Store and to apps bundled with the device: what matters is the signing certificate.
If an OEM's system app signing key is lost or leaked, and a malicious app is signed with that same key, the app can request the highly privileged shared user id 'android.uid.system' and will receive the same system-level access to the Android device as the OEM's own system apps.
The signature-level permissions unlocked by the manufacturer's platform certificate cannot be obtained by ordinary apps; only apps signed with that certificate hold them. They allow installing or deleting packages, managing ongoing calls, collecting information about the device, and other sensitive operations.
Google reverse engineer Lukasz Siewierski discovered that several OEM platform signing certificates had been used to sign malware, giving it privileged access to user data. The report is published on the Android Partner Vulnerability Initiative (APVI) tracker.
Platform certificates are used to sign the Android applications shipped on the system image. Those applications run under a highly privileged user id that holds system permissions, including permission to access user data.
Siewierski found several malware samples signed with ten different Android platform certificates and published the SHA-256 hash of each sample.
At this time there is no information on how the certificates' private keys leaked, whether one or more threat actors hold them, or whether an insider with authorized access signed the APKs with the OEM keys. It is also unknown where these samples were found, or whether they were distributed through the Play Store or through third-party stores.
The ten abused platform certificates belong to several vendors rather than to a single OEM.
Samsung, LG, MediaTek, Revoview, and Szroco are among the vendors whose platform certificates were used to sign malware.
The signed malware includes HiddenAd trojans, information stealers, and Metasploit payloads, which are used to drop further malicious payloads on infected devices.
Google has notified all affected vendors and advised them to rotate their platform keys, investigate the root cause of the leak, and keep the number of apps signed with their platform certificate to a minimum so that a future incident has less impact.
Minimizing the number of applications signed with the platform certificate also reduces the cost of rotating the platform key, because fewer apps have to be re-signed and redistributed.
To find the legitimate apps signed with the affected certificates, search APK Mirror, which lists apps by signing certificate (for example, the apps signed with the Samsung and LG platform certificates). Google says that all affected vendors have been informed of the abused platform certificates and have taken corrective measures to limit the impact on users; however, Samsung still appears to be signing apps with the leaked platform certificate.
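As an added example (not code from the page, from the APVI report, or from any vendor), the following Python script does offline what the APK Mirror lookup above does by hand, and what Google's advice to keep platform-signed apps to a minimum requires auditing: it pulls the signer certificates out of an APK's v1 (JAR) signature block in META-INF, computes their SHA-256 fingerprints, flags any that appear in a denylist, and groups a set of APKs by signer so you can count how many share one certificate. The denylist, the sample APK and its two placeholder "certificates" are constructed here for illustration only; the real fingerprints of the abused certificates must be taken from the APVI report or from a known-bad sample.

```python
"""Fingerprint the signer certificates of an APK (v1/JAR signature block) and
check them against a denylist of compromised platform certificates."""
import hashlib
import io
import zipfile

# Standard PKCS#7 object identifiers (DER-encoded), not values from the page.
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 signedData
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1 data


def der_encode(tag, payload):
    """Minimal DER TLV encoder (single-byte tags), used only to build the sample."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, tlv_end) for each TLV in buf[start:end].
    Assumes single-byte tags, which holds for every structure walked here."""
    off = start
    while off < end:
        tlv_start = off
        tag = buf[off]
        off += 1
        length = buf[off]
        off += 1
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[off:off + n], "big")
            off += n
        yield tag, tlv_start, off, off + length
        off += length


def certs_from_pkcs7(blob):
    """Return the raw DER Certificate structures carried in a PKCS#7 SignedData blob."""
    # ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
    outer = next(der_children(blob, 0, len(blob)))
    if outer[0] != 0x30:
        raise ValueError("signature block is not a DER SEQUENCE")
    fields = list(der_children(blob, outer[2], outer[3]))
    oid_tag, _, oid_v, oid_e = fields[0]
    if oid_tag != 0x06 or blob[oid_v:oid_e] != SIGNED_DATA_OID:
        raise ValueError("signature block is not PKCS#7 signedData")
    _, _, ctx_v, ctx_e = fields[1]                          # [0] EXPLICIT wrapper
    signed_data = next(der_children(blob, ctx_v, ctx_e))    # SignedData SEQUENCE
    certs = []
    for tag, _, v, e in der_children(blob, signed_data[2], signed_data[3]):
        if tag == 0xA0:                                     # certificates [0] IMPLICIT SET
            for ctag, cs, _, ce in der_children(blob, v, e):
                if ctag == 0x30:                            # each Certificate is a SEQUENCE
                    certs.append(blob[cs:ce])
            break
    return certs


def fingerprint(cert_der):
    """SHA-256 of the DER certificate, the same value apksigner prints as the cert digest."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_cert_fingerprints(apk):
    """Fingerprints of every signer certificate in the APK's META-INF/*.RSA|.DSA|.EC blocks.
    `apk` is the APK bytes or a path/file object accepted by zipfile."""
    src = io.BytesIO(apk) if isinstance(apk, (bytes, bytearray)) else apk
    fps = []
    with zipfile.ZipFile(src) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps.extend(fingerprint(c) for c in certs_from_pkcs7(z.read(name)))
    return fps


def flag_compromised(apk, denylist):
    """Signer fingerprints of `apk` that appear in the denylist of compromised certificates."""
    return [fp for fp in signer_cert_fingerprints(apk) if fp in denylist]


def group_by_signer(apks):
    """Map signer fingerprint -> APK names, e.g. to count system apps sharing the platform cert."""
    groups = {}
    for name, data in apks:
        for fp in signer_cert_fingerprints(data):
            groups.setdefault(fp, []).append(name)
    return groups


# Constructed sample: two placeholder "certificates" (fingerprinting only needs the DER
# bytes, so any SEQUENCE will do) wrapped in a minimal PKCS#7 SignedData inside a zip.
SAMPLE_CERTS = [
    der_encode(0x30, b"placeholder OEM platform certificate"),
    der_encode(0x30, b"placeholder intermediate certificate"),
]


def build_sample_apk():
    signed_data = der_encode(0x30,
        der_encode(0x02, b"\x01")                            # version
        + der_encode(0x31, b"")                              # digestAlgorithms (empty in sample)
        + der_encode(0x30, der_encode(0x06, DATA_OID))       # contentInfo
        + der_encode(0xA0, b"".join(SAMPLE_CERTS))           # certificates [0] IMPLICIT
        + der_encode(0x31, b""))                             # signerInfos (empty in sample)
    pkcs7 = der_encode(0x30, der_encode(0x06, SIGNED_DATA_OID) + der_encode(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Hypothetical denylist: in practice fill it with the SHA-256 fingerprints of the abused
    # platform certificates; here it holds the first placeholder certificate.
    denylist = {fingerprint(SAMPLE_CERTS[0])}
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for fp in signer_cert_fingerprints(target):
        print(("COMPROMISED " if fp in denylist else "ok          ") + fp)
```

Caveat: this reads only the v1 (JAR) signature, which APKs built for recent API levels may omit in favour of the v2/v3 APK Signature Scheme stored in the APK Signing Block. For those, `apksigner verify --print-certs some.apk` reports the same SHA-256 certificate digest, and its output can be fed into the same denylist comparison.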
Fortunately, platform keys sign system apps, not OS updates, so the affected vendors can still roll out properly signed OTA updates that replace their system apps with versions signed by a rotated key, and Google Play Protect can be updated to recognize the new keys; rotating a platform key across a device fleet is nevertheless a significant undertaking.
Google has added detection for the compromised certificates to its Build Test Suite, which scans system images, and Google Play Protect also detects the malware. There is no evidence that this malware is or was on the Google Play Store, and Google recommends that users make sure they are running the latest Android version.
In unrelated news, ESET researchers reported that APT37, a threat group aligned with North Korea, used a previously undocumented backdoor named Dolphin to steal data from selected targets in South Korea.