Android’s 2022 platform certificate leak explained
Google disclosed a serious issue mainly affecting Samsung phones toward the end of 2022. Some platform certificates from Samsung got into the hands of bad actors, which allowed them to create malware with elevated permissions, potentially allowing hackers to hijack phones by loading tampered software on them. This appears to affect all phones from a given manufacturer, regardless of whether you have Android 13. Here’s everything we know about the vulnerability and what you can do to protect yourself and your phone.
How did these Android platform certificates leak, and how was it spotted?
It’s currently not clear how the certificates leaked. We only know that they leaked. Interestingly, it looks like one of the certificates was used by malware back in 2016. Back then, a malicious app signed with what’s now known to be a compromised certificate was logged by VirusTotal. Either some of this data is wrong, or the vulnerability went unnoticed all this time.
There is some positive takeaway from this finding. Even though 10 certificates were affected, it’s likely that they were not extracted in a single, coordinated attack but rather trickled out over time. Otherwise, the evidence we’re seeing wouldn’t be so spread out, and there wouldn’t be this 2016 outlier.

Why is an Android platform certificate leak so dangerous?
Manufacturers use platform or vendor certificates to sign software and Android versions and verify that they’re legitimate. Apps with these signatures can be trusted with elevated permissions to interact with the underlying Android system and user data. Normally, this should only allow a handful of vital system apps access to these parts of your phone. Still, when a bad actor gets their hands on these certificates, they can sign malware with it and give it the same elevated access as a legitimate application.
This malware can then be distributed to Android phones that will install it and assign all requested permissions without further questions or user interaction. That makes this attack vector very dangerous. Android malware usually has to convince users to grant it elevated permissions before it can wreak havoc on devices.

Which phones are affected by the platform certificate leak?
While Google disclosed that 10 individual certificates leaked, the only ones that were found to have been exploited were two certificates from Samsung and LG. While LG didn’t use the certificate for many of its apps, Samsung heavily uses the certificate in question for hundreds of its apps. If you have a Samsung Galaxy phone, it was likely vulnerable to the attack at some point. That said, Google worked with Samsung and the other vendors to address the vulnerability and believes it to be resolved. At this point, it’s highly unlikely that there is still malware that can use these certificates to attack your handset.
One other vendor to be affected is the manufacturer of Walmart’s Onn tablets, szroco. There is also the chip manufacturer MediaTek and Chinese ODM Revoview. It’s advised to be cautious if you own a device from one of these manufacturers or with a MediaTek chip, as the security report indicates that malware was spotted using all these certificates.
How can I protect myself from malware using a platform certificate?
Google has already updated its built-in malware scanner that’s pre-installed on all Android phones, Google Play Protect. With it in place, it should be next to impossible for malware using the illegitimately acquired platform certificates to be installed on your phone. It’s still a good idea to make sure that your Samsung Galaxy phone is updated and that you follow some basic rules for your safety.
To protect yourself from malware, you should avoid downloading apps from outside the Play Store, even when it’s supposed to be an update to an app already on your phone. For most people, it’s best to stick with the official Google Play Store platform, as there are only a few trusted and vetted sources for app distribution outside it. If someone sends you a link to download an app from somewhere that’s not the Play Store, it’s best to ignore it or look for an alternative from within the Play Store.

Still, the Play Store isn’t always perfect, and sometimes malware slips through the cracks. That’s why you will have to use common sense when installing apps. Never blindly give apps permissions they don’t need. You should also be careful about granting permission to use accessibility services when it isn’t 100% clear why the app would need those.
What are manufacturers doing to prevent platform certificate leaks?
Google gave manufacturers and other Android vendors some homework following the incident. Companies are encouraged to rotate their certificates often to limit the attack vector if a certificate leaks again for whatever reason. Vendors are also asked to use platform certificates for as few apps as possible, opting for more limited certificates otherwise. This is something that Samsung needs to work on, given that the company offers hundreds of apps using the same platform certificate.
Manufacturers are encouraged to use the latest version of the APK signing scheme, v3, which supports key rotation. This allows them to switch out an old certificate for a new one without having to push a system update to their devices. Older signing scheme versions don’t support this, so devices need to receive a system update to accept updated certificates.
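Both the trust model described earlier (an app signed with the platform certificate inherits signature-level permissions) and the v3 rotation mechanism just mentioned hinge on what sits in an APK's signing block. The script below is an added example, not code from the article or from Google, Samsung, or any vendor named here. It locates the APK Signing Block, pulls the signer certificates out of the v2 (ID 0x7109871a) and v3 (ID 0xf05368c0) blocks, computes each certificate's SHA-256 fingerprint, checks it against a watch list of compromised-certificate fingerprints, and reports whether a v3 signer carries the proof-of-rotation attribute (ID 0x3ba06f8c) that makes certificate rotation possible. It does not verify the signatures themselves; that remains apksigner's job. The sample APK, the certificate bytes and the watch-list entries are constructed placeholders; in practice the watch list would hold the fingerprints Google published for the leaked certificates and the scan would run over real APKs.

```python
"""Find an APK's Signing Block, extract v2/v3 signer certificates and flag
any certificate whose SHA-256 is on a watch list (added example)."""
import hashlib
import io
import struct
import zipfile

V2_ID, V3_ID = 0x7109871A, 0xF05368C0      # APK Signature Scheme v2 / v3 block IDs
ROTATION_ATTR_ID = 0x3BA06F8C              # v3 proof-of-rotation (lineage) attribute
MAGIC = b"APK Sig Block 42"

# Constructed stand-ins: not real certificates, not the fingerprints Google published.
COMPROMISED_CERT = b"constructed DER placeholder for a leaked platform certificate"
CLEAN_CERT = b"constructed DER placeholder for a rotated, uncompromised certificate"
WATCH_LIST = {hashlib.sha256(COMPROMISED_CERT).hexdigest()}


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _lp(buf, off):
    """Read one uint32-length-prefixed blob starting at `off`."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def _seq(blob):
    """Split a sequence of length-prefixed elements into a list."""
    out, off = [], 0
    while off < len(blob):
        item, off = _lp(blob, off)
        out.append(item)
    return out


def find_signing_block(apk):
    """Return the ID -> value pairs of the APK Signing Block, or {} if absent."""
    eocd = apk.rfind(b"PK\x05\x06")                      # End of Central Directory
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]  # central directory offset
    if apk[cd_off - 16:cd_off] != MAGIC:                  # block sits right before the CD
        return {}
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]  # size excludes leading size field
    off, end, pairs = cd_off - size, cd_off - 24, {}
    while off < end:                                      # uint64 len, uint32 id, value
        n = struct.unpack_from("<Q", apk, off)[0]
        off += 8
        pairs[struct.unpack_from("<I", apk, off)[0]] = apk[off + 4:off + n]
        off += n
    return pairs


def signer_certs(block, scheme):
    """Return (cert_der, has_rotation_proof) for every signer in a v2/v3 block."""
    results = []
    signers, _ = _lp(block, 0)
    for signer in _seq(signers):
        signed_data, _ = _lp(signer, 0)
        _digests, off = _lp(signed_data, 0)
        certs, off = _lp(signed_data, off)
        if scheme == 3:
            off += 8                                      # skip minSDK / maxSDK (v3 only)
        attrs, _ = _lp(signed_data, off)
        rotated = any(struct.unpack_from("<I", a)[0] == ROTATION_ATTR_ID for a in _seq(attrs))
        results.extend((cert, rotated) for cert in _seq(certs))
    return results


def scan_apk(apk, watch_list):
    """One finding per signer certificate: scheme, fingerprint, watch-list hit, rotation."""
    findings, pairs = [], find_signing_block(apk)
    for scheme, pid in ((2, V2_ID), (3, V3_ID)):
        for cert, rotated in signer_certs(pairs[pid], scheme) if pid in pairs else []:
            fp = hashlib.sha256(cert).hexdigest()
            findings.append({"scheme": scheme, "sha256": fp,
                             "compromised": fp in watch_list, "rotated": rotated})
    return findings


def _enc(b):
    return struct.pack("<I", len(b)) + b


def build_sample_apk(cert_der, rotated):
    """Constructed sample: a minimal zip with a synthetic v3 signing block spliced in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed manifest placeholder>")
    raw = buf.getvalue()
    eocd = raw.rfind(b"PK\x05\x06")
    cd_off = struct.unpack_from("<I", raw, eocd + 16)[0]
    attrs = _enc(struct.pack("<I", ROTATION_ATTR_ID) + b"lineage") if rotated else b""
    signed_data = _enc(b"") + _enc(_enc(cert_der)) + struct.pack("<II", 28, 33) + _enc(attrs)
    signer = _enc(signed_data) + struct.pack("<II", 28, 33) + _enc(b"") + _enc(b"pubkey")
    v3 = _enc(_enc(signer))
    pair = struct.pack("<QI", 4 + len(v3), V3_ID) + v3
    size = len(pair) + 24
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + MAGIC
    out = raw[:cd_off] + block + raw[cd_off:]             # local entries stay in place
    e = out.rfind(b"PK\x05\x06")
    return out[:e + 16] + struct.pack("<I", cd_off + len(block)) + out[e + 20:]


if __name__ == "__main__":
    for apk in (build_sample_apk(COMPROMISED_CERT, False), build_sample_apk(CLEAN_CERT, True)):
        for finding in scan_apk(apk, WATCH_LIST):
            print(finding)
```

The check is deliberately limited to what the signing block exposes: whether a known-bad certificate is among the signers, and whether the v3 signer carries a rotation lineage. A device that has rotated its platform key would present a new certificate with that lineage, while an app signed only with a leaked, unrotated certificate would show up as a watch-list hit with no rotation proof.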

It looks like the situation is contained now, though there are a few lingering questions. It’s still unclear how the certificates leaked in the first place. They should be some of the best-protected assets for software engineers, as they can wreak havoc in the wrong hands. It’s also unclear how exactly the 2016 incident with the Samsung-certified malware plays into the situation and whether it is related to what is happening now.