While Google grows Its open source Android mobile operating system, the “original equipment manufacturers” that make Android smartphones, like Samsung, play a big role in regulating and securing the OS for their devices. But a new discovery that Google public announcement on Thursday it was revealed that a number of digital certificates used by vendors to authenticate critical system applications had recently been compromised and had been misused to stamp approval for applications. malicious Android apps.
Like most computer operating systems, Google’s Android is designed with a “privilege” model in mind, so different software runs on your Android phone, from third-party apps to the system itself. operating system, are restricted as much as possible and are only allowed to access the system. based on their needs. This keeps the latest game you’re playing from silently collecting all your passwords while still allowing the photo editing app to access your camera roll and the entire structure is enforced by technical certificates number is signed with a cryptographic key. If the keys are compromised, an attacker can grant their own software permissions that shouldn’t be.
Google said in a statement on Thursday that Android device makers have implemented mitigations, rotated the keys, and automatically rolled out fixes to users’ phones. And the company added scanner detection for any malware that tries to abuse compromised certificates. Google said it found no evidence that the malware had sneaked into the Google Play Store, meaning it was making rounds through a third-party distribution. Disclosure and coordination to address the threat occurred through a consortium known as the Android Partner Vulnerability Initiative.
“Although the attack was pretty bad, this time we got lucky because OEMs were able to quickly rotate the keys,” said Zack Newman, a researcher at software supply chain security firm Chainguard. affected by sending device updates over the network”. did some analysis of the case.
Misusing a compromised “platform certificate” would allow an attacker to create anointed and authoritative malware without having to trick users into granting them. Google’s report by Android reverse engineer Łukasz Siewierski provides several samples of malware that is taking advantage of stolen certificates. They point to Samsung and LG as two of the manufacturers whose certificates were compromised, among others.
LG did not return a request for comment from WIRED. Samsung acknowledged the compromise in a statement, saying there were “no known security incidents related to this potential vulnerability.”
While Google seems to have grasped the issue before it got complicated, the incident highlighted the fact that security measures can become the sole point of failure if they are not thoughtfully designed. and be as transparent as possible. Google itself debut a mechanism last year called Google Binary Transparency can act as a mechanism to check if the Android version running on the device is the intended, verified version. There are situations where an attacker can have so much access to a target’s system that they can defeat such logging tools, but they are worth deploying to minimize damage and attack. flag suspicious behavior in as many situations as possible.
As always, the best protection for users is software updates on all their devices.
“The reality is, we will see attackers continue to pursue this type of access,” said Chainguard’s Newman. “But this challenge is not unique to Android, and the good news is that security engineers and researchers have made significant progress in building solutions that prevent, detect, and enable recovery from attacks. this attack.”
