
Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Bleeping Computer reports that the Android platform signing certificates for several manufacturers have leaked and been used to sign malware.

However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.
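As an added illustration (not part of the LWN item or the Bleeping Computer article, and not code from Google or any of the named vendors): a small Python triage script that flags an APK whose signing certificate is on a denylist of leaked platform certificates, and notes when such a package also requests `android.uid.system`, which is what makes a platform-signed app so dangerous. The `apksigner verify --print-certs` output format and the manifest `android:sharedUserId` attribute are real Android tooling; the certificate digests, the sample apksigner output and the sample manifest are constructed placeholders, since the page does not give the real fingerprints.

```python
"""Triage helper for the platform-certificate leak described above.

Added example, not code from the LWN item, Bleeping Computer, Google or any
vendor. Assumptions (none of them from the original page):
  * input is the text printed by `apksigner verify --print-certs <apk>`
    plus the APK's decoded AndroidManifest.xml;
  * LEAKED_PLATFORM_CERTS maps SHA-256 certificate digests to labels. The
    digests below are PLACEHOLDERS constructed for this example; real values
    must come from the vendor or Google disclosures.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# PLACEHOLDER digests, constructed for this example (not real leaked certificates).
LEAKED_PLATFORM_CERTS = {
    "00" * 32: "placeholder: vendor A platform certificate",
    "11" * 32: "placeholder: vendor B platform certificate",
}

# apksigner prints one block of lines per signer; only the DN and SHA-256 matter here.
_DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.M)
_SHA256_RE = re.compile(r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})$", re.M)


def parse_apksigner_output(text):
    """Map signer number -> {"dn": ..., "sha256": ...} from --print-certs output."""
    signers = {}
    for num, dn in _DN_RE.findall(text):
        signers.setdefault(int(num), {})["dn"] = dn.strip()
    for num, digest in _SHA256_RE.findall(text):
        signers.setdefault(int(num), {})["sha256"] = digest.lower()
    return signers


def shared_user_id(manifest_xml):
    """Return the android:sharedUserId declared in the manifest, or None."""
    root = ET.fromstring(manifest_xml)
    return root.get("{%s}sharedUserId" % ANDROID_NS)


def triage(apksigner_text, manifest_xml):
    """Return a list of findings; an empty list means no leaked-cert match.

    A valid signature proves nothing once the key has leaked: Android grants
    signature-level permissions and the system UID (android.uid.system) purely
    on the basis of a certificate match, so the certificate itself is what to check.
    """
    findings = []
    signers = parse_apksigner_output(apksigner_text)
    uid = shared_user_id(manifest_xml)
    for num, info in sorted(signers.items()):
        label = LEAKED_PLATFORM_CERTS.get(info.get("sha256", ""))
        if label is None:
            continue
        findings.append("signer #%d (%s) uses a leaked certificate: %s"
                        % (num, info.get("dn", "?"), label))
        if uid == "android.uid.system":
            findings.append("signer #%d: manifest also requests android.uid.system, "
                            "so the package would run with the system UID" % num)
    return findings


# Constructed sample input (not output from a real APK).
SAMPLE_APKSIGNER_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
Signer #1 certificate DN: CN=Placeholder Platform, O=Example Vendor
Signer #1 certificate SHA-256 digest: %s
Signer #1 certificate SHA-1 digest: %s
Signer #1 certificate MD5 digest: %s
""" % ("00" * 32, "00" * 20, "00" * 16)

SAMPLE_MANIFEST = ('<manifest xmlns:android="%s" package="com.example.fakeupdater" '
                   'android:sharedUserId="android.uid.system"/>' % ANDROID_NS)

if __name__ == "__main__":
    for line in triage(SAMPLE_APKSIGNER_OUTPUT, SAMPLE_MANIFEST):
        print(line)
```

Run over an installed package set, the same check would be fed from `apksigner` (or the cert digest shown by `pm`/`dumpsys`) per package; the denylist has to be maintained from the disclosures, and the script deliberately does not try to "re-validate" the signature, because a correctly signed APK is exactly the problem here.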



Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 3, 2022 7:56 UTC (Sat) by oldtomas (guest, #72579) [Link]

Given the history of disrespect Samsung and LG show for their users, I tend to keep a safe distance to their products, if I can ever manage.

Mediatek... I don't know whether it's possible to avoid them and still be posting stuff on the Internet.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 8, 2022 0:51 UTC (Thu) by bartoc (subscriber, #124262) [Link]

Indeed, I just bought a Samsung phone and ended up going and returning it after it force-installed an unremovable bitcoin wallet.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 3, 2022 8:29 UTC (Sat) by LtWorf (subscriber, #124958) [Link]

Remember the wifi vulnerability that made all the wifi clients require a fix?

Samsung didn't upgrade for almost a year.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 4, 2022 13:22 UTC (Sun) by parametricpoly (subscriber, #143903) [Link]

You are supposed to fix these issues by buying the very latest flagship model, not wait for updates like some poor peasants.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 5, 2022 10:22 UTC (Mon) by eduperez (guest, #11232) [Link]

Android's "update train" is a serious threat to the platform... code is modified upstream, then Google has to pick the patches, then the manufacturer has to update the platform, and sometimes even the carrier has the final saying about what goes into the devices.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 5, 2022 21:46 UTC (Mon) by khim (subscriber, #9252) [Link]

> sometimes even the carrier has the final saying about what goes into the devices

Sadly that's where the whole charade starts. There are countries where almost all phones are sold as customized by carriers (Japan, US, some others) and they are important enough that a system which wouldn't allow carriers to stuff silly things into their phones wouldn't be accepted.

They accept iPhones, usually, but nothing else. And Apple fought for that privilege many years with the most desirable phone (at the time).

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 8, 2022 0:55 UTC (Thu) by bartoc (subscriber, #124262) [Link]

fwiw in the US carriers don't really reject unlocked phones that much anymore, I think Verizon sometimes might, but generally you can just buy an unlocked phone and throw a SIM card in it with no problems. Well, no problems except that US carriers use different bands than EU carriers, so you still need a (probably more expensive) US variant of the phone.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 8, 2022 1:54 UTC (Thu) by khim (subscriber, #9252) [Link]

I was able to do that 15 years ago, no problem. The problem is that people don't know that and still buy phones from carriers.

Apple was using all its weight and played AT&T against Verizon to make it possible to deliver its highly hyped device to US citizens.

Google wasn't willing to take such a huge gamble and it's not clear whether they would have succeeded given the fact that there were many established players like Microsoft, RIM, Nokia… they were in a race after the introduction of the iPhone and couldn't afford the multi-year effort required to push through the carriers' defenses.

And before they may try that they would need to make it impossible to create Android without Google's involvement (that carriers may like). Somehow.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 8, 2022 16:18 UTC (Thu) by Wol (subscriber, #4433) [Link]

In Europe carriers don't have any choice. I'm not sure when it came about, but once the contract expired, they were told "it's not your phone, you MUST unlock it if the customer asks". And once you've got loads of unlocked phones floating around, carriers can't afford not to accept them.

Cheers,
Wol

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 8, 2022 20:49 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

It used to be that carriers would give the consumer a substantial discount, at least in terms of up-front cost (and then make it up on your monthly bill, so you weren't actually getting a good deal, but you could tell yourself that you "saved" hundreds of dollars). Nowadays, they seem to have realized that they don't have to do that, and consumers will still buy through them anyway. I wonder how long it will last.

> Apple was using all its weight and played AT&T against Verizon to make it possible to deliver its highly hyped device to US citizens.

To my mind, at least part of the problem here was Verizon's sheer arrogance in thinking that they could dictate terms and not let any unlocked devices onto their network. Apple called their bluff.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 9, 2022 12:32 UTC (Fri) by farnz (subscriber, #17727) [Link]

In the UK, the other thing that's appeared is cheap SIM-only contracts. It used to be the case that I could get an £800 phone from my carrier for £600 and pay £25/month for 12 months service, or I could buy the £800 phone separately from my carrier and pay £25/month for 12 months service. In this scenario, by buying the phone from my carrier, I'd save £200.

That's no longer the case - I now get the choice between buying the £800 phone separately, and paying £20/month for service, or buying the phone from my carrier for £600, and paying £40/month for the same service I'd get for £20/month on a SIM-only contract. It now costs me 20% more to buy via the carrier, when I can get a credit card which will cost me 17% more over the same time assuming I pay off the extra £200 from buying the phone outright at £20/month.

That, in turn, has moved people away from buying phones through the carrier - if the carrier won't give me a subsidy for accepting their restrictions, why shouldn't I buy the phone elsewhere without their restrictions?

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 9, 2022 18:19 UTC (Fri) by khim (subscriber, #9252) [Link]

> To my mind, at least part of the problem here was Verizon's sheer arrogance in thinking that they could dictate terms and not let any unlocked devices onto their network. Apple called their bluff.

It wasn't a bluff. Apple just managed to find a smaller carrier who was desperate enough yet still popular enough for Apple's gamble to work.

And it was very much a gamble: recall how carriers effectively managed to kick Nokia out of the US market.

Nokia was very much a market leader everywhere but in the US. Of course when Apple had shown how desirable a finger-driven device may be, Nokia panicked and was destroyed by Microsoft, but that's another story.

And Apple's gamble worked only because it's an even more locked-down device than a carrier's regular phone, thus carriers couldn't offer anything comparable without signing an agreement with them.

He who fights too long against dragons becomes a dragon himself…

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 3, 2022 12:23 UTC (Sat) by karim (subscriber, #114) [Link]

The significance of this cannot be understated. This goes to the heart of the Android chain of trust. And if it's been seen for a few then it's likely been going on for some time. It's especially significant that it involves several vendors. This would seem to imply that those keys would have been circulating. I'm not sure we'll ever find out publicly how they leaked, but I'd be very curious. I'm also very curious to see what sort of mitigation the Android team will devise to try to solve this. Surely they can offer to counter-sign/certify platform/vendor APKs for their partners through some form of partner portal. They could run their usual cloud malware suite on such APKs before signing them and on an ongoing basis thereafter like they do for Play Store apps.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 5, 2022 2:15 UTC (Mon) by ssmith32 (subscriber, #72404) [Link]

Since 2016, at least, going by Samsung's own reports...

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 3, 2022 14:16 UTC (Sat) by mss (subscriber, #138799) [Link]

Is there a list of affected phone models somewhere?

Or is every Samsung and LG Android phone affected (probably not)?

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 6, 2022 5:12 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]

As I understand it, it's not per-model. If you sideload apps, the author can pretend to be Samsung. Or if you use a store like F-Droid, I imagine that could be used to deliver spoofed apps as well. In theory Google Play should be vulnerable, but hopefully Samsung and LG pay attention when they get a notification about one of "their" apps being added... hopefully...

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 6, 2022 5:14 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]

Think of it more like DigiNotar

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 6, 2022 15:59 UTC (Tue) by mss (subscriber, #138799) [Link]

> In theory Google Play should [be] vulnerable

I thought these leaked certs can only be used to sign apps, do they also allow accessing manufacturer's Google Play account and uploading apps under that account?

By the way, it feels weird that Google Play store would even allow new installs of such super-privileged apps via the ordinary app install flow.
I would think these apps (at best) should be update-only (obviously won't help if manufacturer's Google Play account is also compromised).

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 4, 2022 23:13 UTC (Sun) by NZheretic (guest, #409) [Link]

Maybe just relying on signed certificates is no longer enough; instead, shift up to third-party reproducible builds.

From Twelve Step TrustABLE IT : VLSBs in VDNZs From TBAs
[12] Governments, organizations and individuals are becoming increasingly concerned about software compatibility, conflicts and the possible existence of spyware in the software applications they use. If you have access to the source code, then you can check it and compile it for yourself. This is not an option for closed source proprietary applications, and not everyone has the resources to check each line of source code. One solution for these issues is to employ a trusted third party, separate from the application developer, who is tasked with maintaining a trusted build environment, to build the binaries from source code. The Trusted Build Agent (TBA) would hold the source to each build in escrow, releasing the source code for only open source licensed code. Competing businesses providing a TBA service in a free market would compete with each other in not only price and level of certification, but also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code. You could request a trusted build from multiple TBAs to test the ability to detect defects. Defects would be reported back to the application developers, along with any patches and suggestions that provide a fix. To a lesser extent, most Linux distributions and other operating system vendors that build and redistribute open source licensed code already provide this role.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 5, 2022 6:38 UTC (Mon) by oldtomas (guest, #72579) [Link]

"[...] compete with each other [...] also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code"

I can't help it, but this sounds to me like the perfect recipe for snake oil (I don't mean reproducible builds themselves: those seem to be a good idea).

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 5, 2022 18:29 UTC (Mon) by NZheretic (guest, #409) [Link]

Significantly mitigated by developers' ability to present the evidence of false positives of any "hostile, vulnerable, incompatible or just plain buggy source code",
either in public, arbitration or in court.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 7, 2022 12:41 UTC (Wed) by eharris (guest, #144549) [Link]

"Trust" .... yes, I've heard of it!!
....but I've also heard of SolarWinds.....
....and the so called "Ken Thompson hack".....

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 9, 2022 7:04 UTC (Fri) by pabs (subscriber, #43278) [Link]

Does anyone know if these keys could be used to gain root access to a device, and thus replace the proprietary vendor fork of Android with a FLOSS distro?

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 9, 2022 8:00 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

Root, potentially, but it's not the key that signs the firmware so you're still going to be stuck with the underlying vendor OS to some extent.

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 9, 2022 8:18 UTC (Fri) by pabs (subscriber, #43278) [Link]

Which parts could you replace? The rootfs? Linux? bootloaders?

Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)

Posted Dec 9, 2022 10:26 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

None of those. Assuming a correct dm-verity implementation, you could only replace things that are installed as APKs, but potentially including system-level APKs.


Copyright © 2022, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds