Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)
However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps.
Posted Dec 3, 2022 7:56 UTC (Sat) by oldtomas (guest, #72579) [Link]
Mediatek... I don't know whether it's possible to avoid them and still be posting stuff on the Internet.
Posted Dec 8, 2022 0:51 UTC (Thu) by bartoc (subscriber, #124262) [Link]
Posted Dec 3, 2022 8:29 UTC (Sat) by LtWorf (subscriber, #124958) [Link]
Samsung didn't upgrade for almost a year.
Posted Dec 4, 2022 13:22 UTC (Sun) by parametricpoly (subscriber, #143903) [Link]
Posted Dec 5, 2022 10:22 UTC (Mon) by eduperez (guest, #11232) [Link]
Posted Dec 5, 2022 21:46 UTC (Mon) by khim (subscriber, #9252) [Link]
> sometimes even the carrier has the final saying about what goes into the devices

Sadly that's where the whole charade starts. There are countries where almost all phones are sold as customized by carriers (Japan, US, some others) and they are important enough that a system which wouldn't allow carriers to stuff silly things into their phones wouldn't be accepted.
They accept iPhones, usually, but nothing else. And Apple fought for that privilege many years with the most desirable phone (at the time).
Posted Dec 8, 2022 0:55 UTC (Thu) by bartoc (subscriber, #124262) [Link]
Posted Dec 8, 2022 1:54 UTC (Thu) by khim (subscriber, #9252) [Link]
I was able to do that 15 years ago, no problem. The problem is that people don't know that and still buy phones from carriers.
Apple was using all its weight and played AT&T against Verizon to make it possible to deliver its highly hyped device to US citizens.
Google wasn't willing to take such a huge gamble, and it's not clear whether they would have succeeded given that there were many established players like Microsoft, RIM, Nokia… they were in a race after the introduction of the iPhone and couldn't afford the multi-year effort required to push through the carriers' defense.
And before they could try that, they would need to make it impossible to create Android without Google's involvement (which carriers may like). Somehow.
Posted Dec 8, 2022 16:18 UTC (Thu) by Wol (subscriber, #4433) [Link]
Cheers,
Wol
Posted Dec 8, 2022 20:49 UTC (Thu) by NYKevin (subscriber, #129325) [Link]
> Apple was using all its weight and played AT&T against Verizon to make it possible to deliver its highly hyped device to US citizens.
To my mind, at least part of the problem here was Verizon's sheer arrogance in thinking that they could dictate terms and not let any unlocked devices onto their network. Apple called their bluff.
Posted Dec 9, 2022 12:32 UTC (Fri) by farnz (subscriber, #17727) [Link]
In the UK, the other thing that's appeared is cheap SIM-only contracts. It used to be the case that I could get an £800 phone from my carrier for £600 and pay £25/month for 12 months service, or I could buy the £800 phone separately from my carrier and pay £25/month for 12 months service. In this scenario, by buying the phone from my carrier, I'd save £200.
That's no longer the case - I now get the choice between buying the £800 phone separately, and paying £20/month for service, or buying the phone from my carrier for £600, and paying £40/month for the same service I'd get for £20/month on a SIM-only contract. It now costs me 20% more to buy via the carrier, when I can get a credit card which will cost me 17% more over the same time assuming I pay off the extra £200 from buying the phone outright at £20/month.
That, in turn, has moved people away from buying phones through the carrier - if the carrier won't give me a subsidy for accepting their restrictions, why shouldn't I buy the phone elsewhere without their restrictions?
Posted Dec 9, 2022 18:19 UTC (Fri) by khim (subscriber, #9252) [Link]
> To my mind, at least part of the problem here was Verizon's sheer arrogance in thinking that they could dictate terms and not let any unlocked devices onto their network. Apple called their bluff.

It wasn't a bluff. Apple just managed to find a smaller carrier who was desperate enough yet still popular enough for Apple's gamble to work.
And it was very much a gamble: recall how carriers effectively managed to kick Nokia out of the US market.
Nokia was very much a market leader everywhere but in the US. Of course, when Apple had shown how desirable a finger-driven device could be, Nokia panicked and was destroyed by Microsoft, but that's another story.
And Apple's gamble worked only because it was an even more locked-down device than a carrier's regular phone, so carriers couldn't offer anything comparable without signing an agreement with them.
He who fights too long against dragons becomes a dragon himself…
Posted Dec 3, 2022 12:23 UTC (Sat) by karim (subscriber, #114) [Link]
Posted Dec 5, 2022 2:15 UTC (Mon) by ssmith32 (subscriber, #72404) [Link]
Posted Dec 3, 2022 14:16 UTC (Sat) by mss (subscriber, #138799) [Link]
Or is every Samsung and LG Android phone affected (probably not)?
Posted Dec 6, 2022 5:12 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]
Posted Dec 6, 2022 5:14 UTC (Tue) by ssmith32 (subscriber, #72404) [Link]
Posted Dec 6, 2022 15:59 UTC (Tue) by mss (subscriber, #138799) [Link]
> In theory Google Play should [be] vulnerable

I thought these leaked certs could only be used to sign apps; do they also allow accessing the manufacturer's Google Play account and uploading apps under that account?
By the way, it feels weird that Google Play store would even allow new installs of such super-privileged apps via the ordinary app install flow.
I would think these apps (at best) should be update-only (obviously won't help if manufacturer's Google Play account is also compromised).
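The "update-only" rule suggested above, written out as a store-side install policy. This is an added example, not code from the thread or from Google Play; the certificate bytes and package names are constructed placeholders, and the fingerprint is SHA-256 over the signing certificate's DER, the same value `apksigner verify --print-certs` reports.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded signing certificates (placeholders,
# not the real OEM platform certificates).
PLATFORM_CERT_DER = b"constructed: OEM platform certificate (placeholder DER)"
THIRD_PARTY_CERT_DER = b"constructed: ordinary developer certificate (placeholder DER)"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded signing certificate."""
    return hashlib.sha256(cert_der).hexdigest()


# Signers whose apps receive platform (shared-system-UID) privilege on device.
PLATFORM_SIGNERS = {fingerprint(PLATFORM_CERT_DER)}


@dataclass(frozen=True)
class InstallRequest:
    package: str
    signer: str                        # fingerprint of the APK's signing cert
    installed_signer: Optional[str]    # fingerprint of the installed version, if any


def decide(req: InstallRequest) -> Tuple[bool, str]:
    """Return (allowed, reason) for a store-side install decision.

    Rules, most to least restrictive:
    1. An update must be signed by the same certificate as the installed app
       (the device enforces this anyway; the store rejects it early).
    2. A platform-signed package may only update an existing platform-signed
       install; it may never arrive as a fresh install via the ordinary flow.
    3. Anything else is an ordinary install or update.
    """
    if req.installed_signer is not None and req.installed_signer != req.signer:
        return False, "signer mismatch with installed version"
    if req.signer in PLATFORM_SIGNERS:
        if req.installed_signer is None:
            return False, "platform-signed package may not be freshly installed"
        return True, "update to existing platform-signed package"
    return True, "ordinary install or update"
```

Rule 2 is the one the comment proposes; rule 1 only mirrors the device's own same-signer check so a mismatch never reaches it.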
Posted Dec 4, 2022 23:13 UTC (Sun) by NZheretic (guest, #409) [Link]
Maybe just relying on signed certificates is no longer enough; instead, shift to third-party reproducible builds.
From Twelve Step TrustABLE IT: VLSBs in VDNZs From TBAs[12]:

> Governments, organizations and individuals are becoming increasingly concerned about software compatibility, conflicts and the possible existence of spyware in the software applications they use. If you have access to the source code, then you can check it and compile it for yourself. This is not an option for closed source proprietary applications, and not everyone has the resources to check each line of source code. One solution for these issues is to employ a trusted third party, separate from the application developer, who is tasked with maintaining a trusted build environment, to build the binaries from source code. The Trusted Build Agent (TBA) would hold the source to each build in escrow, releasing the source code for only open source licensed code. Competing businesses providing a TBA service in a free market would compete with each other in not only price and level of certification, but also on the ability to detect hostile, vulnerable, incompatible or just plain buggy source code. You could request a trusted build from multiple TBAs to test the ability to detect defects. Defects would be reported back to the application developers, along with any patches and suggestions that provide a fix. To a lesser extent, most Linux distributions and other operating system vendors that build and redistribute open source licensed code already provide this role.
Posted Dec 5, 2022 6:38 UTC (Mon) by oldtomas (guest, #72579) [Link]
I can't help it, but this sounds to me like the perfect recipe for snake oil (I don't mean reproducible builds themselves: those seem to be a good idea).
Posted Dec 5, 2022 18:29 UTC (Mon) by NZheretic (guest, #409) [Link]
either in public, arbitration or in court.
Posted Dec 7, 2022 12:41 UTC (Wed) by eharris (guest, #144549) [Link]
....but I've also heard of SolarWinds.....
....and the so called "Ken Thompson hack".....
Posted Dec 9, 2022 7:04 UTC (Fri) by pabs (subscriber, #43278) [Link]
Posted Dec 9, 2022 8:00 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
Posted Dec 9, 2022 8:18 UTC (Fri) by pabs (subscriber, #43278) [Link]
Posted Dec 9, 2022 10:26 UTC (Fri) by mjg59 (subscriber, #23239) [Link]