Last updated at Fri, 02 Dec 2022 22:59:44 GMT
On November 30, 2022, a Google apvi report from Łukasz Siewierski initially filed on November 11, 2022 was made public. The report contained 10 different platform certificates and malware sample SHA256 sums where the malware sample had been signed by a platform certificate — the application signing certificate used to sign the “Android” application on the system image. Applications signed with platform certificates can therefore run with the same level of privileges as the “Android” application, yielding system privileges on the operating system without user input. Google has recommended that affected parties should rotate their platform certificate. However, platform certificates are considered very sensitive, and the source of these certificates is unknown at this time.
Impact and Remediation
This use of platform certificates to sign malware indicates that a sophisticated adversary has gained privileged access to very sensitive code signing certificates. Any application signed by these certificates could gain complete control over the victim device. Rapid7 does not have any information that would indicate a particular threat actor group as being responsible, but historically, these types of techniques have been preferred by state-sponsored actors. That said, a triage-level analysis of the malicious applications reported shows that the signed applications are adware — a malware type generally considered less sophisticated. This finding suggests that these platform certificates may have been widely available, as state-sponsored actors tend to be more subtle in their approach to highly privileged malware.
We note that although these platform certificates are very sensitive, the over-the-air update certificates are different, and so these cannot be used to push malicious updates.
In cases where the malware can be detected on user devices, it should be remediated immediately. The Google apvi report contains the relevant hashes and we have also listed them at the bottom of this post.
Indicators of Compromise
SHA256 File Hashes
e4e28de8ad3f826fe50a456217d11e9e6a80563b35871ac37845357628b95f6a
5c173df9e86e959c2eadcc3ef9897c8e1438b7a154c7c692d0fe054837530458
b1f191b1ee463679c7c2fa7db5a224b6759c5474b73a59be3e133a6825b2a284
19c84a2386abde0c0dae8661b394e53bf246f6f0f9a12d84cfc7864e4a809697
0251bececeffbf4bf90eaaad27c147bb023388817d9fbec1054fac1324c6f8bf
c612917d68803efbd2f0e960ade1662be9751096afe0fd81cee283c5a35e7618
6792324c1095458d6b78e92d5ae003a317fe3991d187447020d680e99d9b6129
091733658c7a32f4673415b11733ae729b87e2a2540c87d08ba9adf7bc62d7ed
5aaefc5b4fb1e1973832f44ba2d82a70106d3e8999680df6deed3570cd30fb97
32b9a33ad3d5a063cd4f08e0739a6ce1e11130532fd0b7e13a3a37edaf9893eb