Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware (arstechnica.com)
Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.
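An added example, not taken from the article or the APVI post: a triage pass over an app inventory that flags packages whose signer matches a listed certificate, separating firmware apps (which carry the OEM platform certificate by design) from user-installed ones that also request the system shared UID. The digest is a placeholder, and the record layout, the `origin` field and the package names are assumptions; the signer text follows the layout printed by `apksigner verify --print-certs`.

```python
import re

# Constructed placeholder. The real certificate digests are in the APVI tracker
# entry the story refers to and are not reproduced on this page.
LEAKED_CERT_SHA256 = {"ab" * 32}
SYSTEM_UID = "android.uid.system"  # android:sharedUserId value in the manifest

DIGEST_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(print_certs_text):
    """Pull signer SHA-256 digests out of `apksigner verify --print-certs` text."""
    return {d.lower() for d in DIGEST_RE.findall(print_certs_text)}

def triage(pkg, leaked=LEAKED_CERT_SHA256):
    """Classify one inventory record (hypothetical dict layout)."""
    if not signer_digests(pkg["print_certs"]) & leaked:
        return "ok"
    if pkg["origin"] == "firmware":
        # OEM apps legitimately carry the platform cert until it is rotated.
        return "expected-until-rotation"
    if pkg.get("shared_user_id") == SYSTEM_UID:
        return "critical"      # user-installed, leaked cert, runs as system UID
    return "suspicious"        # user-installed, leaked cert

def sample_certs(digest):
    # Constructed sample in apksigner's output layout.
    return ("Signer #1 certificate DN: CN=Example\n"
            f"Signer #1 certificate SHA-256 digest: {digest}\n"
            f"Signer #1 certificate SHA-1 digest: {'00' * 20}\n")

# Constructed inventory; package names are made up.
INVENTORY = [
    {"name": "com.example.notes", "origin": "user",
     "shared_user_id": None, "print_certs": sample_certs("cd" * 32)},
    {"name": "com.example.oem.settings", "origin": "firmware",
     "shared_user_id": SYSTEM_UID, "print_certs": sample_certs("ab" * 32)},
    {"name": "com.example.flashlight", "origin": "user",
     "shared_user_id": SYSTEM_UID, "print_certs": sample_certs("AB" * 32)},
    {"name": "com.example.wallpaper", "origin": "user",
     "shared_user_id": None, "print_certs": sample_certs("ab" * 32)},
]

def report(inventory=INVENTORY):
    return {p["name"]: triage(p) for p in inventory}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:24} {name}")
```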
Going forward ... (Score:3)
Samsung will use two keys and they will have to be used at least 8 feet apart ...
User Control (Score:2)
So this is primarily a problem because it allows malware to appear to be an official Samsung application. But I'm wondering what, if anything, this may allow phone owners to do that they couldn't easily do before? Are there any particular things this would unlock?
Re: (Score:3)
Huh? (Score:2)
> Imagine a more evil version of Google Play Services, and you get the idea
I dunno. Google Play Services is pretty evil. Why does it need access to my messages? It never explains.
It is more trustworthy because it is Google? Like they should be trusted.
Re: (Score:2)
> Why does it need access to my messages? It never explains. It is more trustworthy because it is Google? Like they should be trusted.
If you use Android you end up fully "trusting" Google because they control the operating system so there's not much point in worrying about that. "Play services" has little to do with Play as in the app market. Play Services is Google's hack to remain in control of Android by bundling a bunch of key functions into a proprietary bit where Microsoft and Amazon can't copy and build on them. The "Why" bit is simple. Play services has to be able to do more or less anything so that they can build extra special suf
Re: Huh? (Score:2)
Re: (Score:2)
What? Amazon has its app store a replacement for the play store. Samsung has its own suite of apps often duplicating Google functionality.
Samsung is a special case because they have an agreement with Google to allow them to bundle both their own extensions and Google's, in return for which they follow Google's rules elsewhere. Samsung also bundles Google's apps and most Samsung users use Gmail and Google maps at least whilst in most places Samsung's apps don't get anywhere near the usage.
Amazon attempted to enter Google's space, their fire phone was a disaster which is now used as a lesson in failure [maestrolearning.com], first they killed the phone team [the-digital-reader.com] and the
Re: (Score:2)
Samsung has some "special" apps. For example, if you have a Samsung device (well several of their tablet devices at least) it comes with a Kindle app that allows you to buy a book directly in the app. The version from the Google Play store does not allow that.
Re: Huh? (Score:2)
Knox (Score:1)
So, what should users do ?!? (Score:2)
Re:So, what should users do ?!? (Score:4, Interesting)
> so, if you have a Samsung Android phone, should you be worried? Anything you should do / avoid?
Don't install new apps until the cert has been revoked.
I am in this position with two Samsung phones in the house.
Re: (Score:2)
> I am in this position with two Samsung phones in the house.
Will a revoked cert affect apps already installed? There's a lot of cheap Samsung phones who don't get any app or other updates.
Re: (Score:2)
I don't know. I didn't design those phones.
I'm hoping someone in the know can tell us. TFA left me with questions.
Re: So, what should users do ?!? (Score:2)
It depends on what the platform is designed to do and how the key handling is implemented.
If the key is only checked at installation then any new apps or app updates can be risky, also apps from the official store.
What a certificate might permit is full level system access without the need for user approval. Blocking this means a new system update with the compromised certificate removed/blocked.
But older devices might suffer if they no longer are supported.
Let's hope there are more details soon (Score:1)
Last paragraph in TFA:
Consumers are now left in the dark about how this happened and how it's being handled. We're going to be very generous and hope it's just because this is a newly developing situation right now. We'll update this post if Samsung or Google answers any of our myriad questions. [emphasis added]
Heard of an HSM? (Score:5, Interesting)
You would have thought that Samsung would have used a hardware security module (HSM), to guarantee that the key material would never be able to be exfiltrated. At best, if a HSM is compromised, bogus signatures can be made, but the key itself is still protected.
HSMs are not expensive. YubiHSM2 modules are $650. Ones that can handle more signing bandwidth are definitely more ($20-30k), but the damage done by a key being exfiltrated far outweighs the cost of 1-2 of these modules + backups.
This is basic security here... I am hoping this is due to something else, but for any type of secure key infrastructure, a HSM is a must have.
Re: (Score:2)
The problem is not that there is no solution. The problem is abysmal stupidity. And then no available solutions will help because the ones responsible for keeping these keys safe will not even know about them.
Hmmm... (Score:2)
Sounds like I should be glad I don't have a Samsung phone.
So app-signing is worthless on Android? (Score:2)
Yeah, figured as much. Pretty much the same as SSL-cert signatures from CAs.
Re: So app-signing is worthless on Android? (Score:2)