Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security

Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware (arstechnica.com) 23

Posted by msmash from the security-woes dept.
Lukasz Siewierski, a member of Google's Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. From a report: The post is just a list of the keys, but running each one through APKMirror or Google's VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart's Onn tablets. [...] Esper Senior Technical Editor Mishaal Rahman, as always, has been posting great info about this on Twitter. As he explains, having an app grab the same UID as the Android system isn't quite root access, but it's close and allows an app to break out of whatever limited sandboxing exists for system apps. These apps can directly communicate with (or, in the case of malware, spy on) other apps across your phone. Imagine a more evil version of Google Play Services, and you get the idea.
This discussion has been archived. No new comments can be posted.

Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware More

Samsung's Android App-Signing Key Has Leaked, is Being Used To Sign Malware

Comments Filter:

  • Going forward ... (Score:3)

    by fahrbot-bot ( 874524 ) on Thursday December 08, 2022 @04:56PM (#63114592)

    Samsung will use two keys and they will have to be used at least 8 feet apart ...

  • So this is primarily a problem because it allows malware to appear to be an official Samsung application. But I'm wondering what, if anything, this may allow phone owners to do that they couldn't easily do before? Are there any particular things this would unlock?

    • Typically these keys are used to validate updates as being legitimate, so a malicious site could trick someone into downloading and installing an "update" for an official samsung app, including ones installed as system apps with special privileges.

  • Imagine a more evil version of Google Play Services, and you get the idea

    I dunno. Google Play Services is pretty evil. Why does it need access to my messages? It never explains.
    It is more trustworthy because it Google? Like they should be trusted.

    • Why does it need access to my messages? It never explains. It is more trustworthy because it Google? Like they should be trusted.

      If you use Android you end up fully "trusting" Google because they control the operating system so there's not much point in worrying about that. "Play services" has little to do with Play as in he app market. Play Services is Google's hack to remain in control of Android by bundling a bunch of key functions into a proprietary bit where Microsoft and Amazon can't copy and build on them. The "Why" bit is simple. Play services has to be able to do more or less anything so that they can build extra special suf

      • What? Amazon has its app store a replacement for the play store. Samsung has its own suite of apps often duplicating Google functionality. What are you on?

        • What? Amazon has its app store a replacement for the play store. Samsung has its own suite of apps often duplicating Google functionality.

          Samsung is a special case because they have an agreement with Google to allow them to bundle both their own extensions and Google's, in return for which they follow Google's rules elsewhere. Samsung also bundles Google's apps and most Samsung users use Gmail and Google maps at least whilst in most places Samsung's apps don't get anywhere near the usage.

          Amazon attempted to enter Google's space, their fire phone was a disaster which is now used as a lesson in failure [maestrolearning.com], first they killed the phone team [the-digital-reader.com] and the

          • Re: (Score:2)

            by jabuzz ( 182671 )

            Samsung has some "special" apps. For example, if you have a Samsung device (well several of their tablet devices at least) it comes with a Kindle app that allows you to buy a book directly in the app. The version from the Google Play store does not allow that.

    • If you think one permission is worrisome (they back up your sms), then wait until you read and learn about every other smartphone provider (fruits included)
  • Ok, KNOX it off!
  • so, if you have a Samsung Android phone, should you be worried ? Anything you should do / avoid ?

    • Re:So, what should users do ?!? (Score:4, Interesting)

      by TechyImmigrant ( 175943 ) on Thursday December 08, 2022 @05:52PM (#63114838) Homepage Journal

      so, if you have a Samsung Android phone, should you be worried ? Anything you should do / avoid ?

      Don't install new apps until the cert has been revoked.
      I am in this position with two Samung phones in the house.

      • > "Don't install new apps until the cert has been revoked.
        > I am in this position with two Samsung phones in the house."

        Will a revoked cert affect apps already installed? There's a lot of cheap Samsung phones who don't get any app or other updates.

        • I don't know. I didn't design those phones.
          I'm hoping someone in the know can tell us. TFA left me with questions.

        • It depends on what the platform is designed to do and how the key handling is implemented.
          If the key is only checked at installation then any new apps or app updates can be risky, also apps from the official store.

          What a certificate might permit is full level system access without the need for user approval. Blocking this means a new system update wirh the compromised certificate removed/blocked.

          But older devices might suffer if they no longer are supported.

  • Last paragraph in TFA:

    Consumers are now left in the dark about how this happened and how it's being handled. We're going to be very generous and hope it's just because this is a newly developing situation right now. We'll update this post if Samsung or Google answers any of our myriad questions. [emphasis added]

  • Heard of an HSM? (Score:5, Interesting)

    by ctilsie242 ( 4841247 ) on Thursday December 08, 2022 @06:41PM (#63114988)

    You would have thought that Samsung would have used a hardware security module (HSM), to guarantee that the key material would never be able to be exfiltrated. At best, if a HSM is compromised, bogus signatures can be made, but the key itself is still protected.

    HSMs are not expensive. YubiHSM2 modules are $650. Ones that can handle more signing bandwidth is definitely more ($20-30k), but the damage done by a key being exfiltrated far outweighs the cost of 1-2 of these modules + backups.

    This is basic security here... I am hoping this is due to something else, but for any type of secure key infrastructure, a HSM is a must have.

    • Re: (Score:2)

      by gweihir ( 88907 )

      The problem is not that there are no solution. The problem is abysmal stupidity. And then no available solutions will help because the ones responsible for keeping these keys safe will not even know about them.

  • Sounds like I should be glad I don't have a Samsung phone.

  • Yeah, figured as much. Pretty much the same as SSL-cert signatures from CAs.

Slashdot Top Deals

I tell them to turn to the study of mathematics, for it is only there that they might escape the lusts of the flesh. -- Thomas Mann, "The Magic Mountain"

Close