Guess what has happened! Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (APVI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and MediaTek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like Revoview and Szroco, which makes Walmart’s Onn tablets.
These companies somehow had their signing keys leaked to outsiders, and now you can’t trust that apps that claim to be from these companies are really from them. To make matters worse, the “platform certificate keys” that they lost have some serious permissions.
I tend to not really focus on security issues, because more often than not they amount to baseless scaremongering for clicks (or worse, to scare people into buying antivirus software), but this one seems possibly serious enough to warrant attention. I’m just not entirely sure how bad this can actually turn out to be, and the vague statements from Samsung, Google, and others sure aren’t helping in cleaning up the confusion.
This is easy to fix. Surely Samsung is going to release a proper security update for all their older phones, right?
Right?
Samsung likely will do just that, as they do tend to support their devices with such security fixes long after other updates stop arriving.
All their devices? Even the cheap ones? For how long?
Thinking about this more, the idea that one could fix this with some patch is likely not going to work, as you can’t simply invalidate all the existing installed applications from the mentioned companies. Hence I don’t know how they will tackle this. Likely new signing keys for new applications, and the rest stays as is. That is, when installing applications from, let’s say, Google Play or F-Droid, you likely have little to worry about. If you manually install some package and it claims it was made by one of the mentioned companies, you can’t trust that anymore, given the compromised signing keys. And if I understand correctly, applications signed like that have more permissions by default. Hence not only can you not trust that the company made the package; on top of that, it can exploit your system more easily.
“Invasive and Intrusive”
I would normally reserve all development decisions to be made by companies themselves. But in case of securing signing keys, especially highly trusted ones, we should probably have some standards.
There are known ways to prevent this. For example, no single person ever has the entire signing key. Or it is done in an “air gapped” offline system. I don’t care about smaller ones; yes, someone sending a malicious update to “Yet Another Screenshot App” is a problem.
However, master keys for a manufacturer or a package repository (like npm, pip, …) should be audited externally. They should receive the “nuclear football” treatment.
MediaTek firmware already has malware installed by default to intercept all messages as mandated by the CCP. I advise all users to uninstall the OMACP package on all their MediaTek handsets.
Isn’t MediaTek a Taiwanese company?
Do you have anything to back this up or are you talking out of your rear end?
I read things like this online from time to time.
Implementing something in the system firmware to spy on you is not as trivial as some people seem to think.
While something that takes screenshots, intercepts some input, etc. is doable. After all, BMCs do this on PCs.
Having something in the firmware that survives an OS boot, can somehow keep up with randomized memory layouts and memory encryption, filesystem encryption, stealing cycles from the processor without the user seeing it, etc. … no.
The above would require Android running under a hypervisor of some sort, and Google would not certify such devices for Play services.
Sure, you could have a service processor of some type (à la Intel ME), and it could have direct access to memory. Entirely possible.
Utilizing such crude tools is extremely difficult, however, and therefore costly.
Why go through all this trouble, if you can get people to install an app that does it all in software? You spoke of China?
https://ub.triviumchina.com/2019/10/long-read-the-apps-of-chinas-social-credit-system/
Or in the west? Why not slip something into your country’s CST app?
How about that CA with ties to the military that was distributing malware?
Implementing something in firmware to spy on people is difficult, might break at any time with an OS patch, and would only provide crude tools at best.
p13.,
I am not familiar with MediaTek and I’m reading this for the first time…
https://www.bleepingcomputer.com/news/security/malware-found-in-the-firmware-of-141-low-cost-android-devices/
The link says it’s being used to install adware and doesn’t mention spying. However, because the payload is running as root, it seems conceivable something like that could spy if it wanted to. Encryption is ineffective if a process can just access the decrypted data directly.
AFAIK Google doesn’t audit OEM firmware and sometimes Android OEMs don’t even have the full source code themselves…
https://www.pcmag.com/news/phone-maker-blu-trades-chinese-spyware-for-google-software
We can criticize these vendors, but here’s something to keep in mind: all auto-update mechanisms from all vendors, including western ones, are technically backdoors. An audit of an update mechanism wouldn’t necessarily reveal the intentions behind how it is used. As an example, Microsoft has a backdoor called “Windows Update” running on the vast majority of computers today. Users can trust Microsoft, but from a purely technical point of view, the update mechanism can easily be used for targeted malware or spying.
If an update backdoor phones home to Redmond, does that make it less suspect than the same mechanism phoning home to Beijing? It’s a tough call because neither has a good reputation.
https://en.wikipedia.org/wiki/Mass_surveillance_in_the_United_States
I don’t know if the “NSA key” still exists in Windows today, but I’d say it’s plausible if not likely that the NSA has used Windows Update and other “trusted” services to plant spyware on government targets.
Obviously this depends on what the malware is doing and how it’s implemented. In the case of MediaTek, it was polling for updates, so they may well be able to update their payloads after the fact.
They still can’t fake apps being submitted to app stores, so it shouldn’t matter too much. The problem is e.g. when downloading “older versions” of apps from unofficial internet sites. I guess FB will also be flooded with fake accounts touting new breakthrough apps from Samsung etc.
If you use Google Play or F-Droid, you likely won’t be affected. If you install a random APK from the internet, this could be used to fool you into believing who made the package. And more problematically, such an APK likely has some additional privileges and can use them as an attack vector to exploit your system. State agencies and preinstalled software obviously could use this to tamper with the system, claiming the app is from one of the companies in question. A fix for existing packages likely isn’t going to happen. Companies will change the keys for creating new packages. And such new keys are likely to leak again in the future.
It’s more than that. If someone uses a more common zero day that has a lot less privileges, they could easily then sneak this on, then they would be in business.