Folks, this is bad. Very, very bad. Hackers and/or malicious insiders have leaked the platform certificates of several vendors. These are used to sign system apps on Android builds, including the "android" app itself. These certs are being used to sign malicious Android apps!
Why is that a problem? Well, it lets malicious apps opt into Android's shared user ID mechanism and run with the same highly privileged user ID as "android" - android.uid.system. Basically, they have the same authority/level of access as the Android OS process!
(Here's a short summary of shared UID, from my Android 13 deep dive: blog.esper.io/android-13-dee…)
The post on the Android Partner Vulnerability Initiative issue tracker shared SHA256 hashes of the platform signing certificates and correctly signed malware using those certificates. Thanks to sites like @virustotal and @APKMirror, it's trivial to see who is affected...
So, for example, this malware sample: virustotal.com/gui/file/b1f19… Scroll down to the certificate subject/issuer, and whose name do you see? The biggest Android OEM on the planet? Yeah, yikes.
Go to APKMirror and just search for the SHA256 hash of the corresponding platform signing certificate... apkmirror.com/?post_type=app… Yeah, this certificate is still being used to sign apps.
That's just one example. There are others at risk, too.

In any case, Google recommends that affected parties should rotate the platform certificate, conduct an investigation into how this leak happened, and minimize the number of apps signed with the platform certificate, so that future leaks won't be as devastating.
Okay, so what are the immediate implications/takeaways for users?

- You can't trust that an app has been signed by the legitimate vendor/OEM if their platform certificate was leaked. Do not sideload those apps from third-party sites/outside of Google Play or a trusted OEM store.
- This may affect updates to apps that are delivered through app stores if the OEM rotates the signing key, depending on whether or not that app has a V3 signature. The V3 signature scheme supports key rotation; older schemes do not.

source.android.com/docs/security/…
OEMs are not required to sign system apps with V3 signatures. The minimum signature scheme version for apps targeting API level 30+ on the system partition is V2.

You can check the signature scheme using the apksigner tool: developer.android.com/studio/command…
Affected OEMs can still rotate the cert used to sign their system apps that have V2 signatures and then push an OTA update to deliver the updated apps. Then they can push app updates with that new cert, but devices that haven't received OTAs won't receive those app updates.
The leaked platform signing certificates can't be used to install compromised OTA updates, thankfully.

Tip @Techmeme, this story has massive implications.
Statement from Google given to @9to5Google.
Google Play Protect can indeed mitigate this issue somewhat. Play Protect could flag apps signed by the leaked platform certificate as a potentially harmful application. Google Play already has a database of legitimate app releases from the legitimate vendor, after all.
Statement from Samsung given to @AndroidPolice.
As @ArtemR and others have noted already, many of the malware samples submitted to VirusTotal are several years old.
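The thread's "search for the SHA256 hash of the platform signing certificate" check, and the pointer to apksigner for identifying the signature scheme, can be automated. The script below is an added example and is not code from the thread, from Google, or from APKMirror: with only the Python standard library it locates the APK Signing Block (which sits directly before the ZIP central directory), walks the v2 (ID 0x7109871a) and v3 (ID 0xf05368c0) signer structures as documented on source.android.com, hashes each signer's X.509 certificate with SHA-256, and compares the digests against a watch list. `LEAKED_CERT_SHA256` is a hypothetical placeholder and must be replaced with the digests from the APVI post; the leaked digests are deliberately not reproduced here. `build_sample_apk` is a constructed input with just enough structure for the parser (empty digests, signatures and public key), so it is not a valid APK. The function and variable names are this example's own.

```python
import hashlib
import struct
import sys

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = 0x06054B50
SIG_V2_ID, SIG_V3_ID = 0x7109871A, 0xF05368C0      # block IDs from the AOSP signing docs
SCHEME_IDS = {SIG_V2_ID: "v2", SIG_V3_ID: "v3"}

# Hypothetical placeholder, NOT a real leaked certificate digest: fill from the APVI post.
LEAKED_CERT_SHA256 = {"00" * 32}


def _lp(data: bytes) -> bytes:
    """uint32 little-endian length prefix, used throughout the v2/v3 format."""
    return struct.pack("<I", len(data)) + data


def _items(buf: bytes):
    """Yield each length-prefixed item of a length-prefixed sequence body."""
    off = 0
    while off < len(buf):
        (n,) = struct.unpack_from("<I", buf, off)
        yield buf[off + 4:off + 4 + n]
        off += 4 + n


def cert_sha256(cert_der: bytes) -> str:
    """The digest apksigner/APKMirror show: SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def find_eocd(apk: bytes) -> int:
    """Scan backwards for the ZIP End Of Central Directory record (22 bytes + optional comment)."""
    for off in range(len(apk) - 22, max(-1, len(apk) - 22 - 0xFFFF - 1), -1):
        if struct.unpack_from("<I", apk, off)[0] == EOCD_SIGNATURE:
            (comment_len,) = struct.unpack_from("<H", apk, off + 20)
            if off + 22 + comment_len == len(apk):
                return off
    raise ValueError("no EOCD record: not a ZIP/APK")


def signing_block_pairs(apk: bytes):
    """Yield (id, value) pairs from the APK Signing Block just before the central directory."""
    eocd = find_eocd(apk)
    (cd_offset,) = struct.unpack_from("<I", apk, eocd + 16)
    if cd_offset < 24 or apk[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block: v1-only (JAR) signature or unsigned")
    (size,) = struct.unpack_from("<Q", apk, cd_offset - 24)
    start = cd_offset - size - 8            # block = size(8) + pairs + size(8) + magic(16)
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("corrupt APK Signing Block: size fields disagree")
    pairs, off = apk[start + 8:cd_offset - 24], 0
    while off < len(pairs):                 # each pair: uint64 length, uint32 id, value
        (n,) = struct.unpack_from("<Q", pairs, off)
        (pair_id,) = struct.unpack_from("<I", pairs, off + 8)
        yield pair_id, pairs[off + 12:off + 8 + n]
        off += 8 + n


def signer_cert_digests(apk: bytes) -> dict:
    """Map scheme name -> SHA-256 digest of each signer's certificate (first cert in the list)."""
    out = {}
    for pair_id, value in signing_block_pairs(apk):
        scheme = SCHEME_IDS.get(pair_id)
        if scheme is None:                  # padding, v3.1, source-stamp blocks: not needed here
            continue
        digests = []
        for signers in _items(value):       # value = one length-prefixed sequence of signers
            for signer in _items(signers):
                signed_data = next(_items(signer))  # v3 follows it with raw minSDK/maxSDK: stop here
                fields = _items(signed_data)
                next(fields)                        # digests sequence: not verified by this triage tool
                certs = list(_items(next(fields)))  # X.509 DER certificates, signer's cert first
                if certs:
                    digests.append(cert_sha256(certs[0]))
        out[scheme] = digests
    return out


def classify(apk: bytes, leaked=LEAKED_CERT_SHA256) -> str:
    """Triage verdict for one APK against the watch list of leaked certificate digests."""
    try:
        by_scheme = signer_cert_digests(apk)
    except ValueError as exc:
        return f"UNVERIFIABLE: {exc}"
    found = {d for ds in by_scheme.values() for d in ds}
    if not found:
        return "UNVERIFIABLE: signing block present but no v2/v3 signer"
    if found & leaked:
        return "LEAKED-CERT: " + ", ".join(sorted(found & leaked))
    return "OK: " + ", ".join(f"{s}={','.join(ds)}" for s, ds in sorted(by_scheme.items()))


def build_sample_apk(cert_der: bytes, scheme_id: int = SIG_V3_ID) -> bytes:
    """Constructed input: minimal ZIP + APK Signing Block carrying one signer. Not a valid APK."""
    certs = _lp(_lp(cert_der))
    sdk = struct.pack("<II", 28, 33)        # minSDK/maxSDK fields exist only in v3
    if scheme_id == SIG_V3_ID:
        signed_data = _lp(b"") + certs + sdk + _lp(b"")
        signer = _lp(signed_data) + sdk + _lp(b"") + _lp(b"")
    else:
        signed_data = _lp(b"") + certs + _lp(b"")
        signer = _lp(signed_data) + _lp(b"") + _lp(b"")
    value = _lp(_lp(signer))
    pair = struct.pack("<QI", 4 + len(value), scheme_id) + value
    size = len(pair) + 8 + 16
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    local_entries = b"PK\x03\x04" + bytes(26)           # placeholder, never parsed
    cd_offset = len(local_entries) + len(block)
    eocd = struct.pack("<IHHHHIIH", EOCD_SIGNATURE, 0, 0, 0, 0, 0, cd_offset, 0)
    return local_entries + block + eocd                 # empty central directory


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk(b"constructed, not a real DER certificate")
    print(classify(data))
```

Two caveats a practitioner should keep in mind. This reads the certificate the signer claims; it does not verify the signature over the APK contents, so treat a `LEAKED-CERT` hit as a triage flag and confirm with `apksigner verify --print-certs app.apk`, which validates the signature and prints the same SHA-256 certificate digest. And an APK carrying only a v1 (JAR) signature stores its certificate in META-INF/*.RSA as PKCS#7 rather than in a signing block, so it comes back `UNVERIFIABLE` here; apksigner covers that case too.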

Thread by Mishaal Rahman (@MishaalRahman)