"Android Phone Makers' Encryption Keys Stolen and Used in Malware"

Although Google develops the open-source Android mobile operating system (OS), the original equipment manufacturers (OEMs) that build Android smartphones, such as Samsung, play a significant role in customizing and securing the OS for their devices. However, a recent disclosure by Google reveals that several digital certificates used by vendors to authenticate essential system applications were compromised and have already been used to sign malicious Android apps.

Like nearly every other computer OS, Android is built on a "privilege" model: the software running on a phone, from third-party apps to the OS itself, is restricted as much as possible and granted system access only according to its needs. This is what lets a photo editing app access the camera roll while preventing a game from covertly collecting all of a user's passwords. Digital certificates signed with cryptographic keys enforce this entire structure, so if the keys are stolen, attackers can give their own software access to resources it should not have. By abusing the compromised platform certificates, an attacker can develop malware that holds numerous permissions without having to trick users into granting them.

According to Google, manufacturers of Android-based devices have implemented mitigations, rotating the keys and automatically distributing updates to users' phones. The company has also added scanner detections that look for malware attempting to exploit the compromised certificates. Google says there is no evidence that the malware was on the Google Play Store, indicating that it spread through third parties. Information about the threat was disclosed, and the response coordinated, through a group known as the Android Partner Vulnerability Initiative. Lukasz Siewierski, an Android reverse engineer, provided some malware samples in his Google report that exploited the stolen certificates. Samsung and LG are among the manufacturers whose certificates were compromised. This article continues to discuss the compromise of digital certificates that vendors use to validate critical system applications.
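As an added illustration of the kind of scanner check described above (example code written for this summary, not Google's or any OEM's tooling), the Python below parses the certificate digests that `apksigner verify --print-certs` prints for an APK and triages the package against a watchlist of compromised platform certificates; the digests, package names and allow-list are constructed placeholders, since the real values are not on this page.

```python
import re
from typing import Dict, List

# Constructed watchlist: placeholder SHA-256 digests standing in for the
# compromised OEM platform certificates (the real digests live in the APVI
# advisory and are deliberately not reproduced here).
COMPROMISED_PLATFORM_CERTS: Dict[str, str] = {
    "aa" * 32: "OEM-A platform certificate (placeholder)",
    "bb" * 32: "OEM-B platform certificate (placeholder)",
}

# Assumption: a defender-maintained allow-list of packages that legitimately
# carry a platform signature on this fleet (the "android" package plus OEM
# system apps). Any other package signed with a platform cert is suspect.
EXPECTED_PLATFORM_PACKAGES = {"android", "com.example.oem.settings"}

# apksigner prints one such line per signer in `verify --print-certs` output.
_SHA256_LINE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-fA-F]{64})$")


def parse_signer_digests(apksigner_output: str) -> List[str]:
    """Return the SHA-256 digest of every signing certificate apksigner reported."""
    digests = []
    for line in apksigner_output.splitlines():
        match = _SHA256_LINE.match(line.strip())
        if match:
            digests.append(match.group(1).lower())
    return digests


def classify_apk(package_name: str, apksigner_output: str) -> str:
    """Triage verdict: 'malicious', 'rotate', 'ok' or 'unparsed'."""
    digests = parse_signer_digests(apksigner_output)
    if not digests:
        return "unparsed"      # no signer lines: unsigned APK or not apksigner output
    hits = [d for d in digests if d in COMPROMISED_PLATFORM_CERTS]
    if not hits:
        return "ok"
    if package_name in EXPECTED_PLATFORM_PACKAGES:
        return "rotate"        # legitimate system app still shipping on a revoked key
    return "malicious"         # third-party package borrowing platform privileges


# Constructed apksigner output for a sideloaded package signed with OEM-A's key.
SAMPLE_OUTPUT = (
    "Signer #1 certificate DN: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US\n"
    f"Signer #1 certificate SHA-256 digest: {'aa' * 32}\n"
    f"Signer #1 certificate SHA-1 digest: {'11' * 20}\n"
)

if __name__ == "__main__":
    print(classify_apk("com.example.sideloaded.game", SAMPLE_OUTPUT))  # prints "malicious"
```

The "rotate" verdict is the case the key rotation described above is meant to close: a genuine system package that still carries the revoked certificate after the OEM has rotated keys.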

Wired reports "Android Phone Makers' Encryption Keys Stolen and Used in Malware"
