Malicious Android apps have been signed by threat actors through the exploitation of platform certificates used by device vendors Samsung, LG, and MediaTek, The Hacker News reports.
Platform certificates have been abused by the com.russian.signato.renewis, com.android.power, com.management.propaganda, com.sledsdffsjkh.Search, com.sec.android.musicplayer, com.attd.da, com.houla.quicken, com.metasploit.stage, com.arlo.fappx, and com.vantage.ectronic.cornmuni app packages, according to Google reverse engineer Łukasz Siewierski, who first identified and reported the exploitation.
Although how the artifacts were obtained and whether they were used in malware campaigns remain uncertain, the identified samples included Metasploit, information stealers, HiddenAds adware, downloaders, and other malware. Google has urged all affected vendors to rotate their certificates following the exploitation.
"Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android," said Google.
Malware apps signed with Android platform certificates