A November 11 blog post revealing the leak of at least 10 Android platform certificates went under the radar for nearly a month—but now experts like Rapid7 analyst Erick Galinkin are paying attention.
The post, written by Google researcher Łukasz Siewierski, identified the certificates, which have been used to install ad malware onto people’s phones. But the potential for more adversarial action is there—the certificate “holds system permissions, including permissions to access user data,” Siewierski wrote. Google did not return a comment for this story.
That’s what has Galinkin worried, he told IT Brew in a recent interview.
“Anything signed with the certificate is saying it is okay for this program to run with the privileges of the entire system,” Galinkin said.
The type of known unknown that keeps security professionals up at night is the question of how many leaked certificates could be out there. It is of course possible that the 10 leaked certificates are the extent of the leak, but it’s hard to be sure of that.
“There’s no way to know whether it is just 10 certificates in the whole world that happened to be out there, or if it is just the tip of the iceberg,” Galinkin said.
Adversaries can build their own apps and sign the malware with a leaked platform certificate. Once such an app is installed on a phone, Android checks the signature, recognizes the certificate as the platform's own, and grants the app the permissions reserved for system components.
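One defensive check this implies is to fingerprint the signing certificate of any app before trusting it and compare it against the certificates a vendor has reported as leaked. The script below is an added example, not code from the article, from Rapid7, or from Google: it parses the `Signer #N certificate SHA-256 digest:` lines that `apksigner verify --print-certs` prints (that line shape is assumed here), normalizes the fingerprint formatting, and flags any signer whose certificate is on a denylist. The fingerprints and the sample tool output are constructed placeholders; the real SHA-256 values come from the vendor advisory, not from this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed placeholder fingerprints standing in for leaked platform
# certificates. Real values come from the vendor/APVI advisory, not from here.
LEAKED_PLATFORM_CERT_SHA256 = {
    "0a" * 32,
    "11" * 32,
}

# Line shape assumed for `apksigner verify --print-certs` output.
_DIGEST_RE = re.compile(
    r"^Signer #(?P<idx>\d+) certificate SHA-256 digest:\s*(?P<hex>[0-9A-Fa-f:]+)\s*$"
)


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex with no separators."""
    digest = value.replace(":", "").strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-256 fingerprint: {value!r}")
    return digest


def parse_signers(output: str) -> Dict[int, str]:
    """Map signer index -> normalized SHA-256 certificate fingerprint."""
    signers: Dict[int, str] = {}
    for line in output.splitlines():
        match = _DIGEST_RE.match(line.strip())
        if match:
            signers[int(match.group("idx"))] = normalize_fingerprint(match.group("hex"))
    return signers


def check_apk_signers(output: str, denylist=LEAKED_PLATFORM_CERT_SHA256) -> List[Tuple[int, str]]:
    """Return (signer index, fingerprint) for every signer whose cert is on the denylist."""
    return [(idx, fp) for idx, fp in sorted(parse_signers(output).items()) if fp in denylist]


# Constructed sample outputs (not real apksigner runs). The first one carries a
# colon-separated, upper-case digest to exercise the normalization path; the
# SHA-1 line is present to show it is ignored.
SAMPLE_FLAGGED = (
    "Verifies\n"
    "Verified using v2 scheme (APK Signature Scheme v2): true\n"
    "Signer #1 certificate DN: CN=Android, O=Example OEM\n"
    "Signer #1 certificate SHA-256 digest: " + ":".join(["0A"] * 32) + "\n"
    "Signer #1 certificate SHA-1 digest: " + "aa" * 20 + "\n"
)
SAMPLE_CLEAN = (
    "Verifies\n"
    "Signer #1 certificate DN: CN=Some Developer\n"
    "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n"
)

if __name__ == "__main__":
    for name, out in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        hits = check_apk_signers(out)
        print(name, "->", hits if hits else "no leaked platform certificate found")
```

A match on a sideloaded or third-party app is a strong signal, since nothing outside the vendor's own system image should be signed with a platform key. On that vendor's devices, legitimate system apps carry the same certificate, so scope the check to packages outside the system partition, and keep any certificate the vendor has since rotated away from on the denylist rather than removing it.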
Such a major security flaw potentially opens phones up to a lot of dangerous exploits. In this case, according to Galinkin, attackers haven’t yet used the certificates to install damaging spyware. That indicates a lack of refinement on the part of the adversaries and suggests it is unlikely the people behind the leak are going to turn to more powerful attacks in the future.
—EH