Cybersecurity

Danger of leaked platform certificates raises questions about security for Android phones

Security dangers from the leaked certificates include threats to multi-factor authentication and broad system privileges.
article cover

Francis Scialabba

· 3 min read

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

A November 11 blog post revealing the leak of at least 10 Android platform certificates went under the radar for nearly a month—but now experts like Rapid7 analyst Erick Galinkin are paying attention.

The post, written by Google researcher Łukasz Siewierski, identified the certificates, which have been used to install ad malware onto people’s phones. But the potential for more adversarial action is there—the certificate “holds system permissions, including permissions to access user data,” Siewierski wrote. Google did not return a comment for this story.

That’s what has Galinkin worried, he told IT Brew in a recent interview.

“Anything signed with the certificate is saying it is okay for this program to run with the privileges of the entire system,” Galinkin said.

The type of known unknown that keeps security professionals up at night is the question of how many leaked certificates could be out there. It is of course possible that the 10 leaked certificates are the extent of the leak, but it’s hard to be sure of that.

“There’s no way to know whether it is just 10 certificates in the whole world that happened to be out there, or if it is just the tip of the iceberg,” Galinkin said.

Adversaries can write executables and sign the malware with the platform certificate. Once they’re downloaded onto a phone, the Android software reads the certificate and sees it as legit—then opens up permissions.

Such a major security flaw potentially opens phones up to a lot of dangerous exploits. In this case, according to Galinkin, attackers haven’t yet used the certificates to install damaging spyware. That indicates a lack of refinement on the part of the adversaries and suggests it is unlikely the people behind the leak are going to turn to more powerful attacks in the future.

“You’ve got a decent amount of adware, some kind of generic info-stealers, another dropper Meterpreter which is like a super common payload for Metasploit exploits, more adware,” Galinkin said. “They’re not sophisticated pieces of malware, they’re not quiet little applications that you would expect to see from a state sponsored group.”

Shadowy certificate leaks and malware on phones are among the greatest unknown threats facing engineers. There’s such a huge information gap between what threats are understood and which are still secret that it puts the security community at a disadvantage.

One major risk? Compromised two-factor authentication services, as companies use the service for added security as employees log into internal accounts. Hypothetically, a hostile actor could gain access to a user’s phone and use it for espionage, Galinkin told IT Brew.

“There is a way by which you are letting people use their personal devices for anything work-related,” Galinkin said. “Little things like this that don't feel like enterprise threats can actually turn into enterprise risk.”—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected]

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.