Malicious applications have been found to be signed with the platform certificates used by Android smartphone manufacturers like Samsung, LG, and MediaTek.

On Thursday, Google’s reverse engineer ukasz Siewierski announced his findings.

ALSO, READ Researchers Expose Over 80 ShadowPad Malware C2 Servers

According to a report submitted via the Android Partner Vulnerability Initiative (AVPI), “a platform certificate is the application signing certificate used to sign the ‘android’ application on the system image.”

“The ‘android’ application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data.”

Hackers Sign Android Malware Apps with Compromised Platform Certificates

This effectively means that a rogue application signed with the same certificate can gain the highest level of privileges as the Android operating system, permitting it to harvest all kinds of sensitive information from a compromised device.

ALSO, READ Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware

The list of malicious Android app packages that have abused the certificates is below –

• com.russian.signato.renewis
• com.sledsdffsjkh.Search
• com.android.power
• com.management.propaganda
• com.sec.android.musicplayer
• com.houla.quicken
• com.attd.da
• com.arlo.fappx
• com.metasploit.stage
• com.vantage.ectronic.cornmuni

That said, it’s not immediately clear how and where these artifacts were found, and if they were used as part of any active malware campaign.

A search on VirusTotal shows that the identified samples have been flagged by antivirus solutions as HiddenAds adware, Metasploit, information stealers, downloaders, and other obfuscated malware.

ALSO, READ Most Common Mobile Security Threats & How To Protect Your Device

When reached for comment, Google said it informed all impacted vendors to rotate the certificates and that there’s no evidence these apps were delivered through the Play Store.

Hackers Sign Android Malware Apps with Compromised Platform Certificates

ALSO, READ How Organizations Can Secure Clients’ Data From Hackers.

“OEM partners promptly implemented mitigation measures as soon as we reported the key compromise,” the company told The Hacker News in a statement. “End users will be protected by user mitigations implemented by OEM partners.”

“Google has implemented broad detections for the malware in Build Test Suite, which scans system images. Google Play Protect also detects the malware. There is no indication that this malware is or was on the Google Play Store. As always, we advise users to ensure they are running the latest version of Android.”