Stolen Android cryptographic keys used to sign info-stealing malware
According to Wired, malware and spyware are being distributed using compromised Android platform certificate keys from important device vendors, including Samsung, LG and Mediatek.
A Google security alert in fact revealed that a number of digital certificates used by manufacturers to validate vital system applications were recently compromised and have already been abused to put a stamp of approval on malicious Android apps.
“Platform certificates” are normally used to verify an app’s authenticity, and if they end up in wrong hands they can allow malicious applications to gain the same level of privileges as the Android operating system, including unrestricted access to the victim’s device.
In other terms: abusing the compromised “platform certificates” would allow attackers to create malware that has extensive permissions without even need to trick users into granting them, accessing media, passwords and any sensitive information on your device.
If this scenario sounds dreadful to you, you might be interested in our Hushmeeting corporate solutions: our Hushmeeting Phone and Hushmeeting Laptop will grant you the possibility to autonomously create and manage your own certificates, with no need to trust any third-party.