Click the link below the picture
.
While Google develops its open-source Android mobile operating system, the “original equipment manufacturers” who make Android smartphones, like Samsung, play a large role in tailoring and securing the OS for their devices. But a new finding that Google made public on Thursday reveals that a number of digital certificates used by vendors to validate vital system applications were recently compromised and have already been abused to put a stamp of approval on malicious Android apps.As with almost any computer operating system, Google’s Android is designed with a “privilege” model, so different software running on your Android phone, from third-party apps to the operating system itself, are restricted as much as possible and only allowed system access based on their needs. This keeps the latest game you’re playing from quietly collecting all your passwords while allowing your photo editing app to access your camera roll, and the whole structure is enforced by digital certificates signed with cryptographic keys. If the keys are compromised, attackers can grant their own software permissions it shouldn’t have.
Google said in a statement on Thursday that Android device manufacturers had rolled out mitigations, rotating keys, and pushing out the fixes to users’ phones automatically. And the company has added scanner detections for any malware attempting to abuse the compromised certificates. Google said it has not found evidence that the malware snuck into the Google Play Store, meaning that it was making the rounds via third-party distribution. Disclosure and coordination to address the threat happened through a consortium known as the Android Partner Vulnerability Initiative.
“While this attack is quite bad, we got lucky this time, as OEMs can quickly rotate the affected keys by shipping over-the-air device updates,” says Zack Newman, a researcher at the software supply-chain security firm Chainguard, which did some analysis of the incident.
.
Photograph: Thiago Prudencio/Getty Images
.
.
Click the link below for the article:
.
__________________________________________
James' World 2 
Leave a comment