Vendor certificate leak could give malware full control over Android phones

Manuel Vonau writing for Android Police

Spotted by Google malware reverse engineering expert Łukasz Siewierski (via Mishaal Rahman), the certificates in question are platform certificates meant to verify the authenticity of the “android” application that’s part of every phone, but are also used to sign individual apps from manufacturers. The problem is that this core android application has the highest level of access to the system, allowing it almost unrestricted access to user data. Since the android application is basically what makes your phone run in the first place, this makes sense for it. That’s why it’s a big issue when malware gets its hands on the platform certificate used by the android application. Bad actors can gain the same far-reaching permissions as this core service.
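A defender-side triage for the situation described above, added here as an example and not part of the article or of any vendor tooling: it reads the platform certificate digest from the signer of the `android` package and flags packages that share it without living on the system image, or whose signer is on a list of certificates reported as leaked. The input formats are those of `pm list packages -f` and `apksigner verify --print-certs`; all package names, paths and digests are constructed placeholders.

```python
import re

# Constructed sample data, not taken from the article or from a real device.
PLATFORM = "aa" * 32   # placeholder for the vendor platform certificate digest
OTHER = "bb" * 32      # placeholder for an ordinary developer certificate
PM_LIST = """\
package:/system/framework/framework-res.apk=android
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~a1==/com.example.notes-b2==/base.apk=com.example.notes
package:/data/app/~~c3==/com.example.cleaner-d4==/base.apk=com.example.cleaner
"""
LINE = "Signer #1 certificate SHA-256 digest: {}\n"
CERTS = {  # APK path -> text printed by apksigner for that APK
    "/system/framework/framework-res.apk": LINE.format(PLATFORM),
    "/system/priv-app/Settings/Settings.apk": LINE.format(PLATFORM),
    "/data/app/~~a1==/com.example.notes-b2==/base.apk": LINE.format(OTHER),
    "/data/app/~~c3==/com.example.cleaner-d4==/base.apk": LINE.format(PLATFORM),
}

SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/product/", "/vendor/", "/apex/")
PM_LINE = re.compile(r"^package:(?P<path>.+)=(?P<name>[^=]+)$")
DIGEST = re.compile(r"certificate SHA-256 digest: ([0-9a-f]{64})", re.I)

def parse_pm_list(text):
    """Map package name -> APK path; the last '=' separates path from name."""
    pkgs = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m["name"]] = m["path"]
    return pkgs

def signer_digests(apksigner_text):
    """All signer digests in one apksigner report, lower-cased."""
    return {d.lower() for d in DIGEST.findall(apksigner_text)}

def audit(pm_text, certs_by_path, leaked=frozenset()):
    """Return (package, reason) pairs that deserve a closer look."""
    pkgs = parse_pm_list(pm_text)
    signers = {n: signer_digests(certs_by_path.get(p, "")) for n, p in pkgs.items()}
    platform = signers.get("android", set())  # the core package defines the platform cert
    findings = []
    for name, path in sorted(pkgs.items()):
        if signers[name] & set(leaked):
            findings.append((name, "signer is on the leaked-certificate list"))
        elif signers[name] & platform and not path.startswith(SYSTEM_PREFIXES):
            findings.append((name, "platform-signed but not on the system image"))
    return findings
```

Updates to preinstalled vendor apps are also installed under `/data/app`, so the second finding is a triage signal to review, not proof of malware.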