A report posted by Google on November 11th (released November 30th) using the Android Partner Vulnerability Initiative (APVI) has the title “Issue 100: Platform certificates used to sign malware“. It carries this detail:
A platform certificate is the application signing certificate used to sign the “android” application on the system image. The “android” application runs with a highly privileged user id – android.uid.system – and holds system permissions, including permissions to access user data. Any other application signed with the same certificate can declare that it wants to run with the same user id, giving it the same level of access to the Android operating system.
[…]
All affected parties should rotate the platform certificate by replacing it with a new set of public and private keys. Additionally, they should conduct an internal investigation to find the root cause of the problem and take steps to prevent the incident from happening in the future.
Find the root cause of the problem? That’s a template, not a recommendation.
Way down in the notes section it also makes a rather bold yet vague assertion.
All affected parties were informed of the findings and have taken remediation measures to minimize the user impact.
Were you affected? Were you informed?