Certifi-gate takes advantage of security shortcomings in the architecture of popular mobile Remote Support Tools (RSTs) used by almost every Android device manufacturer and network service provider.
TeamViewer took steps earlier this month to mitigate the Certifi-gate threat, explaining in a press release that the “updated version of TeamViewer QuickSupport for Android includes an improved security mechanism to ensure safe communication between internal app components”.
While it’s possible for device owners to uninstall vulnerable plug-ins, the vulnerability that allows the plug-in to be installed in the first place without the user’s knowledge can’t be fixed so easily, because the permissions for remote access are burned into the ROM of the device itself. Of the 15.8% of devices that are vulnerable and have a remote support plug-in installed, 0.1% are under active exploit.
A Google spokesperson confirmed to SCMagazine.com that the Recordable Activator app has been suspended.
“It exploits the Certifi-gate vulnerability to gain system permissions”, Basham told El Reg. Those plugins essentially let a manufacturer deal with smartphone problems remotely. After their presentation at Black Hat, a Google representative said in a statement that OEMs were providing updates to resolve the issue and that the company hadn’t seen any exploit attempts.
Taking a closer look at the infected phones, Check Point staff identified the Recordable Activator Android app as the one to blame; the app was being distributed through the official Google Play Store.
More than 70 percent of Android phones from LG have a plugin installed that exposes them to the Certifi-gate remote support app vulnerability, where a rogue application – or even a text message – can completely take over a device. A tool called “Recordable Activator” from UK-based Invisibility Ltd was advertised as an “EASY screen recorder” that doesn’t require root access to the device.
Recordable Activator, a Google Play store app, downloads a vulnerable version of the TeamViewer plug-in on demand.
According to Check Point, from Aug. 6 until Aug. 19, there were approximately 100,000 downloads of the Certifi-gate scanner app. Approximately 30,000 people who downloaded the app opted to send their information anonymously to Check Point.
One interesting aspect is that Recordable Activator was last updated on August 3, before Check Point’s public presentation at Black Hat.
The Recordable Activator app, developed by Invisibility, uses the Certifi-gate vulnerability, bypassing the Android permission model to access system-level resources. As for TeamViewer, they admit that the application is using their plug-in, but in violation of their code, as the plug-in is not allowed for use with any third parties. “TeamViewer’s was freely distributable so I used that”. It can then be used to exploit the existing authentication vulnerability and connect with the plugin to record what’s happening on the screen, Check Point said.
According to Fraser, screen recording is a functionality that a lot of users desire, especially on older devices. It also shows that such apps could be present in Google Play despite Google’s security checks.
“Most of the new LG devices come with pre-installed support software”, said Michael Shaulov, Check Point’s head of mobility product management. This leaves users with no guarantee that there are no malicious apps in Google Play right now that do the same; or that there won’t be any in the future.
Second, while the remote access software is signed with the manufacturer’s digital certificates, there is no easy way to revoke those certificates, said Shaulov.