A mobile application exploiting the so-called Certifi-gate vulnerability disclosed at Black Hat has been removed from the Google Play store.
Though the number of downloads of Recordable Activator, a screen recorder app for Android devices, hovers between 100,000 and a half-million, researchers at Check Point Software Technologies who discovered the vulnerability said it was successfully exploited on only three devices.
The data comes from Check Point’s homegrown Certifi-gate scanner application, the company said in a blog post. Data from scans using the scanning app show that LG devices are most at risk, along with Samsung and HTC; 16 percent of devices responding to scans show they host vulnerable plugins.
Certifi-gate was disclosed three weeks at Black Hat and when exploited, it allows an attacker to take full control of the device using a malicious mobile app or SMS message. The vulnerability lies in a number of third-party remote support tools that are either pre-installed on Android devices by manufacturers and/or carriers, or are available for download.
The mobile remote support tools (mRST) are usually signed with OEM certificates giving them system-level privileges in order to handle remote support tasks. Check Point revealed at Black Hat that there are authentication issues that can be bypassed by a malicious app using one of these mRST tools.
The problem with Recordable Activator specifically is that it downloads a vulnerable version of TeamViewer and abused insecure communication between the app and system-level plugins. Apps signed with OEM certificates are considered trusted and bypass native Android restrictions preventing apps such as Recordable Activator from gaining excessive permissions. It can then be used to exploit the existing authentication vulnerability and connect with the plugin to record what’s happening on the screen, Check Point said.
“From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents,” Check Point said. “The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device.”
At Black Hat, Check Point researcher Ohad Bobrov explained that a malicious app would impersonate the original mRST and get access to everything on the device.
“The reason this is so problematic is that on many devices, these tools come preinstalled and in many cases because these tools don’t have a UI, you don’t know it exists on the device,” Bobrov said during a press conference at Black Hat. “You don’t know it exists on the device, you don’t see an icon, and there’s nothing visible on the device that it even exists. This makes it much easier for an attacker to take control of it.”
Patching this issue isn’t simple, either, because the tools are often preinstalled, they require manufacturers to push updated ROMs to vulnerable devices, Check Point said. Even if new versions of remote support tools such as TeamViewer are released, older versions are still likely to be in circulation for some time.
“It will take a long time until there is a new version out there, but what’s more problematic is not only the bug itself, it’s the architecture,” Bobrov said. “The vendors and OEMS signed this vulnerable mRST with their certificate. You can’t revoke it, otherwise the plugin won’t work.”