Android Certifi-Gate exploited
A newly uncovered security vulnerability on the Android operating system, named Certifi-Gate, puts hundreds of millions of smartphones at risk – and a fix is not easyGetty

An app published by a London-based company is putting Android smartphone users at risk after it was discovered that hackers were using it to exploit the Certifi-Gate vulnerability. The app, which is available on the official Google Play Store and has between 100,000 and 500,000 downloads, allows users to record what they are doing on their Android devices.

The Certifi-Gate security vulnerability was first reported on 6 August by researchers from security company Check Point who revealed that it allows hackers to gain what they called "illegitimate privileged access rights" and take full control of your smartphone or tablet though apps installed on your Android devices by manufacturers and mobile phone networks. The flaw potentially puts hundreds of millions of devices at risk.

In the wake of the revelations, Check Point published a scanner app to allow users to check if their smartphone has been compromised and having analysed the data from this app, the company has already found devices which are actively being exploited by Certifi-Gate.

According to the company "a handful of devices" which have provided it with scan results have already been successfully exploited through an app called Easy Screen Recorder No Root and more specifically a subcomponent of the app called Recordable Activator. Typically Google's Android doesn't allow apps to carry out screen capture, as it raises a lot of security and privacy issues, but the developers of this app got around those restrictions by installing a vulnerable version of the TeamViewer plug-in on-demand.

TeamViewer is a tool which allows you to access your computer, tablet or smartphone remotely, and is often used by companies to provide on-device support for customers. Because TeamViewer is signed by various device manufacturers, Check Point said it is considered trusted by Android, and is granted system-level permissions.

Bypass permissions

The app is developed by Invisibility Ltd, a company with a London address and which publishes a number of similar Android apps. "Hackers were able to bypass the Android permission model to access system level resources and capture details from the affected device," Check Point said. The hackers were able to leverage the vulnerability and bypass the Android permission model to use the TeamViewer's plug-in to access system level resources and to record the device screen.

Christopher Fraser, the director of Invisibility Ltd, told The Register that the app was primarily used by gamers to upload footage to YouTube, and that the reason it used the TeamViewer plugin was to save people having to activate an older version of Android. He added that Google removed the older version of the TeamViewer plugins a few weeks ago, and has now removed Recordable Activator.

Check Point said that its scanner app has been downloaded almost 100,000 times and it has received more than 30,000 anonymous scan results which revealed that 40% of all devices were at risk. The data also showed that 16% of samples showed a vulnerable plug-in was installed on the device, which would enable "any malicious application to take full control of the device by exploiting the installed plug-in".

Vulnerable

While the number of devices being actively exploited as reported by Check Point is just three, the data set it is using is a tiny sample of the hundreds of millions of Android smartphones and tablets in use today. More worrying is the 4,700 devices which reported having a vulnerable plug-in installed.

The Certifi-Gate vulnerability affects implementations of Remote Support applications that come pre-installed on your smartphone or tablet such as TeamViewer, and are used to offer technical help to users by allowing support staff to remotely take over your screen to fix an issue.

"Attackers can exploit Certifi-Gate to gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations and more," a Check Point spokesperson said.

The security company reported the major security flaw to Google, manufacturers and support software developers but to date there has been no fix for the vulnerability. The issue is that the bug cannot be easily fixed as Android offers no way to revoke the certificates that provide the privileged permissions. "Left unmatched, and with no reasonable workaround, devices are exposed right out of the box. OEMs also cannot revoke the valid signed vulnerable components, making unmatched versions valid for installation on devices," Check Point said.