Certifi-Gate: Massive Android vulnerability affects hundreds of millions of smartphones and tablets

On Wednesday (5 August 2015), the lead engineer of Android security at Google, Adrian Ludwig, addressed the Black Hat conference in Las Vegas telling the assembled groups of hackers, researchers and journalists that in the next few days, his employer – along with hundreds of manufacturers and high-profile partners including Samsung, HTC, LG and Sony – would be pushing out a security patch that Ludwig described as "the single largest software update the world has ever seen".

Ludwig said it was incredible that hundreds of millions of devices would be updated within a few days. He added that the events of the last few weeks had forced Google to move faster to fix problems. Most people present instinctively linked the announcement to the Stagefright bug, which was revealed just last week. The bug could allow any hacker to take remote control of an Android smartphone simply by knowing the phone number and sending the handset in question a video multimedia message. However, it appears that there may have been an even more pressing reason for Google to push out this security update.

Certifi-Gate is "very-easily exploited"

Security researchers from Check Point have discovered a vulnerability, which they have dubbed Certifi-Gate, that allows hackers to gain what they call "illegitimate privileged access rights" and take full control of your smartphone or tablet though apps installed on your Android devices by manufacturers and mobile phone networks.

These vulnerability affects implementations of Remote Support applications that come pre-installed on your smartphone or tablet, and are used to offer technical help to users by allowing support staff to remotely take over your screen to fix an issue.

"Attackers can exploit Certifi-Gate to gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations and more," a Check Point spokesperson said. Check Point told IBTimes UK ahead of its Black Hat presentation that it is yet to see the vulnerability being exploited in the wild, but that the bug could nonetheless be "very easily exploited", should a hacker wish to do so.

A much bigger issue is that the bug cannot be easily fixed as Android offers no way to revoke the certificates that provide the privileged permissions. "Left unmatched, and with no reasonable workaround, devices are exposed right out of the box. OEMs also cannot revoke the valid signed vulnerable components, making unmatched versions valid for installation on devices," Check Point said.

When asked about the bug, Google said the fault lay with third-party apps rather than Android itself, adding that its own Nexus devices were therefore not susceptible:

"We want to thank the researcher for identifying the issue and flagging it for us. The issue they've detailed pertains to customisations OEMs make to Android devices and they are providing updates which resolve the issue. Nexus devices are not affected and we haven't seen attempts to exploit this," a Google spokesperson said.

Google added that in order for a user to be affected, they would need to install "a potentially harmful application" which the company says it continually monitors for with VerifyApps and SafetyNet. "We strongly encourage users to install applications from a trusted source, such as Google Play" the spokesperson added.

Complete control

Such vulnerabilities could allow hackers to take advantage of insecure apps that have been certified by manufacturers such as Samsung, HTC and LG, as well as mobile phone networks, giving them unrestricted access to devices and allowing for screen-scraping, key logging and extraction of private data, as well as downloading and installing malware. "The root causes of these vulnerabilities include hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a victim's device, the company said.

The security company disclosed the vulnerability to Google, app developers and manufacturers adding that the only way to fix the Certifi-Gate vulnerability is by pushing a new software build to the affected devices, a process it has called "notoriously slow". With this in mind, it seems clear that Ludwig's announcement of new monthly security updates for Android on Wednesday came about not only because of Stagefright, but also because of Certifi-Gate issue – which is potentially a much more harmful security flaw.

Check Point says that all versions of Android 5.0 (Lollipop) and 4.4 (KitKat) are vulnerable to Certifi-Gate. This means that, according to Google's latest figures, a minimum 57% of all devices in use today are vulnerable. It is also likely that earlier versions of the operating system are also susceptible to this attack.

Android, which is the world's most popular smartphone operating system with an 80% market share, is seen as a much more insecure platform than Apple's iOS, and one of the reasons for this is fragmentation. A study published on Thursday (6 August 2015) shows that there are more than 24,000 different Android smartphones and tablets on the market, making it all-but-impossible to simultaneously update and patch the software.

When you add to that the fact that 5% of all devices are still running versions of Android that were launched five years ago or more, the problem is not one that can be solved any time soon.

Check Point has produced an app you can download to check if your Android device is vulnerable to Certifi-Gate.