Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



App Exploiting Certifi-gate Vulnerability Removed from Google Play

An application designed to exploit the recently disclosed “Certifi-gate” vulnerability affecting devices running Android has been removed from Google Play.

An application designed to exploit the recently disclosed “Certifi-gate” vulnerability affecting devices running Android has been removed from Google Play.

Earlier this month, researchers at Check Point disclosed the existence of vulnerabilities affecting the mobile Remote Support Tools (mRTS) used by Android device manufacturers and network service providers for technical support, including TeamViewer QuickSupport, RSupport, and CommuniTake RemoteCare. These tools, which are often pre-installed on devices, are signed with the manufacturer’s certificates.

The problem, according to experts, lies in the authorization methods between the RTS apps and the system-level plugins they use to read the device’s screen. The flaws, dubbed by researchers “Certifi-gate,” allow malicious applications to elevate their privileges and take control of the affected device.

Affected vendors have been notified and TeamViewer said it had released an updated version of TeamViewer QuickSupport for Android even before Check Point disclosed its findings. Check Point also developed a scanner that allows users to determine if their devices are vulnerable to potential attacks.

Data gathered by the scanner revealed that nearly 16 percent of devices had a vulnerable plugin installed, with devices made by LG being the most vulnerable. Researchers also discovered that an app uploaded to Google Play had been exploiting the Certifi-gate flaw.

The app in question, an activator for a screen video recording application called Recordable, was downloaded between 100,000 and 500,000 times from Google Play before being removed by Google.

Recordable Activator was not uploaded to Google Play by its developer, UK-based Invisibility Ltd., for malicious purposes. According to the developer, Recordable has been using the TeamViewer QuickSupport plugin to read the screen without having to activate the app over USB.

Advertisement. Scroll to continue reading.

Recordable Activator achieved this by installing a vulnerable version of the TeamViewer plugin, which is trusted by Android because it’s signed by device manufacturers.

“From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents. The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device,” Check Point explained in a blog post published on Tuesday.

In a post published on Google+ on August 18, the developers of Recordable acknowledged that the technique they used makes abuse possible.

“Both Recordable and Quicksupport inform you when they are reading the screen, but it is possible a malicious app could use the plugin to start reading the screen without telling you. So, if you have installed the plugin and are concerned about malicious apps you might want to consider uninstalling the plugin when you’re not using it,” the developers said.

According to Check Point, three devices that had the company’s Certifi-gate scanner installed were actively being exploited.

Check Point says the best way to address the vulnerability is for mobile carriers and manufacturers to release an update that revokes the certificate used to sign the vulnerable versions of the RTS plugins. However, the security firm noted that none of the affected vendors have delivered such patches.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.