An application designed to exploit the recently disclosed “Certifi-gate” vulnerability affecting devices running Android has been removed from Google Play.
Earlier this month, researchers at Check Point disclosed the existence of vulnerabilities affecting the mobile Remote Support Tools (mRTS) used by Android device manufacturers and network service providers for technical support, including TeamViewer QuickSupport, RSupport, and CommuniTake RemoteCare. These tools, which are often pre-installed on devices, are signed with the manufacturer’s certificates.
The problem, according to experts, lies in the authorization methods between the RTS apps and the system-level plugins they use to read the device’s screen. The flaws, dubbed by researchers “Certifi-gate,” allow malicious applications to elevate their privileges and take control of the affected device.
Affected vendors have been notified and TeamViewer said it had released an updated version of TeamViewer QuickSupport for Android even before Check Point disclosed its findings. Check Point also developed a scanner that allows users to determine if their devices are vulnerable to potential attacks.
Data gathered by the scanner revealed that nearly 16 percent of devices had a vulnerable plugin installed, with devices made by LG being the most vulnerable. Researchers also discovered that an app uploaded to Google Play had been exploiting the Certifi-gate flaw.
The app in question, an activator for a screen video recording application called Recordable, was downloaded between 100,000 and 500,000 times from Google Play before being removed by Google.
Recordable Activator was not uploaded to Google Play by its developer, UK-based Invisibility Ltd., for malicious purposes. According to the developer, Recordable has been using the TeamViewer QuickSupport plugin to read the screen without having to activate the app over USB.
Recordable Activator achieved this by installing a vulnerable version of the TeamViewer plugin, which is trusted by Android because it’s signed by device manufacturers.
“From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents. The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device,” Check Point explained in a blog post published on Tuesday.
In a post published on Google+ on August 18, the developers of Recordable acknowledged that the technique they used makes abuse possible.
“Both Recordable and Quicksupport inform you when they are reading the screen, but it is possible a malicious app could use the plugin to start reading the screen without telling you. So, if you have installed the plugin and are concerned about malicious apps you might want to consider uninstalling the plugin when you’re not using it,” the developers said.
According to Check Point, three devices that had the company’s Certifi-gate scanner installed were actively being exploited.
Check Point says the best way to address the vulnerability is for mobile carriers and manufacturers to release an update that revokes the certificate used to sign the vulnerable versions of the RTS plugins. However, the security firm noted that none of the affected vendors have delivered such patches.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
