​Android Certifi-Gate remote access security hole exploited

A security hole in several Android's remote support tools is being exploited in the wild.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Remote support tools, by their very nature, are dangerous. That's why when Check Point revealed the so-called "Certifi-Gate" security holes with Android-based mobile Remote Support Tool (mRST) apps, it was a big deal. Any device infected with malware with mRST permissions can be taken over.

Now, Check Point is reporting that it has seen Certifi-Gate exploits in the wild.

Check Point's Avi Bashan, Technology Leader, Mobile Threat Prevention, e-mailed, "When we announced the Certifi-Gate last week, we also announced an app, Certifi-gate Scanner, that scans your device to see if your phone has an app that is affected, or if there has been any exploitation of the vulnerability. The app has identified a few cases of Certifi-Gate being exploited, and we are currently working on gathering more data around the exploits."


Bashan also wrote, "We reached out to Google and all affected vendors, and the last we heard they were working to create patches for Certifi-Gate. However, it's important to note that because the vulnerability is tied to the use of certificates that are used by applications from innocent vendors and programmers worldwide, the patching process is more difficult than it usually would be for vulnerabilities."

One company, however, TeamViewer claims to have already fixed the Certifi-Gate hole.

In an e-mail the company stated, "The updated version of TeamViewer QuickSupport for Android includes an improved security mechanism to ensure safe communication between internal app components. This enhancement prevents potential misuse of the QuickSupport app and its Add-On on compromised devices. The updated TeamViewer apps are already widely deployed and automatically updated for most device partners, and in fact were made available to the entire community of TeamViewer partners in advance of Check Point's report publication."

Sources at other affected companies Rsupport, Koino AnySupport, and CommuniTake Remote Care, say that they are working on fixing the weaknesses in their apps that enable this hole to be exploited.

Google isn't taking responsibility for the Certifi-Gate problem.

A Google spokesperson said in an e-mail, "We want to thank the researcher for identifying the issue and flagging it for us. The issue they've detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue. Nexus devices are not affected and we haven't seen attempts to exploit this. In order for a user to be affected, they'd need to install a potentially harmful application, which we continually monitor for with VerifyApps and SafetyNet. We strongly encourage users to install applications from a trusted source, such as Google Play."

This leaves Android users with remote support software in trouble. With exploits in the wild, Certifi-Gate can no longer be regarded as a dangerous but purely theoretical problem. Because a smartphone or tablet that's been successfully attacked via Certifi-Gate is then wide-open to an attacker, this problem needs to be addressed as soon as possible.

First, you need to see if you're vulnerable. To do this run Certifi-gate Scanner on your Android device.

Unfortunately, this application is not very useful. All it will do is tell you if your device is vulnerable. The report, which you must supply an e-mail address to receive, provides general information about the problem. It does not tell you, for example, which one of your applications is open to attack.

At the moment, there appears to be only two ways to defend against this attack. First, you can subscribe to Check Point's Mobile Threat Prevention service. This program detects Certifi-Gate in two ways. First, it uses an application analysis which includes Mobile Threat Emulation. This runs the application in an specifically modified (instrumented) emulator in order to examining their behavior. The other is advanced static code analysis. In this, the code is automatically decompiled and search algorithms applied to detect malicious flows in the code.

Mobile Threat Prevention's general pricing starts at $4 per device or $8 per user, which includes 3 devices.

The other method is to update the app, in the case of TeamViewer, and to uninstall the other vulnerable remote control/tech support programs. Given how bad the attacks could be, I'd recommend removing potentially vulnerable programs until the fixes are in.

Related stories:

Editorial standards