Check Point: Certifi-Gate-based attacks could take complete control of Android devices

Check Point has discovered a serious security hole with mobile remote support tools commonly used by hundreds of millions of Android devices.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

Android security holes are popping up like mushrooms after a rain. The latest, Certifi-Gate, targets serious vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugins.

Remote support apps that are vulnerable to Certifi-Gate are very common.

Check Point, a security company, revealed this set of security holes at Black Hat in Las Vegas. The company claims that it affects devices made by major manufacturers including LG, Samsung, HTC, and ZTE. Worse still, it's not just that hundreds of millions of smartphones and tablets are liable to attack: Certifi-Gate-based attacks could take complete control of Android devices.

The security hole works by using the mobile Remote Support Tool (mRST) apps' security certificates to gain privileged access rights. These remote support applications are often pre-installed and typically have root-level access to Android devices.

You see, an mRST must provide as much data as possible from the device to the remote-control support screen. The only way to do this is to give the mRST system-user-level permissions.

This means that malware that uses these Certifi-Gate vulnerabilities would gain close to unrestricted device access. This, in turn, would enable it to steal personal data, track device locations, turn on microphones to record conversations, and the like.

Worse still, Android offers no way to revoke the certificates that are providing privileged permissions. There are a variety of ways to exploit access to these certificates. Once successfully attacked, an invader can then masquerade as the original remote support app with all its system privileges.

There's nothing new about this kind of attack. Indeed, the Check Point researchers report that

"[Existing] Mobile Remote Access Trojans (mRATs) provide unauthorized, stealth access to mobile devices. An attacker can exploit mRATs to exfiltrate sensitive information from devices such as location, contacts, photos, screen capture, and even recordings of nearby sounds. While analyzing and classifying mRATs, our research team found some apps share common traits with mRST. Known mRAT players include HackingTeam, mSpy, and SpyBubble."

Specifically, Check Point has found that the following mRSTs are vulnerable to Certifi-Gate attacks: TeamViewer, Rsupport, and CommuniTake Remote Care. The company has made available a scanner app that can determine whether your device has Certifi-Gate-vulnerable mRSTs on it. You can download the scanner app from Google Play.

Even if you find you are vulnerable, there's not much you can do about it. According to Check Point, "The problem is further intensified because vulnerable apps cannot be completely revoked. Even after a fixed version is released, an attacker could use the old version to get control of the device."

Check Point claims its new Check Point Mobile Threat Prevention service can block such attacks. The company does not, however, make it clear how this service can protect against Certifi-Gate attacks. I presume it would work by checking mRST security certificates to make sure that they're valid and alerting you if a device has been compromised.

That said, Check Point has informed Google and the vulnerable OEMs and ISVs of the technical details of how these attacks can be made. Until the core problem of vulnerable security certificates is fixed, Certifi-Gate will remain a threat. Fortunately, there is no Certifi-Gate malware in the wild at this time.
