Researchers with Check Point observed a popular app on the Google Play store successfully exploiting Certifi-gate, a critical Android vulnerability that the security firm disclosed at Black Hat USA 2015 in Las Vegas.
At the conference, Avi Bashan, technology leader at Check Point, demonstrated the vulnerability to SCMagazine.com. He showed how a malicious app requiring no special permissions can enable an attacker to completely take over nearly any device running the popular mobile operating system.
Bashan showed the vulnerability using a proof-of-concept flashlight app, but the offending application observed in the Google Play store is Recordable Activator, a screen recording app from U.K.-based Invisibility Ltd with between 100,000 and 500,000 downloads.
Unlike the flashlight app that exploited the Certifi-gate vulnerability to completely take over devices, Bashan said that Recordable Activator could only be used to record the screen.
A Google spokesperson confirmed to SCMagazine.com in a Tuesday email correspondence that the app has been suspended, but that two other apps by Invisibility Ltd – ‘EASY screen recorder NO ROOT,’ and ‘FREE screen recorder NO ROOT’ – do not exploit the vulnerability and are still available on the Google Play store.
Certifi-gate exists due to a problem with the architecture of popular mobile Remote Support Tools used by practically all device manufacturers and network service providers. According to a Tuesday Check Point post, the Recordable Activator issue involves a vulnerable version of a TeamViewer plugin.
TeamViewer took steps earlier this month to mitigate the Certifi-gate threat, explaining in a press release that the “updated version of TeamViewer QuickSupport for Android includes an improved security mechanism to ensure safe communication between internal app components.”
Bashan told SCMagazine.com in a Tuesday email correspondence that despite the efforts taken by TeamViewer, older versions of the plugin are still out there and someone attempting to exploit Certifi-gate could still push vulnerable versions of the plugin from – for example – a third-party server.
Christopher Fraser, director of Invisibility Ltd and developer of Recordable Activator, explained to SCMagazine.com in a Tuesday email correspondence that exploiting the Certifi-gate vulnerability was never his intention.
Fraser said he contacted vendors to get his own plugin signed in order to simplify processes for using the app. It was while waiting for a response that he found the TeamViewer QuickSupport app is freely distributable, he said.
“The plugins allowed [third-party] applications to access the screen so I added support for using that via the Recordable Activator app,” Fraser said. “I only intended that this was a temporary solution until I had my own plugin, but I never received any responses from the vendors I contacted.”
Meanwhile, Check Point has collected more than 30,000 anonymous scan results from users of its Certifi-gate scanner app. From that data, the security firm determined that 42 percent of devices were not vulnerable to Certifi-gate, 42 percent were vulnerable, nearly 16 percent had a vulnerable plugin installed, and .01 percent had been exploited.