Major Android remote-access vulnerability is now being exploited [Updated]
Based on anonymized data collected from users of an app designed to check for a newly revealed vulnerability in many Android devices, Check Point discovered that one application in the Google Play store is exploiting the vulnerability to gain a high level of access to the Android OS, bypassing user permissions—and bypassing Google’s security scans of Play applications to do so. Update: A Google spokesperson told Ars that the offending app has been suspended in the Play store.
While the app was discovered installed on an infinitesimal percentage of devices checked by Check Point, it shows that the vulnerability caused by insecure OEM and cell carrier software meant to provide remote access to devices for customer service engineers has already been exploited by “legitimate” phone applications—and the method used to bypass Google’s security checks could be used for more malicious purposes on millions of devices. And there’s no easy way for Google or phone manufacturers alone to patch the problem.
At the Black Hat security conference in Las Vegas earlier this month, Check Point’s Ohad Bobrov and Avi Bashan presented research into an Android vulnerability introduced by software installed by phone manufacturers and cellular carriers that could affect millions of devices. Labeled by Bobrov and Bashan as “Certifi-Gate,” the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service—including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.
Jump to original: