Easily exploitable Certifi-gate bug opens Android devices to hijacking

Check Point’s mobile security research team discovered a vulnerability in Android that affects phones, tablets and devices made by major manufacturers including LG, Samsung, HTC and ZTE. The team disclosed its findings during a briefing session at Black Hat USA 2015.

“Certifi-gate” is a vulnerability – a set of vulnerabilities, actually – in the architecture of mobile Remote Support Tools (mRSTs) used by virtually every Android device manufacturer and network service provider.

The vulnerability allows applications to gain illegitimate privileged access rights, which are typically used by remote support applications that are either pre-installed or personally installed on Android devices.

Attackers can exploit Certifi-gate to gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and more.

Hundreds of millions of Android devices, including those running Lollipop OS, can be hijacked. A study by the researchers revealed the existence of multiple instances of a fundamental flaw within the Android customisation chain that leave millions of devices (and users) vulnerable to attack. The researchers say the vulnerabilities are “very easily exploited.”

The root causes of these vulnerabilities include hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a victim’s device.

Android offers no way to revoke the certificates that provide the privileged permissions. Left unpatched, and with no reasonable workaround, devices are exposed right out of the box. OEMs also cannot revoke the valid signed vulnerable components, making unpatched versions valid for installation on devices.

These vulnerabilities allow an attacker to take advantage of insecure apps certified by OEMs and carriers to gain unrestricted access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more.
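As an added illustration (not Check Point’s findings and not any vendor’s code), this is the kind of caller check a privileged remote-support component can use so that a forged or colliding certificate is not enough to pass its trust decision: a weak field-based check is shown beside a check that pins the full SHA-256 fingerprint of the signer’s DER certificate for every package sharing the calling UID. The pinned fingerprint and the `O=Trusted OEM` subject string are constructed placeholders.

```java
// Added example, not from the article or any OEM/mRST vendor. Assumes an Android
// service that answers Binder calls and a build-time pinned signer fingerprint.
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class CallerAuthorization {
    // Full SHA-256 over the trusted signer's DER certificate (placeholder value).
    private static final byte[] TRUSTED_SIGNER_SHA256 = hexToBytes(
            "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff");

    // Weak pattern: trusting an attacker-choosable field (subject name, serial
    // number, a truncated hash) lets a self-signed certificate carrying the same
    // field pass. Kept only to contrast with callerIsTrusted below.
    static boolean weakCheck(String subjectDn) {
        return subjectDn.contains("O=Trusted OEM");
    }

    // Hardened pattern: every signing certificate of every package owned by the
    // calling UID must hash to the pinned value, compared in constant time.
    static boolean callerIsTrusted(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (String pkg : pkgs) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                if (info.signatures == null || info.signatures.length == 0) return false;
                for (Signature sig : info.signatures) {
                    byte[] fingerprint = md.digest(sig.toByteArray());
                    if (!MessageDigest.isEqual(fingerprint, TRUSTED_SIGNER_SHA256)) return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed on any lookup error
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

Pinning a fingerprint does not solve the revocation problem the article describes; it only ensures that the trust decision depends on the whole certificate rather than on a field an attacker can copy.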

All affected vendors were notified by Check Point about Certifi-gate and have begun releasing updates. The vulnerability cannot be fixed in place; it can only be removed when a new software build is pushed to the device – a notoriously slow process (that will hopefully pick up pace in the future).

Android users can also check whether their device is vulnerable to Certifi-gate by downloading the free Check Point Certifi-gate scanner app from Google Play.