Hours after Google and smartphone makers promised an imminent patch for the infamous Stagefright vulnerability another critical flaw in Android is being outed.
The “Certifi-gate” vulnerability allows applications to gain illegitimate privileged access rights, typically reserved for remote support applications that are either pre-installed or personally installed on Android devices.
Attackers can exploit Certifi-gate to gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and much more.
The vulnerability allows an attacker to take advantage of insecure apps certified by OEMs and carriers to gain unrestricted access to any device, including screen scraping, key logging, private information exfiltration, and back door app installation.
The root causes of these vulnerabilities include hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a compromised device.
The flaw affects hundreds of millions of Android devices from vendors including LG, Samsung, HTC and ZTE, according to security researchers at Check Point. The latest mega-flaw isn’t related to Stagefright, but it’s on the same scale in terms of numbers of devices (Android smartphones and tablets) affected.
All affected vendors were notified by Check Point about Certifi-gate and have begun releasing updates. Even so, fixing Certifi-gate may be even trickier than resolving the Stagefright vulnerability1.
For one thing the Certifi-gate vulnerability can only be resolved after a new software build is pushed to the device – a notoriously slow process. Even smartphones and tablets running the latest version of Android (Lollipop) are at risk.
Worse yet, resolving Certifi-gate involves updating multiple components and mobile remote support tool (mRST) plugins, according to Check Point researcher Avi Bashan.
The Certifi-gate patching process is fragmented as it relies on multiple updates from a range of different vendors (Google, OEMs and developers, especially those that make mRSTs) pushing updates.