Mobile device screens recorded using the Certifi-gate vulnerability
Shouldn’t even be possible on thingies not jailbroke
Vulnerable plug-ins have been installed on hundreds of thousands of Android devices, allowing screens to be recorded, according to data from the scanning tool which discovered that the so-called Certifi-gate vulnerability is already being exploited in the wild.
The Certifi-gate vulnerability was disclosed by security researchers at Check Point during the Black Hat conference in Las Vegas earlier this month.
The Check Point team also released a scanner app that checks Android devices for the vulnerability. Users have the option to share scan results with Check Point.
The Certifi-gate scanner app has nearly 100,000 downloads on Google Play, and Check Point has received over 30,000 anonymous scan results from users. These anonymous stats have allowed Check Point to assess the level of exposure to the vulnerability across different devices and vendors.
More than 40 per cent of all the scan samples showed devices were vulnerable to Certifi-gate.
And 16 per cent of samples showed a vulnerable plug-in was installed on the device, allowing any malicious application to take full control of the device by exploiting the installed plug-in.
In fact, a handful of scanned devices had already been exploited with a specific app from a UK-based company, which was available from the Play Store and has already seen between 100,000 and 500,000 downloads.
The Recordable Activator app, developed by Invisibility, uses the Certifi-gate vulnerability, bypassing the Android permission model to access system-level resources.
Avi Basham, a mobile security researcher at Check Point, explained that the app is able to record the screen on devices onto which it is installed. Users of affected devices are not notified that this is happening, and the whole process is in any case something that should not be possible on devices that are not jailbroken.
“It exploits the Certifi-gate vulnerability to gain system permissions,” Basham told El Reg. “This should violate Play Store conditions.”
Christopher Fraser, a representative of Invisibility, responded to our queries by explaining that the developers did not set out to exploit a vulnerability.
Recordable is a screen recorder ... able to record the screen via four possible methods: "activation" via USB, Android 5 projection, root, and via the TeamViewer plugin (which saved people having to activate on older versions of Android).
Recordable Activator used the older versions of the TeamViewer plugin in exactly the same way that TeamViewer did. It did this in response to a user requesting it ... and would notify the user in the same way that TeamViewer would.
Google removed the older version of the TeamViewer plugins a few weeks ago and has now removed Recordable Activator.
Recordable is primarily used by gamers wanting to record their gameplay and upload it to YouTube. Hundreds of thousands of kids use it to run their YouTube channels.
El Reg also quizzed Google, which confirmed that the app had been suspended.
The Certifi-gate vulnerability is a risk for apps downloaded from third-party app stores as well as Google Play, although scanning using the Check Point tool has only turned up issues on Google Play thus far.
Certifi-gate takes advantage of security shortcomings in the architecture of popular mobile Remote Support Tools (RSTs) used by almost every Android device manufacturer and network service provider.
Malicious applications could gain unrestricted access to a targeted device by impersonating plug-ins for legitimate tools such as TeamViewer, as explained in greater depth in a blog post by Check Point. ®