Mobile device screens recorded using the Certifi-gate vulnerability

Shouldn’t even be possible on thingies not jailbroke

Vulnerable plug-ins have been installed on hundreds of thousands of Android devices, allowing screens to be recorded, according to data from the scanning tool which discovered that the so-called Certifi-gate vulnerability is already being exploited in the wild.

The Certifi-gate vulnerability was disclosed by security researchers at Check Point during the Black Hat conference in Las Vegas earlier this month.

The Check Point team also released a scanner app that checks Android devices for the vulnerability. Users have the option to share scan results with Check Point.

The Certifi-gate scanner app has nearly 100,000 downloads on Google Play, and Check Point has received over 30,000 anonymous scan results from users. These anonymous stats have allowed Check Point to assess the level of exposure to the vulnerability across different devices and vendors.

More than 40 per cent of all the scan samples showed devices were vulnerable to Certifi-gate.

And 16 per cent of samples showed a vulnerable plug-in was installed on the device, allowing any malicious application to take full control of the device by exploiting the installed plug-in.

In fact, a handful of scanned devices had already been exploited by a specific app from a UK-based company, which was available from the Play Store and has already seen between 100,000 and 500,000 downloads.

The Recordable Activator app, developed by Invisibility, uses the Certifi-gate vulnerability, bypassing the Android permission model to access system-level resources.

Avi Basham, a mobile security researcher at Check Point, explained that the app is able to record the screen on devices onto which it is installed. Users of affected devices are not notified that this is happening, and the whole process is in any case something that should not be possible on devices that are not jailbroken.

“It exploits the Certifi-gate vulnerability to gain system permissions,” Basham told El Reg. “This should violate Play Store conditions.”

Christopher Fraser, a representative of Invisibility, responded to our queries by explaining that developers did not set out to exploit a vulnerability.

Recordable is a screen recorder ... able to record the screen via four possible methods: "activation" via USB, Android 5 projection, root, and via the TeamViewer plugin (which saved people having to activate on older versions of Android).

Recordable Activator used the older versions of the TeamViewer plugin in exactly the same way that TeamViewer did. It did this in response to a user requesting it ... and would notify the user in the same way that TeamViewer would.

Google removed the older versions of the TeamViewer plugin a few weeks ago and has now removed Recordable Activator.

Recordable is primarily used by gamers wanting to record their gameplay and upload it to YouTube. Hundreds of thousands of kids use it to run their YouTube channels.

El Reg also quizzed Google, which confirmed that the app had been suspended.

The Certifi-gate vulnerability is a risk for apps downloaded from third-party app stores as well as Google Play, although scanning using the Check Point tool has only turned up issues on Google Play thus far.

Certifi-gate takes advantage of security shortcomings in the architecture of popular mobile Remote Support Tools (RSTs) used by almost every Android device manufacturer and network service provider.

Malicious applications could gain unrestricted access to a targeted device by impersonating plug-ins for legitimate tools such as TeamViewer, as explained in greater depth in a blog post by Check Point here. ®
