Android Certifi-gate flaw threatens hundreds of millions of devices

Google's Android mobile operating system comes with a fundamental flaw in its privileged permissions mechanism that can be abused by attackers to remotely access devices without users noticing, exposing sensitive data.

Security vendor Check Point Software studied how mobile remote support tools (mRSTs) are implemented, and discovered a lack of certificate revocation and the discarding of privileged permissions, among other things.

The poor security implementation for mSRTs on Android is dangerous as the tools have full access to user devices.

Additionally, it may not be possible to patch against the flaw, which Check Point said affects hundreds of millions of devices.

"The problem is further intensified because vulnerable apps cannot be completely revoked. Even after a fixed version is released, an attacker could use the old version to get control of the device," Check Point said.

Check Point tested four different mobile remote support tools [pdf] from TeamViewer, RSupport, AnySupport and CommuniTake, and said it found certificate vulnerabilities in all, which require varying degrees of expertise to exploit.

In CommuniTake, the researchers found it was possible to change settings on the main app with an SMS or text message.

They discovered attackers could fully change the domain name of the command and control server for the plugin as the SMS is not authenticated and doesn't sanitise the content of messages.

The flaw makes it easy for attackers to take control of the plugin by pointing it to a command and control server under their control, giving them full access to the device.

The TeamViewer mSRT - which has over five million Google Play downloads - can be attacked with a certificate that has a serial number matching that of the plugin on the device, Check Point said.

RSupport has over ten million downloads on Google Play. It contains a vulnerable hashCode function with an integer as a hash entry - attackers can calculate the resulting hash and generate a code that matches the hard-coded hash in the plugin, the researchers found.

Since the plugins for the mSRTs are so-called exported services, they don't show up as icons in the Android launcher. This means users are unlikely to discover the plugin unless they are familiar with the advanced configuration screens in Android.

Check Point has written a scanner for the "Certifi-gate" flaw that is available on Google Play. iTnews tested a Samsung Galaxy Note 4 which came up as vulnerable.

The mSRT vulnerability in Android follows the publication of another flaw this week, which permits attackers to steal data on devices running the Google mobile operating system.