Android Certifi-gate vulnerability exploited, no patches in sight

Check Point, the company that disclosed the Certifi-gate vulnerability a few weeks ago, has published a blog post with further analysis of the problem. The security researchers report that an app called Recordable Activator was exploiting the vulnerability, using TeamViewer's plugin to gain system-level access and record the screen. The app has now been removed from Google Play, although Check Point claims it had somewhere between 100,000 and 500,000 downloads before that point.

The security company provides an application that tests whether a device is vulnerable and collects anonymous data. It's important to make a distinction: a "vulnerable device" is exploitable only if the user installs a remote support plug-in, while one that's both vulnerable and has a plug-in installed is far easier prey. Only 42.1% of scanned devices are considered clean, and a further 42.1% are vulnerable but unaffected. Of the 15.8% of devices that are vulnerable and have a remote support plug-in installed, 0.1% are under active exploit.

The company also provides a breakdown by manufacturer. Sony's devices fared well with a 99% clean rating, but the same can't be said for Samsung and HTC. Only 14.8% and 5% of devices from those manufacturers are considered safe, respectively. LG was the worst by far—only 8.6% of its devices are clean, and a whopping 72.4% have a vulnerable remote support plug-in installed.

Check Point also provides mitigation guidelines. For devices under active exploit or that have a vulnerable plug-in installed, it's recommended that users disable remote support services in Android's app management. For devices that are vulnerable but don't yet have remote support apps, users are advised to avoid installing them, and to run Check Point's scanner app afterwards if they do.

As a final note, Check Point is pretty clear on the patching situation for this vulnerability: the company says "as far as we know today, no device manufacturers have delivered a patch."

Comments closed
    • flip-mode
    • 4 years ago

    I just ran the scan and it says I’m not affected. That’s on a Nexus 5.

    • Zizy
    • 4 years ago

    The best solution to not get infected is to simply not install apps. But why not get WP then? 😀

      • Klimax
      • 4 years ago

      Heh. We got apps too…

    • oldog
    • 4 years ago

    So… is an encrypted Android phone at risk from any of these exploits?

      • trackerben
      • 4 years ago

      Likely if they enabled remote support apps with iffy plug-ins installed, since these things can default to deep filesystem access which is an Android threat specialty.

      • just brew it!
      • 4 years ago

      Sounds like it is a screen-scraper. No access to the internal storage required, it just needs access to the contents of the display.

      • maxxcool
      • 4 years ago

      If you’re using it, it’s not encrypted. Data you touch and use has to be clear text at some point and can be dumped or sniffed.

    • DancinJack
    • 4 years ago

    FWIW, my 2014 (Verizon) Moto X (stock/no root) is NOT vulnerable. I don’t install anything at all shady, or even that many apps in general, though.

      • trackerben
      • 4 years ago

      This is the Android users’ strategy from here on. Don’t install many apps, don’t get too curious about unknown ones. Buy a Nexus every two years or so, and any other brand after its last major OEM update or two.

    • bthylafh
    • 4 years ago

    Seriously, though. Stop with the -gate crap.

      • DancinJack
      • 4 years ago

      Please, listen to this man.

        • albundy
        • 4 years ago

        I don’t have any more thumbs to up, but yeah, this.

      • sweatshopking
      • 4 years ago

      Find your own vulnerability and you get to name it.

      • flip-mode
      • 4 years ago

      It’s odd that it bothers you so much that you’re starting gate-gate.

        • bthylafh
        • 4 years ago

        That probably sounded clever in your head.

      • Takeshi7
      • 4 years ago

      I don’t see the problem with appending -gate to the end of this. It fits, because it’s a gate to root access.

        • bthylafh
        • 4 years ago

        Unless you’ve paid attention to American media since the ’90s you probably wouldn’t understand.

      • Deanjo
      • 4 years ago

      Certifi-geddon?

    • UnfriendlyFire
    • 4 years ago

    “it’s recommended that users disable remote support services in Android’s app management.”

    Not helpful when piles of legit (and shady) apps demand permissions to access everything on your phone and the only way to deny the permission is to not install it.

    I’ll bet that it will take several months for all of the devices that are under 2 years old to be patched, and a large portion of older ones to be abandoned.

      • DancinJack
      • 4 years ago

      Luckily, Android M lets you decide on the permissions an app can have. Hopefully it’ll be a step in the right direction security-wise for Android.

      Yes I know it doesn’t matter much since you can’t have it now (unless you are on DP3 and have a Nexus), I’m just saying.

      edit: spelling

        • UnfriendlyFire
        • 4 years ago

        By that point, I would have to root my first-gen Moto G to install Android M (with no guarantees that the installation would work).

        Less tech-savvy users would have to upgrade to the new phones to get the new OS.

          • trackerben
          • 4 years ago

          If we’ll need to buy new phones to stay safe and good, we’ll be looking at Apple or Microsoft models which won’t be giving us many big security headaches.

        • Prestige Worldwide
        • 4 years ago

        Running M DP3 on my Nexus 5 since last week. Seems solid so far.

        • jihadjoe
        • 4 years ago

        I seem to remember things were that way before.

        (or I may have been running CyanogenMod on an older device)
