Google Pulls Plug on Vulnerability Exploiting App

Google has removed from the Google Play store a mobile application exploiting the Certifi-gate vulnerability, which was uncovered and publicized at the Black Hat conference earlier this year.

Recordable Activator, a screen recorder app developed for Android phones, tablets, and other devices, has been removed from the Google Play store by Google after the app was found to exploit a vulnerability dubbed ‘Certifi-gate,’ ThreatPost reports.

Researchers at Check Point Technologies, who discovered the original vulnerability, note that the number of installs for the application is anywhere between 100,000 and 500,000. However, the vulnerability was successfully exploited on only three Android devices, the researchers say.

“From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents,” Check Point noted. “The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device.”

Certifi-gate comes to the fore.

Check Point’s own Certifi-gate scanner application collected the data about the exploits, the company explained in a blog post. Other highlights from the scans show that:

  • LG devices are the most vulnerable, along with Samsung and HTC.
  • 16% of devices scanned show that they contain the vulnerable plugins.
  • At least three devices sending anonymous scan results were actively being exploited.

The Certifi-gate vulnerability was initially revealed at the Black Hat conference earlier this month by the researchers. When exploited, it allows an attacker to take complete remote control of the targeted device using a malware-laced application or a simple SMS message. The vulnerability stems from third-party remote support tools that are usually pre-installed on Android devices by mobile manufacturers and carriers. These tools are also readily downloadable via the Play Store.

Since these support tools are routinely signed with OEM certificates, they have system-level privileges to handle remote support tasks. Check Point revealed that authentication roadblocks could easily be bypassed by a malicious application using these support tools.

Because the tools are preinstalled, patching the vulnerability is a daunting task: a fix would require hardware manufacturers to push patched ROMs to vulnerable devices.

“It will take a long time until there is a new version out there, but what’s more problematic is not only the bug itself, it’s the architecture,” Check Point researcher Ohad Bobrov said. “The vendors and OEMs signed this vulnerable mRST (mobile remote support tools) with their certificate. You can’t revoke it, otherwise the plugin won’t work.”