Researchers Uncover a New Android SMS Vulnerability

The hits keep on coming. Barely a week after the Stagefright bugs exposed a significant vulnerability in Android phones, another critical one has surfaced.

Two Israeli researchers from Check Point presented their findings on a critical Android vulnerability at the Black Hat conference in Las Vegas. Dubbed ‘Certifi-gate’, it could potentially expose hundreds of millions of Android devices to attackers, according to a report in Forbes.

The researchers found the fault in the way OEMs (Original Equipment Manufacturers of devices, such as Samsung, LG, HTC, Lenovo and Sony) implement Remote Support. The plugins these remote-support tools rely on are signed with the OEMs’ own certificates, which is what grants them privileged access to the device’s screen and input controls; the flaw lets third-party applications claim that access for themselves, turning the certificates that were meant to secure the device into the way in.

This means that an attacker can effectively watch what Android users are doing on their phones and take control of the targeted phone or tablet.

A certifiable catch-22

Fundamentally, there are two ways for an attacker to gain this administrator-level access:

  • Getting the target to install a malicious app through social engineering, even one placed in the Google Play store. While appearing legitimate and requesting very few permissions, such an application can carry a cloned signing certificate that gives it the remote-support plugin’s access to the phone.
  • A simple text message to the phone can also trigger the remote-access tools to execute commands, effectively handing over complete control of the device, much like the Stagefright threat.

Ohad Bobrov and Avi Bashan, the two researchers who discovered the vulnerability, pulled no punches in stating the critical nature of the threat.

“All Android devices from major OEMs are vulnerable – hundreds of millions of devices,” the researchers told FORBES.


There is a catch inherent in dealing with the vulnerability, according to the researchers. Certificates are meant to guarantee the authenticity of applications: an app signed by the original company is assumed not to be malicious. These certificates are central to the way applications work, because they govern which parts and features of an Android device an app is allowed to access.

However, the vulnerability shows that these certificates can be cloned and used maliciously. While revoking the certificates may sound like a quick fix, it is counter-productive: the trusted certificates are the OEMs’ own, so revoking them would also knock out the OEMs’ legitimate software signed with them, the duo noted.
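The point about cloning deserves a concrete illustration, because not every part of a certificate can be cloned. The following is an added example, not Check Point’s code or any OEM’s plugin, and the article does not say which certificate fields the vulnerable plugins actually compared; the names (“Example OEM”, “OEM Remote Support”), the serial number and the two check functions are constructed here to show the general principle. Anyone can mint a self-signed certificate that copies the OEM’s subject, organisation and serial number, so a caller check that compares only those fields accepts the clone; what cannot be copied is the OEM’s private key, so a check that pins the digest of the entire DER-encoded certificate rejects it. Go is used here because its standard library can generate and parse the certificates with no external dependencies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a self-signed certificate with the given common name and
// serial number, using a freshly generated key. Android app-signing
// certificates are self-signed, so anyone can produce one with any name.
// (Hypothetical OEM name and values, constructed for this example.)
func selfSigned(cn string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"Example OEM"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * 365 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// WeakCallerCheck trusts any caller whose signing certificate carries the
// expected subject and serial number. Both are plain fields that an attacker
// can copy into a self-signed certificate of their own.
func WeakCallerCheck(trusted, caller *x509.Certificate) bool {
	return caller.Subject.String() == trusted.Subject.String() &&
		caller.SerialNumber.Cmp(trusted.SerialNumber) == 0
}

// StrongCallerCheck pins the SHA-256 digest of the whole DER-encoded
// certificate. A clone with identical names still has a different public key
// and signature, so its digest can never match the pinned one.
func StrongCallerCheck(pinnedDigest [32]byte, caller *x509.Certificate) bool {
	return sha256.Sum256(caller.Raw) == pinnedDigest
}

// Result records how each check treats the genuine certificate and the clone.
type Result struct {
	GenuineAccepted bool // genuine OEM certificate passes the pinned check
	CloneWeak       bool // clone passes the field-comparison check
	CloneStrong     bool // clone passes the pinned-digest check
}

// Demo builds an "OEM" certificate, pins its digest, then has an attacker
// clone every visible field of it with a different key and runs both checks.
func Demo() Result {
	oem := selfSigned("OEM Remote Support", 0x1337)
	pinned := sha256.Sum256(oem.Raw)

	// The attacker copies subject, organisation and serial, but cannot copy
	// the OEM's private key, so the clone is signed by a different key.
	clone := selfSigned("OEM Remote Support", 0x1337)

	return Result{
		GenuineAccepted: StrongCallerCheck(pinned, oem),
		CloneWeak:       WeakCallerCheck(oem, clone),
		CloneStrong:     StrongCallerCheck(pinned, clone),
	}
}

func main() {
	r := Demo()
	fmt.Printf("genuine cert passes pinned check: %v\n", r.GenuineAccepted)
	fmt.Printf("clone passes weak field check:    %v\n", r.CloneWeak)
	fmt.Printf("clone passes pinned check:        %v\n", r.CloneStrong)
}
```

The weak check accepts the clone and the pinned check rejects it while still accepting the genuine certificate. This is also why revocation is an awkward remedy in this case: the certificate a pinned check should trust is the OEM’s own, and revoking it would cut off every legitimate OEM component signed with it.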

A spokesperson for Google issued the following statement, acknowledging the vulnerabilities the researchers reported and thanking them for it.

“We want to thank the researcher for identifying the issue and flagging it for us. The issue they’ve detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue.”

Check Point stressed that the only way to fully address the vulnerability is for OEMs and mobile carriers to work together to update the vulnerable plugins present on the great majority of Android phones. Google and Check Point have also confirmed that Nexus devices (both phones and tablets) are not affected by the vulnerability.