Check Point reported the vulnerability, which it calls Certifi-gate, to Google and the affected manufacturers, and some of them have already started releasing patches.
However, because the system plug-in is signed with a manufacturer's certificate, the problem can't easily be fixed, the researchers said. Such certificates cannot be revoked because that would cause all other apps added by those manufacturers to stop working as well. So an attacker could trick users into installing an older, vulnerable version of the plug-in, which would replace the patched one and re-enable the attack, they said.
During a separate talk at the Black Hat security conference Wednesday, Adrian Ludwig, Google's lead engineer for Android security, described multiple defenses built into the OS that could potentially be used to detect such an attack.
Android has a feature called Verify Apps that acts like a built-in antivirus and an inter-application firewall that could be used to detect and block malicious interactions between applications, he said.
In an emailed statement, Google thanked the researchers and noted that the company's Nexus devices are not affected and that it hasn't seen any exploitation attempts so far.
"The issue they've detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue," a Google representative said. "In order for a user to be affected, they'd need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet. We strongly encourage users to install applications from a trusted source, such as Google Play."
Samsung did not immediately respond to a request for comment about the remote support tool issue, but the company announced Wednesday that it plans to start releasing monthly security updates for its Android devices.