An application available in the Google Play store until August 24 took advantage for months of a flaw in the TeamViewer remote support tool for Android in order to enable screen recording on older devices.
The app's developer discovered the vulnerability independently from security researchers from Check Point Software Technologies who presented it earlier this month at the Black Hat security conference along with similar flaws in other mobile remote support tools.
The Check Point researchers dubbed the issues Certifi-gate because they stem from failures to properly validate the digital certificates of remote support apps that are supposed to communicate with privileged plug-ins installed in the system.
Companies that create remote support tools for Android devices, like TeamViewer and Rsupport, have convinced device manufacturers to sign some of their software components with their OEM (original equipment manufacturer) digital certificates. This gives those components, which are known as plug-ins or add-ons, system level privileges and access to powerful functionality that is not normally available through the Android APIs (application programming interfaces).
In some cases, these remote support plug-ins come preloaded on devices, but they can also be installed later from Google Play. Both TeamViewer and Rsupport distribute versions of their plug-ins for individual manufacturers through Google's app store.
The plug-ins are supposed to only allow the official remote support tools from those software companies to access their functionality. However, because of flaws in how certificate checking was implemented, any rogue app with no special permissions could masquerade as an official tool and gain control over devices.
The Check Point researchers notified Google and the affected phone vendors months before they publicly disclosed the issue. After their presentation at Black Hat, a Google representative said in a statement that OEMs were providing updates to resolve the issue and that the company hadn't seen any exploit attempts.
The representative also said that Google is constantly monitoring for potentially harmful applications through Android services like Verify Apps and SafetyNet and advised users to only download applications from trusted sources like Google Play.
TeamViewer also announced that it had released patched versions of its remote support tool and plug-in in advance of Check Point's report.
That's why it came as a surprise to Check Point when the company recently found a popular app called Recordable Activator in Google Play that appeared to take advantage of the Certifi-gate bug.
The app was found thanks to a free tool released by Check Point that was used by over 30,000 Android users to scan if their devices were vulnerable to the Certifi-gate issues. The scans submitted anonymously to Check Point revealed that nearly 15 percent of devices had a vulnerable remote support tool plug-in installed; 42 percent were technically vulnerable, but didn't have a plug-in installed yet; and 0.01 percent had already been exploited.
Sign up for CIO Asia eNewsletters.