The active exploitation reports were mostly triggered by the presence of an app called Recordable Activator on the scanned devices, the Check Point researchers said in a report scheduled to be released Tuesday.
Recordable Activator, which was still present in Google Play Monday, but has since been removed, had over 500,000 installations. It enabled another application called Recordable to allow screen recording, a functionality that was not available through the standard Android APIs before Android 5.0 (Lollipop).
According to the Check Point researchers, Recordable Activator installed an older version of the TeamViewer plug-in on users' devices and then exploited the Certifi-gate authentication flaw to create a bridge between Recordable and TeamViewer. The TeamViewer plug-in had the necessary permissions to access the device screen because of its system privileges.
One interesting aspect is that Recordable Activator was last updated on Aug. 3, before Check Point's public presentation at Black Hat. This suggests that the app's developer -- a company called Invisibility Ltd -- discovered the issue independently.
The app's support website, recordable.mobi, is registered to a man named Christopher Fraser from London. Reached via email Monday, Fraser confirmed that he found the certificate validation flaw in TeamViewer on his own.
He began taking advantage of it in his app in April because it provided a simple alternative to an older and more complex method of enabling screen recording that involves connecting the phone to a computer and enabling USB debugging.
"When I looked at the other plugins available within about 10 minutes I noticed that none of them correctly implemented certificate checking and therefore allowed 3rd party apps to use them," Fraser said Monday via email. "TeamViewer's was freely distributable so I used that."
According to Fraser, he emailed Android device manufacturers in the past asking if they would be willing to sign his own plug-in, like they did for TeamViewer and other vendors, but he received no response.
"I'd really like to do a correctly implemented, secure plugin for screen recording, but at the moment I can't get a foot in the door," he said.
According to Fraser, screen recording is a functionality that a lot of users desire, especially on older devices. His Recordable app has been downloaded around 3 million times so far, "mostly by people wanting to record gameplay in games like Minecraft."
The Recordable Activator app does not appear to have been malicious in nature, but according to the Check Point researchers there was "no security on the Recordable plug-in service to make sure third parties cannot connect to it" and, therefore, access the vulnerable TeamViewer plug-in.
However, it's not clear how much that adds to the problem, since attackers could also distribute an older version of the TeamViewer plug-in themselves and then exploit the Certifi-gate issue directly, just like Fraser did in his app.