Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Certifi-gate flaw in Android remote support tool exploited by screen recording app

Lucian Constantin | Aug. 26, 2015
An app developer found that he could trick TeamViewer to enable screen recording on Android.

In fact, this incident proves that even if TeamViewer released a fixed version of its plug-in, attackers could still abuse old versions, the Check Point researchers said in their report. It also shows that such apps could be present in Google Play despite Google's security checks.

According to Michael Shaulov, the head of mobility product management at Check Point, the company reported the application to Google on Thursday.

A Google representative confirmed via email that the application was suspended Monday.

Despite Google's previous statement that it is monitoring for attempts to exploit this issue, the company failed to detect Recordable Activator, Shaulov said. While this particular app is not malicious, it exploits the flaw to implement its screen recording workaround. This leaves users with no guarantee that there are no malicious apps in Google Play right now that do the same; or that there won't be any in the future.

The only real fix would be for phone manufacturers to release firmware updates that would revoke the certificates used to sign the old and vulnerable remote support plug-ins, the Check Point researchers said in their report. "As far as we know today, no device manufactures have delivered a patch."

Fraser, who is unhappy that his app was suspended, believes that this is not Google's problem and that expecting the company to clean up the mess after device manufacturers who decided to sign those plug-ins is a "a bit much to expect."

"If there's an angle to this story I would like to see told it's that hundreds of thousands of kids were using the plug-ins to run their YouTube channels, and can't any more," he said. "Google's not interested because they want people to move to Android 5."

 

Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.