Based on anonymized data collected from users of an app designed to check for a newly revealed vulnerability in many Android devices, Check Point has discovered that at least one application currently in the Google Play store is exploiting the vulnerability to gain root access to the Android OS—and bypassing Google’s security scans of Play applications to do so.
While the app was discovered installed on an infinitesimal percentage of devices checked by Check Point, it shows that the vulnerability caused by insecure OEM and cell carrier software meant to provide remote access to devices for customer service engineers has already been exploited by “legitimate” phone applications—and the method used to bypass Google’s security checks could be used for more malicious purposes on millions of devices. And there’s no easy way for Google or phone manufacturers alone to patch the problem.
At the Black Hat security conference in Las Vegas earlier this month, Check Point’s Ohad Bobrov and Avi Bashan presented research into an Android vulnerability introduced by software installed by phone manufacturers and cellular carriers that could affect millions of devices. Labeled by Bobrov and Bashan as “Certifi-Gate," the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service—including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.