(This post was edited to include additional remediation advice on August 10, 2015.)

Check Point today released details about Certifi-gate, a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider. The Check Point mobile threat research team disclosed its findings at a briefing session at Black Hat USA 2015 in Las Vegas, NV this morning.

What is Certifi-gate?
Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugins on a device. mRSTs allow remote personnel to offer customers personalized technical support for their devices by replicating a device’s screen and by simulating screen clicks at a remote console. If exploited, Certifi-gate allows malicious applications to gain unrestricted access to a device silently, elevating their privileges to access user data and perform a variety of actions usually only available to the device owner.

How does Certifi-gate make my device vulnerable?
Check Point researchers examined the verification methods by which trusted components of the mRSTs validate remote support applications, and discovered numerous faulty, exploitable implementations of this logic. A mobile attacker can therefore masquerade as the original remote support application and obtain system privileges on the device, then install malicious applications that gain unrestricted, silent access and full control of the device, including its sensitive user and corporate data.
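To make the authorization problem concrete, here is an added Python simulation (not Check Point's code, and not the Android API) of how a system-level plugin should decide whether the app calling it is the genuine remote support app. Certificates are stand-in dataclasses rather than real X.509 objects, and the weak check that matches only on the certificate subject name is an assumed illustration of a faulty verifier, not the specific flaws described in the report.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningCert:
    """Constructed stand-in for an X.509 signing certificate (assumption: no real DER parsing)."""
    subject: str
    der: bytes  # constructed bytes standing in for the certificate's DER encoding

    def fingerprint(self) -> str:
        # Fingerprint covers the whole certificate, so it changes if the key changes.
        return hashlib.sha256(self.der).hexdigest()


@dataclass(frozen=True)
class CallerInfo:
    """What a plugin can learn about the app invoking it: package name and its signers."""
    package: str
    signers: tuple  # tuple[SigningCert, ...]


# Constructed example certificates: the vendor cert signs the legitimate remote support app;
# the other cert copies the subject name but belongs to a different key.
VENDOR_CERT = SigningCert("CN=Remote Support Vendor", b"constructed-der-bytes-vendor-key")
OTHER_CERT = SigningCert("CN=Remote Support Vendor", b"constructed-der-bytes-other-key")

# Allowlist: package name -> SHA-256 fingerprints of the full signing certificates.
PINNED = {"com.example.remotesupport": {VENDOR_CERT.fingerprint()}}
EXPECTED_SUBJECT = "CN=Remote Support Vendor"


def weak_authorize(caller: CallerInfo) -> bool:
    """Assumed faulty verifier: accepts any signer whose subject name looks right."""
    return caller.package in PINNED and any(c.subject == EXPECTED_SUBJECT for c in caller.signers)


def strict_authorize(caller: CallerInfo) -> bool:
    """Pin full-certificate fingerprints; every signer must be pinned and none may be unknown."""
    pins = PINNED.get(caller.package)
    if not pins or not caller.signers:
        return False
    return all(c.fingerprint() in pins for c in caller.signers)


GENUINE = CallerInfo("com.example.remotesupport", (VENDOR_CERT,))
LOOKALIKE = CallerInfo("com.example.remotesupport", (OTHER_CERT,))
MIXED = CallerInfo("com.example.remotesupport", (VENDOR_CERT, OTHER_CERT))
```

The strict check accepts only GENUINE, while the subject-name check also accepts LOOKALIKE, which is the kind of gap that lets an unrelated app be treated as the trusted remote support client.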

What devices are at risk?
Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network provider’s approved software build for a device. This creates significant difficulty in the patching process and makes affected components impossible to remove or to work around.

Check Point has also made available a scanner app that can determine whether your device is vulnerable to Certifi-gate. The scanner app is available for download from Google Play.

[Figure] Example of a Check Point-built “malicious app” using the TeamViewer plugin to gain access to an Android device.

How can I protect myself?
Device manufacturers and wireless service providers need to provide a security update that would fully protect your device from vulnerabilities like Certifi-gate. Until an update is received, Check Point recommends taking several steps to mitigate the risk:

  • Examine carefully any application before installing it to make sure it’s legitimate.
  • Contact your device manufacturer and mobile carrier to receive information regarding security updates.
  • Install the latest version of Android and your ROM as soon as they are issued.
  • Uninstall or disable the Remote Support Tool plugins when possible, and according to the vendor’s instructions.
  • Avoid installing applications from untrusted sources such as 3rd party markets or unfamiliar links.
  • Use a mobile security solution to provide protection from malware installed on the device.

What other solutions are available to help mitigate these risks?
Also announced Thursday was Check Point Mobile Threat Prevention, an innovative mobile security solution enterprises can use to battle today’s mobile threat environment effectively, including new and previously unknown threats like Certifi-gate. The solution delivers a complete platform for stopping mobile threats on iOS and Android, and delivers real-time threat intelligence into an organization’s existing security and mobility infrastructures for even greater visibility.

Learn more about Mobile Threat Prevention at http://www.checkpoint.com/mobilesecurity.

How can I learn more about Certifi-gate?
The Check Point mobile threat research team has compiled a report that includes a detailed analysis of Certifi-gate, how it works, and how you can protect your data. The report is available for download from Check Point.


  1. Can I not just download and view the full report without giving you guys so much information? I see absolutely no reason you should need to know the name of my company, my phone number, or anything else really. I’m simply trying to view a report to further assess the situation.

  2. Hi
    Can you please provide technical explanation why your scanner app requires the Android identity permission?
    Thanks

  3. Good Work! Especially for providing an App to check for the certifi-gate vulnerability. But wouldn’t it be helpful if your App would provide the name of the App which is causing the security breach? This would be helpful for people who do not have the knowledge of which remote app to uninstall.

  4. I think I’ve been hacked several times… What did I see: change my android mobile language to Armenian 3 times… hacked pictures from WhatsApp two times… change my home screen and lock screen five times… the hacker put his own pictures as he wants to… this person turns on the wifi, Bluetooth and screen rotation as he wants… and now… I think he or she took the control of my mobile… because I turned it off to charge it and next day the mobile is on… and… the company that gives me the service is asking me to put more money because the service is empty of bucks… it happened two times… after I did a factory data reset…
    I have a GT-18190N Samsung..android version 4.1.2
    Please, could you help me to destroy that bastard…jeje

  6. Why hasn’t a CVE number been assigned to this vulnerability? I did a twitter search, google search and NVD search, nothing is coming up.
