Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned

(This post was edited to include additional remediation advice on August 10, 2015.)

Check Point today released details about Certifi-gate, a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider. The Check Point mobile threat research team disclosed its findings at a briefing session at Black Hat USA 2015 in Las Vegas, NV this morning.

What is Certifi-gate?
Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and the system-level plugins on a device. mRSTs allow remote personnel to offer customers personalized technical support for their devices by replicating the device’s screen and by simulating screen taps from a remote console. If exploited, Certifi-gate allows a malicious application to silently gain unrestricted access to a device, elevating its privileges to access user data and perform a variety of actions usually available only to the device owner.

How does Certifi-gate make my device vulnerable?
Check Point researchers examined the verification methods by which the trusted components of these mRSTs validate remote support applications, and discovered numerous faulty, exploitable implementations of this logic. A malicious application on the device can therefore masquerade as the legitimate remote support application and inherit the plugin’s system privileges. An attacker who gets such an application installed silently gains unrestricted access to the device and full control of it, including access to sensitive user and corporate data.
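As an added example (not Check Point’s code nor any mRST vendor’s; the post does not say which checks were faulty), this is how a system-level plugin can authorize the application calling it by the calling package’s signing certificate, rather than by attributes an arbitrary self-signed app can reproduce. The class name and the pinned digest are assumed placeholders.

```java
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Set;

/**
 * Hypothetical caller check for a system-level support plugin (illustrative names, not any vendor's code).
 * Call isUidAuthorized(pm, Binder.getCallingUid()) inside each Binder transaction handler, where
 * getCallingUid() identifies the process that sent the transaction.
 */
public final class PluginCallerAuth {
    // SHA-256 digest(s) of the signing certificate(s) the plugin accepts.
    // Placeholder value: a real plugin embeds the digest of its vendor's release certificate.
    private static final Set<String> ALLOWED_SIGNER_SHA256 = Collections.singleton(
            "0000000000000000000000000000000000000000000000000000000000000000");

    /**
     * Authorize by the signing certificate of every package sharing the calling UID, never by
     * package name, certificate subject or serial number, which any self-signed certificate can copy.
     */
    static boolean isUidAuthorized(PackageManager pm, int uid) {
        String[] packages = pm.getPackagesForUid(uid);
        if (packages == null || packages.length == 0) return false;
        for (String pkg : packages) {
            try {
                // GET_SIGNATURES is the pre-API-28 flag; newer code reads GET_SIGNING_CERTIFICATES.
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                Signature[] sigs = info.signatures;
                // Exactly one signer, so an untrusted co-signer cannot ride along on a trusted one.
                if (sigs == null || sigs.length != 1) return false;
                if (!ALLOWED_SIGNER_SHA256.contains(sha256Hex(sigs[0].toByteArray()))) return false;
            } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
                return false; // unknown package or no SHA-256 provider: fail closed
            }
        }
        return true;
    }

    // Hex SHA-256 of the DER-encoded signing certificate returned by Signature.toByteArray().
    private static String sha256Hex(byte[] certDer) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(certDer)) {
            sb.append(Integer.toHexString((b & 0xff) | 0x100).substring(1));
        }
        return sb.toString();
    }
}
```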

What devices are at risk?
Vulnerable components of these third-party mRSTs are often pre-loaded on devices or included as part of a manufacturer’s or network provider’s approved software build for a device. This creates significant difficulty in the patching process and makes affected components impossible for the user to remove or to work around.

Check Point has also made available a scanner app that can determine whether your device is vulnerable to Certifi-gate. Click here to download the scanner app from Google Play.

Figure: Example of a Check Point-built “malicious app” using the TeamViewer plugin to gain access to an Android device.

How can I protect myself?
Device manufacturers and wireless service providers need to provide a security update that would fully protect your device from vulnerabilities like Certifi-gate. Until an update is received, Check Point recommends taking several steps to mitigate the risk:

  • Examine carefully any application before installing it to make sure it’s legitimate.
  • Contact your device manufacturer and mobile carrier to receive information regarding security updates.
  • Install the latest version of Android and your ROM as soon as they are issued.
  • Uninstall or disable the Remote Support Tool plugins when possible, according to the vendor’s instructions.
  • Avoid installing applications from untrusted sources such as third-party markets or unfamiliar links.
  • Use a mobile security solution to provide protection from malware installed on the device.

What other solutions are available to help mitigate these risks?
Also announced Thursday was Check Point Mobile Threat Prevention, an innovative mobile security solution enterprises can use to battle today’s mobile threat environment effectively, including new and previously unknown threats like Certifi-gate. The solution delivers a complete platform for stopping mobile threats on iOS and Android, and delivers real-time threat intelligence into an organization’s existing security and mobility infrastructures for even greater visibility.

Learn more about Mobile Threat Prevention at http://www.checkpoint.com/mobilesecurity.

How can I learn more about Certifi-gate?
The Check Point mobile threat research team has compiled a report that includes a detailed analysis of Certifi-gate, how it works, and how you can protect your data. Click here to download the report.