New Insights on the Extent, Exploitation, and Mitigation of This New Threat

Three weeks ago, Check Point publicly disclosed Certifi-gate, a new vulnerability on Android. Using anonymous data collected from the Certifi-gate scanner, an app that tells users if their devices are vulnerable, Check Point uncovered some startling new information:

  • An instance of Certifi-gate was found running in the wild in an app on Google Play
  • At least 3 devices sending anonymous scan results were actively being exploited
  • 15.84% of devices anonymously reported having a vulnerable plugin installed
  • Devices made by LG were the most vulnerable, followed by Samsung and HTC

In this blog, the research team presents its analysis of Recordable Activator, an in-the-wild exploitation of Certifi-gate, and shares new insights on the extent of the threat and recommendations for mitigation.

In-The-Wild Certifi-gate Exploitation

Recordable Activator

Recordable Activator, an app developed by UK-based Invisibility Ltd., and which has between 100,000 and 500,000 downloads on Google Play, exploited the Certifi-gate vulnerability successfully on three devices evaluated by our Certifi-gate scanner app. The Recordable Activator app bypassed the Android permission model to use the TeamViewer’s plug-in to access system level resources and to record the device screen.

<UPDATE: At August 25, 2015 @ 730AM PDT, the Check Point Mobile Research Team noticed that Google had removed Recordable Activator from Google Play. No further communication was received by Check Point from Google beyond notification that it was investigating the issue.>

Check Point reached out to both TeamViewer and Google regarding Recordable Activator. TeamViewer said that the way this app uses its plug-in is a violation of the code’s use and that it does not allow any third parties to use their code. Google said that it is investigating the issue, but it has not yet removed Recordable Activator from Google Play.

Our in-depth analysis of Recordable Activator highlights the unusual attributes of the Certifi-gate vulnerability.


A subcomponent in a multi-component utility called “EASY screen recorder NO ROOT” is designed to assist users with capturing the device screen. It’s described on Google Play as:

Recordable is the easy way to create high-quality screen recordings on Android.

  • Is simple to install and easy to use
  • Does not require root

Android restricts ordinary, non-system apps from interacting with screen capturing functionality, as this introduces significant security and privacy risks. Therefore, this functionality is usually available only to trusted, system-level apps or to apps on rooted devices.

To achieve this functionality, “EASY screen recorder NO ROOT” and its subcomponent Recordable Activator installs a vulnerable version of the TeamViewer plug-in on-demand. Because the plug-in is signed by various device manufacturers, it’s considered trusted by Android and is granted system-level permissions.

From this point, Recordable Activator exploits the authentication vulnerability and connects with the plug-in to record the device screen.

Recordable activator 1

Recordable activator 2

Recordable activator 3

From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents. The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device.

Recordable Activator demonstrates the following inherent issues related to Certifi-gate:

  1. Unprivileged apps can leverage a vulnerability to take full control of a device without having to request permissions from Android to do so.
  2. Even after TeamViewer fixed its official version, malicious parties can still abuse old versions of the plug-in to conduct malicious acts.
  3. Mobile devices can be exploited even if a vulnerable plug-in was not pre-installed on a device.
  4. Apps that can exploit these vulnerabilities can be found today on Google Play.
  5. The only fix is for manufacturers to push updated ROMs to affected devices.

 In-Depth Analysis


The utility contains two main components: the Recording app ( or and a Recordable plug-in (

Vulnerable plug-in download:

The main app supports installing the plug-in or using root / adb shell to enable screen recording through other means. If the user decides to install the plug-in, when the plug-in runs it downloads the TeamViewer plug-in APK, based on the relevant certificate of the device manufacturer.

The download takes place from, a third-party APK marketplace. (Note that the User must enable “Unknown sources” for installation.)

Recordable activator flow

Recordable Activator Flow


The Recordable plug-in exports a service that wraps around the TeamViewer plug-in service and authenticates with the spoofed certificate field. Next, the Recording app binds to the Recordable plug-in service, which then binds to the TeamViewer plug-in, and returns that binder object back to the Recording app. From this point, the main recording app can communicate with the TeamViewer plug-in directly. There is no security on the Recordable plug-in service to make sure third parties cannot connect to it.

The Recordable plug-in only provides screen recording functionality.

Spoofing the TeamViewer certificate

Spoofing the TeamViewer Certificate

Scanner Results & Mitigation

A Look at the Numbers

Breakdown of vulnerability status across all submitted samples

Breakdown of samples submitted by mobile device manufacturer

Breakdown of vulnerability status across mobile device manufacturers

Exposure & Mitigation

There are three main exposures a user may experience:

Exploited   An exploited device

The device is affected by the Certifi-gate vulnerability, a vulnerable mRST plug-in is installed, and a third-party application is exploiting the plug-in to gain elevated access to the device and its sensitive resources. (i.e. the screen or keyboard, etc.).


If your device already has the vulnerable plug-in installed, and there is also a 3rd party application that is exploiting the plug-in:

  1. Try to remove the vulnerable plug-in using the following steps: Settings –> Apps –> Locate the vulnerable plug-in and click it –> Click Uninstall
  2. Try to locate the exploiting app and uninstall it.
  3. If the plug-in was pre-installed on the device, you will most likely not be able to uninstall it. In this case, contact your device manufacturer and ask for a fix.

Vulnerable plugin flow

Vulnerable plugin identified   A device with vulnerable plug-in installed

The device is affected by the Certifi-gate vulnerability and a vulnerable mRST plug-in is installed on the device. Any malicious application can take full control of the device by exploiting the installed plug-in.


If your device already has the vulnerable plug-in installed:

  1. Try to remove the vulnerable plug-in using the following steps: Settings –> Apps –> Locate the vulnerable plug-in and click it –> Click Uninstall
  1. If the plug-in was pre-installed on the device, you will most likely not be able to uninstall it. In this case, contact your device manufacture and ask for a fix.
  1. Download only trustworthy apps, and run the Certifi-gate scanner app after you install questionable apps.

Vulnerable plugin flow

Vulnerable device identified   Vulnerable device identified

The device is affected by the Certifi-gate vulnerability. A malicious application will need to install a vulnerable plug-in before proceeding with exploitation.


If your device is in a vulnerable state, and you should consider reaching out to your mobile carrier or device manufacturer (Samsung, LG, etc.) to ask when a patch or fix will be delivered.

  • The vulnerability can be fully remediated by a new ROM that revokes certificates the old, vulnerable plug-ins were signed with. As far as we know today, no device manufacturers have delivered a patch.
  • Our current recommendation is to download only trustworthy apps, and run the Certifi-gate scanner app after installing questionable apps.
  • If you are being asked to install a plug-in for a mobile remote support tool, consider canceling the installation.

  1. Why don’t you guys have a QR code to download the app directly (not via app store), so that folks without play store access can test it? I’m thinking primarily of china, of course. I figured that someone who should be as savvy as CheckPoint would have that covered.

  2. Thank you for the excellent security research you have done, and bringing this vulnerability to light. I have a few questions.

    “5. The only fix is for manufacturers to push updated ROMs to affected devices.”

    Is that really the case? There are many Android users (like myself) that are rooted and running custom ROMs, and are in a position to make modifications that are normally outside of userspace so that we can defend ourselves instead of relying upon OEMs and carriers. Could more detailed information be provided to elaborate on where the malicious apps live on respective devices? Do they install to /System/App or /Data/App? Does a device that is rooted in any way change the way the attack is made?

    My daily driver is an LG G3 (LS990…Sprint variant) and the CheckPoint scanner app says that my “Device Model” is vulnerable. Is the vulnerability really present in every version of the LG firmware that this device has had, though? (ZV4, ZV6, ZV8, ZVA). The ROM I’m running is based upon the stock ZVA firmware, and debloated of the LG/Sprint apps that aren’t necessary. I’ve run a search on “invisibility” in TitaniumBackup (with the package name + app name option selected) and turned up nothing. I do not have the “Remote support service” application pictured in the screenshot installed, either.

    Which versions of the TeamViewer plugin were vulnerable? Currently I have these TeamViewer apps installed and the scanner app doesn’t detect an exploitable plugin, so I take that to mean these ought to be safe:

    TeamViewer 10.0.2712
    TeamViewer QuickSupport 10.0.3264
    TeamViewer QuickSupport Add-On LG 10.0.3086

    Perhaps the answers to these questions are in the report at but that page appears to be down right now.

    Thank you for your consideration. It would be great to get some more clarification.

  3. François-Léonard Gilbert says:

    can you provide the name(s) of the vulnerable services somewhere?
    Your app does not specify, and my LG G3 has no clearly named remote support service installed.
    I am grateful for a way to ascertain if I am affected, but there is no way to remove the threat myself for the moment. This is frustrating because I have rooted my phone and could give the boot to the offending program without waiting for LG or my carrier.

    • Jonathan Hawks says:

      I second this. It is frustrating that the scanner app only tells you that your vulnerable. This makes remediation extremely difficult.

  4. Every weekend i used to visit this site, for the reason that i wish for enjoyment, for the reason that this
    this site conations really pleasant funny stuff too.

  5. I think this is one of the most vital information for me.
    And i am glad reading your article. But should remark on some general things, The web site style is wonderful,
    the articles is really nice : D. Good job, cheers

Comments are closed.