Android ‘Certifi-gate’ flaw leaves millions of devices at risk
Check Point says that all versions of Android 5.0 (Lollipop) and 4.4 (KitKat) are vulnerable to Certifi-Gate.
Check Point says that the vulnerability can be “very easily exploited” to give hackers unrestricted access to the affected devices, allowing them to steal personal data, track device locations, turn on microphones to record conversations, and more. Check Point noted that the devices that could suffer from Certifi-gate are from LG, Samsung, HTC and ZTE and that these OEMs have released updates to mitigate the issue.
That means a nefarious individual could see what you’re doing and control your phone or tablet.
Also at BlackHat, CheckPoint launched a mobile security product designed to bolster mobile app security.
Certifi-gate is a set of vulnerabilities present in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugs on an Android device.
“The vulnerability stems from an issue in Android’s security architecture and that OEMs created flawed implementations of the remote support tools to get round the Android issue”. Google and Check Point have both stated that Nexus devices are not affected by Certifi-gate.
The firm said it has notified manufacturers of the flaw and that updates are being worked on, but given how long it can take for updates to arrive on devices this could be some time.
Even if you find you are vulnerable, there’s not much you can do about it. According to Check Point, “The problem is further intensified because vulnerable apps cannot be completely revoked”. They said they received responses from most by May, stating work had been started to resolve the issues. There is some good news hidden under the clouds of gray, though.
Hours after Google and smartphone makers promised an imminent patch for the infamous Stagefright vulnerability another critical flaw in Android is being outed.
“We want to thank the researcher for identifying the issue and flagging it for us”, a Google spokesperson told us, referring to Certifi-Gate.
During a separate talk at the Black Hat security conference Wednesday, Adrian Ludwig, Google’s lead engineer for Android security, described multiple defenses built into the OS that could potentially be used to detect such an attack. “In order for a user to be affected, they’d need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet”.
Check Point Software Technologies advises that in the meantime the best way to protect your Android phone from Certifi-gate is to avoid installing apps outside the Google Play store.
The security companies that have uncovered these two latest vulnerabilities are also responding with more than free scanner apps for end users.
Worse still, Android offers no way to revoke the certificates that are providing privileged permissions.