August 26, 2015 by

Google Pulls Plug on Vulnerability Exploiting App

Google has removed a mobile application exploiting the Certifi-gate vulnerability uncovered and publicized at the Black Hat conference earlier this year from the Google Play store.

Recordable Activator, a screen recorder app developed for Android phones, tablets, and other devices has been removed from the Google Play store by Google after the app was found to exploit a vulnerability dubbed ‘Certifi-gate,’ ThreatPost reports.

Researchers at Check Point technologies, who discovered the original vulnerability note that the number of installs for the application is anywhere between 100,000 and 500,000. However, the vulnerability was successfully exploited on only three Android devices, the researchers say.

Related article: Researchers Uncover a New Android SMS Vulnerability

“From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents,” Check Point noted. “The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device.”

Certifi-gate comes to the fore.

Check Point’s very own Certifi-gate scanner application collected the data about the exploits; the company explained in a blog post. Other highlights from the scans show that:

  • LG devices are the most vulnerable, along with Samsung and HTC.
  • 16% of devices scanned show that they contain the vulnerable plugins.
  • At least three devices sending anonymous scan results were actively being exploited.

The Certifi-gate vulnerability was initially revealed at the Black Hat conference earlier this month by the researchers. When exploited, it allows a malicious attacker to take complete remote control of the targeted device using a malware-laced application or a simple SMS message. The vulnerability stems from a third-party remote support tools that are usually pre-installed on Android devices by mobile manufacturers and carriers. These tools are also readily downloadable via the Play Store.

Since these support tools are routinely signed with OEM certificates, they have system-level privileges to handle remote support tasks. Check Point revealed that authentication roadblocks could easily be bypassed by a malicious application using these support tools.

With the tools being preinstalled, patching the vulnerability poses a daunting task. They’d require hardware manufacturers to push the patched ROMs to vulnerable devices.

“It will take a long time until there is a new version out there, but, what’s more, problematic is not only the bug itself, it’s the architecture,” Check Point researcher Ohad Bobrov said. “The vendors and OEMS signed this vulnerable mRST (mobile remote support tools) with their certificate. You can’t revoke it, otherwise the plugin won’t work.”

Image Credit: Flickr


About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

New Ransomware ‘Spider’ Threatens Wipeout in 96 Hours

A new strain of ransomware discovered by security researchers encrypts files and gives victims a...

Read more arrow_forward

Security Researchers Discover Trove of 1.4 Billion Credentials

Security researchers at dark web monitoring firm 4iQ have stumbled upon a massive 41GB data file of...

Read more arrow_forward

Gartner Research: Cybersecurity Spending to Hit $96 Billion in 2018

Gartner has predicted worldwide security spending to increase by 8% in 2018 to hit a staggering $96...

Read more arrow_forward