August 7, 2015 by

Researchers Uncover a New Android SMS Vulnerability

The hits keep on coming. Merely a week after Android phones were revealed to have a significant vulnerability with Stagefright bugs, another similar vulnerability has surfaced.

Two Israeli researchers from Check Point have unveiled their research and findings to present a critical Android vulnerability at the Black Hat conference in Las Vegas. Dubbed ‘Certifi-gate’, the vulnerability could potentially open up hundreds of millions of Android devices to hackers, according to a report in Forbes.

The researchers found fault in the way OEMs (Original Equipment Manufacturers of devices such as Samsung, LG, HTC, Lenovo, Sony etc.) implement Remote Support, allowing third-party applications’ plugins to demand access to Android devices’ screen and controls using the OEMs own signed certificates which are meant to be secure in the first place.

This means that malicious hackers can ostensibly see what Android users are doing with their phones and can also gain control over the targeted phone or tablet.

A certifiable catch-22

Fundamentally, there are two ways of gaining administrator-level access. They are:

  • Getting a target to download a malicious app, even one placed within the Google Play store through social engineering. While appearing legitimate and seeking very few permissions, such an application can easily contain a faux signed certificate, giving it access to the phone.
  • A simple text message to a phone can also trigger remote access tools to launch commands, effectively gaining complete control over the device, similar to the Stagefright threat.

Ohad Bobrov and Avi Bashan, the two researchers who discovered the vulnerability pulled no punches in stating the critical nature of the threat.

“All Android devices from major OEMs are vulnerable – hundreds of millions of devices,” the researchers told FORBES.

Related Post: Simple Android Hack Leaves 95% Devices Vulnerable

There is a catch, inherently in dealing with the vulnerability, according to the researchers. Certificates are meant to guarantee the authenticity of applications, assuring devices that they aren’t malicious by being signed by the original company. These certificates are crucial to the way applications work, granting them access to different parts and features of an Android device.

However, the vulnerability proves these certificates can be cloned and used maliciously. While revoking the certificates may sound like a quick-fix, it is counter-productive as this would also mean the removal of the OEM certificates, the researching hacker duo noted.

A spokesperson for Google made the following statement, noting the vulnerabilities reported by the researchers and thanking them for it.

“We want to thank the researcher for identifying the issue and flagging it for us. The issue they’ve detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue.”

Check Point stressed that the only way to fully address the vulnerability from scratch is to have OEMs and mobile carriers work together to update the vulnerable plugins present in a significant majority of Android phones. Google and Check Point have also confirmed that Nexus devices (including mobiles and tablets) are not affected by the vulnerability.


About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

Netflix Launches Public Bug Bounty Program

Streaming giant Netflix has announced the launch of a public bug bounty program designed to allow...

Read more arrow_forward

15-Year-Old Hacks Ledger Hardware Cryptocurrency Wallet

A teenage hacker has discovered a flaw in Ledger, a popular hardware wallet that could essentially...

Read more arrow_forward

Expedia’s Orbitz: 880,000 Payment Cards Struck by Data Breach

Orbitz, a subsidiary of online travel giant Expedia has revealed a data breach wherein hackers may...

Read more arrow_forward