Listen up Android users... on many devices (such as those manufactured by LG, Samsung, HTC, and ZTE) there are support tools installed by default that enable companies to remote into your device to help you solve problems. Sounds like a great idea, right? Not when you find out that some of those tools suffer from a rather nasty flaw. This flaw, dubbed Certifi-Gate, was discovered by Check Point and revealed at Black Hat in Las Vegas. The flaw uses a remote support tool's security certificate to take total control over an Android device.
Unfortunately, the Android platform offers no means of revoking the certificates issued to the vulnerable apps. The only way Certifi-Gate can be fixed is for the makers of the remote support tools to issues patches. This means that you are at the mercy of a third-party, and not all third parties are created equal.
But which apps are vulnerable? Here's the official list from Check Point:
First and foremost, if you've installed any of these apps, or find them on your devices, remove them. If you're not sure (or you've removed the app and want to ensure the removal didn't leave behind a vulnerable certificate), you're in luck, because Check Point has created an app that will scan your device to make sure you're good to go. The app is called Certifi-Gate Scanner. Let's install it and run it to scan a device.
Here are the steps for installation:
- Open the Google Play Store on your Android device
- Search for certifi-gate
- Locate and tap the entry for Certifi-Gate Scanner by Check Point
- Tap Install
- Read the permissions listing
- If the permissions listing is acceptable, tap Accept
- Allow the installation to complete
On your home screen or from within the app drawer, you can now launch the Certifi-Gate Scanner app.
Scanning with the app is quite simple. You start it up and tap the big, round Scan button (Figure A). The app will go through your device and quickly scan for any vulnerabilities.
Certifi-Gate Scanner running on a Verizon-branded Droid Turbo.
I first installed TeamViewer to see if Certifi-Gate Scanner would catch any vulnerabilities. It didn't. This doesn't surprise me, as TeamViewer has always been quick to patch vulnerabilities. After that scan, I installed the other known vulnerable apps and ran the scan. Each scan came up clean. This, of course, could be a false-positive, as I haven't made a connection with any of the apps... so, there likely hasn't been a certificate generated by and for the app.
This doesn't mean you're safe. You might have an old certificate on your device that could render it vulnerable. Even if you believe your device is free of these apps, or you've read that the companies have patched their software, install and run Certifi-Gate Scanner anyway.
Should you come up with a vulnerable device, search for the app in question and check to see if it has an available update. If so, run the update immediately. If not, remove the app until the app developer has issued an update to fix the vulnerability.
I want to make this very clear... this is not something to scoff or ignore. If you have a remote support tool on your device (even outside of the three listed), you must install and run Certifi-Gate Scanner or, if possible, remove the remote support tool. The only issue, according to Check Point, is that even removing the offending software (if possible) will not remove the threat. To that end, Check Point has created a new service, Check Point Mobile Threat Prevention (which seems geared toward larger deployments of Android devices and not individuals). Check Point has also contacted Google and vulnerable manufacturers regarding the technical details of the issue. Hopefully, this means Google (and affected OEMs) will be issuing patches with more efficiency than they've patched Stagefright.
Are you listening Google... Alphabet... whatever we're to call you now?
Keep diligent, people! Check for updates often, and scan, scan, scan.
Do you think the recent glut of Android vulnerabilities points to an overall weakness in the platform, or were these two issues coincidental? Let us know your thoughts in the discussion thread below.
- How to scan your device for the Stagefright vulnerability
- Major flaw in Android texting discovered
- Google finally doubles down on security with monthly Android updates
- Resolve df-pfa-03 error in the Google Play Store
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.