Certifi-gate Found in the Wild on Google Play

August 2015 by Marc Jacob

Three weeks ago, Check Point publicly disclosed Certifi-gate, a new vulnerability on Android. Using anonymous data collected from the Certifi-gate scanner, an app that tells users if their devices are vulnerable, Check Point discovered:
· An instance of Certifi-gate was found running in the wild in an app on Google Play
· At least 3 devices sending anonymous scan results were actively being exploited
· Over 4,700 devices anonymously reported having a vulnerable plugin installed
· Devices made by LG were the most vulnerable, followed by Samsung and HTC

Recordable Activator - an In-The-Wild Certifi-gate Exploitation
Two Certifi-gate scans reported an exploiting app installed on devices. The app, Recordable Activator, was developed by Invisibility Ltd, a UK-based company, and has between 100,000 and 500,000 downloads on Google Play. Via this app, hackers had successfully exploited the Certifi-gate vulnerability, bypassing the Android permission model to use the TeamViewer plug-in to access system-level resources and to record the device screen.

In-depth analysis of this app highlights the unusual attributes of the Certifi-gate vulnerability.

Recordable Activator – Overview

Recordable Activator is a subcomponent of a multi-component utility called “EASY screen recorder NO ROOT”, designed to assist users with capturing the device screen. It’s described on Google Play as:

Recordable is the easy way to create high-quality screen recordings on Android.
· Is simple to install and easy to use
· Does not require root

Android restricts ordinary, non-system apps from interacting with screen capturing functionality, as this introduces significant security and privacy risks. Therefore, this functionality is usually available only to trusted, system-level apps or to apps on rooted devices.

To achieve this functionality, “EASY screen recorder NO ROOT” and its subcomponent “Recordable Activator” install a vulnerable version of the TeamViewer plug-in on demand. Because the plug-in is signed by various device manufacturers, Android considers it trusted and grants it system-level permissions.

From this point, “Recordable Activator” exploits the authentication vulnerability and connects with the plug-in to record the device screen.

Check Point researchers believe that the developer of “Recordable Activator” did a poor job of protecting the interaction with subcomponents: communication with the “Recordable Activator” component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device.

The “Recordable Activator” app demonstrates the following inherent issues related to Certifi-gate:
1. Unprivileged apps can leverage a vulnerability to take full control of a device without having to request permissions from Android to do so.
2. Even after TeamViewer fixed its official version, malicious parties can still abuse old versions of the plug-in to conduct malicious acts.
3. Mobile devices can be exploited even if a vulnerable plug-in was not pre-installed on a device.
4. Apps that can exploit these vulnerabilities can be found today on Google Play.
5. The only fix is for manufacturers to push updated ROMs to affected devices.

In-Depth Analysis

Structure: The utility contains two main components: the Recording app (uk.org.invisibility.recordable or uk.org.invisibility.recordablefree) and a Recordable plug-in (uk.org.invisibility.activator).

Vulnerable plug-in download: The main app supports installing the plug-in or using root / adb shell to enable screen recording through other means. If the user decides to install the plug-in, when the plug-in runs it downloads the TeamViewer plug-in APK, based on the relevant certificate of the device manufacturer.
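For device inventory, the three package names given in the structure paragraph can be checked against a package listing. The script below is an added example, not code from Check Point or from the app; it assumes input in the format printed by `adb shell pm list packages -f`, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example. Package names are the three listed in the article.
FLAGGED="uk.org.invisibility.recordable uk.org.invisibility.recordablefree uk.org.invisibility.activator"

# scan_packages: read `pm list packages -f` (or plain `pm list packages`)
# output on stdin; print "name<TAB>origin<TAB>apk-path" per flagged package.
# On a device: adb shell pm list packages -f | scan_packages
scan_packages() {
    awk -v flagged="$FLAGGED" '
    BEGIN { n = split(flagged, f, " "); for (i = 1; i <= n; i++) want[f[i]] = 1 }
    {
        sub(/\r$/, "")                    # adb shell output may end in CRLF
        if ($0 !~ /^package:/) next
        line = substr($0, 9)              # drop the "package:" prefix
        # -f lines are <apk path>=<name>; newer paths contain "==", so
        # split on the LAST "=" (package names cannot contain one).
        eq = 0
        for (i = length(line); i > 0; i--)
            if (substr(line, i, 1) == "=") { eq = i; break }
        if (eq) { path = substr(line, 1, eq - 1); name = substr(line, eq + 1) }
        else    { path = "-"; name = line }
        if (!(name in want)) next         # exact match, never substring
        origin = "unknown"
        if (path ~ /^\/data\//) origin = "user-installed"
        else if (path ~ /^\/(system|vendor|product)\//) origin = "preinstalled"
        printf "%s\t%s\t%s\n", name, origin, path
    }'
}

# Constructed sample listing (not captured from a real device); the last
# line uses the plain, path-less format.
SAMPLE='package:/system/app/Calc/Calc.apk=com.example.calc
package:/data/app/uk.org.invisibility.activator-1/base.apk=uk.org.invisibility.activator
package:/data/app/~~Zm9v==/uk.org.invisibility.recordablefree-YmFy==/base.apk=uk.org.invisibility.recordablefree
package:/data/app/com.example.uk.org.invisibility.recordable.fake-1/base.apk=com.example.uk.org.invisibility.recordable.fake
package:uk.org.invisibility.recordable'

printf '%s\n' "$SAMPLE" | scan_packages
```

A hit shows only that the app described in the article is installed; whether a vulnerable plug-in was downloaded has to be established separately.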

