Certifi-gate flaw in Android remote support tool exploited by screen recording app
The app's developer discovered the vulnerability independently from security researchers from Check Point Software Technologies who presented it earlier this month at the Black Hat security conference along with similar flaws in other mobile remote support tools.
The Check Point researchers dubbed the issues Certifi-gate because they stem from failures to properly validate the digital certificates of remote support apps that are supposed to communicate with privileged plug-ins installed in the system.
Companies that create remote support tools for Android devices, like TeamViewer and Rsupport, have convinced device manufacturers to sign some of their software components with their OEM (original equipment manufacturer) digital certificates. This gives those components, which are known as plug-ins or add-ons, system level privileges and access to powerful functionality that is not normally available through the Android APIs (application programming interfaces).
In some cases, these remote support plug-ins come preloaded on devices, but they can also be installed later from Google Play. Both TeamViewer and Rsupport distribute versions of their plug-ins for individual manufacturers through Google's app store.
The plug-ins are supposed to only allow the official remote support tools from those software companies to access their functionality. However, because of flaws in how certificate checking was implemented, any rogue app with no special permissions could masquerade as an official tool and gain control over devices.
The Check Point researchers notified Google and the affected phone vendors months before they publicly disclosed the issue. After their presentation at Black Hat, a Google representative said in a statement that OEMs were providing updates to resolve the issue and that the company hadn't seen any exploit attempts.
The representative also said that Google is constantly monitoring for potentially harmful applications through Android services like Verify Apps and SafetyNet and advised users to only download applications from trusted sources like Google Play.
TeamViewer also announced that it had released patched versions of its remote support tool and plug-in in advance of Check Point's report.
That's why it came as a surprise to Check Point when the company recently found a popular app called Recordable Activator in Google Play that appeared to take advantage of the Certifi-gate bug.
The app was found thanks to a free tool released by Check Point that was used by over 30,000 Android users to scan if their devices were vulnerable to the Certifi-gate issues. The scans submitted anonymously to Check Point revealed that nearly 15 percent of devices had a vulnerable remote support tool plug-in installed; 42 percent were technically vulnerable, but didn't have a plug-in installed yet; and 0.01 percent had already been exploited.
The active exploitation reports were mostly triggered by the presence of an app called Recordable Activator on the scanned devices, the Check Point researchers said in a report scheduled to be released Tuesday.
Recordable Activator, which was still present in Google Play Monday, but has since been removed, had over 500,000 installations. It enabled another application called Recordable to allow screen recording, a functionality that was not available through the standard Android APIs before Android 5.0 (Lollipop).
According to the Check Point researchers, Recordable Activator installed an older version of the TeamViewer plug-in on users' devices then exploited the Certifi-gate authentication flaw to create a bridge between Recordable and TeamViewer. The TeamViewer plug-in had the necessary permissions to access the device screen because of its system privileges.
One interesting aspect is that Recordable Activator was last updated on Aug. 3, before Check Point's public presentation at Black Hat. This suggests that the app's developer -- a company called Invisibility Ltd -- discovered the issue independently.
The app's support website, recordable.mobi, is registered to a man named Christopher Fraser from London. Reached via email Monday, Fraser confirmed that he found the certificate validation flaw in TeamViewer on his own.
He began taking advantage of it in his app in April because it provided a simple alternative to an older and more complex method of enabling screen recording that involves connecting the phone to a computer and enabling USB debugging.
"When I looked at the other plugins available within about 10 minutes I noticed that none of them correctly implemented certificate checking and therefore allowed 3rd party apps to use them," Fraser said Monday via email. "TeamViewer's was freely distributable so I used that."
According to Fraser, he emailed Android device manufacturers in the past asking if they would be willing to sign his own plug-in, like they did for TeamViewer and other vendors, but he received no response.
"I'd really like to do a correctly implemented, secure plugin for screen recording, but at the moment I can't get a foot in the door," he said.
According to Fraser, screen recording is a functionality that a lot of users desire, especially on older devices. His Recordable app has been downloaded around 3 million times so far, "mostly by people wanting to record gameplay in games like Minecraft."
The Recordable Activator app does not appear to have been malicious in nature, but according to the Check Point researchers there was "no security on the Recordable plug-in service to make sure third parties cannot connect to it" and, therefore, access the vulnerable TeamViewer plug-in.
However, it's not clear how much that adds to the problem, since attackers could also distribute an older version of the TeamViewer plug-in themselves and then exploit the Certifi-gate issue directly, just like Fraser did in his app.
In fact, this incident proves that even if TeamViewer released a fixed version of its plug-in, attackers could still abuse old versions, the Check Point researchers said in their report. It also shows that such apps could be present in Google Play despite Google's security checks.
According to Michael Shaulov, the head of mobility product management at Check Point, the company reported the application to Google on Thursday.
A Google representative confirmed via email that the application was suspended Monday.
Despite Google's previous statement that it is monitoring for attempts to exploit this issue, the company failed to detect Recordable Activator, Shaulov said. While this particular app is not malicious, it exploits the flaw to implement its screen recording workaround. This leaves users with no guarantee that there are no malicious apps in Google Play right now that do the same; or that there won't be any in the future.
The only real fix would be for phone manufacturers to release firmware updates that would revoke the certificates used to sign the old and vulnerable remote support plug-ins, the Check Point researchers said in their report. "As far as we know today, no device manufactures have delivered a patch."
Fraser, who is unhappy that his app was suspended, believes that this is not Google's problem and that expecting the company to clean up the mess after device manufacturers who decided to sign those plug-ins is a "a bit much to expect."
"If there's an angle to this story I would like to see told it's that hundreds of thousands of kids were using the plug-ins to run their YouTube channels, and can't any more," he said. "Google's not interested because they want people to move to Android 5."