Certifi-gate flaw in Android remote support tool exploited by screen recording app

An app developer found that he could trick TeamViewer to enable screen recording on Android.

An application available in the Google Play store until yesterday took advantage for months of a flaw in the TeamViewer remote support tool for Android in order to enable screen recording on older devices.

The app's developer discovered the vulnerability independently from security researchers from Check Point Software Technologies who presented it earlier this month at the Black Hat security conference along with similar flaws in other mobile remote support tools.

The Check Point researchers dubbed the issues Certifi-gate because they stem from failures to properly validate the digital certificates of remote support apps that are supposed to communicate with privileged plug-ins installed in the system.

Companies that create remote support tools for Android devices, like TeamViewer and Rsupport, have convinced device manufacturers to sign some of their software components with their OEM (original equipment manufacturer) digital certificates. This gives those components, which are known as plug-ins or add-ons, system level privileges and access to powerful functionality that is not normally available through the Android APIs (application programming interfaces).

In some cases, these remote support plug-ins come preloaded on devices, but they can also be installed later from Google Play. Both TeamViewer and Rsupport distribute versions of their plug-ins for individual manufacturers through Google's app store.

The plug-ins are supposed to only allow the official remote support tools from those software companies to access their functionality. However, because of flaws in how certificate checking was implemented, any rogue app with no special permissions could masquerade as an official tool and gain control over devices.
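The check the paragraph above describes, done the way a privileged plug-in's bound service should do it, as an added example that is not code from TeamViewer, Rsupport, Check Point or this article. It assumes the plug-in pins the SHA-256 of its vendor's signing certificate (the hash below is a placeholder) and runs this check inside each Binder method, where `Binder.getCallingUid()` identifies the connecting app.

```java
// Added example: caller-identity check for a privileged Android bound service.
// Pins the full signing certificate of the one app allowed to connect, rather
// than attacker-choosable fields such as package name, subject name or serial.
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;

public final class CallerCheck {
    // Placeholder: SHA-256 of the DER-encoded certificate the vendor signs its
    // remote support app with. A real plug-in ships the actual hash here.
    private static final byte[] ALLOWED_CERT_SHA256 = hexToBytes(
        "0000000000000000000000000000000000000000000000000000000000000000");

    /** True only if every package running as the calling UID is signed with
     *  exactly the pinned certificate. Must be called from within the Binder
     *  transaction, otherwise getCallingUid() returns the service's own UID. */
    public static boolean callerIsTrusted(PackageManager pm) {
        int uid = Binder.getCallingUid();
        String[] pkgs = pm.getPackagesForUid(uid);
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            for (String pkg : pkgs) {
                // GET_SIGNATURES is deprecated since API 28 in favour of
                // GET_SIGNING_CERTIFICATES / PackageInfo.signingInfo; the
                // comparison below is the same either way.
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                Signature[] sigs = info.signatures;
                // Unsigned or multi-signer packages are rejected outright.
                if (sigs == null || sigs.length != 1) return false;
                byte[] digest = MessageDigest.getInstance("SHA-256")
                        .digest(sigs[0].toByteArray());
                // Constant-time comparison of the whole certificate hash.
                if (!MessageDigest.isEqual(digest, ALLOWED_CERT_SHA256)) return false;
            }
            return true;
        } catch (Exception e) {
            return false; // unknown package or digest error: fail closed
        }
    }

    private static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        return out;
    }
}
```

Checking every package that shares the UID matters because apps signed with the same certificate can share a UID; checking only the first one lets a co-signed helper package vouch for others.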

The Check Point researchers notified Google and the affected phone vendors months before they publicly disclosed the issue. After their presentation at Black Hat, a Google representative said in a statement that OEMs were providing updates to resolve the issue and that the company hadn't seen any exploit attempts.

The representative also said that Google is constantly monitoring for potentially harmful applications through Android services like Verify Apps and SafetyNet and advised users to only download applications from trusted sources like Google Play.

TeamViewer also announced that it had released patched versions of its remote support tool and plug-in in advance of Check Point's report.

That's why it came as a surprise to Check Point when the company recently found a popular app called Recordable Activator in Google Play that appeared to take advantage of the Certifi-gate bug.

The app was found thanks to a free tool released by Check Point that was used by over 30,000 Android users to scan if their devices were vulnerable to the Certifi-gate issues. The scans submitted anonymously to Check Point revealed that nearly 15 percent of devices had a vulnerable remote support tool plug-in installed; 42 percent were technically vulnerable, but didn't have a plug-in installed yet; and 0.01 percent had already been exploited.

The active exploitation reports were mostly triggered by the presence of an app called Recordable Activator on the scanned devices, the Check Point researchers said in a report scheduled to be released Tuesday.

Recordable Activator, which was still present in Google Play Monday, but has since been removed, had over 500,000 installations. It enabled another application called Recordable to allow screen recording, a functionality that was not available through the standard Android APIs before Android 5.0 (Lollipop).

According to the Check Point researchers, Recordable Activator installed an older version of the TeamViewer plug-in on users' devices then exploited the Certifi-gate authentication flaw to create a bridge between Recordable and TeamViewer. The TeamViewer plug-in had the necessary permissions to access the device screen because of its system privileges.

One interesting aspect is that Recordable Activator was last updated on Aug. 3, before Check Point's public presentation at Black Hat. This suggests that the app's developer -- a company called Invisibility Ltd -- discovered the issue independently.

The app's support website, recordable.mobi, is registered to a man named Christopher Fraser from London. Reached via email Monday, Fraser confirmed that he found the certificate validation flaw in TeamViewer on his own.

He began taking advantage of it in his app in April because it provided a simple alternative to an older and more complex method of enabling screen recording that involves connecting the phone to a computer and enabling USB debugging.

"When I looked at the other plugins available within about 10 minutes I noticed that none of them correctly implemented certificate checking and therefore allowed 3rd party apps to use them," Fraser said Monday via email. "TeamViewer's was freely distributable so I used that."

According to Fraser, he emailed Android device manufacturers in the past asking if they would be willing to sign his own plug-in, like they did for TeamViewer and other vendors, but he received no response.

"I'd really like to do a correctly implemented, secure plugin for screen recording, but at the moment I can't get a foot in the door," he said.

According to Fraser, screen recording is a functionality that a lot of users desire, especially on older devices. His Recordable app has been downloaded around 3 million times so far, "mostly by people wanting to record gameplay in games like Minecraft."

The Recordable Activator app does not appear to have been malicious in nature, but according to the Check Point researchers there was "no security on the Recordable plug-in service to make sure third parties cannot connect to it" and, therefore, access the vulnerable TeamViewer plug-in.

However, it's not clear how much that adds to the problem, since attackers could also distribute an older version of the TeamViewer plug-in themselves and then exploit the Certifi-gate issue directly, just like Fraser did in his app.

In fact, this incident proves that even if TeamViewer released a fixed version of its plug-in, attackers could still abuse old versions, the Check Point researchers said in their report. It also shows that such apps could be present in Google Play despite Google's security checks.

According to Michael Shaulov, the head of mobility product management at Check Point, the company reported the application to Google on Thursday.

A Google representative confirmed via email that the application was suspended Monday.

Despite Google's previous statement that it is monitoring for attempts to exploit this issue, the company failed to detect Recordable Activator, Shaulov said. While this particular app is not malicious, it exploits the flaw to implement its screen recording workaround. This leaves users with no guarantee that there are no malicious apps in Google Play right now that do the same; or that there won't be any in the future.

The only real fix would be for phone manufacturers to release firmware updates that would revoke the certificates used to sign the old and vulnerable remote support plug-ins, the Check Point researchers said in their report. "As far as we know today, no device manufacturers have delivered a patch."

Fraser, who is unhappy that his app was suspended, believes that this is not Google's problem and that expecting the company to clean up the mess after device manufacturers who decided to sign those plug-ins is "a bit much to expect."

"If there's an angle to this story I would like to see told it's that hundreds of thousands of kids were using the plug-ins to run their YouTube channels, and can't any more," he said. "Google's not interested because they want people to move to Android 5."
