Security is definitely not one of Android’s stronger suits, and in the past few days it seems to have taken a complete back seat for the hugely vulnerable OS. After Stagefright enabled hackers to attack via a simple text message, we now have a new threat, potentially greater than Stagefright, looming over hundreds of millions of Android devices.
The new threat, dubbed “Certifi-gate”, was revealed by security firm Check Point at the Black Hat cybersecurity conference in Las Vegas.
Hundreds of millions of Android smartphones may be at risk from a security flaw that allows hackers to hijack a handset without the victim’s knowledge. Devices made by Samsung, HTC, LG and ZTE, including those running the latest version of Android, are potentially vulnerable, said the Check Point researchers.
According to Check Point, it could allow hackers to “gain unrestricted device access, allowing them to steal personal data, track device locations, turn on microphones to record conversations and more”.
The vulnerability lets an attacker abuse mobile Remote Support Tool (mRST) apps, which are either pre-installed by OEMs or installed by the user and whose security certificates are trusted by the system. These apps often have root access to the system, so an attacker who abuses them gains complete and illegitimate access to the device. “This vulnerability is very easily exploited, and can lead to the loss and dissemination of a user’s personal data,” said Dorit Dor, vice president of products at Check Point.
The researchers have reported their findings to the affected OEMs and to Google, but warn that no simple patch can fix this bug: existing Android systems cannot revoke the security certificates and permissions of the suspect apps, so only a new software build will resolve the issue. Unfortunately, that is often a “notoriously slow process”, as has always been the case with Android devices.
In the meantime, following the discovery of the similar Stagefright threat last week, Google, Samsung and LG have separately announced that they will provide regular monthly updates for Android devices. In fact, Adrian Ludwig, lead engineer for Android security, said at the Black Hat conference, “My guess is that this is the single largest software update the world has ever seen.”
A Google spokesperson said:
We want to thank the researcher for identifying the issue and flagging it for us. The issue they’ve detailed pertains to customizations original equipment manufacturers make to Android devices and they are providing updates which resolve the issue. Nexus devices are not affected and we haven’t seen attempts to exploit this.
We have contacted Google for more information and will update this story if we receive further details.