Just when the world was starting to chill out about Stagefright, some Israeli hackers announced more bad news. Just like Stagefright, there’s another Android vulnerability that lets hackers take control of a phone with a single text. What’s worse is that there’s not an easy fix.
Announced today at the Black Hat security conference in Las Vegas, it’s called Certifi-gate. The research team from Check Point that found the vulnerability explained the details to a half confused audience in Las Vegas on Thursday morning. I say half-confused because the session’s title — “Front Door Access to Pwning Million of Androids” — sounds so familiar to the Stagefright scare that captured headlines at the end of July. However, the Check Point team’s findings reveal a more complicated issue with Android security that revolves around how the operating system fails to verify apps with privileged permissions. This means that it’s easy for a hacker to take over almost any Android phone with a fake app or even an SMS.
The apps in question are known as mobile remote support tools (mSRTs). These often come pre-installed by the manufacturer or carrier and enable support teams to access and control devices remotely, mainly for fixing problems. You might not know it, but you probably have an mSRT installed on your Android phone. It probably doesn’t even have an icon in your launcher. Google doesn’t ship these apps with stock Android, and there’s no native way to verify certificates, even though they’re often granted privileged permissions like the ability to install new apps, access the screen, or mimic user input.
Long story short, the Check Point team figured out a pretty straightforward way to create fake certificates and gain full access to an Android device with an mSRT installed. In the Black Hat demo, Check Point’s Ohad Bobrov and Avi Bashan demonstrated two ways of gaining access. One involved installed a fake flashlight app that requested very few permissions but actually gave them full control over the device thanks to the vulnerability. The other involved sending a single text message that could force the remote access tool to issue any command. The hack is pretty scary-looking in action.
It’s not all bad news. The Check Point team reported the vulnerability to Google as well as a number of device manufacturers (LG, Samsung, HTC, Huawei, etc.) as well as carriers. Many of them have already addressed it, but the researchers warned that there are still millions of devices that could still be vulnerable. Handily enough, Check Point built a scanner app that you can download from the Google Play Store to see if your phone is one of them.
All that said, two big Android vulnerabilities in as many weeks serves as more evidence that the state of Android security seems doomed. When so many different actors are contributing to the development of the open source operating system, there are inevitably just as many opportunities to overlook things. And when bad vulnerabilities are found, Google can’t always release a software update and fix everything at once. Apple devices don’t quite have that problem, but they can be hacked, too.
The solution? Never use a smartphone, I guess.