Certifi-gate flaw in Android remote support tool exploited by screen recording app

An app developer found that he could trick TeamViewer into enabling screen recording on Android.

An application available in the Google Play store until yesterday spent months taking advantage of a flaw in the TeamViewer remote support tool for Android in order to enable screen recording on older devices.

The app's developer discovered the vulnerability independently of security researchers from Check Point Software Technologies, who presented it earlier this month at the Black Hat security conference along with similar flaws in other mobile remote support tools.

The Check Point researchers dubbed the issues Certifi-gate because they stem from failures to properly validate the digital certificates of remote support apps that are supposed to communicate with privileged plug-ins installed in the system.

Companies that create remote support tools for Android devices, like TeamViewer and Rsupport, have convinced device manufacturers to sign some of their software components with their OEM (original equipment manufacturer) digital certificates. This gives those components, which are known as plug-ins or add-ons, system level privileges and access to powerful functionality that is not normally available through the Android APIs (application programming interfaces).

In some cases, these remote support plug-ins come preloaded on devices, but they can also be installed later from Google Play. Both TeamViewer and Rsupport distribute versions of their plug-ins for individual manufacturers through Google's app store.

The plug-ins are supposed to only allow the official remote support tools from those software companies to access their functionality. However, because of flaws in how certificate checking was implemented, any rogue app with no special permissions could masquerade as an official tool and gain control over devices.
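One way a privileged plug-in could restrict its Binder interface to the official support app, shown as an added example that is not TeamViewer's, Rsupport's or Check Point's code. The class name `CallerVerifier` and the pinned digest are hypothetical placeholders, and the sketch assumes the pre-Android 5.0 era API (`GET_SIGNATURES`) the article is concerned with.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper for a privileged plug-in service; not vendor code. */
public final class CallerVerifier {
    // Placeholder: SHA-256 of the official app's complete signing certificate (DER).
    // The all-zero value matches nothing, so the check fails closed until it is set.
    private static final byte[] PINNED_CERT_SHA256 = new byte[32];

    private CallerVerifier() {}

    /** Call inside a Binder transaction, before doing any privileged work. */
    public static boolean isOfficialCaller(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        // Identity comes from the kernel-supplied UID, never from data the caller sends.
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        try {
            // Each package sharing the UID is checked; any mismatch rejects the call.
            for (String pkg : pkgs) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
                // Conservative assumption: the official app has exactly one signer.
                if (info.signatures == null || info.signatures.length != 1) return false;
                if (!matchesPin(info.signatures[0])) return false;
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed on any lookup or digest error
        }
    }

    private static boolean matchesPin(Signature sig) throws NoSuchAlgorithmException {
        // Hash the whole encoded certificate so the public key is covered;
        // individual fields of a self-signed certificate are chosen by its author.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
        return MessageDigest.isEqual(digest, PINNED_CERT_SHA256);
    }
}
```

A check like this only protects plug-in versions that ship it; it does nothing for older, already-signed plug-in builds that remain installable.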

The Check Point researchers notified Google and the affected phone vendors months before they publicly disclosed the issue. After their presentation at Black Hat, a Google representative said in a statement that OEMs were providing updates to resolve the issue and that the company hadn't seen any exploit attempts.

The representative also said that Google is constantly monitoring for potentially harmful applications through Android services like Verify Apps and SafetyNet and advised users to only download applications from trusted sources like Google Play.

TeamViewer also announced that it had released patched versions of its remote support tool and plug-in in advance of Check Point's report.

That's why it came as a surprise to Check Point when the company recently found a popular app called Recordable Activator in Google Play that appeared to take advantage of the Certifi-gate bug.

The app was found thanks to a free tool released by Check Point, which over 30,000 Android users ran to check whether their devices were vulnerable to the Certifi-gate issues. The scans, submitted anonymously to Check Point, revealed that nearly 15 percent of devices had a vulnerable remote support tool plug-in installed; 42 percent were technically vulnerable, but didn't have a plug-in installed yet; and 0.01 percent had already been exploited.

The active exploitation reports were mostly triggered by the presence of an app called Recordable Activator on the scanned devices, the Check Point researchers said in a report scheduled to be released Tuesday.

Recordable Activator, which was still present in Google Play Monday, but has since been removed, had over 500,000 installations. It enabled another application called Recordable to allow screen recording, a functionality that was not available through the standard Android APIs before Android 5.0 (Lollipop).

According to the Check Point researchers, Recordable Activator installed an older version of the TeamViewer plug-in on users' devices and then exploited the Certifi-gate authentication flaw to create a bridge between Recordable and TeamViewer. The TeamViewer plug-in had the necessary permissions to access the device screen because of its system privileges.

One interesting aspect is that Recordable Activator was last updated on Aug. 3, before Check Point's public presentation at Black Hat. This suggests that the app's developer -- a company called Invisibility Ltd -- discovered the issue independently.

The app's support website, recordable.mobi, is registered to a man named Christopher Fraser from London. Reached via email Monday, Fraser confirmed that he found the certificate validation flaw in TeamViewer on his own.

He began taking advantage of it in his app in April because it provided a simple alternative to an older and more complex method of enabling screen recording that involves connecting the phone to a computer and enabling USB debugging.

"When I looked at the other plugins available within about 10 minutes I noticed that none of them correctly implemented certificate checking and therefore allowed 3rd party apps to use them," Fraser said Monday via email. "TeamViewer's was freely distributable so I used that."

According to Fraser, he emailed Android device manufacturers in the past asking if they would be willing to sign his own plug-in, like they did for TeamViewer and other vendors, but he received no response.

"I'd really like to do a correctly implemented, secure plugin for screen recording, but at the moment I can't get a foot in the door," he said.

According to Fraser, screen recording is a functionality that a lot of users desire, especially on older devices. His Recordable app has been downloaded around 3 million times so far, "mostly by people wanting to record gameplay in games like Minecraft."

The Recordable Activator app does not appear to have been malicious in nature, but according to the Check Point researchers there was "no security on the Recordable plug-in service to make sure third parties cannot connect to it" and, therefore, access the vulnerable TeamViewer plug-in.

However, it's not clear how much that adds to the problem, since attackers could also distribute an older version of the TeamViewer plug-in themselves and then exploit the Certifi-gate issue directly, just like Fraser did in his app.

In fact, this incident proves that even if TeamViewer released a fixed version of its plug-in, attackers could still abuse old versions, the Check Point researchers said in their report. It also shows that such apps could be present in Google Play despite Google's security checks.

According to Michael Shaulov, the head of mobility product management at Check Point, the company reported the application to Google on Thursday.

A Google representative confirmed via email that the application was suspended Monday.

Despite Google's previous statement that it is monitoring for attempts to exploit this issue, the company failed to detect Recordable Activator, Shaulov said. While this particular app is not malicious, it exploits the flaw to implement its screen recording workaround. This leaves users with no guarantee that there are no malicious apps in Google Play right now that do the same, or that there won't be any in the future.

The only real fix would be for phone manufacturers to release firmware updates that would revoke the certificates used to sign the old and vulnerable remote support plug-ins, the Check Point researchers said in their report. "As far as we know today, no device manufacturers have delivered a patch."

Fraser, who is unhappy that his app was suspended, believes that this is not Google's problem and that expecting the company to clean up the mess after device manufacturers who decided to sign those plug-ins is "a bit much to expect."

"If there's an angle to this story I would like to see told it's that hundreds of thousands of kids were using the plug-ins to run their YouTube channels, and can't any more," he said. "Google's not interested because they want people to move to Android 5."

Lucian Constantin

IDG News Service