Android 'Certifi-gate' flaw leaves millions of devices at risk
Manufacturers' update systems open to attack
Yet another major Android flaw has been uncovered that affects handsets from the likes of Samsung, LG, HTC and ZTE.
The flaw, uncovered by security firm Check Point and dubbed 'Certifi-gate', resides in the mobile Remote Support Tools (mRSTs) installed in Android by device manufacturers and network operators to provide technical assistance to users.
Check Point unveiled its findings at the Black Hat security conference in Las Vegas and in a blog post, explaining how the flaw can work.
"mRSTs allow remote personnel to offer customers personalised technical support for their devices by replicating a device's screen and simulating screen clicks at a remote console," the firm said.
"If exploited, Certifi-gate allows malicious applications to gain unrestricted access to a device silently, elevating their privileges to allow access to the user data and perform a variety of actions usually only available to the device owner."
These actions include tracking device locations, turning on microphones to record conversations, and siphoning personal data from the device, Check Point said.
Making matters worse, Android device owners have no way to revoke the certificates used to provide the updates, so while the flaw remains unpatched there is no way to mitigate the threat.
"Android offers no way to revoke the certificates that are providing privileged permissions. Left unpatched, and with no reasonable workaround, devices are exposed right out of the box," Check Point added.
The firm said it has notified manufacturers of the flaw and that updates are being worked on, but given how long it can take for updates to arrive on devices, this could be some time.
The flaw is the third major problem affecting Android to come to light in recent weeks, following the major Stagefright flaw that was predicted to expose some 950 million devices simply by sending an MMS that would render them unusable.
A few days after this, Trend Micro revealed that it had found a flaw that could 'brick' a device by forcing it to load a dodgy file extension that continually crashes the device.
These flaws forced Google, and its major partner Samsung, into creating a monthly Android patch release cycle to try to fix flaws more promptly. However, this will cover only Google's Nexus devices and Samsung's models.
Other manufacturers have no such processes, so any fixes for these flaws, or the new Certifi-gate problem, could take a long time to reach handsets.