Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.
Researchers can take complete control of Android phones
The wave of security issues with devices, cars and even skateboards continues as Check Point researchers presented a vulnerability at the Black Hat conference that could potentially open millions of Android up to hackers. Dubbed Certifi-gate, the researchers say that vulnerabilities in the OEM (manufacturers of Android devices like Samsung, LG and Sony) implementation of Remote Support allows a third party app's plugins to access a device's screens and actions using an OEMs own signed certificates.
That means a nefarious individual could see what you're doing and control your phone or tablet. And according to the researchers, there's no reasonable way to revoke the certificates as an end user. Check Point noted that the devices that could suffer from Certifi-gate are from LG, Samsung, HTC and ZTE and that these OEMs have released updates to mitigate the issue. Both Check Point and Google have noted that Nexus devices are not prone to the vulnerability.
Check Point's Technology Leader of Mobile Threat Detection, Avi Bashan told Engadget that the vulnerability stems from an issue in Android's security architecture and that OEMs created flawed implementations of the remote support tools to get round the Android issue. The companies just didn't do a very good job at it. Bashan also noted that for many, the vulnerability may not go away any time soon because of the long update time associated with Android devices.
Concerning the vulnerability Samsung issued the following statement: "At Samsung, we understand that our success depends on consumers' trust in us, and the products and services that we provide. We are aware of Check Point's alleged claims, and Samsung has addressed this issue. Samsung encourages users not to execute unsecure apps."
A Google spokesperson told Engadget: "We want to thank the researcher for identifying the issue and flagging it for us. The issue they've detailed pertains to customizations OEMs make to Android devices and they are providing updates which resolve the issue."
Like Samsung, Google urged Android users to get their apps from the trusted sources, "in order for a user to be affected, they'd need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet. We strongly encourage users to install applications from a trusted source, such as Google Play."
Bashan said that it's possible for an app that exploits the vulnerability to get through the Google Play verification service because the app can look perfectly legit while its associated plugin could lead to the device being compromised. Either way, until your phone gets the update, it's probably a good idea to skip side-loading apps.
Check Point has made the full report of their findings available online and has created a free app that scans for apps that use the Certifi-gate vulnerability.
