Google whack-a-mole continues as more Android flaws are uncovered

Beware fingerprint thieves on Android. Photo: Killian Bell/Cult of Mac

Just one day after Google announced the “world’s largest” Android update was coming to eliminate the Stagefright vulnerability, two more flaws have been discovered in its platform.

One allows “hundreds of millions” of devices to be hacked without the owner’s knowledge, while the other allows fingerprint data to be stolen remotely.

A team of researchers at security firm Check Point today published a report on a new vulnerability dubbed “Certifi-gate,” which can allow attackers to gain access to all kinds of personal data, including contacts and photos, and even access to the microphone for recording sound.

The vulnerability can be found on an alarmingly large number of handsets made by HTC, LG, Samsung, Lenovo, and others, and it stems from pre-installed software that cannot be removed by the user. So far, Check Point has found the TeamViewer, RSupport, AnySupport, and CommuniTake apps to be at risk.

These apps are described as Mobile Remote Support Tools (mRSTs), and they are designed to provide users with remote support when they need it. Like Remote Desktop on your PC, they can allow a support agent to access your device and troubleshoot problems.

But thanks to certificate verification vulnerabilities in these apps, they can allow attackers to gain that same access.

A number of different methods can be used. One is generating a certificate with a serial number that matches that of the plugin within the official app, then using it to sign a malicious app that is also designed to interact with that plugin.
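The weak check described above (trusting a caller because its signing certificate carries the expected serial number) and the hardened alternative (pinning a digest of the entire signing certificate, so a forged certificate with a copied serial but a different key is rejected) side by side, as an added illustration that is not code from Check Point or from any of the affected apps; `CallerVerifier`, `weakSerialCheck`, `pinnedDigestCheck` and the pinned values passed in are hypothetical, and the Android `PackageManager.GET_SIGNATURES` API is the one available at the time of the report:

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical caller-identity checks for a privileged support plugin (illustrative only). */
public final class CallerVerifier {

    /** WEAK: accepts any caller whose signing certificate has the expected serial number.
     *  Anyone can mint a self-signed certificate with an arbitrary serial, so this proves
     *  nothing about who actually signed the calling app. */
    static boolean weakSerialCheck(Context ctx, String callerPkg, BigInteger expectedSerial)
            throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (Signature sig : signaturesOf(ctx, callerPkg)) {
            X509Certificate cert = (X509Certificate)
                    cf.generateCertificate(new ByteArrayInputStream(sig.toByteArray()));
            if (expectedSerial.equals(cert.getSerialNumber())) return true;
        }
        return false;
    }

    /** HARDENED: pins the SHA-256 digest of the whole DER-encoded signing certificate.
     *  A forged certificate that copies the serial still carries a different public key,
     *  so its digest never matches. MessageDigest.isEqual compares in constant time. */
    static boolean pinnedDigestCheck(Context ctx, String callerPkg, byte[] expectedCertSha256)
            throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (Signature sig : signaturesOf(ctx, callerPkg)) {
            if (MessageDigest.isEqual(md.digest(sig.toByteArray()), expectedCertSha256)) return true;
        }
        return false;
    }

    /** Resolve the caller from the Binder UID rather than from a package name the caller
     *  supplies in an Intent, which it could set to anything. */
    static String[] callingPackages(Context ctx) {
        return ctx.getPackageManager().getPackagesForUid(Binder.getCallingUid());
    }

    private static Signature[] signaturesOf(Context ctx, String pkg) throws Exception {
        PackageInfo info = ctx.getPackageManager().getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return info.signatures == null ? new Signature[0] : info.signatures;
    }
}
```

Pinning the certificate fixes the forged-certificate path only; it does nothing about an older, still vendor-signed plugin build being installed, which is the revocation gap Check Point describes.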

“In order to support advanced usages such as remote support, vendors and OEMs may abuse Android’s privileged permissions mechanism,” explains Check Point.

“OEMs could sign third party apps with their certificate to let them obtain privileged permissions. This means that third party code that doesn’t go over scrutinized code review could gain access to sensitive system resources.”

What makes this problem worse is that vulnerable apps cannot be completely revoked. Check Point adds that even after they’ve been updated, an attacker could still use an old version of the app to gain control of a device.

Separate research from Tao Wei and Yulong Zhang of FireEye has found ways in which hackers can use “fingerprint spying attacks” to steal fingerprint data from Android devices remotely. Any handset with a fingerprint scanner is at risk, such as those from Huawei, HTC, and Samsung.

The problem isn’t really Google’s fault, but rather the handset manufacturers’, because they don’t “fully lock down the sensor,” ZDNet explains. “Making matters worse, the sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target.”

With native support for fingerprint scanners baked into the Android M update that will roll out this fall, handsets with this technology built in will get a lot safer. But in the meantime, FireEye recommends you avoid apps from untrusted sources, which is always a pretty sensible rule.