Things are not going very well for Android, with the past two weeks revealing at least two particularly dangerous exploits that could allow for a total hijack of an Android device. While the Stagefright exploit has become well known by now, another similar exploit - dubbed Certifi-gate - that didn't receive much publicity has been discovered by security firm Check Point.
Researchers Ohad Bobrov and Avi Bashan discovered that Mobile Remote Support Tools (mRSTs) function in a manner very similar to a breed of malware called Mobile Remote Access Trojans (mRATs), with almost the same capabilities - except that they are benign and not created for nefarious purposes. Examples of mRSTs include LogMeIn and TeamViewer, programs routinely used for troubleshooting and so on.
These tools can remotely access a phone, record user inputs and capture what is being displayed on the screen. While mRATs are, of course, malware that would need to be installed by a malicious party, mRSTs are routinely preloaded by OEMs. Such total control requires OEM certification, and that is the mechanism the researchers abused to perform the exploit. Since the list of manufacturers that include such software on their devices includes Samsung, HTC, LG, Huawei and Lenovo, millions could possibly be at risk, making this vulnerability potentially just as dangerous as Stagefright.
Coming back to how the exploit actually works, we first need to understand how mRSTs work. Given that their functionality consists of particularly invasive and powerful abilities, these apps need special permissions and need to be signed by the OEM itself. As such, the tool is divided into two parts: the actual app that you see and interact with, and a backend plugin that provides all these permissions. When the app requires special privileges, it connects to the plugin and is given the necessary permissions. Even phones that do not have the app installed might contain the plugin.
In order to verify that the app sending requests to the plugin and asking for these special permissions is the official mRST app, vendors create their own authentication tools on top of Android's Binder, which has no certification process of its own. And that's where the problem comes in. By using this duality, the researchers were able to exploit the plugin's god-like powers and gain total access to the device, in some cases with just a text message.
In the case of TeamViewer, for example, the only authentication consists of checking the serial number of a program certificate, a piece of information that is readily available to anyone. Therefore, anyone, even someone with no hacking skills, could simply create an application with the same serial number and trick the plugin into providing it total control over the device - something the researchers demonstrated with an otherwise innocent-looking flashlight app. In another instance, with another program, all it required was a simple text message and the device was hijacked.
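To make the serial-number weakness concrete, here is an added example written for this article (not Check Point's, TeamViewer's or any vendor's code) using Go's standard library: two self-signed certificates are constructed with the same serial number but different keys, a serial-only check accepts both, and a check that pins the digest of the whole certificate accepts only the genuine one. The function names, the serial value 1337 and the certificate subjects are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// MakeCert builds a self-signed X.509 certificate with a chosen serial number and a
// fresh key (constructed for this example; a real app's cert would come from its APK).
func MakeCert(serial int64, cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// WeakCheck mirrors the flaw described above: only the serial number is compared,
// and a serial is public information anyone can copy into their own certificate.
func WeakCheck(trusted, caller *x509.Certificate) bool {
	return trusted.SerialNumber.Cmp(caller.SerialNumber) == 0
}

// Fingerprint hashes the whole DER certificate, which binds the signer's public key;
// StrongCheck accepts a caller only if its certificate matches the pinned digest.
func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }
func StrongCheck(pinned [32]byte, caller *x509.Certificate) bool { return Fingerprint(caller) == pinned }

func main() {
	genuine, impostor := MakeCert(1337, "vendor-support-tool"), MakeCert(1337, "flashlight")
	fmt.Println("serial-only check accepts impostor:", WeakCheck(genuine, impostor))                // true
	fmt.Println("pinned-digest check accepts impostor:", StrongCheck(Fingerprint(genuine), impostor)) // false
}
```

On Android the equivalent of the pinned digest is the hash of the signing certificate obtained from the caller's package info, compared in full rather than by one public field.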
What further aggravates the problem is the fact that the plugin is signed by the OEM. Blocking the problematic certificate, which would be the obvious and simple solution, would almost certainly brick the entire phone. As such, the best way of solving the problem, at the moment, is to create better authentication systems between the plugin and the application - or find a new solution altogether. As researchers pointed out with Stagefright, however, Android is deeply fragmented; almost a year after launch, only 18% of devices have upgraded to Lollipop. Therefore, even if solutions were found and updates were made regularly, the chances of these fixes actually making it to end users are pretty slim.