With the Android world still reeling from the Stagefright vulnerability, Check Point has released details of a previously unknown vulnerability in the OS called Certifi-gate.
Certifi-gate is a set of vulnerabilities in the authorisation methods between mobile Remote Support Tool applications and system-level plug-ins.
The Remote Support applications, pre-installed on some Android devices, allow support staff to remotely take over devices to resolve issues.
Due to "numerous faulty exploitable implementations of this logic," the function could be used by malicious applications to gain unrestricted access to the device without detection, increasing their privileges to gain access to user data and even perform user functions.
The problem was seen in apps such as TeamViewer, with over 5 million downloads in Google Play, RSupport with over 10 million downloads, and CommuniTake.
"Our team’s research demonstrates how some aspects of the Android ecosystem architecture are potentially flawed," said the accompanying report. "These flaws could expose sensitive information on devices, including both personal and enterprise content.
"In order to support advanced usages such as remote support, vendors and OEMs may abuse Android’s privileged permissions mechanism. OEMs could sign third party apps with their certificate to let it obtain privileged permissions.
"This means that third party code that doesn’t go over scrutinised code review could gain access to sensitive system resources. The problem is further intensified because vulnerable apps cannot be completely revoked."
Bob Tarzey, Analyst at Quocirca, explained to CBR the implications of the findings for Android.
"All software contains vulnerabilities; many can go undiscovered for years (such as these two), until someone finds the vulnerability and either uses it for bad purposes or publicises it through responsible disclosure (such as Check Point has in this case).
"Until discovered, vulnerabilities are mostly harmless; only when someone develops the means to use the vulnerability (an exploit kit) does it become an exploit. Neither of these two recent vulnerabilities seems to have been exploited as yet.
"The fact Check Point and others are pro-actively researching Android is good; it is better they find vulnerabilities before the Blackhats do.
"That said, who knows what the Blackhats have found in Android and are working on; they will not seek the same publicity, but aim to keep things quiet to achieve their nefarious goals.
"The real message here is that Android, like all software, has vulnerabilities and the Android community, led by Google, needs to up its game."