The Recordable Activator app was taken off Google Play following Check Point's Certifi-gate findings

Aug 26, 2015 13:15 GMT

Certifi-gate, the Android vulnerability discovered by Check Point security researchers, has been found actively exploited by an app available for download from the Google Play app store.

The vulnerability, which allows an attacker to get remote control over an Android device using its mobile Remote Support Tools (mRSTs), can be exploited using support applications from vendors like AnySupport, CommuniTake, RSupport, and TeamViewer.

Check Point, the security company that found this bug and presented it at the Black Hat USA 2015 conference in Las Vegas, also released an app that scans an Android phone and tells the user whether the phone is vulnerable to the Certifi-gate bug.

This scanner has been downloaded between 50,000 and 100,000 times, and includes a phone-home system which reports its findings to the Check Point staff.

16% of scanned Androids are vulnerable

According to the security team that aggregated the data, 15.84% of the scanned smartphones had a vulnerable plugin (from the ones mentioned above) installed.

Additionally, 42.09% of phones were vulnerable but did not yet have a vulnerable support application plugin installed on the device.

0.01% of the scanned phones, which represents 3 phones, were found to be actively exploited.

Breakdown of vulnerability status across all devices

Taking a closer look at the infected phones, the Check Point staff have identified that the Recordable Activator Android app was to blame, an app which was being distributed through the official Google Play Store.

The app has been downloaded between 100,000 and 500,000 times, and in the meantime, has been taken down from Google Play.

The app is a simple screen recorder like many others, and came with four methods of recording the user's screen: via USB, Android 5 projection, root user, and the TeamViewer plugin.

Recordable Activator actively exploited the Certifi-gate vulnerability

According to Check Point researchers, "the Recordable Activator app bypassed the Android permission model to use the TeamViewer’s plug-in to access system level resources and to record the device screen."

Contacted by The Register, the app's creators, UK-based Invisibility Ltd., had the following to say: "Recordable is primarily used by gamers wanting to record their gameplay and upload it to YouTube. Hundreds of thousands of kids use it to run their YouTube channels."

"Recordable Activator used the older versions of the TeamViewer plugin in exactly the same way that TeamViewer did. It did this in response to a user requesting it ... and would notify the user in the same way that TeamViewer would," said Christopher Fraser, Invisibility Ltd. representative.

The app doesn't seem to have exploited a user's private data for its own gain, but it appears to have used the Certifi-gate vulnerability to boost its own capabilities without scaring users away with privacy popups.

LG devices are the most vulnerable

Going back to the Check Point data collected by their scanner app, we also see that LG devices were the most vulnerable, followed by Samsung and HTC.

The three exploited phones were Samsungs, but there are generally more LG phones vulnerable to Certifi-gate.

Sony devices were the least vulnerable out of all scanned brands.

Breakdown of vulnerability status across each manufacturer
