Check Point has provided a free scanning application to allow individuals to determine if their Android device was vulnerable, and out of the 30,000 users that had opted to provide anonymous scan results, 58% of the Android devices scanned were vulnerable, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices with the vulnerable plug-in was LG with 72%.
TeamViewer's remote control plug-in, pre-installed by some phone OEMs and phone carriers for support, offers an exploitable backdoor for attackers (and even some legitimate apps) to gain root-level access to devices.
Based on anonymized data collected from users of an app designed to check for a newly revealed vulnerability in many Android devices, Check Point discovered that one application in the Google Play store is exploiting the vulnerability to gain a high level of access to the Android OS, bypassing user permissions, and bypassing Google's security scans of Play applications to do so.
Update: A Google spokesperson told Ars that the offending app has been suspended in the Play store.
While the app was discovered installed on an infinitesimal percentage of devices checked by Check Point, it shows that the vulnerability caused by insecure OEM and cell carrier software meant to provide remote access to devices for customer service engineers has already been exploited by legitimate phone applications, and the method used to bypass Google's security checks could be used for more malicious purposes on millions of devices. And there's no easy way for Google or phone manufacturers alone to patch the problem.
At the Black Hat security conference in Las Vegas earlier this month, Check Point's Ohad Bobrov and Avi Bashan presented research into an Android vulnerability introduced by software installed by phone manufacturers and cellular carriers that could affect millions of devices. Labeled by Bobrov and Bashan as "Certifi-Gate," the vulnerability is caused by insecure versions of remote administration tools installed by the manufacturers and carriers to provide remote customer service, including versions of TeamViewer, CommuniTake Remote Care, and MobileSupport by Rsupport. These carry certificates that give them complete access to the Android operating system and device hardware. The applications are commonly pre-installed on Samsung, LG, and HTC handsets.
Check Point has provided a free scanning application to allow individuals to determine if their Android device was vulnerable. Michael Shaulov, Check Point's head of mobility product management, told Ars that there had been more than 100,000 downloads of the scanning app from Google Play, and more than 30,000 users had opted to provide anonymous scan results from their products. In a blog post published today, Check Point researchers share a summary of that data: a majority (about 58 percent) of the Android devices scanned were vulnerable, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG: over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in.
Check Point
More than half of the devices in the 30,000 results shared with Check Point were vulnerable, with 15 percent already having a vulnerable remote "plug-in" app installed.
Samsung, LG, and HTC devices are the most vulnerable amongst those covered in the data.
Recordable Activator, a Google Play store app, downloads a vulnerable version of the TeamViewer plug-in on demand.
In a small fraction of devices scanned, Check Point researchers found an app that was actively exploiting the vulnerability. A tool called Recordable Activator from UK-based Invisibility Ltd was advertised as an EASY screen recorder that doesn't require root access to the device. But in fact once installed from the Google Play store, the app downloaded a vulnerable version of the TeamViewer plug-in from another source, Shaulov told Ars. Because the plug-in is signed by various device manufacturers, Check Point researchers wrote in their blog post, it's considered trusted by Android, and is granted system-level permissions. From this point Recordable Activator exploits the authentication vulnerability and connects with the plug-in to record the device screen.
While it's possible for device owners to uninstall vulnerable plug-ins, the vulnerability that allows the plug-in to be installed in the first place without the user's knowledge can't be fixed so easily, because the permissions for remote access are burned into the ROM of the device itself. And in some cases, as Bobrov said at Black Hat, "the tool is pre-installed and unreachable by the customer. To get rid of it, you need an upgrade of Android OS," he explained.
"In some scenarios, not with TeamViewer, but another of the vulnerable tools," Bobrov said, "you can trick this tool with SMS to respond and get it to work with a malicious command and control server. The user doesn't see any of this." While most of the third-party developers have issued patches to their tools to the Play store, he added, "the issue is more problematic: it's not just the bug itself, it's the architecture. The vendors themselves signed this tool with their certificate, and there is no way to patch this problem currently. If someone a year from now can trick you into installing a vulnerable version, they'll still be able to take control."
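The architectural point above, that an OEM-signed plug-in is trusted wherever it was installed from, suggests a fleet-side audit. The following is an added example, not code from Check Point or the article: the package names, certificate fingerprints and inventory format are constructed, and only the permission names are real Android ones.

```python
from dataclasses import dataclass

# Real Android permissions granted only to platform-signed (or privileged) apps;
# together they allow screen capture and input injection.
SIGNATURE_PERMS = {
    "android.permission.READ_FRAME_BUFFER",
    "android.permission.INJECT_EVENTS",
    "android.permission.ACCESS_SURFACE_FLINGER",
    "android.permission.CAPTURE_VIDEO_OUTPUT",
}
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/")

@dataclass(frozen=True)
class Package:
    name: str            # package name (constructed)
    apk_path: str        # where the APK lives on the device
    signer_sha256: str   # signing-certificate fingerprint (placeholder values)
    granted: frozenset   # permissions actually granted

def audit(packages, platform_signers):
    """Flag OEM-signed packages holding signature-level permissions.

    Packages living outside the system image come first: they arrived after
    the device shipped (store install, sideload or update) yet inherit the
    OEM certificate's trust, which is the Certifi-Gate pattern.
    """
    findings = []
    for p in packages:
        risky = sorted(p.granted & SIGNATURE_PERMS)
        if p.signer_sha256 in platform_signers and risky:
            origin = ("preinstalled" if p.apk_path.startswith(SYSTEM_PREFIXES)
                      else "installed-after-ship")
            findings.append({"package": p.name, "origin": origin,
                             "permissions": risky})
    findings.sort(key=lambda f: (f["origin"] != "installed-after-ship", f["package"]))
    return findings

# Constructed inventory; fingerprints are placeholders, not real certificates.
OEM = "OEM_PLATFORM_CERT_SHA256_PLACEHOLDER"
SAMPLE = [
    Package("com.example.oem.launcher", "/system/priv-app/Launcher/Launcher.apk", OEM, frozenset()),
    Package("com.example.oem.remotecare", "/system/priv-app/RemoteCare/RemoteCare.apk", OEM,
            frozenset({"android.permission.INJECT_EVENTS"})),
    Package("com.example.support.plugin", "/data/app/com.example.support.plugin-1/base.apk", OEM,
            frozenset({"android.permission.READ_FRAME_BUFFER", "android.permission.INJECT_EVENTS"})),
    Package("com.example.game", "/data/app/com.example.game-1/base.apk", "THIRD_PARTY_CERT_PLACEHOLDER",
            frozenset({"android.permission.INTERNET"})),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, {OEM}):
        print(finding)
```

A legitimate update to a pre-installed system app also lands under /data/app, so an "installed-after-ship" finding is a prompt to verify the package version and source, not a verdict.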
Based on Check Point's findings, that's exactly what Invisibility Ltd is doing for what is advertised as a legitimate application. Given how easily the developer was able to bypass Google Play's security scans, it's possible there are more malicious applications already out there.