Introduction

Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer.

By investigating the entire infection chain and attack infrastructure, we were able to track previous operations that share many characteristics with this attack’s inner workings. We also came across an online avatar of a Russian-speaking hacker, who seems to be in charge of the tools developed and used in this attack.

In this article, we will discuss the infection chain, those targeted, the tools used and a possible attribution to one of the hackers behind the attack.

The Infection Chain

The infection flow starts with an XLSM document with malicious macros, which is sent to potential victims via e-mail under the subject “Military Financing Program”:

Email subject: military financing program

File name: “Military Financing.xlsm”

SHA-256: efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12

Fig 1: Decoy document

The well-crafted document bears the logo of the U.S. Department of State, and is marked as Top Secret. Although the attackers have worked hard to make the document appear convincing, they seem to have overlooked some Cyrillic artifacts (such as the Workbook name) that were left in the document, and could potentially reveal more information about the source of this attack.

Fig 2: The infection chain

Once the macros are enabled, two files are extracted from hex encoded cells within the XLSM document:

  1. A legitimate AutoHotkeyU32.exe program.
  2. AutoHotkeyU32.ahk: an AHK script which sends a POST request to the C&C server and can receive additional AHK script URLs to download and execute.
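Because the two files are carved out of hex-encoded cell values, a defender can look for exactly that in the file format without running the macro. The scanner below is an added example (it is not the article's code; the AutoHotkey markers, the size threshold and the constructed sample workbook are my assumptions). It opens the workbook as the zip archive it is, reads every shared string and inline string, decodes any cell that is one long hex run, and reports whether the result looks like a PE image (`MZ` header) or an AutoHotkey script, alongside whether a VBA project is present at all.

```python
"""Scan an Excel workbook (.xlsm/.xlsx) for cells that hold hex-encoded payloads.

Added example (not from the article). The AHK markers, the size threshold and
the constructed sample workbook are assumptions made for this demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MIN_HEX_DIGITS = 64                      # assumed: shorter runs are noise (ids, colours)
HEX_RUN = re.compile(r"^[0-9A-Fa-f]+$")
AHK_MARKERS = (b"#NoEnv", b"UrlDownloadToFile", b"WinHttpRequest", b"ComObjCreate")


def _cell_texts(zf):
    """Yield (zip_member, text) for every shared string and every inline string."""
    for name in zf.namelist():
        if name == "xl/sharedStrings.xml":
            root = ET.fromstring(zf.read(name))
            for si in root.iter(NS + "si"):
                yield name, "".join(t.text or "" for t in si.iter(NS + "t"))
        elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
            root = ET.fromstring(zf.read(name))
            for c in root.iter(NS + "c"):
                if c.get("t") == "inlineStr":
                    yield name, "".join(t.text or "" for t in c.iter(NS + "t"))


def classify(blob):
    """Label a decoded blob: Windows executable, AutoHotkey script, or unknown."""
    if blob[:2] == b"MZ":
        return "pe"
    lowered = blob.lower()
    if any(m.lower() in lowered for m in AHK_MARKERS):
        return "ahk"
    return "unknown"


def scan_workbook(data):
    """Return macro presence and every hex-encoded payload found in cell text."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        has_macros = "xl/vbaProject.bin" in zf.namelist()
        for member, text in _cell_texts(zf):
            compact = re.sub(r"\s+", "", text)
            if len(compact) < MIN_HEX_DIGITS or len(compact) % 2 or not HEX_RUN.match(compact):
                continue
            blob = bytes.fromhex(compact)
            findings.append({"member": member, "size": len(blob), "kind": classify(blob)})
    return {"has_macros": has_macros, "hex_payloads": findings}


def build_sample():
    """Constructed workbook: a fake PE in a shared string, a fake AHK script inline."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 60
    fake_ahk = (b"#NoEnv\n"
                b"whr := ComObjCreate(\"WinHttp.WinHttpRequest.5.1\")\n"
                b"; constructed stand-in for the downloader script\n")
    shared = (f'<sst xmlns="{NS[1:-1]}" count="2" uniqueCount="2">'
              f"<si><t>Military Financing</t></si><si><t>{fake_pe.hex()}</t></si></sst>")
    sheet = (f'<worksheet xmlns="{NS[1:-1]}"><sheetData><row r="1">'
             f'<c r="A1" t="s"><v>0</v></c><c r="B1" t="s"><v>1</v></c>'
             f'<c r="C1" t="inlineStr"><is><t>{fake_ahk.hex()}</t></is></c>'
             f"</row></sheetData></worksheet>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 28)  # OLE magic stub
        zf.writestr("xl/sharedStrings.xml", shared)
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_workbook(build_sample())
    print("macros:", report["has_macros"])
    for f in report["hex_payloads"]:
        print(f"{f['member']}: {f['size']} bytes decoded, looks like {f['kind']}")
```

The check is deliberately format-level rather than macro-level: a document that carries a hex-encoded executable in a cell is suspicious whether or not the VBA that unpacks it is obfuscated, so this can run in a mail gateway or sandbox pre-filter before any emulation.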

The malicious TeamViewer DLL (TV.DLL) is loaded via the DLL side-loading technique, and is used to add more “functionality” to TeamViewer by hooking Windows APIs called by the program.

Modified functionality includes:

Fig 3: MoveFileW function hook: adds payload “execute” and “inject” functionality.

The following is a demonstration of how it actually works:

Fig 4: Remote payload execution demo

Victims

As described in the infection flow, one of the first uses of the AutoHotKey scripts is to upload a screenshot from the compromised PC.

The directory which those screenshots were uploaded to was left exposed, and could have been viewed by browsing to the specific URL:

Fig 5: Open directory with victims’ screenshots

However, those screenshot files were deleted periodically from the server, and eventually the “open directory” view was disabled.

Until that time, we were able to ascertain some of the victims of these attacks, as most of the screenshots included identifying information.

From the targets we have observed in our own telemetry, as well as the information we have gathered from the server, we were able to compose a partial list of countries where officials were targeted:

It is hard to tell if there are geopolitical motives behind this campaign by looking solely at the list of countries it was targeting, since it was not after a specific region and the victims came from different places in the world.

Nevertheless, the observed victims list reveals a particular interest of the attacker in the public financial sector, as they all appear to be handpicked government officials from several revenue authorities.

Previous Campaigns

While all campaigns observed from this threat actor utilized a trojanized version of TeamViewer, the features of the malicious DLL have changed, and the first stage of the infection has evolved over time.

Delivery

The initial infection vector used by the threat actor also changed over time. During 2018 we saw multiple uses of self-extracting archives, which displayed a decoy image to the user, instead of malicious documents with AutoHotKey.

For example, the self-extracting archive “Положение о прокуратуре города(приказом прокурора края)_25.12.2018.DOC.exe” (translated into “Regulations on the city prosecutor’s office (by order of the regional prosecutor)_25.12.2018.DOC.exe”) displays the following image:

Fig 6: SFX archive decoy image

This image shows officials from Kazakhstan, and was taken from the website of Kazakhstan’s Ministry of Foreign Affairs. The original name of the executable and the decoy content it displays seem to suggest that it was targeting Russian-speaking victims.

There were also other instances in which related campaigns were after Russian speakers: one of the weaponized Excel documents had instructions, in fluent Russian, on how to enable content for the macros to run:

Fig 7: Russian decoy document

SHA-256: 67d70754c13f4ae3832a5d655ff8ec2c0fb3caa3e50ac9e61ffb1557ef35d6ee

Afterwards, it would display finance-related Russian content:

Fig 8: Russian decoy document – after macros are enabled

Although both examples of the different delivery methods described above show an exclusive targeting of Russian speakers, the recurring financial and political themes that they use highlight the attacker’s interest in the financial world once more.

The Payload

Throughout the campaigns, multiple changes to the functionality of the malicious TeamViewer DLL were introduced. Below are the feature highlights of each version:

First Variant (?-2018)

Second Variant (2018)

Fig 9: Help commands found in malicious DLL

Third Variant – as observed in the current campaign (2019)

Attribution

Although in such campaigns it is usually unclear who is behind the attack, in this case we were able to locate a user, active in several online forums, who appears to be behind the aforementioned activity, or is at least the creator of the tools used in the attack.

By following the trail from the previous campaigns we were able to find a `CyberForum[.]ru` user that goes by the name “EvaPiks”.

In multiple instances, the user would suggest, or be advised by other users to use, some of the techniques we witnessed throughout the campaigns.

The following are translated snippets from some of the threads in the forum:

Fig 10: EvaPiks – suggested macro code

The macro code suggested by EvaPiks in the above thread was actually used in the latest attack, and some of the variable names such as “hextext” were not even changed.

In the following screenshot, we see EvaPiks suggesting a Delphi code snippet that “works great”:

Fig 11: EvaPiks – suggested PHP code

Fig 12: Panel URL found in DLL code

In addition to the similar Delphi usage, the URL mentioned in the forum (`newpanel_gate/gate.php`) was used in one of the attacks.

Back in 2017, EvaPiks was the one seeking advice on the forum, with questions about API function call interception:

Fig 13: EvaPiks – seeking Delphi hooking advice on the forums

Fig 14: Hooks found in DLL code

The same hooking technique of the `CreateMutexA` and `SetWindowTextW` functions was utilized in the sample we have observed as well.

An additional screenshot from the forum reveals how EvaPiks is experimenting with new features, some of which were integrated into the malicious DLLs:

Fig 15: EvaPiks – development PC screenshot from the forums

Besides `CyberForum[.]ru`, we also found out that this avatar was active on an illegal Russian carding forum, strengthening the notion that their forum activity is not for “educational purposes” only:

Fig 16: EvaPiks – complaining about a fellow user on a carding forum

The Attack Infrastructure

At one point or another, all the samples observed utilized the same web hosting company, HostKey, except some of the samples from the first variant. [see appendix B for a list of URLs]

Additionally, we observed the following login panels on the C&C servers utilized by the malicious DLLs:

Fig 17: “Cyber Industries” login panel hosted on 193.109.69[.]5

Fig 18: Login panel hosted on 146.0.72[.]180

Summary

On the one hand, from the findings we have described, this appears to be a well thought-out attack that carefully selects a handful of victims and uses tailored decoy content to match the interests of its target audience.

On the other hand, some aspects of this attack were carried out with less caution, and have exposed details that are usually well disguised in similar campaigns, such as the personal information and online history of the perpetrator, as well as the outreach of their malicious activity.

The malicious DLL allows the attacker to send additional payloads to a compromised machine and remotely run them. Since we were not able to find such a payload and learn what other functionality it introduces besides what the DLL already provides, the real intentions of the latest attack remain unclear.

However, the activity history of the developer behind the attack in underground carding forums and the victims’ characteristics may imply that the attacker is financially motivated.

Check Point’s SandBlast

The malware used in this attack was caught using Check Point’s Threat Emulation and Threat Extraction.

Threat Emulation is an innovative zero-day threat sandboxing capability, used by SandBlast Network to deliver the best possible catch rate for threats, and is virtually immune to attackers’ evasion techniques. As part of the Check Point SandBlast Zero-Day Protection solution, Threat Emulation prevents infections from new malware and targeted attacks. The Threat Extraction capability removes exploitable content, including active content and embedded objects, reconstructs files to eliminate potential threats, and promptly delivers sanitized content to users to maintain business flow.

IOCs

DLLs

```
013e87b874477fcad54ada4fa0a274a2
799AB035023B655506C0D565996579B5
e1167cb7f3735d4edec5f7219cea64ef
6cc0218d2b93a243721b088f177d8e8f
aad0d93a570e6230f843dcdf20041e1e
1e741ebc08af09edc69f017e170b9852
c6ae889f3bee42cc19a728ba66fa3d99
1675cdec4c0ff49993a1fcbdfad85e56
72de32fa52cc2fab2b0584c26657820f
44038b936667f6ce2333af80086f877f
```

Documents

```
4acf624ad87609d476180ecc4c96c355
4dbe9dbfb53438d9ce410535355cd973
```

C&Cs

```
1c-ru[.]net/check/license
intersys32[.]com/3307/
146.0.72[.]180/3307/
146.0.72[.]180/newcpanel_gate/gate.php
185.70.186[.]145/gate.php
185.70.186[.]145/index.php
193.109.69[.]5/3307/gate.php
193.109.69[.]5/9125/gate.php
```
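As one way to put the C&C list to use, the following is an added example, not part of the article, that refangs these indicators and matches them against outbound proxy log lines (the log format and the sample lines are constructed). A request whose host and path both match is reported with `url` confidence; any other request to one of the listed hosts is reported with lower `host` confidence, since several of these servers are listed under more than one path.

```python
"""Match the FINTEAM C&C indicators against outbound proxy log lines.

Added example, not from the article. The IOC strings are the ones listed in
the IOCs section; the log format and the sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

CNC_IOCS = [
    "1c-ru[.]net/check/license",
    "intersys32[.]com/3307/",
    "146.0.72[.]180/3307/",
    "146.0.72[.]180/newcpanel_gate/gate.php",
    "185.70.186[.]145/gate.php",
    "185.70.186[.]145/index.php",
    "193.109.69[.]5/3307/gate.php",
    "193.109.69[.]5/9125/gate.php",
]


def refang(ioc):
    """Turn the defanged form (example[.]com) back into a matchable host."""
    return ioc.replace("[.]", ".")


def split_ioc(ioc):
    """(host, path) for a scheme-less indicator such as host/dir/file.php."""
    host, _, path = refang(ioc).partition("/")
    return host.lower(), "/" + path


IOC_TABLE = {ioc: split_ioc(ioc) for ioc in CNC_IOCS}

# Constructed log format: "<epoch> <client-ip> <METHOD> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def match_line(line):
    """Return a hit dict for a log line that touches a known C&C, else None.

    Host plus path-prefix match is reported as a "url" hit; any other request
    to a listed host is a lower-confidence "host" hit.
    """
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    host_hit = None
    for ioc, (ioc_host, ioc_path) in IOC_TABLE.items():
        if host == ioc_host or host.endswith("." + ioc_host):
            if path.startswith(ioc_path):
                return {"ts": m["ts"], "client": m["client"], "ioc": ioc, "confidence": "url"}
            host_hit = host_hit or {"ts": m["ts"], "client": m["client"],
                                    "ioc": ioc, "confidence": "host"}
    return host_hit


def scan_log(text):
    """Run match_line over every line; unparseable lines are skipped, not fatal."""
    return [hit for hit in (match_line(l) for l in text.splitlines()) if hit]


# Constructed sample: two C&C check-ins, one host-only touch, one benign, one malformed.
SAMPLE_LOG = """\
1555000001 10.0.0.5 POST http://193.109.69.5/3307/gate.php 200
1555000002 10.0.0.7 GET http://www.example.com/index.html 200
1555000003 10.0.0.9 GET http://146.0.72.180/update/check 404
1555000004 10.0.0.5 POST http://1c-ru.net/check/license 200
this line is deliberately malformed and must be skipped
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Keeping the indicators in their defanged form and refanging at load time avoids a detection rule file that itself looks like a beaconing list to other scanners, and the two confidence levels let a SOC page on `url` hits while only ticketing `host` hits for review.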

Appendix A: Yara Rule

```yara
rule TeamViwer_backdoor
{
    meta:
        date = "2019-04-14"
        description = "Detects malicious TeamViewer DLLs"

    strings:
        // PostMessageW hook function
        $x1 = {55 8b ec 8b 45 0c 3d 12 01 00 00 75 05 83 c8 ff eb 12 8b 55 14 52 8b 55 10 52 50 8b 45 08 50 e8}

    condition:
        uint16(0) == 0x5a4d and $x1
}
```
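To see what the rule's condition actually checks, here is the same logic in plain Python. This is an added example, not part of the article or of the rule author's tooling; the opcode reading in the comments is my own decoding of the byte pattern, and the `sample_dll()` bytes are constructed. `matches_rule()` applies the two-part condition (`uint16(0) == 0x5a4d`, i.e. a little-endian `MZ` header, and the presence of `$x1`), and `find_offsets()` reports where the pattern sits, as `yara -s` would.

```python
"""Plain-Python equivalent of the Appendix A YARA rule, so the condition can be
read and unit-tested without the yara engine.

Added example (not from the article). The opcode comments are my own decoding
of the rule's byte pattern; the sample_dll() bytes are constructed.
"""
import struct

# $x1 from the rule, byte for byte. Read as 32-bit x86 it is the start of a
# PostMessageW-style hook: compare the message id against 0x112 and either
# return -1 or forward the original four arguments to a call.
X1 = bytes.fromhex(
    "55 8b ec"          # push ebp ; mov ebp, esp
    "8b 45 0c"          # mov eax, [ebp+0x0c]      ; 2nd argument (message id)
    "3d 12 01 00 00"    # cmp eax, 0x112           ; 0x112 is WM_SYSCOMMAND
    "75 05"             # jne  +5                  ; other message: skip the next 5 bytes
    "83 c8 ff"          # or   eax, -1             ; WM_SYSCOMMAND: result = -1 ...
    "eb 12"             # jmp  +0x12               ; ... and skip the forwarding call
    "8b 55 14 52"       # mov edx, [ebp+0x14] ; push edx   (4th argument)
    "8b 55 10 52"       # mov edx, [ebp+0x10] ; push edx   (3rd argument)
    "50"                # push eax                         (2nd argument)
    "8b 45 08 50"       # mov eax, [ebp+0x08] ; push eax   (1st argument)
    "e8"                # call rel32 ; the 4 target bytes vary per build, so the rule stops here
)


def matches_rule(data):
    """uint16(0) == 0x5a4d and $x1, exactly as the YARA condition reads."""
    if len(data) < 2:
        return False
    magic = struct.unpack_from("<H", data, 0)[0]   # YARA's uint16() is little-endian
    return magic == 0x5A4D and X1 in data


def find_offsets(data):
    """Every offset at which $x1 occurs, like `yara -s` would report."""
    offsets, pos = [], data.find(X1)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(X1, pos + 1)
    return offsets


def sample_dll(with_hook=True):
    """Constructed image: a DOS 'MZ' magic, padding, and optionally the hook
    prologue at offset 0x400 followed by a dummy call target and epilogue."""
    image = bytearray(b"MZ") + b"\0" * 0x3fe
    if with_hook:
        image += X1 + b"\0\0\0\0" + b"\xc9\xc3"   # rel32 placeholder, leave, ret
    return bytes(image)


if __name__ == "__main__":
    for label, blob in (("with hook", sample_dll()), ("clean", sample_dll(False))):
        print(f"{label}: match={matches_rule(blob)} offsets={find_offsets(blob)}")
```

The `MZ` check is what keeps the rule from firing on memory dumps or shellcode blobs that merely contain the same prologue; the test feeds such a buffer and expects no match, which is the behaviour the rule's condition specifies.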

Appendix B: Online services of interest

Banks

```
bankofamerica.com,pacwestbancorp.com,alipay.com,cbbank.com,firstrepublic.com,chase.com
citibank.com,bankamerica.com,wellsfargo.com,citicorp.com,pncbank.com,us.hsbc.com,bnymellon.com
usbank.com,suntrust.com,statestreet.com,capitalone.com,bbt.com,tdbank.com,rbs.com,regions.com
53.com,ingdirect.com,keybank.com,ntrs.com,www4.bmo.com,usa.bnpparibas.com,mufg.jp,aibgroup.com
comerica.com,zionsbank.com,mibank.com,bbvabancomerusa.com,huntington.com,bank.etrade.com,synovus.com
bancopopular.com,navyfcu.org,schwab.com,rbcbankusa.com,colonialbank.com,hudsoncitysavingsbank.com,db.com
peoples.com,ncsecu.org,associatedbank.com,bankofoklahoma.com,mynycb.com,firsthorizon.com,firstcitizens.com
astoriafederal.com,firstbankpr.com,commercebank.com,cnb.com,websterbank.com,fbopcorporation.com
frostbank.com,guarantygroup.com,amtrust.com,nypbt.com,wbpr.com,fult.com,penfed.org,tcfbank.com,lehman.com
bancorpsouthonline.com,valleynationalbank.com,thesouthgroup.com,whitneybank.com,susquehanna.net,citizensonline.com
ucbh.com,raymondjames.com,firstbanks.com,wilmingtontrust.com,bankunited.com,thirdfederal.com,wintrustfinancial.com
sterlingsavingsbank.com,boh.com,arvest.com,eastwestbank.com,efirstbank.com,theprivatebank.com,flagstar.com
becu.org,umb.com,firstmerit.com,corusbank.com,svb.com,prosperitybanktx.com,washingtonfederal.com
ucbi.com,metlife.com,ibc.com,cathaybank.com,trustmark.com,centralbancompany.com,umpquabank.com
pcbancorp.com,schoolsfirstfcu.org,mbfinancial.com,natpennbank.com,fnbcorporation.com,fnfg.com,golden1.com
hancockbank.com,firstcitizensonline.com,ubsi-wv.com,firstmidwest.com,oldnational.com,ottobremer.org
firstinterstatebank.com,northwestsavingsbank.com,easternbank.com,suncoastfcu.org,santander.com
everbank.com,bostonprivate.com,firstfedca.com,english.leumi.co.il,aacreditunion.org,rabobank.com
parknationalbank.com,provbank.com,alliantcreditunion.org,capitolbancorp.com,newalliancebank.com
johnsonbank.com,doralbank.com,fcfbank.com,pinnaclebancorp.net,providentnj.com,oceanbank.com
ssfcu.org,capfed.com,iberiabank.com,sdccu.com,americafirst.com,hncbank.com,bfcfinancial.com
amcore.com,nbtbank.com,centralpacificbank.com,banksterling.com,bannerbank.com,firstmerchants.com,communitybankna.com
hsbc.com,rbs.co.uk,bankofinternet.com,ally.com,bankofindia.co.in,boi.com.sg,unionbankofindia.co.in,bankofindia.uk.com
unionbankonline.co.in,hdfcbank.com,axisbank.com,icicibank.com,paypal.com,pnm.com,wmtransfer.com,skrill.com,neteller.com
payeer.com,westernunion.com,payoneer.com,capitalone.com,moneygram.com,payza.com
```

Crypto Markets

```
blockchain.info,cryptonator.com,bitpay.com,bitcoinpay.com,binance.com,bitfinex.com,okex.com
huobi.pro,bitflyer.jp,bitstamp.net,kraken.com,zb.com,upbit.com,bithumb.com,bittrex.com,bitflyer.jp
etherdelta.com,hitbtc.com,poloniex.com,coinone.co.kr,wex.nz,gate.io,exmo.com,exmo.me,yobit.net
korbit.co.kr,kucoin.com,livecoin.net,cex.io,c-cex.com,localbitcoins.net,localbitcoins.com,luno.com
allcoin.com,anxpro.com,big.one,mercatox.com,therocktrading.com,okcoin.com,bleutrade.com,exchange.btcc.com
bitkonan.com,coinbase.com,bitgo.com,greenaddress.it,strongcoin.com,xapo.com
electrum.org,etherscan.io,myetherwallet.com,bitcoin.com
```

Online Shops

```
ebay,amazon,wish.com,aliexpress,flipkart.com,rakuten.com,walmart.com
target.com,bestbuy.com,banggood.com,tinydeal.com,dx.com,zalando,jd.com
jd.id,gearbest.com,lightinthebox.com,miniinthebox.co
```

Source: https://research.checkpoint.com/2019/finteam-trojanized-teamviewer-against-government-targets/

Certifi-gate Found in the Wild on Google Play

By Jeff Zacuto, August 25, 2015

New Insights on the Extent, Exploitation, and Mitigation of This New Threat

Three weeks ago, Check Point publicly disclosed Certifi-gate, a new vulnerability on Android. Using anonymous data collected from the Certifi-gate scanner, an app that tells users if their devices are vulnerable, Check Point uncovered some startling new information:

In this blog, the research team presents its analysis of Recordable Activator, an in-the-wild exploitation of Certifi-gate, and shares new insights on the extent of the threat and recommendations for mitigation.

In-The-Wild Certifi-gate Exploitation

Recordable Activator

Recordable Activator, an app developed by UK-based Invisibility Ltd., which has between 100,000 and 500,000 downloads on Google Play, exploited the Certifi-gate vulnerability successfully on three devices evaluated by our Certifi-gate scanner app. The Recordable Activator app bypassed the Android permission model to use the TeamViewer plug-in to access system-level resources and to record the device screen.

UPDATE: On August 25, 2015 at 7:30 AM PDT, the Check Point Mobile Research Team noticed that Google had removed Recordable Activator from Google Play. No further communication was received by Check Point from Google beyond notification that it was investigating the issue.

Check Point reached out to both TeamViewer and Google regarding Recordable Activator. TeamViewer said that the way this app uses its plug-in is a violation of the code’s use and that it does not allow any third parties to use their code. Google said that it is investigating the issue, but it has not yet removed Recordable Activator from Google Play.

Our in-depth analysis of Recordable Activator highlights the unusual attributes of the Certifi-gate vulnerability.

Overview

A subcomponent in a multi-component utility called “EASY screen recorder NO ROOT” is designed to assist users with capturing the device screen. It’s described on Google Play as:

Recordable is the easy way to create high-quality screen recordings on Android.

Android restricts ordinary, non-system apps from interacting with screen capturing functionality, as this introduces significant security and privacy risks. Therefore, this functionality is usually available only to trusted, system-level apps or to apps on rooted devices.

To achieve this functionality, “EASY screen recorder NO ROOT” and its subcomponent Recordable Activator install a vulnerable version of the TeamViewer plug-in on demand. Because the plug-in is signed by various device manufacturers, it’s considered trusted by Android and is granted system-level permissions.

From this point, Recordable Activator exploits the authentication vulnerability and connects with the plug-in to record the device screen.

From our research team’s perspective, the developer did a poor job of protecting the interaction with subcomponents. The communication with the Recordable Activator component can be spoofed without any authentication, thus allowing any malicious app to record the screen of the device.

Recordable Activator demonstrates the following inherent issues related to Certifi-gate:

  1. Unprivileged apps can leverage a vulnerability to take full control of a device without having to request permissions from Android to do so.
  2. Even after TeamViewer fixed its official version, malicious parties can still abuse old versions of the plug-in to conduct malicious acts.
  3. Mobile devices can be exploited even if a vulnerable plug-in was not pre-installed on a device.
  4. Apps that can exploit these vulnerabilities can be found today on Google Play.
  5. The only fix is for manufacturers to push updated ROMs to affected devices.

In-Depth Analysis

Structure:

The utility contains two main components: the Recording app (uk.org.invisibility.recordable or uk.org.invisibility.recordablefree) and a Recordable plug-in (uk.org.invisibility.activator).

Vulnerable plug-in download:

The main app supports installing the plug-in or using root / adb shell to enable screen recording through other means. If the user decides to install the plug-in, when the plug-in runs it downloads the TeamViewer plug-in APK, based on the relevant certificate of the device manufacturer.

The download takes place from http://pool.apk.aptoide.com, a third-party APK marketplace. (Note that the user must enable “Unknown sources” for installation.)

Recordable Activator Flow

Operation:

The Recordable plug-in exports a service that wraps around the TeamViewer plug-in service and authenticates with the spoofed certificate field. Next, the Recording app binds to the Recordable plug-in service, which then binds to the TeamViewer plug-in, and returns that binder object back to the Recording app. From this point, the main recording app can communicate with the TeamViewer plug-in directly. There is no security on the Recordable plug-in service to make sure third parties cannot connect to it.
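The weakness just described, an exported service with nothing checking who binds to it, is visible in the manifest before any code is read. The audit script below is an added example and not code from either Check Point post or from the app's developer; `SAMPLE_MANIFEST`, its package name, component names and permission names are constructed. It reports every exported `<service>` and rates it by the `android:permission` guarding it: none at all (any app can bind, which is the Recordable Activator situation), a permission declared at `signature` protection level (only apps signed with the same key can hold it), a `normal`-level permission (any app can request it and be granted it), or a permission defined outside this manifest (needs a look elsewhere).

```python
"""Audit an AndroidManifest.xml for services that any app on the device can bind to.

Added example, not from either Check Point post. The package name, component
names and permissions in SAMPLE_MANIFEST are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace


def is_exported(component):
    """android:exported, falling back to the pre-Android-12 default: a component
    with an <intent-filter> is exported unless the attribute says otherwise."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def declared_permissions(root):
    """Map permission name -> protectionLevel for <permission> elements in this
    manifest. An omitted protectionLevel means "normal", i.e. granted to any requester."""
    return {
        p.get(A + "name"): (p.get(A + "protectionLevel") or "normal")
        for p in root.iter("permission")
    }


def rate(permission, levels):
    """Severity for an exported service given the permission guarding it."""
    if permission is None:
        return "high"            # anyone can bind: the Recordable Activator situation
    level = levels.get(permission)
    if level is None:
        return "unknown"         # defined elsewhere (platform or another package)
    if level.startswith("signature"):
        return "ok"              # only apps signed with the same key can hold it
    return "medium"              # normal/dangerous: any app can request and be granted it


def audit_services(manifest_xml):
    """Return one finding per exported <service>, with the severity from rate()."""
    root = ET.fromstring(manifest_xml)
    levels = declared_permissions(root)
    findings = []
    for svc in root.iter("service"):
        if not is_exported(svc):
            continue
        perm = svc.get(A + "permission")
        findings.append({
            "service": svc.get(A + "name"),
            "permission": perm,
            "severity": rate(perm, levels),
        })
    return findings


# Constructed manifest covering each outcome of rate().
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screenrec">
  <permission android:name="com.example.screenrec.BIND_RECORDER"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.screenrec.WEAK"/>
  <application>
    <service android:name=".ActivatorService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.screenrec.BIND_RECORDER"/>
    <service android:name=".WeakPermService"
             android:permission="com.example.screenrec.WEAK">
      <intent-filter><action android:name="com.example.screenrec.BIND"/></intent-filter>
    </service>
    <service android:name=".PlatformGuarded" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_services(SAMPLE_MANIFEST):
        print(f"{f['severity']:8} {f['service']}  permission={f['permission']}")
```

A manifest permission is the static half of the fix; a service that hands out a binder to a privileged plug-in should additionally verify the caller at bind time (for example by checking the calling UID's signing certificate), because a `normal` permission or an omitted one leaves the wrapped plug-in reachable from every installed app.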

The Recordable plug-in only provides screen recording functionality.

Spoofing the TeamViewer Certificate

Scanner Results & Mitigation

A Look at the Numbers

Exposure & Mitigation

There are three main exposures a user may experience:

An exploited device

The device is affected by the Certifi-gate vulnerability, a vulnerable mRST plug-in is installed, and a third-party application is exploiting the plug-in to gain elevated access to the device and its sensitive resources (i.e. the screen or keyboard, etc.).

Mitigation

If your device already has the vulnerable plug-in installed, and there is also a 3rd party application that is exploiting the plug-in:

  1. Try to remove the vulnerable plug-in using the following steps: Settings –> Apps –> Locate the vulnerable plug-in and click it –> Click Uninstall
  2. Try to locate the exploiting app and uninstall it.
  3. If the plug-in was pre-installed on the device, you will most likely not be able to uninstall it. In this case, contact your device manufacturer and ask for a fix.

A device with vulnerable plug-in installed

The device is affected by the Certifi-gate vulnerability and a vulnerable mRST plug-in is installed on the device. Any malicious application can take full control of the device by exploiting the installed plug-in.

Mitigation

If your device already has the vulnerable plug-in installed:

  1. Try to remove the vulnerable plug-in using the following steps: Settings –> Apps –> Locate the vulnerable plug-in and click it –> Click Uninstall
  2. If the plug-in was pre-installed on the device, you will most likely not be able to uninstall it. In this case, contact your device manufacturer and ask for a fix.
  3. Download only trustworthy apps, and run the Certifi-gate scanner app after you install questionable apps.

Vulnerable device identified

The device is affected by the Certifi-gate vulnerability. A malicious application will need to install a vulnerable plug-in before proceeding with exploitation.

Mitigation

If your device is in a vulnerable state, you should consider reaching out to your mobile carrier or device manufacturer (Samsung, LG, etc.) to ask when a patch or fix will be delivered.

The post Certifi-gate Found in the Wild on Google Play appeared first on Check Point Blog.

Source: http://blog.checkpoint.com/2015/08/25/certifigate-statistics-exploitation-mitigation/

Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned

By Jeff Zacuto, August 6, 2015

(This post was edited to include additional remediation advice on August 10, 2015.)

Check Point today released details about Certifi-gate, a previously unknown vulnerability in the architecture of popular mobile Remote Support Tools (RSTs) used by virtually every Android device manufacturer and network service provider. The Check Point mobile threat research team disclosed its findings at a briefing session at Black Hat USA 2015 in Las Vegas, NV this morning.

What is Certifi-gate?

Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plug-ins on a device. mRSTs allow remote personnel to offer customers personalized technical support for their devices by replicating a device’s screen and by simulating screen clicks at a remote console. If exploited, Certifi-gate allows malicious applications to gain unrestricted access to a device silently, elevating their privileges to allow access to user data and to perform a variety of actions usually only available to the device owner.

How does Certifi-gate make my device vulnerable?

Check Point researchers examined the verification methods by which trusted components of the mRSTs validate remote support applications, and discovered numerous faulty, exploitable implementations of this logic. This allows mobile platform attackers to masquerade as the original remote supporter with system privileges on the device: an attacker can install malicious applications that silently gain unrestricted access to the device, including full control of it and access to sensitive user and corporate data.

What devices are at risk?

Vulnerable components of these 3rd party mRSTs are often pre-loaded on devices or included as part of a manufacturer or network provider’s approved software build for a device. This creates significant difficulty in the patching process and makes affected components impossible to remove or to work around.

Check Point has also made available a scanner app that can determine whether your device is vulnerable to Certifi-gate. Click here to download the scanner app from Google Play.

Above: Example of Check Point-built “malicious app” using Team Viewer plugin to gain access to an Android device

How can I protect myself?

Device manufacturers and wireless service providers need to provide a security update that would fully protect your device from vulnerabilities like Certifi-gate. Until an update is received, Check Point recommends taking several steps to mitigate the risk:

What other solutions are available to help mitigate these risks?

Also announced Thursday was Check Point Mobile Threat Prevention, an innovative mobile security solution enterprises can use to battle today’s mobile threat environment effectively, including new and previously unknown threats like Certifi-gate. The solution delivers a complete platform for stopping mobile threats on iOS and Android, and delivers real-time threat intelligence into an organization’s existing security and mobility infrastructures for even greater visibility.

Learn more about Mobile Threat Prevention at http://www.checkpoint.com/mobilesecurity.

How can I learn more about Certifi-gate?

The Check Point mobile threat research team has compiled a report that includes a detailed analysis of Certifi-gate, how it works, and how you can protect your data. Click here to download the report.

The post Certifi-gate: Hundreds of Millions of Android Devices Could Be Pwned appeared first on Check Point Blog.

Source: http://blog.checkpoint.com/2015/08/06/certifigate/