Hundreds of millions of Android smartphones may be at risk from a security flaw that allows hackers to hijack a handset without a victim’s knowledge.
Devices made by Samsung, HTC, LG and ZTE, including those running the latest version of Android, are potentially vulnerable, according to researchers at security firm Check Point, who have dubbed the flaw “Certifi-gate”
The company said that software installed on smartphones by the manufacturers, which cannot be disabled by users, could be exploited by malicious apps, giving them privileged access to the device.
This means hackers could steal contact information and other personal data, track a user’s location, and remotely activate the smartphone’s microphone without the user’s knowledge. “It would make it a remote spying device,” said Gabi Reish, Check Point’s vice president of product management.
Phone manufacturers install plugins on smartphones before they are sold that allow them, or a network operator, to remotely access the phone using remote support tools such as RSupport or TeamViewer.
However, if malware happens to infect a smartphone, Check Point said it can masquerade as one of these tools using fake security certificates, gaining control of the device.
Phones from Samsung, LG and HTC are among those vulnerable Photo: Bloomberg
“There’s no way [for the plugin] to verify their identity,” said Reish. “The manufacturers have implemented the plugin’s custom verification system in a flawed manner and once it’s connected to the malicious app it gets privileged access.”
Users have no way to deactivate the software that allows these apps to gain access, and Check Point said a huge range of smartphones, up to those running Android Lollipop, the latest and most secure version of the operating system, could be vulnerable.
It notified manufacturers several months ago, who have started to roll out patches, although Reish said many models may still be vulnerable. “It’s not trivial to resolve this,” he said.
Check Point has developed a scanner app that it claims can see if they are vulnerable to the flaw.
Separately, both Google and Samsung said on Thursday that they would release regular security updates for Android phones after hundreds of millions were found to be susceptible to hackers, simply by receiving a message.
A Google spokesperson said: “We want to thank the researcher for identifying the issue and flagging it for us. The issue they’ve detailed pertains to customisations original equipment manufacturers make to Android devices and they are providing updates which resolve the issue. Nexus devices are not affected and we haven’t seen attempts to exploit this.
“In order for a user to be affected, they’d need to install a potentially harmful application which we continually monitor for with VerifyApps and SafetyNet. We strongly encourage users to install applications from a trusted source, such as Google Play.”
Full list of affected manufacturers
- Archos
- BenQ
- Broadcom
- Bullitt
- CloudProject
- Gigaset
- Hisense
- HTC
- Huaqin
- Huawei
- Intel
- Lenovo
- LGEMC
- Longcheer
- Medion
- Oppo
- Pantech
- Positivio
- Prestigio
- Quanta
- Samsung
- TCL
- TCT
- Unitech