Threat Research

Dark times for Android: Examining Certifi-gate and the newest Stagefright updates

Gracie Roberts, 19 August 2015

Dark times for Android: Examining Certifi-gate and the newest Stagefright updates

Certifi-gate and Stagefright are two recent threats that have put many Android devices at risk. Photo via Ars Technica.

When it comes to security, it seems that Android has seen better days. A slew of vulnerabilities and threats have been cropping up recently, putting multitudes of Android users at risk. Certifi-gate and Stagefright are two threats that, when left unprotected against, could spark major data breaches.

Certifi-gate leaches permissions from other apps to gain remote control access

Certifi-gate is a Trojan that affects Android’s operating system in a scary way. Android devices with Jelly Bean 4.3 or higher are affected by this vulnerability, making about 50% of all Android users vulnerable to attacks or to their personal information being compromised.

What’s frightening about this nasty bug is how easily it can execute an attack – Certifi-gate only requires Internet access in order to gain remote control access of your devices. The attack takes place in three steps:

  1. A user installs a vulnerable app that contains a remote access backdoor onto their Android device
  2. A remotely-controlled server takes control of this app by exploiting its insecure backdoor
  3. Using remote access, Certifi-gate obtains permissions from others apps that have previously been granted higher privileges (i.e. more permissions) by the user and uses them to exploit user data. A good example of an app targeted by Certifi-gate is TeamViewer, an app that allows you to control your Android device remotely.

The good news here is that Avast Mobile Security blocks the installation packages that make it possible for Certifi-gate to exploit the permissions of your other apps. Breaking this down further, Avast Mobile Security would block the package before the action in Step 2 is carried out, making it impossible for a remotely-controlled server to take control of an insecure app that contains a vulnerable remote access backdoor.

Google’s Stagefright patch can be bypassed

We’ve already told you about the Stagefright bug, which has exposed nearly 1 billion Android devices to malware. Whereas Certifi-gate uses Internet access to control your device, Stagefright merely needs a phone number in order to infect users.

Due to the scope and severity of this threat, Google quickly put out a security patch that was intended to resolve the Stagefright issue once and for all. Unfortunately, it hasn’t been fully successful -- it’s possible for the patch to be bypassed, which leaves Android users with a false sense of security and a vulnerable device.

As Avast security researcher Filip Chytry explains in his original post examining Stagefright, Avast encourages users to disable the “auto retrieve MMS” feature within their default messaging app’s settings as a precautionary measure. You can read our full set of instructions for staying safe against Stagefright in the post.


Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.