Millions of Android Phones May Have Built-In Back Doors

Updated Sat., Aug. 8 to include statement from TeamViewer.

LAS VEGAS — Hundreds of millions of Android phones made by Samsung, LG, HTC and other top brands come pre-installed with plugins that could let hackers remotely take over the devices, two researchers demonstrated here at the Black Hat security conference today (Aug. 6).

The plugins often cannot be uninstalled because they are part of a handset's system image, explained Avi Bashan and Ohad Bobrov of Israeli security company CheckPoint, adding that some handset makers are pushing out patches to fix the problem. For the rest, the researchers have created a free app that can tell whether a phone is vulnerable.

These risky plugins are not intentionally malicious. They are the back ends of mobile remote support tools (MRSTs), which are used by tech-support staffers to troubleshoot customers' problematic phones over the air.

Some MRSTs are deployed by handset makers and cellular carriers, which pre-install the tools before selling the phones to customers; others are used by IT departments in large enterprises that hand out company phones to employees.

The plugins work in conjunction with front-end apps that have regular, i.e. very limited, access to the operating system and to other apps.

Yet for an MRST to work, it needs full control over a device. That's where the plugin, which is tailored for a specific brand of handset and has privileges normally reserved for Android system tools, comes in. It acts as a conduit for the main MRST app to take control of the device.

The leading MRSTs are made by some of the same companies that create remote-access tools for Windows PCs: Citrix, LogMeIn, RSupport and TeamViewer. Both the front and back ends of many MRSTs can be found in the Google Play store.

The problem, Bashan and Bobrov said, is that the two parts of an MRST must communicate using an insecure Android "binder." Hence, they must verify their authenticity to each other — and the verification process varies from one brand of MRST to another, with mixed results.

For example, the researchers said, TeamViewer, which makes plugins for Samsung, LG, ZTE and Alcatel devices, uses digital certificates to verify the two halves of an MRST — but those certificates can be duplicated.
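To make the verification problem the researchers describe concrete, here is an added Python example (not code from the article, from Check Point, or from any MRST vendor) modelling how a privileged plugin decides whether the app calling it over Binder is the genuine front end. It assumes a simplified certificate format (canonical JSON carrying a constructed subject, serial number and key fingerprint, standing in for an X.509 signing certificate), hypothetical package names, and that the operating system has already verified each installed package's signature, as Android's package manager does. The two check functions are the example's own, showing a check that matches on fields anyone can copy beside one that pins the whole certificate.

```python
"""Added example (not Check Point's or any vendor's code): how a privileged
plugin can decide whether the app calling it is the genuine front end.

Constructed toy model: a "certificate" is canonical JSON carrying a subject,
a serial number and a public-key fingerprint, standing in for an X.509
signing certificate. The OS is assumed to have already verified that each
installed package was signed by the certificate it reports, so the only
question is what the plugin compares that certificate against.
"""
import hashlib
import hmac
import json
import os


def make_cert(subject: str, serial: int, public_key: bytes) -> bytes:
    """Build a self-signed-style certificate as canonical JSON bytes.

    Anyone can produce a certificate with any subject or serial they like;
    only the public key (and hence the certificate bytes as a whole) is
    unique to its owner.
    """
    body = {
        "subject": subject,
        "serial": serial,
        "key_fingerprint": hashlib.sha256(public_key).hexdigest(),
    }
    return json.dumps(body, sort_keys=True).encode()


def cert_digest(cert: bytes) -> str:
    """SHA-256 over the whole certificate, the value a plugin should pin."""
    return hashlib.sha256(cert).hexdigest()


# Constructed keys: the vendor's real key and a key that an unrelated app
# author generated for themselves. Random bytes stand in for public keys.
VENDOR_KEY = os.urandom(32)
OTHER_KEY = os.urandom(32)

VENDOR_CERT = make_cert("CN=Example Support Vendor", 1001, VENDOR_KEY)
# Same subject and serial, different key: a look-alike of the vendor cert.
LOOKALIKE_CERT = make_cert("CN=Example Support Vendor", 1001, OTHER_KEY)

# Simulated package manager table (hypothetical package names):
# package name -> certificate that signed the installed APK.
INSTALLED = {
    "com.example.support.frontend": VENDOR_CERT,
    "com.example.flashlight": LOOKALIKE_CERT,
}

EXPECTED_SUBJECT = "CN=Example Support Vendor"
EXPECTED_SERIAL = 1001
# Pinned into the plugin at build time from the genuine certificate.
PINNED_DIGEST = cert_digest(VENDOR_CERT)


def weak_is_trusted(cert: bytes) -> bool:
    """Weak check: trust whoever presents the expected subject and serial.

    Both fields are chosen by whoever creates the certificate, so a
    look-alike certificate passes this check.
    """
    body = json.loads(cert)
    return (body["subject"] == EXPECTED_SUBJECT
            and body["serial"] == EXPECTED_SERIAL)


def strong_is_trusted(cert: bytes) -> bool:
    """Strong check: compare the digest of the full certificate bytes.

    The digest covers the key fingerprint, so only the holder of the
    vendor's key can present a matching certificate.
    """
    return hmac.compare_digest(cert_digest(cert), PINNED_DIGEST)


def audit_callers(installed: dict) -> dict:
    """Return {package: (weak_result, strong_result)} for every package."""
    return {pkg: (weak_is_trusted(c), strong_is_trusted(c))
            for pkg, c in installed.items()}


if __name__ == "__main__":
    for pkg, (weak, strong) in audit_callers(INSTALLED).items():
        print(f"{pkg}: weak check={weak}, strong check={strong}")
```

Running it shows the look-alike package passing the subject-and-serial check and failing the pinned-digest check. The same principle is what Android's `signature` protection level for permissions relies on: the platform compares the caller's full signing certificate against the declaring app's, not a field inside it that any self-signed certificate can reproduce.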

To demonstrate the issue, Bashan and Bobrov wrapped a fake MRST "front end" in an innocuous-seeming flashlight app installed on an emulated Samsung Galaxy S4 smartphone.

The TeamViewer back end handed control of the phone to the flashlight app, which in turn passed control to Bashan's laptop, from which he was able to see the phone's screen and operate the device as if he were holding it in his hand.

"I can bypass almost every Android security mechanism," said Bashan as he operated the virtual phone from his laptop, "because I'm the user."

Another line of MRSTs is made by RSupport, which has plugins for Samsung, LG, Huawei, Oppo, Hisense and BenQ, among others. RSupport uses encrypted hashes to verify its front and back ends — but the hashes are relatively short, and Bashan and Bobrov said they cracked them in a few hours.

A simpler approach worked on an enterprise MRST called Remote Care, Bobrov said. That tool lets IT staffers change settings of on-device installations via text messages, and Bobrov used this technique to make a Remote Care app "phone home" to a domain under his control.

Bashan and Bobrov didn't examine all the leading MRST vendors, but said they notified those that had problems, as well as Google and the affected handset manufacturers, in mid-April of this year. Some of the contacted parties responded positively and were actively fixing the problems, the researchers said without naming names, while others had not responded at all.

To test a handset for vulnerabilities in deployed MRSTs, Bashan and Bobrov created a free app called Certifi-Gate Scanner, now available in Google Play. Their research paper, entitled "Certifi-Gate: Front Door Access to Pwning Millions of Android Devices," has been posted online.

UPDATE: A TeamViewer representative informed us that the company's software has been patched.

"The updated version of TeamViewer QuickSupport for Android includes an improved security mechanism to ensure safe communication between internal app components," an official TeamViewer statement reads in part.

"This enhancement prevents potential misuse of the QuickSupport app and its Add-On on compromised devices. The updated TeamViewer apps are already widely deployed and automatically updated for most device partners, and in fact were made available to the entire community of TeamViewer partners in advance of CheckPoint’s report publication on Aug. 7."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.
