How to hack android smartphone using "Certifi-Gate" Android Vulnerability

After Stagefright Vulnerability in android smartphone,Israeli researchers Ohad Bobrov and Avi Bashan discoverd "Certifi-Gate" vulnerability,which give remote control of android smartphone to hackers.This vulnerability allow the hackers to take complete control of smartphone and extract the Information like Contacts,call logs,Photo,location,Installed application etc..Even it allow the attacker to install the malware or malicious application in smartphone. Worse part is almost all the android smartphone is vulnerable to "Certifi-Gate" Android Vulnerability.

Research team from Check Point found the flaw in Pre-installed mobile remote support tools plugin.Mobile Remote support tool plugin allow the user to connect to device remotely like Chrome Remote Desktop,Real VNC. As per Researchers published paper,Google use certificate to sign remote support tool which show the authenticity of applications and allow the access to Android smartphone.The bad part is Those certificate can be cloned and integrate the cloned certificate in malicious app to take over control of android smartphone.

Hack android using "Certifi-Gate" Vulnerability

Researchers, Ohad Bobrov and Avi Bashan, explained the two method to exploit the android smartphone given below:

Method 1

Build an android application with forged certificate and install the similer application in android smartphone using social engineering technique or directly from play store.

Method 2

Send a special crafted text message in android smartphone which execute the remote access tool in android smartphone without user interface.

Researchers submitted the vulnerability to google as well as  number of device manufacturer like LG,Samsung,Huawei etc...but google has not rolled out the official patches for "Certifi-Gate".

Check weather your smartphone is vulnerable to "Certifi-Gate"

Checkpoint released an app that detects if your Android device is vulnerable to the Certifi-Gate exploits and also reveals if any attacks have already been launched on the user’s phone.

Post a Comment