Skip to main content

Certifi-Gate might be the reason behind the massive Android patch

There's a sense of urgency among Google employees, following the revelation of the Stagefright bug. For those unfamiliar with Stagefright, it's a recently revealed bug which allows a hacker to take control of an Android device by sending a video message to the victim.

During the Black Hat conference in Las Vegas, lead engineer of Android security at Google, Adrian Ludwig said that his company will, together with Samsung, LG, Sony and other high-profile partners, in the next few days roll out a security patch that Ludwig described as "the single largest software update the world has ever seen".

According to a report by IB Times, "hundreds of millions of devices would be updated within a few days“.

While some believe this urgent and incredibly large undertaking was the result of Stagefright, the reality might be somewhat different.

Security researchers from Check Point have discovered a vulnerability, which they have dubbed Certifi-Gate, that allows hackers to gain what they call "illegitimate privileged access rights" and take full control of your smartphone or tablet though apps installed on your Android devices by manufacturers and mobile phone networks.

Check Point says that all versions of Android 5.0 (Lollipop) and 4.4 (KitKat) are vulnerable to Certifi-Gate, meaning more than 50 per cent of all Android phones are vulnerable.

Google lays the blame on manufacturers, saying their apps are the cause of the problem. "We want to thank the researcher for identifying the issue and flagging it for us. The issue they've detailed pertains to customisations OEMs make to Android devices and they are providing updates which resolve the issue. Nexus devices are not affected and we haven't seen attempts to exploit this," a Google spokesperson said.

However, for a user to be affected, he or she must install a malicious app. Google says it monitors all apps with VerifyApps and advises users to download apps from a trusted source only.

Check Point says the only way to fix the bug is push new software build to the affected devices, a process it has called "notoriously slow".