More than 70 percent of Android phones from LG have a plugin installed that exposes them to the Certifi-gate remote support app vulnerability, where a rogue application -- or even a text message -- can completely take over a device.
Check Point Software Technologies reported the vulnerability in April to Google, device manufacturers, and the remote support app vendors but, so far, none of the device manufacturers have pushed out updates to their customers.
Although LG devices are most exposed, 18 percent of Samsung devices also have the vulnerable plugin, as well as 9 percent of HTC devices, according to a Check Point scan of around 100,000 smartphones.
But even devices that don't currently have the vulnerable plugin installed are at risk, if an app either maliciously or accidentally installs the plugin. Of Samsung smartphones, an additional 67 percent are at risk of this, as are 19 percent of LG phones, and 86 percent of HTC phones.
Check Point publicly disclosed the problem at Black Hat in Las Vegas earlier this month, and released a vulnerability scanner app that has been installed around 100,000 times.
Overall, 58 percent of all the devices scanned are potentially vulnerable to this exploit, the company said.
How it works
In order to make it easier for customers to get technical support, some smartphone manufacturers bundle remote support apps that allow techs to take over the handset.
"Most of the new LG devices come with pre-installed support software," said Michael Shaulov, Check Point's head of mobility product management. "And in order to actually operate, you can understand that this software requires very high privileges."
The problem is two-fold. First, the apps have authentication issues that allow unauthorized access. So far, two of the three vendors have fixed the access problems, but the old, insecure versions of the software are still around.
"In the cases where the support tool was pre-installed on the device, if the device manufacturer or carrier is not pushing the update to the users, the users can't update it by themselves," said Shaulov. "And none of the carriers have done the push so far."
Second, while the remote access software is signed with the manufacturer's digital certificates, there is no easy way to revoke those certificates, said Shaulov.
That means that even if the manufacturers and carriers do push out an update of the remote support software -- or the software was never installed on the device in the first place -- a third-party application can install the older, vulnerable version.
That is exactly what an app called "Recordable Activator" did. In order to allow users to record their screens without rooting the devices -- a feature not normally available on Android phones -- the app downloaded one of these remote support tools, and then leveraged the access provided to make screen recordings.
Google has since removed the Recordable Activator app from the Google Play store.
Permanent fix
According to Check Point, device manufacturers need to push out a patch to their smartphones that revokes the certificates that the old vulnerable remote support tools were signed with.
Until then, users are warned to only download apps from the official stores, and to run the vulnerability scanner after installing any apps that might be questionable.