​Android flaw lets hackers spy on you with your own phone

Researchers at Check Point Software Technologies have identified a vulnerability in Android phones that could let hackers take over devices remotely, steal personal data and even turn phones into spying devices.

The "Certifi-gate" vulnerability takes advantage of preloaded apps that allow mobile carriers and manufacturers to remotely access your phone to troubleshoot problems.

Certifi-gate affects hundreds of millions of devices by top manufacturers running most versions of Android, including Lollipop, the latest and most secure.

"It potentially allows cybercriminals to take complete control of any of these Android devices, enabling them to steal information from contact lists, calendars, location, anything that you have on your device," Check Point VP of product management Gabi Reish, told CBS News.

"More than that, it can turn a victim's mobile device into a spy phone. That means bad guys can activate the microphone at any time they want. I can record anything I want to, in any meeting, any conference room. It's quite problematic."

The vulnerability is based on so-called mobile remote support tools, apps that allow manufacturers or service providers to access phones to fix problems remotely. (Ironic, huh?) If you call customer service because you can't get an app to work, or your calendar won't sync, reps use these tools to take over, fix what's wrong and get you on your way.

They work by accessing small components that come baked into the operating system when you buy your phone. Certifi-gate makes it possible for any app to potentially access those same plug-ins, giving hackers a way in.

If you unwittingly download a malicious app that targets the weakness -- an innocuous-looking flashlight app, say -- whoever made it can now connect to the innards of your phone without your knowledge.

Reish said his company disclosed the vulnerability to a number of manufacturers months ago and that "as far as we know they are taking steps to solve this." CBS News reached out to several manufacturers to confirm whether patches were in the works.

In a statement, HTC said, "Working with Google, HTC has already begun rolling the fix into our software, and we will deliver these updates first to the HTC One M9 and the newest HTC Desire products."

Reish thinks it could be "a while" before security updates are released across all device makers. The best protection in the meantime is to avoid downloading apps from third-party app stores that don't verify the products they sell. But Reish cautioned that theoretically even apps sold on the official Google Play store could be malicious.

His company is offering a free app on Google Play that scans your phone for apps that are exploiting or attempting to exploit the Certifi-gate vulnerability.

This is not the first dangerous Android flaw revealed in recent days. In the lead up to Black Hat, the cybersecurity conference taking place this week in Las Vegas where Check Point made its big reveal (Certifi-gate-gate?) Thursday, another security firm exposed what they called "the mother of all Android vulnerabilities." The Stagefright vulnerability is a set of bugs that could let hackers take over your phone with a picture message.

  • Amanda Schupak

    Amanda Schupak is the science and technology editor at CBSNews.com