Hundreds of millions of Android devices are at risk of being hijacked by a new and previously unknown threat. Certifi-gate is a set of vulnerabilities in the authorization methods between mobile Remote Support Tool (mRST) apps and system-level plugins used by virtually every Android device maker and network service provider. Exploitation gives malicious apps unrestricted device access with elevated privileges, which they can use to access user data and to perform a variety of actions usually available only to the device owner. In this session, our researchers will walk through the technical root cause of these responsibly disclosed vulnerabilities, including hash collisions, IPC abuse and certificate forging, which allow an attacker to grant their malware complete control of a victim’s device. We’ll explain why these vulnerabilities are a serious problem that in some ways can’t be completely eliminated, show a real-world example of an exploiting app found on Google Play, demonstrate an exploit against a live device, and provide remediation advice.