Flawed Android backup mechanism can lead to injected malicious apps

A flaw (CVE-2014-7952) in Android’s backup/restore mechanism can be exploited by knowledgeable developers to “respawn” malicious apps on phones, and to give them top-level access and potentially dangerous permissions that they didn’t have before.

“Full backup of applications including the private files stored on /data partition is performed by default, but applications can customize this behavior by implementing a BackupAgent class,” Search-Lab researchers explained.

“The backup manager, which invokes the custom BackupAgent, does not filter the data stream returned by the applications. While a BackupAgent is being executed during the backup process, it is able to inject additional applications (APKs) into the backup archive without the user’s consent. The BackupAgent needs no Android permissions. Upon restoration of the backup archive, the system installs the injected, additional application (since it is part of the backup archive and the system believes it is authentic) with escalated privileges. So the danger is in a few words: an innocent-looking Android application can install new applications with extra permissions without the user’s consent.”

The backup mechanism works through the Android Debug Bridge utility, so users who employ it for creating and restoring backups are in danger.
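Because the injected APK travels inside the archive itself, an archive can be audited before it is restored. The following Python code is an added example, not part of the original article or the researchers' PoC: it reports every APK payload in an unencrypted adb backup whose package the user did not expect. It assumes the usual `.ab` layout (a four-line text header followed by a zlib-compressed tar, with APKs stored under `apps/<package>/a/`); the function names, package names and sample archive are constructed for illustration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def open_backup_tar(ab_bytes):
    """Return a TarFile for an unencrypted adb backup (.ab) image."""
    stream = io.BytesIO(ab_bytes)
    magic, _version, compressed, encryption = (stream.readline().strip() for _ in range(4))
    if magic != MAGIC or encryption != b"none":
        raise ValueError("expected an unencrypted adb backup archive")
    body = stream.read()
    if compressed == b"1":
        body = zlib.decompress(body)
    return tarfile.open(fileobj=io.BytesIO(body), mode="r:")

def find_unexpected_apks(ab_bytes, expected_packages):
    """List (package, path) for each APK payload whose package is not expected."""
    findings = []
    with open_backup_tar(ab_bytes) as tar:
        for member in tar:
            parts = member.name.split("/")
            # Assumed layout: apps/<package>/a/<name>.apk carries an installable APK
            is_apk = (len(parts) >= 4 and parts[0] == "apps"
                      and parts[2] == "a" and parts[-1].lower().endswith(".apk"))
            if is_apk and parts[1] not in expected_packages:
                findings.append((parts[1], member.name))
    return findings

def build_sample_backup(entries):
    """Constructed test input: pack {path: bytes} into an unencrypted .ab image."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(raw.getvalue())

SAMPLE = build_sample_backup({
    "apps/com.example.notes/a/com.example.notes-1.apk": b"constructed",
    "apps/com.example.notes/f/notes.db": b"constructed",
    "apps/com.example.injected/a/com.example.injected-1.apk": b"constructed",
})

if __name__ == "__main__":
    print(find_unexpected_apks(SAMPLE, {"com.example.notes"}))
```

The expected set should contain only the packages that were deliberately backed up with their APKs; any other APK entry deserves inspection before the archive is restored.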

The researchers shared the bug with the Android security team in July 2014, but it has still not been fixed.

It will be, though, in time. A Google spokesperson told Eduard Kovacs that it’s low on their list of priorities, and explained why: “This issue does not affect Android users during typical device operation, as it requires that the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application.”

Nevertheless, the researchers have decided that sharing this information with the world is important to keep users safe, and so they did. More information and PoC code can be found here.
