Closely behind the discoveries of the Stagefright flaw, the hole in Android’s mediaserver service that can put devices into a coma, and the Certifi-gate bug, comes that of an Android serialization vulnerability that affects Android versions 4.3 to 5.1 (i.e. over 55 percent of all Android phones).
The bug (CVE-2015-3825), discovered by IBM’s X-Force Application Security Research Team in the OpenSSLX509Certificate class in the Android platform, can be used to turn malicious apps with no privileges into “super” apps that will allow cyber attackers to thoroughly “own” the victim’s device.
Or Peles, a researcher with the team, says that the attack technique reminds of the one used by Hacking Team – the fake BeNews app that would take advantage of a privilege escalation hole to make itself able to download and execute code from the Internet (i.e. malware).
In a PoC attack demonstrated by the team in the video embedded below, their malware replaces a real app with a fake one, which allows them to do things like exfiltrate sensitive data from the app.
They also found six third-party Android software development kits (SDKs) that sport arbitrary code execution flaws.
“As opposed to vulnerabilities found in final products, such as operating systems or applications where an automatic update mechanism is usually available, the situation is by far worse for SDKs. One vulnerable SDK can affect dozens of apps whose developers are usually unaware of it, taking months to update,” Peles pointed out.
“For example, a recent X-Force study showed that a high-severity vulnerability found in Apache Cordova for Android still affected dozens of Android apps even though it had been patched for months. The situation is most frustrating for apps that use orphan SDKs or ones that no longer receive security updates,” he noted, adding that developers should choose their SDKs wisely.
More in-depth technical details about the vulnerabilities are available in this paper the researchers are set to present at USENIX WOOT ’15.
The vulnerabilities have been responsibly disclosed to Google and the SDK developers, and they have already been patched.