Android Backup Flaw Allows Rogue Apps


A design flaw in the Android backup mechanism has been discovered that allows attackers to inject additional applications (APKs) into the backup archive without the user's consent, including apps that send premium SMS messages or have other financial implications.

SEARCH-LAB has discovered that the backup manager, which invokes an application's custom BackupAgent, does not filter the data stream returned by the applications. As a result, when the backup archive is restored, the system installs the injected additional application, because it is already part of the archive.

“One could think that command line applications are used by geeks or programmers only, but not necessarily, there are Windows GUI applications which rely on the same technology behind the scenes when creating backups or restoring them,” the firm noted in an analysis. “The malware might come from an innocent looking game without any suspicion, as it claims to need no permissions at all. As soon as backup was created, the archive is infected.”

The installed malware could gain any (non-system) permissions it wanted without any confirmation dialogs, the firm said. Anyone using the ADB tool for creating and restoring backups of their handsets might be affected.

SEARCH-LAB said that it reported the vulnerability to the Android security team in July of 2014, but the issue is still not fixed, and all current Android versions are affected, including L (5.1.1).
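Because a restore installs whatever APKs the archive carries, one defensive check is to list them before restoring. The sketch below is an added example, not code from SEARCH-LAB or the original article; it assumes the unencrypted `adb backup` container layout (four header lines, then a zlib-compressed tar with APKs stored under `apps/<package>/a/`), and the package names in the sample archive are constructed placeholders.

```python
import io, tarfile, zlib

MAGIC = b"ANDROID BACKUP"

def read_ab_payload(blob: bytes) -> bytes:
    """Strip the 4-line adb backup header and return the raw tar stream."""
    parts = blob.split(b"\n", 4)
    if len(parts) < 5 or parts[0] != MAGIC:
        raise ValueError("not an adb backup archive")
    _version, compressed, encryption, body = parts[1:]
    if encryption != b"none":
        raise ValueError("encrypted archive: decrypt before inspecting")
    return zlib.decompress(body) if compressed == b"1" else body

def embedded_apks(blob: bytes) -> dict:
    """Map package name -> APK paths stored under apps/<package>/a/."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(read_ab_payload(blob))) as tar:
        for member in tar:
            p = member.name.split("/")
            if len(p) >= 4 and p[0] == "apps" and p[2] == "a" and member.isfile():
                found.setdefault(p[1], []).append(member.name)
    return found

def unexpected_apks(blob: bytes, allowed=frozenset()) -> dict:
    """APKs for packages the user did not deliberately back up with -apk."""
    return {pkg: paths for pkg, paths in embedded_apks(blob).items()
            if pkg not in allowed}

def make_sample() -> bytes:
    """Constructed sample archive; names and contents are placeholders."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in ("apps/com.example.game/_manifest",
                     "apps/com.example.game/f/save.dat",
                     "apps/com.example.extra/_manifest",
                     "apps/com.example.extra/a/base.apk"):
            info = tarfile.TarInfo(name)
            data = b"placeholder"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    for pkg, paths in unexpected_apks(make_sample()).items():
        print(f"APK present for {pkg}: {paths}")
```

`adb backup` omits APKs unless `-apk` is passed, so any package reported for an archive created without that option deserves a closer look before the archive is restored.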
