Over Half of Android Devices Hit by Remote Control Bug

Security researchers are warning of yet another major Android vulnerability, this time affecting over half of all devices, which could allow hackers to remotely control a targeted device.

Or Peles of IBM’s X-Force Application Security Research Team explained in a blog post that the flaw has not been exploited in the wild yet, but claimed that “with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users.”

The Android serialization vulnerability (CVE-2015-3825) apparently affects Android v4.3–5.1 and Android M Preview 1.

Peles explained:

“The PoC exploit we created attacks the highly privileged system_server process. Exploiting system_server allows for privilege escalation to the system user with a rather relaxed SELinux profile (due to system_server’s many responsibilities), which enables the attacker to cause a lot of damage.

For instance, an attacker can take over any application on the victim’s device by replacing the target app’s Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim. In addition, we were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. We could also change the SELinux policy and, on some devices, also load malicious kernel modules.”

Once the malware is executed, it replaces a real app with a fake one, which enables the attacker either to steal sensitive information from the app or to craft a convincing phishing attack.

Peles claimed his team has also found vulnerabilities in several third-party Android SDKs, allowing arbitrary code execution which could enable attackers to steal sensitive information from the affected apps.

“The discovered vulnerabilities are a result of the attacker’s ability to control pointer values during object deserialization in arbitrary apps’ memory space, which is then used by native app code invoked by the runtime’s garbage collector (GC),” he added.
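The bug class described in that quote can be audited for in code: the following added example (not from the article or the X-Force research) flags `Serializable` classes that have a finalizer and keep a numeric field in their serialized form, and shows `transient` as the hardened shape. The class names `RiskyHandle` and `HardenedHandle` are constructed for illustration, and the check is a heuristic that ignores custom `readObject` or `serialPersistentFields` handling.

```java
import java.io.Serializable;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

public class SerializableHandleAudit {
    // Constructed sample, risky shape: the native handle is part of the
    // serialized form, so a crafted stream chooses the value finalize() uses.
    static class RiskyHandle implements Serializable {
        private long nativePtr;
        @Override protected void finalize() { /* would pass nativePtr to native cleanup */ }
    }

    // Constructed sample, hardened shape: a transient field is never read from
    // the stream and is 0 after deserialization.
    static class HardenedHandle implements Serializable {
        private transient long nativePtr;
        @Override protected void finalize() { /* must treat 0 as "nothing to free" */ }
    }

    // True if the class or any superclass below Object declares finalize().
    static boolean hasFinalizer(Class<?> c) {
        for (Class<?> k = c; k != null && k != Object.class; k = k.getSuperclass()) {
            try { k.getDeclaredMethod("finalize"); return true; }
            catch (NoSuchMethodException ignored) { /* keep walking up */ }
        }
        return false;
    }

    // Lists non-static, non-transient long/int fields of a Serializable class
    // with a finalizer: candidates for a stream-controlled pointer value.
    static List<String> riskyFields(Class<?> c) {
        List<String> hits = new ArrayList<>();
        if (!Serializable.class.isAssignableFrom(c) || !hasFinalizer(c)) return hits;
        for (Class<?> k = c; k != null && Serializable.class.isAssignableFrom(k); k = k.getSuperclass()) {
            for (Field f : k.getDeclaredFields()) {
                int m = f.getModifiers();
                boolean numeric = f.getType() == long.class || f.getType() == int.class;
                if (numeric && !Modifier.isStatic(m) && !Modifier.isTransient(m)) hits.add(k.getName() + "." + f.getName());
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        System.out.println("RiskyHandle:    " + riskyFields(RiskyHandle.class));
        System.out.println("HardenedHandle: " + riskyFields(HardenedHandle.class));
    }
}
```

A hit is a prompt for manual review, not proof of a flaw: what matters is whether the flagged field is really passed to native code as an address.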

Google has released patches for the flaw. The X-Force research can be found here.
