There’s a severe vulnerability in the way all versions of Android handle the restoration of backups, one that can allow an attacker to inject a malicious APK file into the backup archive. The bug stems from an issue with the ADB command-line tool for Android, and the researchers who discovered it say there is no fix for it right now.
ADB (Android debug bridge) is a tool with a variety of functions, including the ability to send commands from a computer to a phone. It also can be used to create full backups of an Android device, and that’s the functionality in which researchers from Search-Lab Ltd. discovered the vulnerability.
“The backup manager, which invokes the custom BackupAgent, does not filter the data stream returned by the applications. While a BackupAgent is being executed during the backup process, it is able to inject additional applications (APKs) into the backup archive without the user’s consent. The BackupAgent needs no Android permissions. Upon restoration of the backup archive, the system installs the injected, additional application (since it is part of the backup archive and the system believes it is authentic) with escalated privileges,” an explanation of the vulnerability posted on GitHub says.
Exploiting the vulnerability is a relatively straightforward task.
“The attacker first needs to convince the user to install an application with the malicious BackupAgent class. This application can be innocent-looking, since no Android permissions are needed at all for the exploit. As soon as it is installed, the adb backup command (or the GUI tools that rely on it) will create ‘infected’ backup archives. AOSP has a restore intent (window) which displays a short [message] about installed apps during the restore, but it’s really easy to overlook,” Imre Rad of Search-Lab said in an email.
The company reported the issue to the Android security team at Google in July 2014 and after a year of emails between the two, the vulnerability remains open. Rad said it affects all versions of Android, including Lollipop, and he did not see a good workaround for the vulnerability.
Search-Lab has released to GitHub a proof-of-concept application and source code that exploits the vulnerability.
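The injection described above works because the restore side installs whatever APK entries the archive carries, and the only visible hint is the restore window the user tends to overlook. As an added example that is not from the article or from Search-Lab’s proof of concept, the Python below parses an unencrypted `adb backup` archive (a four-line header followed by a zlib-compressed tar, with each app under `apps/<package>/` and any bundled APK under `a/`) and lists every APK entry, so an archive can be compared against the packages the user actually expects before running `adb restore`; the package names and the sample archive are constructed for the demonstration.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"  # first header line of every adb backup file
def parse_backup(blob: bytes):
    """Return (format version, raw tar bytes). Header is four newline-terminated
    lines: magic, version, compressed flag, encryption; the tar stream follows."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    version, compressed, encryption, body = blob[len(MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError("encrypted archive; decrypt before inspecting")
    if compressed == b"1":
        body = zlib.decompress(body)
    return int(version), body

def list_packages_and_apks(blob: bytes):
    """Return ({package: has_manifest}, [APK paths]). Each app lives under
    apps/<package>/ with a _manifest entry; bundled APKs sit under a/."""
    _, tar_bytes = parse_backup(blob)
    packages, apks = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if len(parts) < 3 or parts[0] != "apps":
                continue  # not an application entry
            packages.setdefault(parts[1], False)
            if parts[2] == "_manifest":
                packages[parts[1]] = True
            elif parts[2] == "a" and m.name.endswith(".apk"):
                apks.append(m.name)  # an APK entry is what gets installed on restore
    return packages, apks

def unexpected_apks(blob: bytes, expected: set):
    """APK paths whose package is not in the set the user meant to restore."""
    return [p for p in list_packages_and_apks(blob)[1] if p.split("/")[1] not in expected]

def build_sample_backup() -> bytes:
    """Constructed sample, not a real device backup: one ordinary app plus a second package carrying an APK."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, data in [
            ("apps/com.example.notes/_manifest", b"2\ncom.example.notes\n"),
            ("apps/com.example.notes/f/notes.txt", b"constructed content"),
            ("apps/com.example.injected/_manifest", b"2\ncom.example.injected\n"),
            ("apps/com.example.injected/a/base.apk", b"PK\x03\x04 constructed stub"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Run `unexpected_apks(build_sample_backup(), {"com.example.notes"})` to see the smuggled `apps/com.example.injected/a/base.apk` surface; encrypted archives are refused rather than guessed at.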