Bug in Android ADB Backup System Can Allow Injection of Malicious Apps

Author: Dennis Fisher
minute read

There’s a severe vulnerability in the way that all versions of Android handle the restoration of backups that can allow an attacker to inject a malicious APK file into the backup archive.

There’s a severe vulnerability in the way that all versions of Android handle the restoration of backups that can allow an attacker to inject a malicious APK file into the backup archive. The bug is the result of an issue with the ADB command-line tool for Android and the researchers who discovered it say there is no fix for it right now.

ADB (Android debug bridge) is a tool with a variety of functions, including the ability to send commands from a computer to a phone. It also can be used to create full backups of an Android device, and that’s the functionality in which researchers from Search-Lab Ltd. discovered the vulnerability.

“The backup manager, which invokes the custom BackupAgent does not filter the data stream returned by the applications. While a BackupAgent is being executed during the backup process, it is able to inject additional applications (APKs) into the backup archive without the user’s consent. The BackupAgent needs no Android permissions. Upon restoration of the backup archive, the system installs the injected, additional application (since it is part of the backup archive and the system believes it is authentic) with escalated privileges,” an explanation of the vulnerability posted on GitHub says.

Exploiting the vulnerability is a relatively straightforward task.

“The attacker first needs to convince the user to install an application with the malicious BackupAgent class. This application can be innocent-looking, since no Android permissions are needed at all for the exploit. As soon as it is installed, the adb backup command (or the GUI tools rely on it) will create ‘infected’ backup archives. AOSP has a restore intent (window) which displays a short [message] about installed apps during the restore, but its really easy to overlook,” Imre Rad of Search-Lab said in an email.

The company reported the issue to the Android security team at Google in July 2014 and after a year of emails between the two, the vulnerability remains open. Rad said it affects all versions of Android, including Lollipop, and he did not see a good workaround for the vulnerability.

Search-Lab has released to GitHub a proof-of-concept application and source code that exploits the vulnerability.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.