Google has patched a severe Android vulnerability that researchers at IBM said impacts more than 55 percent of devices. As with most Android vulnerabilities, users are reliant on handset makers and carriers to push patches downstream to devices, something they’ve not always been diligent about.
IBM characterizes the vulnerability as a serialization flaw in a class called OpenSSLX509Certificate that, if exploited, gives an attacker complete control over an Android device. The most serious of the vulnerabilities disclosed today at USENIX by researchers Or Peles and Roee Hay affect versions 4.3 to 5.1, Jelly Bean through Lollipop, as well as Android M Preview 1, currently in beta.
“Advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cybercriminals own the device,” Peles and Hay said, adding that a similar but unrelated privilege escalation attack was found in the Hacking Team data dump after the vendor was hacked.
Two other vulnerabilities were also disclosed and patched in Android software development kits (SDKs) developed by third parties.
“The vulnerability (CVE-2015-3825) we found can be exploited by malware through the communication channel that takes place between apps or services,” Peles and Hay said. “As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”
The researchers today published a paper, “One Class to Rule Them All: 0-Day Deserialization Vulnerabilities in Android,” on the vulnerabilities aligning with their USENIX presentation.
In their paper, Peles and Hay explain how the proof-of-concept exploit they developed targets the system_server process in Android and provides a bridge to the system user and its extensive, almost root-level, privileges. This allows an attacker not only to swap out legitimate apps for malicious ones in order to steal data, but also to change SELinux policy rules and load new kernel modules.
“An attacker can take over any application on the victim’s device by replacing the target app’s Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim,” Peles and Hay said. “In addition, we were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. We could also change the SELinux policy and, on some devices, also load malicious kernel modules.”
The other vulnerabilities found in third-party Android SDKs also facilitate code execution and put data stored in apps at risk. The researchers analyzed more than 32,000 Android apps looking for vulnerable SDK classes to exploit. A homegrown tool called dexlib performs static analysis of an app’s dex files in 90 minutes. They said they found 358 classes across 176 APKs that were serializable and provided an attacker-controllable field in six SDKs: Jumio; Metaio; PJSIP PJSUA2; GraceNote GNSDK; MyScript; and esri ArcGis. The Google Play Services APK also makes use of the vulnerable OpenSSLX509Certificate class, IBM said.
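The receiving-side mitigation for the pattern described above (a Serializable class with a sender-controlled field arriving at an ObjectInputStream), as an added example in plain Java that is not code from the paper, from IBM, or from the Android platform. `Greeting`, `LegacyHandle`, `AllowListObjectInputStream` and `DeserializeDemo` are constructed names; the two stand-in classes model an expected type and an unexpected one, not OpenSSLX509Certificate itself.

```java
import java.io.*;
import java.util.Set;

// Constructed stand-ins: the type the receiver expects, and an unrelated Serializable type.
class Greeting implements Serializable {
    private static final long serialVersionUID = 1L;
    String text;
    Greeting(String text) { this.text = text; }
}
class LegacyHandle implements Serializable {
    private static final long serialVersionUID = 1L;
    long nativePtr; // set from the stream by whoever built it, not by this process
    LegacyHandle(long p) { nativePtr = p; }
}

// resolveClass() runs before an instance exists, so a rejected class never gets its fields filled.
class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not on the deserialization allow list");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializeDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    // Receiver side: true if the stream yielded the expected type, false if it was rejected.
    static boolean receive(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(
                new ByteArrayInputStream(untrusted), Set.of(Greeting.class.getName()))) {
            return in.readObject() instanceof Greeting;
        } catch (InvalidClassException rejected) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("expected type accepted:   " + receive(serialize(new Greeting("hello"))));
        System.out.println("unexpected type accepted: " + receive(serialize(new LegacyHandle(7L))));
    }
}
```

The same check applies to any app or service that deserializes bytes received from another process; the framework's own deserialization path cannot be wrapped by an app, so that side depends on the platform patch the article describes.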
Last week at Black Hat and in the wake of the Stagefright vulnerability disclosure, Google announced that it will begin updating its Nexus Android phones on a monthly schedule, and that other handset makers, including Samsung and LG, are expected to fall in line and provide updates to carriers in a timely fashion.
Stagefright was a vulnerability found by Zimperium researcher Joshua Drake that affected close to 90 percent of Android devices by simply sending a malicious MMS message. Google pushed a Stagefright patch to Nexus users last week.
“From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues,” Ludwig wrote in a blog post explaining the changes.