
Security team finds additional Android vulnerability

Fresh from sorting out the Stagefright flaw, Google has another serious security vulnerability in Android on its hands.


The new flaw discovered by IBM researchers exists in Android versions 4.3-5.1 (Jelly Bean, Kitkat and Lollipop) and a patch is available, but it is up to phone service providers to decide when and if to deploy it. The researchers presented a paper on the flaw today at USENIX WOOT ’15 in Washington, D.C., in which they describe an exploit, but don’t reveal the code to carry it out.

“In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a ‘super app’ and help the cyber criminals own the device”, IBM said.

In their paper titled One Class to Rule Them All, the two researchers working for IBM’s X-Force Application Security Research Team provided a proof of concept of CVE-2014-3153, a vulnerability they found in Android’s OpenSSLX509Certificate class.

The main vulnerability lies in how a piece of Android’s code (specifically, the OpenSSLX509Certificate class) handles serialization during inter-process communication (IPC).

“An attacker can take over any application on the victim’s device by replacing the target app’s Android application package. This can then allow the attacker to perform actions on behalf of the victim”, Peles said.

What the researchers found has not been seen in the wild yet but, they say, it “shows that with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users”. “In addition, we were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. We could also change the SELinux policy and, on some devices, also load malicious kernel modules”. The team also discovered six vulnerable software development kits (SDKs), including MyScript, GraceNote and Jumio.

Both Google and the SDK makers have provided patches for their respective software, but as always, updates for non-Nexus devices must go through OEMs and carriers, so there’s no word on when users will actually have fixes for their handsets.


Stagefright was a vulnerability found by Zimperium researcher Joshua Drake that affected close to 90 percent of Android devices and could be exploited simply by sending a malicious MMS message. It might leave you a little scared to use your phone, as security experts call it the worst Android flaw ever uncovered.
