New vulnerability puts 55 per cent of Android devices at risk
Tod Beardsley, engineering manager at Rapid7, the firm behind Metasploit, commented: “The acknowledgment from Adrian Ludwig from Google’s security team that Google needs to be more responsive and more transparent about security fixes is great news, and shows that Google is taking the lead on revitalising the patching pipeline for the Android ecosystem”. First it was the Stagefright vulnerability, which could allow hackers to crash your smartphone just by sending a multimedia text. “As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device”, Peles added.
Ohad Bobrov and Avi Bashan, the two Check Point researchers who discovered the latest vulnerability, noted that their finding “demonstrates how the Android ecosystem architecture is flawed”.
Its researchers have discovered a second exploit deep within the operating system that holds the same potential for harm. The flaw lies in the OpenSSLX509Certificate class and affects Android versions 4.3 to 5.11, including the unreleased Android M Preview 1. “Exploiting system_server allows for privilege escalation to the system user with a rather relaxed SELinux profile (due to system_server’s many responsibilities) which enables the attacker to cause a lot of damage”, he said.
For instance, they write, an attacker can take over any application on the victim’s device by replacing the target app’s Android application package (APK). “This can then allow the attacker to perform actions on behalf of the victim”, Peles said. “In addition to this Android serialization vulnerability, the team also found several vulnerable third-party Android software development kits (SDKs), which can help attackers own apps”.
Since they only need to run a small snippet of code to escalate the privileges of an app, they could hide that small piece of code in any game or lesser app they’d like, and even host it on the Play Store.
As they explain, developers use classes within the Android platform and SDKs to provide functionality for apps – for example, accessing the network or the phone’s camera. The targeted app receives a file with objects of the vulnerable OpenSSLX509Certificate class that loosen the access restrictions on the memory space where its bits are stored to allow for override.
The flaw, known by its technical designation of CVE-2015-3825, shares the passive susceptibility to attack that makes Stagefright – as its fellow bug is known – so unsafe.
An attacker could easily use this vulnerability to download malicious APKs on the user’s device, and then use them to replace authentic apps, like the Facebook app, seen in the video below. The X-Force research can be found here.