Flaw in Android Backup System Enables Injection of Malicious Apps

A security bug in a backup mechanism of the Android operating system can be exploited to install malicious apps on vulnerable devices, researchers have warned. Google has confirmed the existence of the flaw, but the search giant says it’s a “low severity” issue.

The vulnerability was reported to Google by researchers at Hungary-based security firm Search-Lab on July 14, 2014. After seeing that Google had not addressed the bug for nearly a year, the researchers decided to publicly disclose their findings.

The vulnerability (CVE-2014-7952) is related to the backup/restore functionality in the Android Debug Bridge (adb) command line tool.

“By default, full backup of applications including the private files stored in /data is performed, but this behaviour can be customized by implementing a BackupAgent class. This way applications can feed the backup process with custom files and data. The backup file created is a simple compressed tar archive with some Android specific headers,” Search-Lab explained in an advisory.

The problem, according to researchers, is that the backup manager that’s responsible for invoking the custom BackupAgent does not filter the data stream returned by the app. This allows a malicious BackupAgent to inject APKs into the backup archive without the user’s knowledge or consent. When the backup archive is restored, the injected app is automatically installed and granted any non-system permission it requires.
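Because restoring an archive installs any APK it contains, the practical safeguard is to inventory the archive before running a restore. The script below is an added example (not Search-Lab's PoC or any Google code); it assumes the commonly described adb backup layout noted in its comments, constructs its own sample archive inline, and flags packages that carry an APK entry the operator did not expect.

```python
import io
import tarfile
import zlib

# Assumed layout (not stated on the page): 4 header lines (magic, version,
# compression flag, encryption scheme), then a zlib-deflated tar with entries
# apps/<package>/<domain>/<file>; domain "a" holds APKs, "_manifest" the manifest.
HEADER_MAGIC = b"ANDROID BACKUP"


def parse_backup(blob: bytes) -> list[str]:
    """Return the file entry names inside an unencrypted adb backup."""
    lines = blob.split(b"\n", 4)  # 4 header lines; the 5th part is the tar stream
    if len(lines) < 5 or lines[0] != HEADER_MAGIC:
        raise ValueError("not an adb backup archive")
    _version, compressed, encryption, body = lines[1:]
    if encryption != b"none":
        raise ValueError("encrypted backups must be decrypted first")
    data = zlib.decompress(body) if compressed == b"1" else body
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return [m.name for m in tar.getmembers() if m.isfile()]


def apk_carriers(names: list[str]) -> dict[str, list[str]]:
    """Map each package that ships an APK (domain 'a') to its APK entries."""
    carriers: dict[str, list[str]] = {}
    for name in names:
        parts = name.split("/")
        if len(parts) >= 4 and parts[0] == "apps" and parts[2] == "a":
            carriers.setdefault(parts[1], []).append(name)
    return carriers


def unexpected_apks(names: list[str], expected: set[str]) -> list[str]:
    """Packages carrying an APK you did not expect: hold the restore until explained."""
    return sorted(pkg for pkg in apk_carriers(names) if pkg not in expected)


def build_sample_backup() -> bytes:
    """Constructed sample: one app's data plus an APK injected for another package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, payload in [
            ("apps/com.example.trusted/_manifest", b"manifest"),
            ("apps/com.example.trusted/f/notes.txt", b"user data"),
            ("apps/com.example.injected/_manifest", b"manifest"),
            ("apps/com.example.injected/a/base.apk", b"PK\x03\x04 fake apk"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return HEADER_MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())
```

Run `unexpected_apks(parse_backup(open(path, "rb").read()), {...})` against a real archive with the set of packages you deliberately backed up with APKs; any package it returns was not part of that set and should be investigated before `adb restore`.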

Experts have warned that the injected APK can be a piece of malware that could carry out all sorts of activities, including starting at boot and sending SMS messages.

Search-Lab has created a proof-of-concept (PoC) that works on all current versions of Android, including the latest 5.1.1 Lollipop. Researchers say all users who rely on the adb tool for creating and restoring backups could be affected.

Google is aware of the vulnerability and plans to fix it in a future update, but the company says this is a low priority issue.

“We want to thank the researcher for identifying the issue and providing us with information. Per our public severity classifications, we’ve classified this as a low severity issue,” a Google spokesperson told SecurityWeek.

“This issue does not affect Android users during typical device operation, as it requires the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application,” Google said. “We have observed no evidence of attempted exploitation to date. We will continue to monitor for potential abuse with VerifyApps and SafetyNet, as well as within Google Play. We strongly encourage users to install applications from a trusted source, such as Google Play.”

It’s worth noting that the adb backup functionality is not covered in Google’s official documentation for Android developers.

Written by

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.