Researchers at IBM have identified vulnerabilities that can be exploited by malicious Android applications to escalate privileges, allowing cybercriminals to take control of affected devices.
One of the issues is a high severity vulnerability affecting Android versions 4.3 Jelly Bean through 5.1 Lollipop and the first preview version of the upcoming Android M. Based on statistics provided by Google, more than 60 percent of smartphones running Android were impacted as of August 3.
According to IBM, the vulnerability (CVE-2015-3825) can be exploited for arbitrary code execution in the context of applications and services, which can lead to privilege escalation. Experts have demonstrated that the flaw can be leveraged to replace legitimate apps installed on the targeted devices with malicious apps, steal data from installed applications, change the SELinux policy and, in some cases, load malicious kernel modules.
The flaw, which IBM calls a “serialization vulnerability,” is related to the OpenSSLX509Certificate class found in the Android framework.
Classes found in the Android platform and software development kits (SDKs) are often used by developers because they provide various types of functionality for their apps (e.g. accessing the camera or the network).
Serialization is the process in which an object is converted into a stream of bytes so that it can be stored in memory or a file, or transmitted, and reconstructed later in a process known as deserialization.
Researchers discovered that the OpenSSLX509Certificate class in Android is serializable and contains a field that an attacker can control and that is used by its finalize method. Because the object is broken down into bytes and reconstructed without that field being validated, a piece of malware can insert malicious content into the stream and exploit the vulnerability when the object is deserialized.
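The defensive pattern that addresses the class of bug described above, as an added illustration that is not code from the article, from IBM, or from the Android framework: a serializable wrapper around a native object should never restore its native handle from the byte stream, and its finalize method should only release a handle the running process actually allocated. The class name `NativeHandleHolder`, the field names and the `allocateNative`/`freeNative` stand-ins are hypothetical placeholders for a JNI-backed object.

```java
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Hypothetical wrapper modelled on the pattern the researchers describe:
// a serializable object holding a pointer to native memory, whose finalizer
// releases that memory. The hardening points are marked in the comments.
public final class NativeHandleHolder implements Serializable {
    private static final long serialVersionUID = 1L;

    // Hardening 1: the native pointer is 'transient', so it is never written
    // to, or read from, the serialized form. After deserialization it is 0,
    // not whatever value the sender of the stream chose.
    private transient long nativeHandle;

    // Data that legitimately travels in the stream (for a certificate this
    // would be the DER-encoded bytes, not a memory address).
    private final byte[] encoded;

    public NativeHandleHolder(byte[] encoded) {
        if (encoded == null || encoded.length == 0) {
            throw new IllegalArgumentException("empty payload");
        }
        this.encoded = encoded.clone();
        this.nativeHandle = allocateNative(this.encoded);
    }

    // Hardening 2: on deserialization, validate the trusted payload and
    // rebuild native state from it, instead of trusting anything else in
    // the stream.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        if (encoded == null || encoded.length == 0) {
            throw new InvalidObjectException("missing encoded payload");
        }
        nativeHandle = allocateNative(encoded); // fresh handle, never from the stream
    }

    // Stand-in for a JNI allocation; a real wrapper would return a pointer.
    private static long allocateNative(byte[] data) {
        return data.length == 0 ? 0L : 1L;
    }

    // Stand-in for the matching JNI free.
    private static void freeNative(long handle) {
        // native release would happen here
    }

    // Hardening 3: the finalizer runs on whatever object deserialization
    // produced, so it must only act on a handle this process created, and
    // must clear it so the release cannot happen twice.
    @Override
    protected void finalize() throws Throwable {
        try {
            if (nativeHandle != 0) {
                freeNative(nativeHandle);
                nativeHandle = 0;
            }
        } finally {
            super.finalize();
        }
    }
}
```

The same reasoning applies to any class that reaches a native pointer from a serialized field, which is why the article's SWIG-generated SDK wrappers were affected in the same way: an app that accepts a Serializable object from an untrusted source (for example, an Intent extra from another app) ends up running the class's readObject and finalize logic on attacker-shaped data, so those methods must treat every deserialized field as untrusted input.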
IBM designed a proof-of-concept (PoC) malware that can replace the legitimate Facebook app with a rogue application and allow the attacker to steal sensitive data.
Similar vulnerabilities were discovered by researchers in six different SDKs: Jumio (CVE-2015-2000), MetaIO (CVE-2015-2001), PJSIP PJSUA2 (CVE-2015-2003), GraceNote GNSDK (CVE-2015-2004), MyScript (CVE-2015-2020) and esri ArcGis (CVE-2015-2002). Five of these SDKs are vulnerable due to weak code generated by the SWIG interoperability tool.
Researchers noted that the Google Play Services APK also included the vulnerable OpenSSLX509Certificate class.
“As opposed to vulnerabilities found in final products, such as operating systems or applications where an automatic update mechanism is usually available, the situation is by far worse for SDKs. One vulnerable SDK can affect dozens of apps whose developers are usually unaware of it, taking months to update,” explained Or Peles, a member of IBM’s X-Force Application Security Research Team.
Google has patched the vulnerability in Android 4.4, 5.0, 5.1 and M. The developers of the affected SDKs were also notified and released patches. IBM says it hasn’t found any evidence that the vulnerabilities have been exploited in the wild.
The most serious issues discovered so far this year are related to the Stagefright media playback engine. The Stagefright vulnerabilities, identified by researchers at enterprise mobile security firm Zimperium, impact roughly 950 million Android devices and they can be exploited to compromise smartphones simply by sending a specially crafted media file to the target.
A recent study from the Ponemon Institute and IBM showed that organizations find it difficult to secure their mobile apps. An average of $34 million is spent annually on mobile app development, but only 5.5 percent of it is used for app security.