Flaw in Android Backup System Enables Injection of Malicious Apps

A security bug in a backup mechanism of the Android operating system can be exploited to install malicious apps on vulnerable devices, researchers have warned. Google has confirmed the existence of the flaw, but the search giant says it’s a “low severity” issue.

The vulnerability was reported to Google by researchers at Hungary-based security firm Search-Lab on July 14, 2014. After seeing that Google had not addressed the bug for nearly a year, the researchers decided to publicly disclose their findings.

The vulnerability (CVE-2014-7952) is related to the backup/restore functionality in the Android Debug Bridge (adb) command line tool.

“By default, full backup of applications including the private files stored in /data is performed, but this behaviour can be customized by implementing a BackupAgent class. This way applications can feed the backup process with custom files and data. The backup file created is a simple compressed tar archive with some Android specific headers,” Search-Lab explained in an advisory.

The problem, according to researchers, is that the backup manager that’s responsible for invoking the custom BackupAgent does not filter the data stream returned by the app. This allows a malicious BackupAgent to inject APKs into the backup archive without the user’s knowledge or consent. When the backup archive is restored, the injected app is automatically installed and granted any non-system permission it requires.
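A check a user could run on an adb backup file before restoring it, as an added example that is not from Search-Lab's advisory or the original article: it reads the header lines, inflates the tar payload and lists every APK the archive carries. The four-line text header and the `apps/<package>/a/` location for APKs are assumptions based on the AOSP full-backup format, and the sample archive is constructed.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def parse_header(stream):
    """Read the four text header lines; return True if the payload is deflated."""
    magic, _version, compressed, encryption = (
        stream.readline().rstrip(b"\n") for _ in range(4))
    if magic != MAGIC:
        raise ValueError("not an adb backup file")
    if encryption != b"none":
        raise ValueError("encrypted backup: decrypt before auditing")
    return compressed == b"1"

def find_apk_entries(ab_bytes):
    """Return (path, size) for every APK carried in the backup archive."""
    stream = io.BytesIO(ab_bytes)
    compressed = parse_header(stream)
    payload = stream.read()
    if compressed:
        payload = zlib.decompress(payload)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar:
            parts = member.name.split("/")
            # Assumed layout: apps/<package>/<domain>/...; domain "a" holds APKs.
            is_apk_domain = len(parts) > 3 and parts[0] == "apps" and parts[2] == "a"
            if member.isfile() and (is_apk_domain or member.name.lower().endswith(".apk")):
                findings.append((member.name, member.size))
    return findings

def build_sample_backup(files):
    """Constructed sample: pack {path: bytes} into an unencrypted backup image."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\nnone\n" + zlib.compress(buf.getvalue())

# Constructed input: one app's data files plus an APK the user did not ask for.
SAMPLE = build_sample_backup({
    "apps/com.example.notes/f/notes.txt": b"hello",
    "apps/com.example.other/a/base.apk": b"PK\x03\x04constructed",
})

print("APKs found in sample backup:", find_apk_entries(SAMPLE))
```

Any APK listed for a backup that was taken without the `-apk` option, or for a package the user does not recognize, is a reason not to restore the file.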

Experts have warned that the injected APK can be a piece of malware that could carry out all sorts of activities, including starting at boot and sending SMS messages.

Search-Lab has created a proof-of-concept (PoC) that works on all current versions of Android, including the latest 5.1.1 Lollipop. Researchers say all users who rely on the adb tool for creating and restoring backups could be affected.

Google is aware of the vulnerability and it plans on fixing it in a future update, but the company says this is a low priority issue.

“We want to thank the researcher for identifying the issue and providing us with information. Per our public severity classifications, we’ve classified this as a low severity issue,” a Google spokesperson told SecurityWeek.

“This issue does not affect Android users during typical device operation, as it requires the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application,” Google said. “We have observed no evidence of attempted exploitation to date. We will continue to monitor for potential abuse with VerifyApps and SafetyNet, as well as within Google Play. We strongly encourage users to install applications from a trusted source, such as Google Play.”

It’s worth noting that the adb backup functionality is not covered in the official documentation Google provides for Android developers.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
