A security bug in a backup mechanism of the Android operating system can be exploited to install malicious apps on vulnerable devices, researchers have warned. Google has confirmed the existence of the flaw, but the search giant says it’s a “low severity” issue.
The vulnerability was reported to Google by researchers at Hungary-based security firm Search-Lab on July 14, 2014. After seeing that Google had not addressed the bug for nearly a year, the researchers decided to publicly disclose their findings.
The vulnerability (CVE-2014-7952) is related to the backup/restore functionality in the Android Debug Bridge (adb) command line tool.
“By default, full backup of applications including the private files stored in /data is performed, but this behaviour can be customized by implementing a BackupAgent class. This way applications can feed the backup process with custom files and data. The backup file created is a simple compressed tar archive with some Android specific headers,” Search-Lab explained in an advisory.
The problem, according to researchers, is that the backup manager that’s responsible for invoking the custom BackupAgent does not filter the data stream returned by the app. This allows a malicious BackupAgent to inject APKs into the backup archive without the user’s knowledge or consent. When the backup archive is restored, the injected app is automatically installed and granted any non-system permission it requires.
Experts have warned that the injected APK can be a piece of malware that could carry out all sorts of activities, including starting at boot and sending SMS messages.
Search-Lab has created a proof-of-concept (PoC) that works on all current versions of Android, including the latest 5.1.1 Lollipop. Researchers say all users who rely on the adb tool for creating and restoring backups could be affected.
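For users who do restore adb backups, the archive can be inspected before it is restored. The following sketch is an added example, not code from Search-Lab or Google: it unpacks an unencrypted backup file and reports every package whose entry carries an APK, so packages the user did not expect to be installed stand out. The four-line header layout and the `apps/<package>/a/` location for APKs are assumptions based on the AOSP backup format rather than details given in the advisory text quoted here, and the package names and sample archive are constructed.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"  # first header line (assumed from the AOSP format)

def read_backup_tar(blob: bytes) -> tarfile.TarFile:
    """Parse the header lines (magic, version, compressed, encryption)."""
    lines = blob.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != MAGIC:
        raise ValueError("not an adb backup file")
    compressed, encryption, body = lines[2], lines[3], lines[4]
    if encryption != b"none":
        raise ValueError("encrypted backup: decrypt before auditing")
    if compressed == b"1":
        body = zlib.decompress(body)
    return tarfile.open(fileobj=io.BytesIO(body), mode="r:")

def find_apks(blob: bytes) -> dict:
    """Map package name -> APK entries carried in the archive."""
    found = {}
    with read_backup_tar(blob) as tar:
        for member in tar:
            parts = member.name.split("/")
            # Layout assumed: apps/<package>/<domain>/...; domain "a" holds an APK
            if len(parts) >= 3 and parts[0] == "apps" and member.isfile():
                if parts[2] == "a" or member.name.lower().endswith(".apk"):
                    found.setdefault(parts[1], []).append(member.name)
    return found

def unexpected_apks(blob: bytes, expected_packages: set) -> dict:
    """APK-carrying packages the user did not expect to see restored."""
    return {p: f for p, f in find_apks(blob).items() if p not in expected_packages}

def build_sample() -> bytes:
    """Constructed sample: one data-only package and one that carries an APK."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("apps/com.example.notes/_manifest",
                     "apps/com.example.notes/f/notes.db",
                     "apps/com.example.other/_manifest",
                     "apps/com.example.other/a/base.apk"):
            info = tarfile.TarInfo(name)
            info.size = len(b"placeholder")
            tar.addfile(info, io.BytesIO(b"placeholder"))
    return MAGIC + b"\n3\n1\nnone\n" + zlib.compress(buf.getvalue())

if __name__ == "__main__":
    print(unexpected_apks(build_sample(), {"com.example.notes"}))
```

Any package reported here that the user did not deliberately back up with its APK is a reason not to restore the file.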
Google is aware of the vulnerability and it plans on fixing it in a future update, but the company says this is a low priority issue.
“We want to thank the researcher for identifying the issue and providing us with information. Per our public severity classifications, we’ve classified this as a low severity issue,” a Google spokesperson told SecurityWeek.
“This issue does not affect Android users during typical device operation, as it requires the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application,” Google said. “We have observed no evidence of attempted exploitation to date. We will continue to monitor for potential abuse with VerifyApps and SafetyNet, as well as within Google Play. We strongly encourage users to install applications from a trusted source, such as Google Play.”
It’s worth noting that the adb backup functionality is not covered in the official documentation Google provides for Android developers.