A security bug in a backup mechanism of the Android operating system can be exploited to install malicious apps on vulnerable devices, researchers have warned. Google has confirmed the existence of the flaw, but the search giant says it’s a “low severity” issue.
The vulnerability was reported to Google by researchers at Hungary-based security firm Search-Lab on July 14, 2014. After seeing that Google had not addressed the bug for nearly a year, the researchers decided to publicly disclose their findings.
The vulnerability (CVE-2014-7952) is related to the backup/restore functionality in the Android Debug Bridge (adb) command line tool.
“By default, full backup of applications including the private files stored in /data is performed, but this behaviour can be customized by implementing a BackupAgent class. This way applications can feed the backup process with custom files and data. The backup file created is a simple compressed tar archive with some Android specific headers,” Search-Lab explained in an advisory.
The problem, according to researchers, is that the backup manager that’s responsible for invoking the custom BackupAgent does not filter the data stream returned by the app. This allows a malicious BackupAgent to inject APKs into the backup archive without the user’s knowledge or consent. When the backup archive is restored, the injected app is automatically installed and granted any non-system permission it requires.
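As an added illustration from the defender's side (not code from Search-Lab or from the article), the following Python inspects an unencrypted `adb backup` archive and lists any APK entries a restore would install, so a backup can be checked before it is restored. It assumes the commonly documented archive layout (a four-line text header followed by a zlib-deflated tar stream, with each app's APK stored under `apps/<package>/a/`) and builds its own constructed sample archive in memory.

```python
import io
import tarfile
import zlib

HEADER_MAGIC = b"ANDROID BACKUP"


def parse_backup(data: bytes) -> tuple:
    """Split the 4-line header off an unencrypted backup; return (header, tar bytes)."""
    lines = data.split(b"\n", 4)  # header lines are the first four; the rest is the body
    if len(lines) < 5 or lines[0] != HEADER_MAGIC:
        raise ValueError("not an Android backup archive")
    header = {"version": int(lines[1]), "compressed": lines[2] == b"1",
              "encryption": lines[3].decode()}
    if header["encryption"] != "none":
        raise ValueError("encrypted backups must be decrypted before inspection")
    body = zlib.decompress(lines[4]) if header["compressed"] else lines[4]
    return header, body


def find_apks(data: bytes) -> dict:
    """Map each package in the archive to the APK entries a restore would install."""
    _, tar_bytes = parse_backup(data)
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            # apps/<package>/a/<file>.apk is the slot that restore installs from (assumed layout)
            if (len(parts) == 4 and parts[0] == "apps" and parts[2] == "a"
                    and parts[3].endswith(".apk")):
                found.setdefault(parts[1], []).append(parts[3])
    return found


def unexpected_apks(data: bytes, backed_up_pkgs: set) -> dict:
    """APKs for packages the user did not ask to back up: review these before restoring."""
    return {p: a for p, a in find_apks(data).items() if p not in backed_up_pkgs}


def make_sample_backup() -> bytes:
    """Constructed fixture: one app's own data plus an APK entry filed under another package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, payload in [("apps/com.example.notes/_manifest", b"manifest"),
                              ("apps/com.example.notes/f/notes.db", b"data"),
                              ("apps/com.example.extra/a/base.apk", b"PK\x03\x04")]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    print(unexpected_apks(make_sample_backup(), {"com.example.notes"}))
```

Run against a real archive by reading the `.ab` file into `data`; any package reported by `unexpected_apks` is one whose APK the restore would install even though it was never selected for backup.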
Experts have warned that the injected APK can be a piece of malware that could carry out all sorts of activities, including starting at boot and sending SMS messages.
Search-Lab has created a proof-of-concept (PoC) that works on all current versions of Android, including the latest 5.1.1 Lollipop. Researchers say all users who rely on the adb tool for creating and restoring backups could be affected.
Google is aware of the vulnerability and plans to fix it in a future update, but the company says it is a low-priority issue.
“We want to thank the researcher for identifying the issue and providing us with information. Per our public severity classifications, we’ve classified this as a low severity issue,” a Google spokesperson told SecurityWeek.
“This issue does not affect Android users during typical device operation, as it requires the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application,” Google said. “We have observed no evidence of attempted exploitation to date. We will continue to monitor for potential abuse with VerifyApps and SafetyNet, as well as within Google Play. We strongly encourage users to install applications from a trusted source, such as Google Play.”
It’s worth noting that the adb backup functionality is not covered in Google’s official documentation for Android developers.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.