A security bug in a backup mechanism of the Android operating system can be exploited to install malicious apps on vulnerable devices, researchers have warned. Google has confirmed the existence of the flaw, but the search giant says it’s a “low severity” issue.
The vulnerability was reported to Google by researchers at Hungary-based security firm Search-Lab on July 14, 2014. After seeing that Google had not addressed the bug for nearly a year, the researchers decided to publicly disclose their findings.
The vulnerability (CVE-2014-7952) is related to the backup/restore functionality in the Android Debug Bridge (adb) command line tool.
“By default, full backup of applications including the private files stored in /data is performed, but this behaviour can be customized by implementing a BackupAgent class. This way applications can feed the backup process with custom files and data. The backup file created is a simple compressed tar archive with some Android specific headers,” Search-Lab explained in an advisory.
The problem, according to researchers, is that the backup manager that’s responsible for invoking the custom BackupAgent does not filter the data stream returned by the app. This allows a malicious BackupAgent to inject APKs into the backup archive without the user’s knowledge or consent. When the backup archive is restored, the injected app is automatically installed and granted any non-system permission it requires.
Experts have warned that the injected APK can be a piece of malware that could carry out all sorts of activities, including starting at boot and sending SMS messages.
Search-Lab has created a proof-of-concept (PoC) that works on all current versions of Android, including the latest 5.1.1 Lollipop. Researchers say all users who rely on the adb tool for creating and restoring backups could be affected.
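Because the backup file is a compressed tar archive behind a short header, it can be inspected for APK entries before it is restored. The Python sketch below is an added example, not Search-Lab's PoC or Google's code; it assumes the four-line `ANDROID BACKUP` header and an `apps/<package>/a/` path for APKs, and its sample archive is constructed with dummy bytes.

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"

def read_ab_tar(blob):
    """Parse the header (magic, version, compressed flag, encryption) and return the tar bytes."""
    lines = blob.split(b"\n", 4)
    if len(lines) < 5 or lines[0] != MAGIC:
        raise ValueError("not an Android backup file")
    compressed, encryption, body = lines[2], lines[3], lines[4]
    if encryption != b"none":
        raise ValueError("encrypted backup: decrypt before inspection")
    return zlib.decompress(body) if compressed == b"1" else body

def find_apks(blob):
    """Return sorted (package, path) pairs for every APK-like entry in the archive."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(read_ab_tar(blob))) as tar:
        for member in tar:
            parts = member.name.split("/")
            # Assumed layout: apps/<package>/<domain>/...; domain "a" carries the APK.
            in_apk_domain = len(parts) > 3 and parts[0] == "apps" and parts[2] == "a"
            if member.isfile() and (in_apk_domain or member.name.lower().endswith(".apk")):
                hits.append((parts[1] if len(parts) > 1 else "?", member.name))
    return sorted(hits)

def build_sample(entries, encryption=b"none"):
    """Constructed sample: wrap dummy tar entries in an .ab container."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"\n1\n1\n" + encryption + b"\n" + zlib.compress(buf.getvalue())

# Constructed input: hypothetical package names, placeholder file contents.
SAMPLE = build_sample([
    ("apps/com.example.notes/_manifest", b"1\ncom.example.notes\n"),
    ("apps/com.example.notes/f/notes.txt", b"hello"),
    ("apps/com.example.other/a/base.apk", b"dummy bytes, not a real APK"),
])

if __name__ == "__main__":
    for package, path in find_apks(SAMPLE):
        print(f"APK in backup: {package} -> {path}")
```

Any APK entry the user did not knowingly ask to back up deserves scrutiny before the archive is restored.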
Google is aware of the vulnerability and it plans on fixing it in a future update, but the company says this is a low priority issue.
“We want to thank the researcher for identifying the issue and providing us with information. Per our public severity classifications, we’ve classified this as a low severity issue,” a Google spokesperson told SecurityWeek.
“This issue does not affect Android users during typical device operation, as it requires the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application,” Google said. “We have observed no evidence of attempted exploitation to date. We will continue to monitor for potential abuse with VerifyApps and SafetyNet, as well as within Google Play. We strongly encourage users to install applications from a trusted source, such as Google Play.”
It’s worth noting that the adb backup functionality is not documented in official documents provided by Google for Android developers.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
