SecurityWeek

Serialization Vulnerabilities Put Many Android Devices at Risk

Researchers at IBM have identified vulnerabilities that can be exploited by malicious Android applications to escalate privileges, allowing cybercriminals to take control of affected devices.

One of the issues is a high severity vulnerability affecting Android versions 4.3 Jelly Bean through 5.1 Lollipop and the first preview version of the upcoming Android M. Based on statistics provided by Google, more than 60 percent of smartphones running Android were impacted as of August 3.

According to IBM, the vulnerability (CVE-2015-3825) can be exploited for arbitrary code execution in the context of applications and services, which can lead to privilege escalation. Experts have demonstrated that the flaw can be leveraged to replace legitimate apps installed on the targeted devices with malicious apps, steal data from installed applications, change the SELinux policy and, in some cases, load malicious kernel modules.

The flaw, which IBM calls a “serialization vulnerability,” is related to the OpenSSLX509Certificate class found in the Android framework.

Classes found in the Android platform and software development kits (SDKs) are often used by developers because they provide various types of functionality for their apps (e.g. accessing the camera or the network).

Serialization is the process of converting an object into a stream of bytes so that it can be stored or transmitted, to memory or a file, and reconstructed later in a process known as deserialization.

Researchers discovered that the OpenSSLX509Certificate class in Android is serializable and contains a field that an attacker can control and that is used in its finalize method. Because the object is broken down into bytes and later reconstructed, a piece of malware can insert malicious code into the stream and exploit the vulnerability.
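The pattern described above, as a stand-alone Java example added here (it is not IBM's PoC and not Android framework code; the class names `UnsafeHandle` and `SafeHandle` and the field `nativePtr` are hypothetical). It shows that a serialized field comes back holding whatever value the byte stream carried, and that marking the field `transient` keeps it out of the stream.

```java
import java.io.*;

public class TransientHandleDemo {
    // Weak pattern: the handle field is part of the serialized form, so whoever
    // supplies the byte stream chooses the value that cleanup code later acts on.
    static class UnsafeHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        long nativePtr; // hypothetical native handle, restored from the stream
        UnsafeHandle(long p) { nativePtr = p; }
    }

    // Hardened pattern: a transient field is never written to or read from the
    // stream; after deserialization it is 0 and cleanup code can skip it.
    static class SafeHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        transient long nativePtr;
        SafeHandle(long p) { nativePtr = p; }

        // What a finalizer-style cleanup should check before touching native state.
        boolean hasUsableHandle() { return nativePtr != 0L; }
    }

    // Serialize to a byte array and read the object back, as a receiver would.
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value standing in for data supplied by the sender.
        long constructed = 0x41414141L;

        UnsafeHandle u = (UnsafeHandle) roundTrip(new UnsafeHandle(constructed));
        SafeHandle s = (SafeHandle) roundTrip(new SafeHandle(constructed));

        System.out.printf("unsafe handle after deserialization: 0x%x%n", u.nativePtr);
        System.out.printf("safe handle after deserialization:   0x%x (usable=%b)%n",
                          s.nativePtr, s.hasUsableHandle());
    }
}
```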

IBM designed a proof-of-concept (PoC) malware that can replace the legitimate Facebook app with a rogue application and allow the attacker to steal sensitive data.

Similar vulnerabilities were discovered by researchers in six different SDKs: Jumio (CVE-2015-2000), MetaIO (CVE-2015-2001), PJSIP PJSUA2 (CVE-2015-2003), GraceNote GNSDK (CVE-2015-2004), MyScript (CVE-2015-2020) and esri ArcGis (CVE-2015-2002). Five of these SDKs are vulnerable due to weak code generated by the SWIG interoperability tool.

Researchers noted that the Google Play Services APK also included the vulnerable OpenSSLX509Certificate class.

“As opposed to vulnerabilities found in final products, such as operating systems or applications where an automatic update mechanism is usually available, the situation is by far worse for SDKs. One vulnerable SDK can affect dozens of apps whose developers are usually unaware of it, taking months to update,” explained Or Peles, a member of IBM’s X-Force Application Security Research Team.

Google has patched the vulnerability in Android 4.4, 5.0, 5.1 and M. The developers of the affected SDKs were also notified and released patches. IBM says it hasn’t found any evidence that the vulnerabilities have been exploited in the wild.

Several vulnerabilities have been identified in Android this year. The list includes privilege escalation, installer hijacking, and denial-of-service (DoS) flaws.

The most serious issues discovered so far this year are related to the Stagefright media playback engine. The Stagefright vulnerabilities, identified by researchers at enterprise mobile security firm Zimperium, impact roughly 950 million Android devices and they can be exploited to compromise smartphones simply by sending a specially crafted media file to the target.

A recent study from the Ponemon Institute and IBM showed that organizations find it difficult to secure their mobile apps. An average of $34 million is spent annually on mobile app development, but only 5.5 percent of it is used for app security.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
