Serialization Vulnerabilities Put Many Android Devices at Risk

Researchers at IBM have identified vulnerabilities that can be exploited by malicious Android applications to escalate privileges, allowing cybercriminals to take control of affected devices.

One of the issues is a high severity vulnerability affecting Android versions 4.3 Jelly Bean through 5.1 Lollipop and the first preview version of the upcoming Android M. Based on statistics provided by Google, more than 60 percent of smartphones running Android were impacted as of August 3.

According to IBM, the vulnerability (CVE-2015-3825) can be exploited for arbitrary code execution in the context of applications and services, which can lead to privilege escalation. Experts have demonstrated that the flaw can be leveraged to replace legitimate apps installed on the targeted devices with malicious apps, steal data from installed applications, change the SELinux policy and, in some cases, load malicious kernel modules.

The flaw, which IBM calls a “serialization vulnerability,” is related to the OpenSSLX509Certificate class found in the Android framework.

Classes found in the Android platform and software development kits (SDKs) are often used by developers because they provide various types of functionality for their apps (e.g. accessing the camera or the network).

Serialization is the process in which an object is converted into a stream of bytes so that it can be stored in memory or in a file, or transmitted to another process, and then reconstructed later in a process known as deserialization. The security-relevant point is that the receiving side rebuilds the object from bytes it did not produce, so any field that is written to the stream is, in effect, controlled by whoever supplied the stream.

Researchers discovered that the OpenSSLX509Certificate class in Android is serializable and that one of its fields, a pointer into native memory, is written to the stream rather than being excluded from it. When the object is rebuilt, that pointer holds whatever value the stream contained, and the class’s finalize method hands it to native code when the garbage collector disposes of the object. A malicious app therefore only needs to get a crafted serialized object into a more privileged app or system service; the victim reconstructs it, and the attacker-chosen pointer is used by native code with the victim’s privileges.
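The following plain-Java program is an added illustration of the pattern just described; it is not IBM’s proof of concept and not the Android source. It assumes a stub, nativeFree, in place of the real JNI call that frees the certificate structure, so it runs without any native library or an Android device. VulnerableCert mirrors the problematic shape (a non-transient native pointer plus a finalize that releases it); HardenedCert shows one way to close the hole by making the pointer transient and refusing to deserialize at all.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not Android or IBM code. Demonstrates why a Serializable
// class that carries a native pointer into finalize() is dangerous.
public class SerializationDemo {

    // Stand-in for the native layer (assumption: in the real class this is a
    // JNI call that frees an X509 structure at the given address). Here it
    // only records the address it was asked to free.
    static long lastFreed = -1;
    static void nativeFree(long ptr) { lastFreed = ptr; }

    // Vulnerable shape: mContext is not transient, so it is written to the
    // stream and restored verbatim on deserialization. finalize() then passes
    // the attacker-supplied value to native code.
    static class VulnerableCert implements Serializable {
        private static final long serialVersionUID = 1L;
        private final long mContext;
        VulnerableCert(long ctx) { mContext = ctx; }
        long context() { return mContext; }
        @Override protected void finalize() { nativeFree(mContext); }
    }

    // Hardened shape: the pointer never reaches the stream (transient), and
    // readObject rejects reconstruction outright, so no attacker-controlled
    // instance can exist for the garbage collector to finalize.
    static class HardenedCert implements Serializable {
        private static final long serialVersionUID = 1L;
        private transient long mContext;
        HardenedCert(long ctx) { mContext = ctx; }
        private void readObject(ObjectInputStream in) throws IOException {
            throw new InvalidObjectException("certificate objects must not be deserialized");
        }
        @Override protected void finalize() { if (mContext != 0) nativeFree(mContext); }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker side: build the object with a chosen "pointer" and serialize it.
        // 0x41414141 is a constructed value, chosen to be recognisable.
        byte[] payload = serialize(new VulnerableCert(0x41414141L));

        // Victim side: rebuild the object from the untrusted stream. The
        // garbage collector would eventually run finalize(); it is invoked
        // directly here so the effect is visible without waiting for GC.
        VulnerableCert victimObject = (VulnerableCert) deserialize(payload);
        System.out.printf("deserialized mContext = 0x%x%n", victimObject.context());
        victimObject.finalize();
        System.out.printf("native free requested for 0x%x%n", lastFreed);

        // Hardened class: the same attempt is refused before any object exists.
        try {
            deserialize(serialize(new HardenedCert(0x1234L)));
        } catch (InvalidObjectException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SerializationDemo.java && java SerializationDemo` (finalize is deprecated on modern JDKs, so expect a warning, not an error). The vulnerable path prints the attacker’s 0x41414141 value twice, once as the restored field and once as the address handed to the native free; the hardened path never constructs an object. On a real device the equivalent of nativeFree operates on the supplied address in the victim process, which is what turns a deserialization bug into memory corruption.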

IBM designed a proof-of-concept (PoC) malware that can replace the legitimate Facebook app with a rogue application and allow the attacker to steal sensitive data.

Similar vulnerabilities were discovered by researchers in six different SDKs: Jumio (CVE-2015-2000), MetaIO (CVE-2015-2001), PJSIP PJSUA2 (CVE-2015-2003), GraceNote GNSDK (CVE-2015-2004), MyScript (CVE-2015-2020) and esri ArcGis (CVE-2015-2002). Five of these SDKs are vulnerable because of code generated by the SWIG interoperability tool, which wraps native libraries for use from Java and produces the same shape of class: a Java object holding a raw pointer to native memory that is released when the object is finalized.

Researchers noted that the Google Play Services APK also included the vulnerable OpenSSLX509Certificate class.

“As opposed to vulnerabilities found in final products, such as operating systems or applications where an automatic update mechanism is usually available, the situation is by far worse for SDKs. One vulnerable SDK can affect dozens of apps whose developers are usually unaware of it, taking months to update,” explained Or Peles, a member of IBM’s X-Force Application Security Research Team.

Google has patched the vulnerability in Android 4.4, 5.0, 5.1 and M. The developers of the affected SDKs were also notified and released patches. IBM says it hasn’t found any evidence that the vulnerabilities have been exploited in the wild.

Several vulnerabilities have been identified in Android this year. The list includes privilege escalation, installer hijacking, and denial-of-service (DoS) flaws.

The most serious issues discovered so far this year are related to the Stagefright media playback engine. The Stagefright vulnerabilities, identified by researchers at enterprise mobile security firm Zimperium, impact roughly 950 million Android devices and they can be exploited to compromise smartphones simply by sending a specially crafted media file to the target.

A recent study from the Ponemon Institute and IBM showed that organizations find it difficult to secure their mobile apps. An average of $34 million is spent annually on mobile app development, but only 5.5 percent of it is used for app security.

Related: Popular Android Dating Apps Put Corporate Data at Risk

Related: Dropbox Android SDK Flaw Exposes Mobile Users to Attack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
