The Android operating system offers a backup/restore mechanism of installed packages through the ADB utility. Full backup of applications including the private files stored on /data partition is performed by default, but applications can customize this behavior by implementing a BackupAgent class. This way they can feed the backup process with custom files and data. SEARCH-LAB Ltd. discovered a vulnerability in the design of the Android backup mechanism: the backup manager, which invokes the custom BackupAgent does not filter the data stream returned by the applications. A malicious BackupAgent (without any Android permissions) is able to inject additional applications (APKs) through reflection into the backup archive without the user's consent. Upon restoration of the backup archive, the system installs the injected, additional application (since it is already part of the backup archive). The installed malware could gain any (non-system) permissions it wanted without any confirmation dialogs. SEARCH-LAB Ltd. reported the vulnerability to the Android security team on July 14, 2014, but the issue was still not fixed. This means as of today, July 10, 2015 all current Android versions are affected, including L (5.1.1). Further information, technical details and working Proof of Concept code can be found here: http://ift.tt/1MhfciX http://ift.tt/1HTF9oO
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment