Full Disclosure mailing list archives

CVE-2014-7952, Android ADB backup APK injection vulnerability


From: Imre RAD <imre.rad () search-lab hu>
Date: Fri, 10 Jul 2015 10:48:00 +0200

The Android operating system offers a backup/restore mechanism for
installed packages through the ADB utility. A full backup of applications,
including the private files stored on the /data partition, is performed by
default, but applications can customize this behavior by implementing a
BackupAgent class. This way they can feed the backup process with custom
files and data.

SEARCH-LAB Ltd. discovered a vulnerability in the design of the Android
backup mechanism: the backup manager, which invokes the custom
BackupAgent, does not filter the data stream returned by the
applications. A malicious BackupAgent (without any Android permissions)
is able to inject additional applications (APKs) through reflection into
the backup archive without the user's consent. Upon restoration of the
backup archive, the system installs the injected, additional application
(since it is already part of the backup archive). The installed malware
could gain any (non-system) permissions it wanted without any
confirmation dialogs.

SEARCH-LAB Ltd. reported the vulnerability to the Android security team
on July 14, 2014, but the issue has still not been fixed. This means that
as of today, July 10, 2015, all current Android versions are affected,
including L (5.1.1).

Further information, technical details and working Proof of Concept code
can be found here:
https://github.com/irsl/ADB-Backup-APK-Injection/
http://www.search-lab.hu/about-us/news/110-android-adb-backup-apk-injection-vulnerability


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

