Now, IBM’s X-Force Application Security Research Team has discovered yet another critical vulnerability in Android smartphones and tablets. The flaw, which affects Android OS version 4.3 Jelly Bean to Android 5.1 Lollipop and also the latest Android M Preview 1 version, allows hackers to remotely control a targeted device. Since this flaw is affecting all devices running from Jelly Bean and above, almost half of the smartphones active in the world are affected by this bug. The vulnerability has been dubbed as Android serialization vulnerability and given CVE-2015-3825. The Android serialization vulnerability allows a malicious app with no privileges to gain full control of a device through remote code execution. Which means that hackers can then replace a legitimate, trusted application with a lookalike ‘Super App‘ to fool the user into inputting personal details. Or Peles of IBM’s X-Force Application Security Research Team explained in a blog post that the flaw has not been exploited in the wild yet, but claimed that “with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users.” Once the malware is executed it replaces a real app with a fake one, which enables the attacker to either steal sensitive information from the app, or craft a convincing phishing attack. For instance, an attacker can take over any application on the victim’s device by replacing the target app’s Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim. In addition, we were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. We could also change the SELinux policy and, on some devices, also load malicious kernel modules.” Peles claimed his team has also found vulnerabilities in several third-party Android SDKs, allowing arbitrary code execution which could enable attackers to steal sensitive information from the affected apps. The X-Force research team has notified Google, which has already released patch for the flaw. The X-Force research can be found here. Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps – for example, accessing the network or the phone’s camera.” “The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”
