lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 10 Jul 2015 10:48:00 +0200
From: Imre RAD <>
Subject: [FD] CVE-2014-7952, Android ADB backup APK injection vulnerability

The Android operating system offers a backup/restore mechanism of
installed packages through the ADB utility. Full backup of applications
including the private files stored on /data partition is performed by
default, but applications can customize this behavior by implementing a
BackupAgent class. This way they can feed the backup process with custom
files and data.

SEARCH-LAB Ltd. discovered a vulnerability in the design of the Android
backup mechanism: the backup manager, which invokes the custom
BackupAgent does not filter the data stream returned by the
applications. A malicious BackupAgent (without any Android permissions)
is able to inject additional applications (APKs) through reflection into
the backup archive without the user's consent. Upon restoration of the
backup archive, the system installs the injected, additional application
(since it is already part of the backup archive). The installed malware
could gain any (non-system) permissions it wanted without any
confirmation dialogs.

SEARCH-LAB Ltd. reported the vulnerability to the Android security team
on July 14, 2014, but the issue was still not fixed. This means as of
today, July 10, 2015 all current Android versions are affected,
including L (5.1.1).

Further information, technical details and working Proof of Concept code
can be found here:

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists