Daniel Divricean, a software engineer specialising in security, has claimed to have a proof of concept for a serious, high-impact flaw in Google Play's install mechanism. According to Daniel, the vulnerability allows an app to install any number of apps, with any permissions, without the user's explicit consent. Google, for its part, has confirmed the vulnerability to Daniel and said that a fix is live for 100 percent of Android users as of 12 February 2014.

Flaw in Google Play can be used to install any App including Trojans without user consent, Google says it has been fixed
Apps installed on Android devices through the Google Play Store app or the Google Play website normally ask the user for explicit permission before using the various services of the Android operating system. But Daniel says that anyone can develop an app (possibly a Trojan) and get it installed on any Android device, through Google Play as well as the web, without any explicit user consent. Daniel says the attack rests on two things:

1. You can install an app from Google Play using just the browser, even from a PC.

2. An app can embed a browser and automatically log in to your Google account without any notification, using a few permissions.

A summary of his findings follows.

Description
————————
A publisher/developer/hacker can build an Android app, which can be a Trojan, that requires these permissions:

android.permission.INTERNET – Allows applications to open network sockets.
android.permission.GET_ACCOUNTS – Allows access to the list of accounts in the Accounts Service.
android.permission.USE_CREDENTIALS – Allows an application to request authtokens from the AccountManager.

Once the app has been built with the above permissions, these are the steps to reproduce it:
1. The Trojan app contains a WebView that automatically logs in to the user's Google account by requesting auth tokens from the Account Manager; the user will not be notified nor have any way to stop this.
2. The WebView loads the Google Play website and injects JavaScript code on page load.
3. The JavaScript code makes a request to get the device information and CSRF tokens; it gets information about all devices registered with that account. Remember, the browser is logged in with the user's Google account.
4. Using this information it can issue a request to install ANY app on Google Play, on EVERY device registered with that Google account.

The Android user (the potential victim) is never prompted for consent and has no way to stop this.

Daniel has also outlined the likely scenarios once cyber criminals exploit this vulnerability.

– The Trojan app could be full screen, so the user will not even see the install notification.
– The Trojan app could choose to install the app on a different device, from the devices registered with the Google account; the user will not see anything unusual on the current device where the Trojan runs.
– The installed app can have access to ALL permissions (if it specifies so in the manifest) without the user explicitly approving that; it could have access to services that cost you money, like sending SMS or making phone calls, manage accounts, disable your phone, just look at the permission list.
– Since you have access to all Google data for that account, there are other scenarios, like accessing emails and more, but the PoC did not address those.
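As an added example (not Daniel's PoC and not Google's code), the following Python script triages decoded AndroidManifest.xml files for the permission combination listed under Description above, INTERNET + GET_ACCOUNTS + USE_CREDENTIALS, which is what lets an app silently obtain an account token and use it over the network, and separately flags the money-costing permissions named in the scenarios (SEND_SMS, CALL_PHONE) that a silently installed payload might request. The manifests it parses, the package names and the `triage` function are constructed for the example and are not taken from Daniel's report.

```python
"""Manifest triage for the permission pattern described above.

Added example, not code from Daniel's report or from Google. It expects a
decoded (plain-text) AndroidManifest.xml, such as apktool produces; the
sample manifests and package names below are constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The three permissions from the report: together they let an app read the
# account list, fetch an auth token for it, and use that token over the network.
TOKEN_ABUSE_PERMS = frozenset({
    "android.permission.INTERNET",
    "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS",
})

# Permissions that cost the victim money, as named in the scenarios above.
COSTLY_PERMS = frozenset({
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
})


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Summarise one manifest: does it complete the token-abuse set, what is
    missing from it, and which money-costing permissions it requests."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    missing_token = TOKEN_ABUSE_PERMS - perms
    return {
        "package": root.get("package"),
        "token_abuse_set": not missing_token,
        "missing_for_token_abuse": sorted(missing_token),
        "costly": sorted(perms & COSTLY_PERMS),
    }


# Constructed sample: a "flashlight" app declaring exactly the report's triad.
SAMPLE_TROJAN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: a payload of the kind the attack could push, requesting
# money-costing permissions but not the token triad.
SAMPLE_PAYLOAD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.payload">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Payload"/>
</manifest>"""


if __name__ == "__main__":
    for xml in (SAMPLE_TROJAN, SAMPLE_PAYLOAD):
        print(triage(xml))
```

The triad reflects the Android permission model of early 2014; USE_CREDENTIALS was later deprecated (as of Android 6.0 it is no longer required), so a check aimed at current targets should treat INTERNET plus GET_ACCOUNTS as the trigger and lean on runtime-permission and account-visibility behaviour instead.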

Daniel, who previously received a $2,000 Chromium Security Reward from Google for his bug report No. 93416, says he has already sent Google his proof of concept for this vulnerability. Because the vulnerability is very high risk, he is refraining from publishing it online for the moment.

“I will not release the PoC, I think it would be too easy to cause real damage. However it is not that difficult to implement.”

The timeline of his reporting to Google about this high-risk vulnerability is as follows:
2013-12-16 – Contact security(at)google.com.
2013-12-17 – Received reply that the issue was passed to security(at)android.com.
2013-12-20 – Received reply that they could not reproduce the issue.
2013-12-20 – Sent a stripped down version of the PoC, not much different.
2014-01-16 – Request status update.
2014-01-24 – Received response that the rollout of the fix started last week.
2014-02-12 – Received response that the fix is live for 100% users/devices.

Daniel says the fix now in place is to no longer allow the browser to log in automatically. Instead, the user is prompted with a text saying that it would allow the app to have access to all Google data. This, however, does not tell the user that it would allow automatic installation of any app, potentially causing direct and immediate loss of money.

Resource: CXSecurity
