Over half of Android devices vulnerable to remote control bug through fake lookalike app

This seems to be a bad month for Google, and for the Android security team in particular, because since the month began there have been several major vulnerabilities reported in Android OS. First came the Stagefright vulnerability, which could let hackers crash your smartphone just by sending a multimedia message. Then came the Silent Attack vulnerability, an extension of Stagefright that could give hackers remote entry into an Android smartphone without the owner's consent or knowledge.

Now, IBM's X-Force Application Security Research Team has discovered yet another critical vulnerability in Android smartphones and tablets. The flaw, which affects Android OS versions 4.3 Jelly Bean through 5.1 Lollipop as well as the latest Android M Preview 1, allows hackers to remotely control a targeted device.

Since the flaw affects every device running Jelly Bean or later, almost half of the smartphones active in the world are affected by this bug. The vulnerability has been dubbed the Android serialization vulnerability and assigned CVE-2015-3825.

The Android serialization vulnerability allows a malicious app with no privileges to gain full control of a device through remote code execution, which means hackers can then replace a legitimate, trusted application with a lookalike 'Super App' to fool the user into entering personal details.

Or Peles of IBM’s X-Force Application Security Research Team explained in a blog post that the flaw has not been exploited in the wild yet, but claimed that “with the right focus and tools, malicious apps have the ability to bypass even the most security-conscious users.”

“The PoC exploit we created attacks the highly privileged system_server process. Exploiting system_server allows for privilege escalation to the system user with a rather relaxed SELinux profile (due to system_server‘s many responsibilities), which enables the attacker to cause a lot of damage.

For instance, an attacker can take over any application on the victim’s device by replacing the target app’s Android application package (APK). This can then allow the attacker to perform actions on behalf of the victim. In addition, we were able to run shell commands to exfiltrate data from all applications installed on the device by exploiting the Android Keychain app. We could also change the SELinux policy and, on some devices, also load malicious kernel modules.”

Once the malware is executed it replaces a real app with a fake one, which lets the attacker either steal sensitive information from the app or craft a convincing phishing attack.

Peles claimed his team has also found vulnerabilities in several third-party Android SDKs that allow arbitrary code execution, which could let attackers steal sensitive information from the affected apps.

“The discovered vulnerabilities are a result of the attacker’s ability to control pointer values during object deserialization in arbitrary apps’ memory space, which is then used by native app code invoked by the runtime’s garbage collector (GC),” he added.

“Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps – for example, accessing the network or the phone’s camera.”

“The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”
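The mechanism Peles describes, as an added illustration that is not IBM's PoC and not any real Android class (the class names are hypothetical and the JNI calls are stubbed so it runs on a plain JDK): a Serializable object whose native-pointer field is restored verbatim from an untrusted stream and then handed to native code by its finalizer when the garbage collector runs, beside a hardened version that keeps the pointer out of the stream entirely.

```java
import java.io.*;

// Added illustration, not IBM's PoC or any real Android class; names are hypothetical.
public class NativeHandleDemo {
    // Risky pattern: a Serializable object carrying a raw native pointer. Java restores
    // the field verbatim from the untrusted stream, and the finalizer (run by the GC)
    // passes it straight to native code.
    static class UnsafeWrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        long nativeHandle;                   // taken straight from the stream
        UnsafeWrapper(long h) { nativeHandle = h; }
        @Override protected void finalize() { nativeFree(nativeHandle); }
    }

    // Hardened pattern: the handle is transient so no stream can set it, a trusted
    // allocator re-creates it in readObject, and the finalizer only frees a handle
    // this object allocated itself.
    static class SafeWrapper implements Serializable {
        private static final long serialVersionUID = 1L;
        transient long nativeHandle;         // always 0 right after deserialization
        SafeWrapper() { nativeHandle = nativeAlloc(); }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            nativeHandle = nativeAlloc();    // never trust the stream for this value
        }
        @Override protected void finalize() { if (nativeHandle != 0) nativeFree(nativeHandle); }
    }

    // Stand-ins for JNI calls so the demo runs without native code.
    static long nativeAlloc() { return 0x1000L; }
    static void nativeFree(long h) { System.out.println("free(0x" + Long.toHexString(h) + ")"); }

    // Serialize then deserialize, as an object crossing an app boundary would.
    static <T extends Serializable> T roundTrip(T obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()));
        @SuppressWarnings("unchecked") T out = (T) in.readObject();
        return out;
    }

    public static void main(String[] args) throws Exception {
        long chosen = 0x41414141L;           // constructed sample value the sender controls
        UnsafeWrapper u = roundTrip(new UnsafeWrapper(chosen));
        System.out.println("unsafe handle after deserialization: 0x" + Long.toHexString(u.nativeHandle));
        SafeWrapper s = roundTrip(new SafeWrapper());
        System.out.println("safe handle after deserialization:   0x" + Long.toHexString(s.nativeHandle));
    }
}
```

The unsafe wrapper comes back holding exactly the value the sender put in the stream, which is what makes the later native free dangerous; the safe wrapper comes back with a handle it obtained from its own allocator, so the stream contents never reach native code.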

The X-Force research team notified Google, which has already released a patch for the flaw. The X-Force research can be found here.