In late November, we sent a customer advisory and published a blog post regarding a new privilege escalation exploit that affects all versions of Android prior to 5.0 (Lollipop). We’d like to update you on the existence of two new Android exploits based on this vulnerability and that were published at the beginning of January.

This new Privilege Escalation vulnerability has recently been exploited in the wild by two rooting tools. At this time, this vulnerability is being exploited on two devices, the Sony Xperia Z3 and Z3C,  but it could be exploited on any device running a version of Android older than Lollipop.

How does the attack work?

There are several ways an attack based on this exploit could be implemented:

  • By using social engineering to convince a user to install a malicious Android application, either from the official Google Play app store or from a third party source. This source could be an unofficial app store or a direct link to another source distributed to the user via email or SMS.
  • By using a web-based attack that leverages a public vulnerability in an existing application, such as in the user’s browser (CVE-2013-6632).
  • By physically connecting the victim’s device to an attacker’s computer.

What are the consequences of an attack?

An attacker can use the vulnerability to do the following:

  • Bypass the Android permission model and obtain full control of the smartphone or tablet.
  • Install a persistent back door on the victim’s device that would enable future access.
  • Run code under system (administrator) privileges.
  • Access data stored and used by banking and financial apps.
  • Access personal files and sensitive information on the device (in some cases including encrypted files). This includes data that is protected by enterprise security solutions such as:
    • Good for Enterprise
    • Checkpoint Mobile Access Software Blade
    • Divide

Which devices are affected?

This vulnerability is currently being exploited on two devices:

  • Sony Xperia Z3
  • Sony Xperia Z3C

However, this vulnerability can be exploited on any device running an Android version older than Lollipop (Android 5.0).

How can enterprises minimize exposure?

  • Users should be instructed to install applications exclusively from reputable sources such as from well-known developers on Google Play.
  • Users should be instructed never to open suspicious or unknown links sent to the device.

Are Lacoon customers protected?

Yes. If an attack does occur, Lacoon will detect the exploitation of this vulnerability regardless of the device type.

Technical Overview

In Android versions older than 5.0 (Lollipop), java.io.ObjectInputStream does not validate whether the object that is being deserialized is actually serializable. This means that when ObjectInputStream is used on untrusted inputs, an attacker can initiate the creation of an instance of any class with a non-private parameterless constructor. All fields of that instance can be set to arbitrary values.

The malicious object will then typically either be ignored or cast to a type to which it doesn’t fit, implying that no methods will be called on it and no data from it will be used. However, when it is collected by the Garbage Collector, it will call the object’s finalize method.

The android system_service runs under UID 1000 and amongst other things (as mentioned above) can change into the context of any app and/or install new applications with arbitrary permissions. Apps can talk to it using Intents with attached bundles. Bundles are transferred as arraymap Parcels and arraymap Parcels can contain serialized data. This means that any app can attack the system_service this way.

By attacking the system_service in this way, an attacker can get permissions to install or remove applications and access any user/application data that the attacker wants to access.

More information