Last week, the first exploit for the HTC One M7 and the brand new HTC One M8 – two of the most popular available smartphones today – was published.
The significance? The vulnerability behind this exploit means that any app, regardless of its permission set, can run the exploitable code to gain root access (i.e. bypass all of Android’s built-in security mechanisms). In other words, an attacker can take a legitimate app, let’s say Flappy Bird, re-package it with exploit code and distribute it. A victim running the app will unknowingly grant that app, and consequently the attacker, root permissions on the device.
Since the exploit, and with it the vulnerability, were disclosed only a few days ago, it’s too early to tell how widely the vulnerability is being exploited. However, a free downloadable exploit named WeakSauce, which runs with a single click, has already been circulating on mobile forums.
The source of this issue is a service that HTC uses to integrate with the Android OS. This service enables a severe privilege escalation vulnerability. Worse yet, the vulnerability can be exploited even with the new file system verification feature in Android 4.4. As a result, the attacker can both modify file permissions and place malicious files in any location, regardless of the permissions normally needed to create or access such files. Another relevant point is how simple the vulnerability is to exploit.
Here’s a short Q&A we put together based on customers’ inquiries. We found it useful to share with you in the hope of better understanding the issue and defending against relevant exploits.
How can the vulnerability be used by an attacker?
- By repackaging a legitimate app and then convincing the victim to install it – either from the official Google Play store, a 3rd-party marketplace, or even as an email attachment. Once the app is run, the device is immediately infected.
- Via a web attack leveraging a public vulnerability in an existing application, such as the user’s mobile web browser (CVE-2013-6632).
- By physically connecting the device to an attacker’s computer.
What are the consequences of an attack?
Following a successful attack, the attacker can:
- Obtain full control of the smartphone by bypassing the Android permission model
- Run malicious code under system (administrator) privileges
- Retrieve various files and sensitive information on the device
- Bypass enterprise data protection applications, including secure containers, wrappers and hardened apps. Consequently, the attacker can extract encrypted and sensitive corporate information such as emails, confidential documents and passwords
- Insert a persistent backdoor on the device to be later used for further attack activities
Which HTC devices are affected by this vulnerability?
- HTC One M8
- HTC One M7
- Most probably, all older HTC devices
Are other Android-running device manufacturers vulnerable to similar vulnerabilities?
Not that we know of, at present. We do know of several previous exploits that took advantage of vulnerabilities in services or processes added by the manufacturers. We are constantly researching other devices – both in our labs and by analyzing mobile-related forums. We’ll update you once we have more information.
What mitigation measures should be used?
It is important to note that customers of Lacoon Mobile Security are alerted to any rooting attempt by an unauthorized app on an employee’s device. With Lacoon Mobile Fortress’s behavioural application analysis and on-device network-event and anomaly detection, enterprises will be alerted immediately.
Organizations should also follow these general mitigation best-practices:
- Employees should be instructed to install applications only from reputable sources (trusted and established developers and only from the official Google Play store).
- Employees should be instructed not to open suspicious or unknown links sent to the device.
- Employees should be instructed to remain vigilant about the physical security of their devices, so as to prevent the installation of a malicious app.
- Detect the rooting of employees’ devices. As noted above, Lacoon Mobile Fortress detects devices that have been rooted, whereas, as described in the response regarding the consequences of an attack, MDMs, secure containers and hardened apps cannot detect the rooting of the device.
- Once HTC updates their firmware, ensure employees upgrade to the latest release.
Moving forward, what do we predict in terms of mobile security?
Rootkits (automated and packaged rooting tools) and root vulnerabilities aren’t going to disappear. If anything, it’s likely that they’ll increase in numbers before 2014 is over.