Androids Face Code Execution Woes

Monday, February 16, 2015 @ 10:02 AM gHale

An attacker could exploit vulnerabilities in Google Play and some Android Web browsers to remotely execute arbitrary code on smartphones, researchers said.

One of the problems is that Google Play (play.google.com) lacks appropriate X-Frame-Options (XFO) headers, said researchers at security firm Rapid7. These optional HTTP response headers protect against clickjacking and other types of attacks by preventing other websites from displaying the web page in a frame.

The Google Play Store fails to enforce a proper XFO header on some error pages, said Rapid7 researcher Joe Vennix.
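The gap described above, a framing header that is enforced on normal pages but missing on some error responses, is what a header audit across every status code is meant to catch. The following Python is an added example, not code from Rapid7 or the original article; the paths and header values in `SAMPLE` are constructed, and it assumes the client honours CSP `frame-ancestors` where that directive is present.

```python
VALID_XFO = {"DENY", "SAMEORIGIN"}

def framing_protection(headers):
    """Classify one response's anti-framing headers.
    headers: list of (name, value) pairs. Returns (protected, reason)."""
    xfo = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            # A comma-separated value is equivalent to repeated headers.
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
        elif lname == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    # Assumption: the client supports frame-ancestors.
                    if "*" in parts[1:]:
                        return False, "frame-ancestors allows any origin"
                    return True, "frame-ancestors " + (" ".join(parts[1:]) or "'none'")
    if not xfo:
        return False, "no X-Frame-Options header"
    if len(xfo) > 1:
        # Conservative audit choice: conflicting values are reported as a finding.
        return False, "conflicting X-Frame-Options: " + ", ".join(sorted(xfo))
    value = next(iter(xfo))
    if value not in VALID_XFO:
        return False, "X-Frame-Options is not DENY or SAMEORIGIN: " + value
    return True, "X-Frame-Options " + value

def audit(responses):
    """Return (status, path, reason) for every response that can be framed."""
    findings = []
    for status, path, headers in responses:
        ok, reason = framing_protection(headers)
        if not ok:
            findings.append((status, path, reason))
    return findings

# Constructed sample: hypothetical paths and headers, not captured from any real site.
SAMPLE = [
    (200, "/store", [("X-Frame-Options", "SAMEORIGIN")]),
    (404, "/store/missing", [("Content-Type", "text/html")]),
    (500, "/store/error", [("x-frame-options", "ALLOW-FROM https://example.com")]),
    (403, "/account", [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Feeding the audit responses for error statuses as well as successful ones is the point: a check that only samples 200 pages would pass a site with this flaw.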

By combining this security flaw with a universal cross-site scripting (UXSS) vulnerability in the Web browser shipped with Android versions prior to 4.4 (KitKat), or an XSS bug in Google Play, an attacker can remotely install arbitrary Android application packages (APKs) on smartphones.

A Metasploit module made available by Rapid7 showed how these two security holes can be exploited for remote code execution on Android devices.

“[Exploitation of the vulnerabilities] leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device,” Rapid7’s Tod Beardsley said in a blog post.

Attacks can be prevented by using a browser that is not vulnerable, such as Firefox or Chrome, or by logging out of the Google account when using an affected browser, Beardsley said.

The XFO header issue was first reported to Google in December and to CERT/CC in January. UXSS vulnerabilities affecting the WebView component in the browser shipped with Android 4.3 and prior will not be fixed because Google found that doing so is not practical due to the size of the code.

“With the advances in Android 4.4, the number of users that are potentially affected by legacy WebKit security issues is shrinking every day as more and more people upgrade or get new devices,” Google officials said last month.

Starting with Android 4.4, OEMs are able to deliver WebView patches from Google to customers. Android 5.0 Lollipop also addresses the issue of patches by pushing out updates directly through Google Play.


