A malicious Android app could endlessly respawn itself through the usage of infected backup packages

Jul 10, 2015 13:35 GMT  ·  By
Android backup system can allow malicious apps to replicate themselves through backup packages

Security firm SEARCH-LAB Ltd. has discovered a flaw in the Android operating system's backup routine that can be used to inject malicious apps into backup files.

The vulnerability makes use of ADB (Android Debug Bridge), a command-line tool bundled with every Android device and used in many operating system routines and operations, including the backup process.

A weak design of the BackupAgent class lets any application, without any filtering, dictate what the backup process stores in the backup archive.

This means that an infected phone carrying a properly designed malicious backup agent can save the malware into every backup and have it restored again at a later point.

Since all restored apps are treated as safe and authentic applications, they are also granted the permissions listed in the restore package without going through any user authorization step.

In practice, a simple piece of malware can therefore re-spawn itself during backup restoration as a regular top-level app, with any non-system permissions it needs to carry out attacks.
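To make the mechanism concrete from the defender's side, here is an added example (not code from the article, from SEARCH-LAB or from Google) that inventories the packages inside an ADB backup archive and flags any package carrying an APK payload that the backup was not requested for, which is exactly what a restore would reinstall. It assumes the standard .ab container layout: a four-line text header (the "ANDROID BACKUP" magic, format version, compression flag, encryption scheme) followed by a zlib-compressed tar stream whose entries live under apps/<package>/..., with a _manifest file per package and the APK in the "a" domain. The function names, the package com.example.requested and the sample archive are all constructed for this example; com.searchlab.wifitest is the injected package named in the article's demo.

```python
"""Audit an ADB backup (.ab) file for injected application packages.

Added example, not from the article or SEARCH-LAB. It assumes the standard .ab
layout described in the lead-in; the helper names and the sample archive built
by build_sample_backup() are constructed for illustration.
"""
import io
import tarfile
import zlib

HEADER_MAGIC = b"ANDROID BACKUP"


def parse_ab(data: bytes):
    """Split an .ab blob into its header fields and the decompressed tar bytes."""
    lines = data.split(b"\n", 4)  # four header lines, then the payload
    if len(lines) < 5 or lines[0] != HEADER_MAGIC:
        raise ValueError("not an Android backup file")
    version, compressed, encryption, body = lines[1], lines[2], lines[3], lines[4]
    if encryption != b"none":
        raise ValueError("encrypted backups are not handled by this example")
    if compressed == b"1":
        body = zlib.decompress(body)
    return {"version": int(version), "encryption": encryption.decode()}, body


def audit_backup(data: bytes, expected_packages):
    """Return a per-package inventory and the packages that carry an APK but
    were not among the packages the backup was taken for."""
    _header, tar_bytes = parse_ab(data)
    inventory = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) < 3 or parts[0] != "apps":
                continue  # shared storage or an unknown domain, not an app entry
            pkg = parts[1]
            entry = inventory.setdefault(pkg, {"manifest": False, "apks": [], "files": 0})
            if parts[2] == "_manifest":
                entry["manifest"] = True
            elif parts[2] == "a" and member.name.endswith(".apk"):
                entry["apks"].append(member.name)  # restore would install this
            elif member.isfile():
                entry["files"] += 1
    expected = set(expected_packages)
    unexpected = sorted(p for p, e in inventory.items() if e["apks"] and p not in expected)
    return inventory, unexpected


def _tar_entry(tar, name, payload: bytes):
    """Add one regular file with the given bytes to an open tar archive."""
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    tar.addfile(info, io.BytesIO(payload))


def build_sample_backup() -> bytes:
    """Constructed .ab archive: the requested app plus a second, injected package."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        # The package the backup was actually requested for: manifest plus user data.
        _tar_entry(tar, "apps/com.example.requested/_manifest", b"1\ncom.example.requested\n")
        _tar_entry(tar, "apps/com.example.requested/f/notes.txt", b"user data")
        # A second package that was never requested but arrives with an APK payload
        # (placeholder bytes, not a real APK), as in the article's demo archive.
        _tar_entry(tar, "apps/com.searchlab.wifitest/_manifest", b"1\ncom.searchlab.wifitest\n")
        _tar_entry(tar, "apps/com.searchlab.wifitest/a/base.apk", b"PK\x03\x04 placeholder apk bytes")
    return b"ANDROID BACKUP\n1\n1\nnone\n" + zlib.compress(buf.getvalue())


if __name__ == "__main__":
    inventory, unexpected = audit_backup(build_sample_backup(), ["com.example.requested"])
    for pkg, entry in inventory.items():
        print(pkg, entry)
    print("packages with APK payloads that were not requested:", unexpected)
```

Run it against a real archive by reading the .ab file into bytes and passing the package names given to `adb backup` as the expected list; encrypted archives (a backup password was set) are rejected rather than decrypted here, and the APK file name under the "a" domain varies between Android releases, which is why the check matches on the `.apk` suffix rather than on `base.apk`. Note that `adb backup` only works with USB debugging enabled, which is the developer-only capability Google refers to below.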

Google classified the vulnerability as a low-security risk

Since the vulnerability depends on developer capabilities and on the phone being previously infected with a malicious app, the Google Android security team has classified this as a low-priority issue, as SecurityWeek reports.

“This issue does not affect Android users during typical device operation, as it requires the use of a developer-only capability that is not enabled by default and is not frequently used,” said a Google representative. “Exploitation also requires that users install a potentially harmful application.”

Google was made aware of the issue in July of last year, but since no fix followed, the Hungarian security firm felt obliged to disclose its findings.

The vulnerability is documented as CVE-2014-7952 and demonstrated with files published on GitHub; it is currently present on all versions of the Android OS.

Image gallery: Android ADB backup APK injection vulnerability (4 images). Captions: "Android backup system can allow malicious apps to replicate themselves through backup packages"; "In the tar file you will find the injected second application (com.searchlab.wifitest)".