Zero-day vulnerability gives Android apps super-privileges

Aug 11, 2015 09:51 GMT
Android vulnerability lets hackers escalate privileges using a simple exploit

At the USENIX WOOT 2015 security conference in Washington D.C. this weekend, IBM's Or Peles and Roee Hay presented a new zero-day vulnerability affecting Android devices.

In their paper titled "One Class to Rule Them All," the two researchers, who work for IBM's X-Force Application Security Research Team, provided a proof of concept for CVE-2014-3153, a vulnerability they found in Android's OpenSSLX509Certificate class.

When leveraged by an attacker, the class would allow them to escalate the privileges of a lesser app, and grant it super-privileges (system user status) over the whole phone.

Attackers can use it to replace authentic apps with fake ones

For the CVE-2014-3153 zero-day to be exploited, attackers would need an entry point into the user's device.

Since they only need to run a small snippet of code to escalate the privileges of an app, they could hide that small piece of code in any game or lesser app they'd like, and even host it on the Play store.

Once a user installs and accesses it, the code would be executed, and the lesser app would get system-level privileges.

If the attacker's entry point is a more "malicious" app that, besides the escalation code, also contains more complex procedures, the user would be in bigger trouble.

An attacker could easily use this vulnerability to download malicious APKs on the user's device, and then use them to replace authentic apps, like the Facebook app, seen in the video below.

The consequences of escalating privileges with CVE-2014-3153 are not limited to replacing authentic apps. Hackers could also download anything they'd like from the user's device, spy on the user, or do whatever else they want, since the user is never prompted with any popups and everything happens in the background.

55% of all Android devices affected

According to the researchers, all Android versions from 4.3 to 5.1 are affected, meaning Jelly Bean, KitKat, and Lollipop. Additionally, the latest M version, which is still unnamed, is vulnerable as well.

This accounts for about 55% of the entire Android market.

The IBM team has also taken steps to properly disclose this vulnerability, for which Google has already issued patches.