Security Week 31: Fifty shades of insecurity in Android
For a long time we have not written about the security of Android. On the whole, the situation there looks fairly good: nothing as serious as the Stagefright bug of three years ago has turned up since. Since 2016 the Android One program has been growing: mid-range devices in it receive a single OS build and, accordingly, the fastest possible delivery of security updates. According to Google, traditional vendors have also sped up their delivery of updates.
But it has not become entirely good. We recently wrote about an unusual Android smartphone posing as the tenth iPhone, in which there is no protection of user data at all. That is exotic, though. Kryptowire, on the other hand, analyzed ( news ) the firmware of many ordinary smartphones sold all over the world, and in 25 different models found serious security holes. This is a clear, and still rather fresh, view of Android security. It is one thing when a vulnerability is found in the Android source code: it usually affects all devices, but for that very reason it gets closed quickly. It is another thing when the problem is introduced while a specific manufacturer modifies stock Android: it can sit in the firmware for years.
What did they actually find? Most of the vulnerabilities fall under "a malicious application gets access to something it should not have". For example, on the LG G6 an application without special privileges can lock the device so that only a factory reset helps (or, if the ADB debugging interface was enabled in advance, it can be unlocked that way). There was also a way to gain access to the system logs and send them over the Internet. On the Essential Phone, any application can wipe absolutely all information from the device. On the Asus ZenFone 3 Max, any application can execute commands with system privileges.
And so on. In the company's presentation at DEF CON it was noted that this weakening of application isolation was caused precisely by the peculiarities of a specific Android implementation: the reference stock version of the OS does not have these problems. This is, of course, not as epic as 100+ smartphones with an active backdoor , but it seems that for the first time security research has gone further along the development chain instead of stopping at analysis of the Android code itself. Even if that code were a hundred times invulnerable, it is still modified to work on specific hardware, with a specific carrier and with specific software. People do that work, and people make mistakes.
Speaking of the chain: Check Point, also at DEF CON, described ( news , research ) a type of attack called Man-in-the-Disk. This is a fashionable name for a generally banal situation: one application writes data to external storage, and another modifies it. As examples the researchers took the Google Translate, Yandex.Translate and Xiaomi Browser applications.
Regarding this seemingly innocuous action, Google's own Android app security recommendations say that data read from external storage must be validated and that executable files should preferably not be stored there at all. The reason is that external storage (roughly speaking, the microSD card or the shared /sdcard partition) is accessible to any other application that holds the storage permission.
So, in the Google and Yandex translators the researchers managed to crash the application by replacing service data stored in shared storage. That in itself is not so scary, but in other programs it is, in principle, possible to hijack control and steal data. In Xiaomi Browser, for example, it was possible to replace the application itself with a malicious copy, and all because the browser keeps temporary files in external storage.
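Google's advice above, as an added example that is not part of the original post or of Check Point's research: a hypothetical Android helper class in Java showing the weak pattern (data used straight from app-specific external storage) beside a hardened one (copy into internal storage, then verify the private copy against a SHA-256 digest that the app obtained over a trusted channel). The class and method names, and the assumption that such a digest is available, are mine.

```java
import android.content.Context;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Added example (not Check Point's or Google's code): the weak pattern that
 * enables Man-in-the-Disk beside a hardened one. Names are hypothetical.
 */
public final class SharedStorageImport {
    private SharedStorageImport() {}

    // Weak: app-specific external storage. Before scoped storage (Android 10/11)
    // any other app holding WRITE_EXTERNAL_STORAGE can rewrite this file between
    // the moment it is downloaded and the moment it is used.
    public static File weakTarget(Context ctx, String name) {
        File dir = ctx.getExternalFilesDir(null);
        if (dir == null) {
            throw new IllegalStateException("external storage is not mounted");
        }
        return new File(dir, name);
    }

    // Hardened: internal storage is private to the app's own Linux UID.
    public static File privateTarget(Context ctx, String name) {
        return new File(ctx.getFilesDir(), name);
    }

    // Guard for code loading: refuse anything outside the app's private directory,
    // resolving symlinks first so a link pointing into /sdcard does not pass.
    public static boolean isPrivatePath(Context ctx, File f) throws IOException {
        String priv = ctx.getFilesDir().getCanonicalPath() + File.separator;
        return f.getCanonicalPath().startsWith(priv);
    }

    /**
     * When data has to arrive through shared storage: copy it into internal storage
     * first, then verify the private copy (never the shared original) against a
     * SHA-256 digest obtained over a trusted channel, e.g. from the app's own server
     * over pinned TLS. Hashing the shared file and then reading it again would leave
     * a window in which another app swaps it (a time-of-check/time-of-use bug).
     * The expected digest itself must not live on external storage either.
     *
     * @return true if the private copy matches; on mismatch the copy is deleted.
     */
    public static boolean importVerified(File shared, File priv, byte[] expectedSha256)
            throws IOException {
        copy(shared, priv);
        byte[] actual = sha256(priv);
        if (!MessageDigest.isEqual(actual, expectedSha256)) { // constant-time compare
            priv.delete();
            return false;
        }
        return true;
    }

    private static void copy(File from, File to) throws IOException {
        try (InputStream in = new FileInputStream(from);
             OutputStream out = new FileOutputStream(to)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        }
    }

    private static byte[] sha256(File f) throws IOException {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on Android", e);
        }
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                md.update(buf, 0, n);
            }
        }
        return md.digest();
    }
}
```

The order matters: copy first, hash the private copy, and only then use it. Checking the shared file and re-reading it afterwards is exactly the window a Man-in-the-Disk attacker needs. For executable content (APKs, dex, native libraries) the stricter rule applies: load it only from a path that passes isPrivatePath, and for APK updates let the platform's package installer verify the signature rather than trusting a file on the card.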
Another security armageddon connected with Android is expected thanks to the developer of the online game Fortnite. First, the Android version is still in development, although the game is already available for iOS. This has already spawned a multitude of web pages and videos explaining how to download and install the game on an Android smartphone, naturally with some kind of trojan and data theft at the end. Second, Epic Games has decided not to publish the game in the Google Play store, so as not to pay Google a significant percentage of all user purchases. As a result, even those who conscientiously look for applications only in the official store will be motivated to look elsewhere, and it will be good if they go straight to the developer's website. And if not? In any case, it will be easy enough to track by the number of malware detections. According to Kaspersky Lab data for the first three months of this year, security software on Android blocked 1,322,578 malicious applications. Incidentally, that is fewer than in the previous quarter. We continue to observe.
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Our editors generally recommend treating any opinions with healthy skepticism.