A research team from IBM X-Force Research and Development, one of the
best-known commercial security research groups, has found that more than 55
percent of Android devices are exposed to a high-severity serialization
vulnerability. The researchers have also found several vulnerabilities in
third-party Android software development kits (SDKs) that can allow attackers
to take over the apps that bundle them.
The serialization vulnerability could allow a malicious app with no special
permissions to escalate its privileges, becoming a “super app” that helps
the attacker take control of the device.
The researchers posted a video showing how their proof-of-concept malware
works.
“Once our malware is executed, it replaces a real app with a
fake one, allowing the attacker to exfiltrate sensitive data from the app
and/or create a perfect phishing attack. We replaced the real Facebook app with
a fake one called Fakebook,” the team said.
The other vulnerabilities, found in third-party Android SDKs, allow arbitrary
code execution in the context of any app that uses the affected SDK. Code
executed this way can, for example, steal sensitive information from the
attacked app.
“The discovered vulnerabilities are a result of the
attacker’s ability to control pointer values during object deserialization in
arbitrary apps’ memory space, which is then used by native app code invoked by
the runtime’s garbage collector (GC),” the researchers explained.
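The pattern the researchers describe is a serializable class that keeps a raw native pointer in an ordinary field and hands that field to native code from finalize(), so that whoever produced the serialized bytes chooses the pointer the garbage collector's finalizer will pass down. The following is an added illustration of that bug class and of the usual hardening; it is not the researchers' proof of concept, and NativeHandle, SafeNativeHandle, NativeStub and the field name mNativePtr are hypothetical stand-ins for a framework class of this shape:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

// Added illustration; hypothetical class and field names, not Android code.
public class SerializedPointerDemo {

    // Stand-in for the JNI side: records every pointer it is asked to free
    // instead of calling free(), so the demo runs without native code.
    static class NativeStub {
        static final List<Long> freed = new ArrayList<>();
        static synchronized void free(long ptr) { freed.add(ptr); }
    }

    // VULNERABLE pattern: the pointer lives in a plain (non-transient) long,
    // so it is written to, and restored from, the serialized stream. When the
    // GC finalizes the object, whatever came out of the stream reaches native code.
    static class NativeHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        long mNativePtr;

        NativeHandle(long ptr) { mNativePtr = ptr; }

        @Override
        protected void finalize() throws Throwable {
            try {
                NativeStub.free(mNativePtr); // real code would be a JNI call such as nativeFree(mNativePtr)
            } finally {
                super.finalize();
            }
        }
    }

    // HARDENED pattern: transient keeps the pointer out of the stream, so a
    // deserialized instance always carries mNativePtr == 0, and finalize()
    // refuses to pass a zero handle to native code.
    static class SafeNativeHandle implements Serializable {
        private static final long serialVersionUID = 1L;
        transient long mNativePtr;

        SafeNativeHandle(long ptr) { mNativePtr = ptr; }

        @Override
        protected void finalize() throws Throwable {
            try {
                if (mNativePtr != 0) {
                    NativeStub.free(mNativePtr);
                }
            } finally {
                super.finalize();
            }
        }
    }

    // Attacker side: serialize an instance whose pointer field holds a chosen
    // value. Deserialization restores fields without running any constructor.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    // Victim side: generic deserialization of untrusted bytes, the step an IPC
    // layer performs before the receiving app ever looks at the value.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        long attackerChosen = 0x4141414141414141L; // constructed value standing in for a crafted address

        NativeHandle vuln = (NativeHandle) deserialize(serialize(new NativeHandle(attackerChosen)));
        System.out.printf("vulnerable class restored pointer 0x%x%n", vuln.mNativePtr);

        SafeNativeHandle safe = (SafeNativeHandle) deserialize(serialize(new SafeNativeHandle(attackerChosen)));
        System.out.printf("hardened class restored pointer 0x%x%n", safe.mNativePtr);

        // Drop both references and request finalization. Finalizers are not
        // guaranteed to run on request, but normally do in this small program.
        vuln = null;
        safe = null;
        System.gc();
        System.runFinalization();
        System.out.println("pointers handed to native free(): " + NativeStub.freed);
    }
}
```

The vulnerable instance comes back holding 0x4141414141414141 and that value is what the finalizer hands to the native stub; the hardened instance comes back with 0 and its finalizer does nothing. In a real app the native free() on an attacker-chosen address is where memory corruption starts, which is why the pointer field must never be part of the serialized form.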
Although the specific flaws have been fixed, the researchers argue that a
general problem deserves a general mitigation that would reduce the impact
of any serialization attack of this kind.
“Since bundles are very common in Android’s IPC, we suggest
changing the bundle’s behavior from one that automatically instantiates all of
its values to a lazy approach, such as retrieving only the values of keys it is
asked for,” the researchers added.
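The following added example contrasts the two behaviours the researchers describe: a bundle that instantiates every value as soon as it is unpacked, and one that keeps the raw bytes and deserializes only the key the app asks for. It is not code from the researchers or from Android; EagerBundle, LazyBundle, the Tripwire class and the byte layout of the parcel are hypothetical stand-ins, using java.io serialization in place of Android's Parcel:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example; hypothetical stand-ins for Bundle/Parcel, not Android code.
public class LazyBundleDemo {

    // Benign value the receiving app actually wants.
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Value the receiver never asked for. It counts how often deserialization
    // instantiates it, standing in for a class that is dangerous to instantiate
    // from an attacker-controlled stream at all.
    static class Tripwire implements Serializable {
        private static final long serialVersionUID = 1L;
        static int instantiations = 0;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            instantiations++;
        }
    }

    // Constructed parcel layout: int count, then per entry a UTF key, an int
    // length and that many bytes of java.io-serialized value.
    static byte[] parcel(Map<String, Serializable> values) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(values.size());
        for (Map.Entry<String, Serializable> e : values.entrySet()) {
            ByteArrayOutputStream vbos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(vbos)) {
                oos.writeObject(e.getValue());
            }
            byte[] v = vbos.toByteArray();
            out.writeUTF(e.getKey());
            out.writeInt(v.length);
            out.write(v);
        }
        out.flush();
        return bos.toByteArray();
    }

    // Split the parcel into raw per-key slices without deserializing anything.
    static Map<String, byte[]> slices(byte[] parcel) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(parcel));
        int count = in.readInt();
        Map<String, byte[]> out = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            String key = in.readUTF();
            byte[] v = new byte[in.readInt()];
            in.readFully(v);
            out.put(key, v);
        }
        return out;
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Behaviour the article describes today: every value is instantiated when
    // the bundle is unpacked, whether or not the app ever reads it.
    static class EagerBundle {
        final Map<String, Object> values = new LinkedHashMap<>();
        EagerBundle(byte[] parcel) throws IOException, ClassNotFoundException {
            for (Map.Entry<String, byte[]> e : slices(parcel).entrySet()) {
                values.put(e.getKey(), deserialize(e.getValue()));
            }
        }
        Object get(String key) { return values.get(key); }
    }

    // Proposed behaviour: keep raw bytes, deserialize only the key asked for.
    static class LazyBundle {
        final Map<String, byte[]> raw;
        LazyBundle(byte[] parcel) throws IOException { raw = slices(parcel); }
        Object get(String key) throws IOException, ClassNotFoundException {
            byte[] v = raw.get(key);
            return v == null ? null : deserialize(v);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed bundle: the expected greeting plus an extra key the receiver has no reason to read.
        Map<String, Serializable> m = new LinkedHashMap<>();
        m.put("greeting", new Greeting("hello"));
        m.put("extra", new Tripwire());
        byte[] bytes = parcel(m);

        Tripwire.instantiations = 0;
        Greeting g1 = (Greeting) new EagerBundle(bytes).get("greeting");
        System.out.println("eager: got '" + g1.text + "', Tripwire instantiated " + Tripwire.instantiations + " time(s)");

        Tripwire.instantiations = 0;
        Greeting g2 = (Greeting) new LazyBundle(bytes).get("greeting");
        System.out.println("lazy:  got '" + g2.text + "', Tripwire instantiated " + Tripwire.instantiations + " time(s)");
    }
}
```

The eager bundle instantiates Tripwire once even though the app only asked for "greeting"; the lazy bundle never touches it. Lazy unpacking narrows the attack surface to keys the app actually reads, but the value behind a requested key is still deserialized, so it complements rather than replaces keeping dangerous state such as native pointers out of serializable fields.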