Video Fresh from sorting out the Stagefright flaw, Google has another serious security vulnerability in Android on its hands.
A privilege escalation hole allows normal apps to gain superpowers to snoop on a device's owner, smuggle in malware, and wreak other havoc.
The vulnerability, CVE-2015-3825, affects about 55 per cent of Android handsets – basically version 4.3 and above, as well as the current build of Android M.
Flaws in the OpenSSLX509Certificate class in Android can be exploited by an app to compromise the system_server process – and gain powerful system-level access on the device.
"In a nutshell, advanced attackers could exploit this arbitrary code execution vulnerability to give a malicious app with no privileges the ability to become a 'super app' and help the cybercriminals own the device," said Or Peles, security researcher at IBM's X-Force application security research team.
"In addition to this Android serialization vulnerability, the team also found several vulnerable third-party Android software development kits (SDKs), which can help attackers own apps."
It works like this. The attacker puts together an innocuous-looking app which, when installed, doesn't ask for permission to use data on the device, lulling the downloader into a false sense of security.
But once installed, the malware changes the memory values on the handset using the OpenSSLX509Certificate flaws, allowing it to escalate its privileges. The attacker can then introduce a replacement application for a legitimate app already on the device, and begin harvesting data once the device is rebooted.
The good news is that a patch for the flaw is available and there are no instances yet spotted of the vulnerability being exploited in the wild. The bad news is that most people won't have received the patch as yet, and many have to wait for one of the forthcoming monthly updates to get it.
The full explanation [PDF] of the flaw is being presented at the USENIX Workshop on Offensive Technologies (WOOT '15) in Washington DC. ®