There must be a glitch in the Matrix. I feel like I'm writing the same news again and again. A pair of researchers from IBM's X-Force Application Security Research Team has discovered a set of vulnerabilities in Android and some popular app SDKs. The worst of the bugs can let a seemingly innocuous app run arbitrary code on the device, and it's present in Android versions 4.3 and above—affecting 55% of handsets worldwide. Check out the proof-of-concept video, where the Facebook app is replaced with Fakebook:
Both Google and the SDK makers have provided patches for their respective software, but as always, updates for non-Nexus devices must go through OEMs and carriers, so there's no word on when users will actually have fixes for their handsets. The researchers claim they have yet to see any exploits in the wild, but that could change at any moment.
The main vulnerability lies in how a piece of Android's code (specifically, the OpenSSLX509Certificate class) handles serialization during inter-process communication (IPC). A malicious app that needs no special permissions from the user can exploit the bug to inject malicious code into IPC requests. By doing so, the malicious app can gain system-level permissions.
The researchers also found similar vulnerabilities in some app SDKs. They surveyed 37,701 apps and discovered that a number of those were exploitable. Furthermore, the vulnerable apps all relied on the same set of six SDKs. The tools in question all misused a low-level toolkit called SWIG, which led to a code injection vulnerability similar to the one presented above. In this context, a malicious program could exploit a vulnerable app to gain the same level of permissions as the target, potentially gaining full access to that app's data and capabilities.
Full details of these exploits are available in IBM Security's research paper.