Bug could allow a malicious app to steal a plethora of sensitive data from user’s device
UPDATED Android app developers have been urged not to load code dynamically because of the heightened risk of code execution vulnerabilities.
Security researchers issued the warning after disclosing details of an ‘intent redirection’ vulnerability in the Google-for-Android app.
“This could have allowed any app installed on the same device to steal arbitrary data from it, for example, accessing a Google account, user’s search history, voice assistant interaction data, mail from Gmail, and to intercept app rights, including access to read and send SMS messages, contacts, call history (as well as making and receiving calls), calendar, microphone, camera, location, Bluetooth and NFC,” reads a blog post from Oversecured, developer of an eponymous mobile app vulnerability scanner.
Worse still, “the attacker’s app needed to launch only once for this attack to succeed. After that, even if the app was removed, the malicious functionality would continue to be present in the Google app independently. Moreover, the attack did not require any user consent or notice.”
Despite Oversecured’s warning about the dangers posed, “almost every Android app dynamically loads code from native .so libraries or .dex files”, a process simplified by libraries such as Google Play Core, said the blog post.
“We want to convince developers not to load any code dynamically, because this unsafe practice can escalate a vulnerability that allows stealing/overwriting arbitrary files into critical code execution inside a vulnerable app.”
Google fixed the bug in question in May 2021.
Oversecured also disclosed details of a similar vulnerability in the TikTok app in September 2020.
The researchers alighted on a potential problem when, during a probe of Google’s app, they found a content provider with the flag android:grantUriPermissions="true", containing a handler that could give another app read and write access to arbitrary files.
The scan also “indicated that the app uses the Google Play Core library”, meaning “if an attacker wrote an arbitrary module, the classes from the attacker’s module would automatically be added to the ClassLoader of the app”.
Explaining intent redirection vulnerabilities, Google says:
Apps that extract Intents from the Extras field of an untrusted Intent and launch a component by calling startActivity (or similarly, startService, or sendBroadcast) on an extracted Intent can be tricked into (1) launching an unintended private component which can lead to performing sensitive actions with poisoned arguments, and/or (2) unintentionally launching another app's components, which can lead to having sensitive files stolen through granted URI permissions.
Google has warned developers that apps containing intent redirection vulnerabilities will be removed from the Google Play store if they are not patched within a given time frame.
The tech giant has advised them to check their Play Console for alerts indicating when apps are affected and, if so, submit patched versions for review in advance of the deadline indicated.
Google sets out three ways to fix the bugs: making the app component from which the extracted Intent is redirected private; ensuring that the extracted Intent comes from a trustworthy source; or ensuring that the Intent being redirected is not harmful.
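The following is an added illustration of the third option (checking that the extracted Intent is not harmful), not code from Google, Oversecured or the affected app. The activity name, the extra key `next_intent` and the surrounding app are assumed; the vulnerable pattern is the commented-out unconditional `startActivity` call.

```java
import android.app.Activity;
import android.content.Intent;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

// Hypothetical exported activity that forwards an Intent embedded in its extras.
public class ForwardingActivity extends Activity {
    // Assumed name of the extra carrying the embedded Intent.
    static final String EXTRA_NEXT = "next_intent";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent next = getIntent().getParcelableExtra(EXTRA_NEXT);
        if (next == null) {
            finish();
            return;
        }
        // Vulnerable pattern from the article: forwarding the untrusted Intent as-is.
        // startActivity(next);

        // Hardened: only forward once the target and flags have been vetted.
        if (isSafeToRedirect(next)) {
            startActivity(next);
        }
        finish();
    }

    // Rejects redirects to our own non-exported components and any Intent
    // that would carry URI permission grants to whichever component resolves.
    boolean isSafeToRedirect(Intent next) {
        ResolveInfo target = getPackageManager().resolveActivity(next, 0);
        if (target == null || target.activityInfo == null) {
            return false; // nothing would handle it; do not guess
        }
        boolean ownPackage = getPackageName().equals(target.activityInfo.packageName);
        if (ownPackage && !target.activityInfo.exported) {
            return false; // would reach a private component with attacker-chosen extras
        }
        int grantFlags = Intent.FLAG_GRANT_READ_URI_PERMISSION
                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION;
        if ((next.getFlags() & grantFlags) != 0) {
            return false; // forwarding would hand out our URI permissions
        }
        return true;
    }
}
```

An alternative to rejecting the Intent outright is stripping the grant flags with `next.removeFlags(grantFlags)` before forwarding, if the redirect is otherwise legitimate.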
Sergey Toshin, founder of Oversecured, shared his advice with The Daily Swig.
“It's not obvious, but in most cases, libraries (such as widely used Google Play Core or Facebook ImagePipeline) always check normally missing files and then automatically load them if present,” he said.
“I would recommend verifying all the app dependencies if they have such built-in functionality (e.g., Oversecured automatically checks such issues). If developers do not intend dynamic code loading, that’s important to get rid of such dependencies. If developers intend it, they should store native libraries in the app’s resources (lib/ folder).”
This article was updated on June 21 with comments from Sergey Toshin of Oversecured