Biz & IT —

Android security on the ropes with one-two punch from researchers

Faulty Stagefright patch and newly reported sandbox bypass leave users exposed.

Android security on the ropes with one-two punch from researchers

Android security woes got worse on Thursday, with two separate reports of code defects that put millions of end users at risk.

The first involves the update Google released last week fixing a flaw that allowed attackers to execute malicious code on an estimated 950 million phones with nothing more than a maliciously crafted text message. Seven days later, security researchers are reporting that the patch, which has been in Google's possession since April, is so flawed that attackers can exploit the vulnerability anyway.

"The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping," Jordan Gruskovnjak and Aaron Portnoy, who are researchers with security firm Exodus Intelligence, wrote in a blog post published Thursday. "The public at large believes the current patch protects them when it in fact does not."

The code-execution vulnerability is the result of a buffer overflow bug in Stagefright, a code library that processes video. Last week's patch, which was submitted by the researcher who discovered the flaw and privately reported it to Google in April, closed some but not all exploits. Specifically, booby-trapped MP4 videos that supplied variables with 64-bit lengths were able to overflow the buffer and feed malicious code into Android memory. Typically, MP4 videos work with 32-bit variable lengths, but the Exodus researchers found rare cases where 64-bit lengths can be used.

Buffers act as containers that are designated to hold specific amounts of data. When the designated size is exceeded, contents can be executed. Newer versions of Android have a security measure known as address space layout randomization that makes overflow exploits harder to carry out. The defense works by randomizing the memory locations the malicious code is loaded into, preventing attack code from being able to call it. As a result, devices merely crash rather than execute the code. The exploit mitigation, however, can often be bypassed using more advanced hacking techniques.

At the time this post was being prepared, Google was continuing to make last week's patch available, both to end users through over-the-air updates and to partners. Company engineers have allocated the vulnerability identifier CVE-2015-3864 to the flawed patch, the Exodus researchers said, but so far there's no word when a corrected fix will be available. The incident underscores just how hard it is to get security right.

"Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor's software and hold them accountable to provide a code fix within a deadline period," the Exodus researchers wrote. "If Google cannot demonstrate the ability to successfully remedy a disclosed vulnerability affecting their own customers then what hope do the rest of us have?"

Separately, researchers from security firm MWR Labs disclosed a flaw that allows malicious apps to break out of the Android security sandbox. The sandbox is a key Android defense that isolates passwords and other sensitive data belonging to one app from being accessed by any other app installed on a handset. The bug, which resides in the Android Admin application at com.google.android.apps.enterprise.cpanel, allowed other applications on the device to bypass those restrictions to read arbitrary files through the use of symbolic links.

The rash of vulnerabilities being reported in Android and the difficulty in getting them installed on end-user devices is taking its toll on the mobile OS. Fortunately, there are no current indications that such vulnerabilities are being actively exploited in the wild. Still, Android users—this reporter included—have reason to be concerned and to remain wary.

Channel Ars Technica