LaunchAnyWhere: Activity component Permission Bypass Vulnerability

Source: Internet
Author: User
Release date:

 

Vulnerability No:

Google Bug ID 7699048

 

Security level:

Moderate

 

Impact scope:

Android 2.1-Android 4.3

 

Vulnerability description:

Recently, security researcher retme [1] announced a vulnerability in the Android Account Management Service. Malicious applications can exploit this vulnerability to break through the access isolation between components of different processes and call any non-public (not exported) Activity component of other applications. This may pollute the data of the component, damage the application's local data, inject specific data, or even inject malicious data into the remote server. It can also be combined with other vulnerabilities, such as WebView addJavascriptInterface, to threaten WebView controls that are relatively secure because they are not public.

 

This vulnerability exists because the Android Account Management Service does not verify the Intent forwarded by an installed account service application. Hackers can write a malicious application that contains its own account service and disguise it as a normal application to trick users into downloading and installing it. When the user starts the malicious application, it triggers a request to the Android Account Management Service to add an account of the malicious application's type. The Android system then calls the account service of the malicious application, accepts the Intent that the malicious application returns, and starts the Activity to which the Intent points. Under normal circumstances, the Intent should point to the login interface of the account service. However, because the Android Account Management Service is privileged and does not verify the identities of the initiator and the target of the Intent, hackers can return any Intent to the Android Account Management Service from their own account service code, regardless of whether the Activity designated by the Intent is public.

 

 

All details of the vulnerability have been disclosed, and the POC [2] code has also been released. Google released the patch [3] on September 29, 2013. It verifies whether the signature of the account service application that returns the Intent is consistent with the signature of the application that owns the Activity the Intent points to. Code path: /frameworks/base/services/java/com/android/server/accounts/AccountManagerService.java
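The signature comparison described above, written as an added example (it is not the AOSP patch and not code from the original page): a helper that takes the Bundle an account service returned and refuses to hand back an Intent whose target Activity belongs to a differently signed application. The class name, method name and parameters are hypothetical; the PackageManager, Bundle and AccountManager calls are the public Android SDK ones.

```java
import android.accounts.AccountManager;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.os.Bundle;

/** Hypothetical helper (added example): validates the Intent an account service returns. */
public final class AuthenticatorIntentCheck {

    private AuthenticatorIntentCheck() {}

    /**
     * @param pm               PackageManager of the privileged caller
     * @param authenticatorUid UID of the application whose account service produced the result
     * @param result           Bundle returned by that account service for an add-account request
     * @return the Intent that may be started, or null if the Bundle carries none
     * @throws SecurityException if the Intent targets an Activity of a differently signed app
     */
    public static Intent checkKeyIntent(PackageManager pm, int authenticatorUid, Bundle result) {
        if (result == null) {
            return null;
        }
        Intent intent = result.getParcelable(AccountManager.KEY_INTENT);
        if (intent == null) {
            return null; // the account service asked for no UI
        }
        // Resolve the Activity the system would actually start for this Intent.
        ResolveInfo target = pm.resolveActivity(intent, 0);
        if (target == null || target.activityInfo == null) {
            throw new SecurityException("KEY_INTENT does not resolve to an Activity");
        }
        int targetUid = target.activityInfo.applicationInfo.uid;
        // Only an Activity from an application signed with the same certificate
        // as the account service is accepted as its login interface.
        if (pm.checkSignatures(authenticatorUid, targetUid) != PackageManager.SIGNATURE_MATCH) {
            throw new SecurityException("Account service uid " + authenticatorUid
                    + " returned an Intent for " + target.activityInfo.packageName
                    + ", which is signed with a different certificate");
        }
        return intent;
    }
}
```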

 

 

 

Test method: (does my mobile phone have this problem ?)

If your mobile phone runs Android 4.3 or earlier (4.3 included), it may be exposed to this threat. Check the Settings -> Accounts -> Add account interface for suspicious applications. You can also use the POC to test for the vulnerability.

 

Solution: (Please protect me)

Google has already released the bug fix. Mobile phone manufacturers should release the patch as soon as possible based on their actual situation. Until then, users should use a trusted app store and be careful about which apps they download and install. If any suspicious application is found, uninstall it promptly.

 

References:

[1] http://retme.net/

[2] https://github.com/retme7/launchAnyWhere_poc_by_retme_bug_7699048

[3] https://android.googlesource.com/platform/frameworks/base/+/5bab9da%5E%21/#F0

 

