A two-year-old Linux kernel vulnerability, which Android only patched in October, has been exploited for about 10 months. To make matters worse, the exploits were in Play Store apps.
That’s right: Not only did Google fail to merge the fix back into Android, but it also hosted espionage malware using the flaw in its own “safe” app store.
Utter, utter FAIL. In this week’s Security Blogwatch, we dig out our Nokia 3210s.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Dance Monkey Who.
UAF LPE redux
What’s the craic? Shaun Nichols reports—Here we go again: Software nasties slip into Google Play:
At least three malicious apps with device-hijacking exploits have made it onto the Google Play Store in recent weeks. [They] were all abusing a use-after-free() flaw … to elevate their privileges, and pull down and run further malware.
…
The exploited programming blunder was CVE-2019-2215, a … vulnerability present in the inter-process messaging system of the Android kernel. [It] allows a local app to execute arbitrary code … with kernel-level privileges.
…
While the apps themselves have been available since March 2019, the fix … was only posted in the October 2019 Android security update.
And Dan Goodin adds—Apps used a variety of tricks to covertly install well-written espionage software:
Camero connected to a command and control server that has links to SideWinder, the code name for a malicious hacking group that has been targeting military entities since at least 2012. [It] then downloaded attack code that exploits CVE-2019-2215 or a separate exploit in the MediaTek-SU driver that installs an espionage app called callCam [which] collected a variety of sensitive user data.
…
Google representatives had no comment … other than to confirm the apps have been removed from Play.
Who found it? Trend Micro’s Ecular Xu and Joseph C Chen—First Active Attack Exploiting CVE-2019-2215 Found on Google Play:
We found three malicious apps in the Google Play Store that work together to compromise a victim’s device and collect user information. One of these apps, called Camero, exploits CVE-2019-2215, a vulnerability that exists in Binder (the main Inter-Process Communication system in Android).
…
The three malicious apps were disguised as photography and file manager tools. We speculate that these apps have been active since March 2019 based on the certificate information on one of the apps.
…
To evade detection, it uses many techniques such as obfuscation, data encryption, and invoking dynamic code. … The malware retrieves a specific exploit from the C&C server depending on the [phone model] to get root privilege.
…
Once granted, the app shows a full screen window … that is just an overlay screen that is displayed on top of all activity windows on the device. … Meanwhile, the app invokes code … to enable the installation of unknown apps and the installation of the payload app callCam … and then launches the payload app. All of this happens behind the overlay screen, unbeknownst to the user.
…
callCam hides its icon on the device after being launched. It collects the following information and sends it back to the C&C server in the background: Location, Battery status, Files on device, Installed app list, Device information, Sensor information, Camera information, Screenshot, Account, Wifi information, [and] Data of WeChat, Outlook, Twitter, Yahoo Mail, Facebook, Gmail, and Chrome.
Chalk up another FAIL for Android updates? BushLin heeds no excuses:
The Android update problem is also made more complicated by the abuse of their position by Qualcomm. But the lack of driver updates is a problem that Google … should have totally solved by now.
Instead, most phones have a very small window of having security updates. What is less excusable is the quantity of **** and malware permitted on the Play store.
And Lord Elpuss is less equivocal—much less:
Seriously people, if you're … running consumer Android, you need your head seeing to. Neither Google nor Android manufacturers give a rat's **** about protecting your data, except to prepare it for sale.
…
Chumps get sucked in by some pretty hardware then realise (if they're lucky) that it was the bait in the trap, they're the product and it was cheap for a reason. The smart ones get out while they still can; the dumb ones … fire broadsides at Apple users for paying too much without realising that any difference in price is the price you pay to dance with the Devil.
And when you dance with the Devil, you stay until the music stops.
Still, Project Treble fixes this problem, right? Wrong, says Kydaria:
For most users, Treble changed very little if at all. There is still little incentive for device makers to support old phones.
So while it is now technically possible, not much will change as long as the device makers and carriers have any input into the process.
But what’s this about it being an old bug? typical182 gives this typical response:
1. Over two years ago, this was apparently detected automatically by the syzkaller kernel fuzzer, and automatically reported.
…
2. Over a year and a half ago, it was apparently fixed in the upstream kernel.
3. It was apparently never merged back to various “stable” kernels, leading to the recent CVE.
…
4. This is apparently a super common sequence of events, with kernel vulnerabilities getting lost in the shuffle, or otherwise not backported to “stable” kernels.
…
Dmitry Vyukov (original author of syzkaller fuzzer that found this 2 years ago) gave a very interesting talk on how frequently this happens … at the Linux Maintainer’s Summit, along with some discussion of how to change kernel dev processes to try to dramatically improve things.
Meanwhile, gTsiros wonders if it’s the 1990s still:
This is merely an indication and consequence of modern software being utter trash. Use-after-free? Seriously? What's next? Getting owned due to an off-by-one error?
The moral of the story?
Consider phasing out Android phones that aren’t getting monthly security updates. SIM-free Google Pixel and Android One devices are the obvious choices, unless this sort of malarkey makes you want to jump ship to iPhone.
And finally
The best mashup I’ve heard in a while
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: gfk DSGN (Pixabay)
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
