Two critical bugs and more malicious apps make for a bad week for Android

Google releases fixes for newer devices and ejects apps following reports.

Dan Goodin – Sep 9, 2016 8:22 PM | 178

It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google's official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren't eligible to receive the fixes. Even those that do qualify don't receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.

"Extremely serious bug"

The first vulnerability was disclosed by Mark Brand, a researcher with Google's Project Zero security team. Indexed as CVE 2016-3861, it allows attackers to execute malware or escalate local privileges on vulnerable phones. Brand warned that it's "an extremely serious bug" because it can be exploited in a large variety of ways. He also said CVE 2016-3861 wasn't particularly hard to detect, a finding that increases the chances that other researchers already knew about it. (In any event, Brand included proof-of-concept exploit code with his disclosure. A Google spokesman said the exploit was for research purposes, worked only on an undisclosed subset of Nexus devices, and "could not be used in real world attacks without substantial modification and even further research.") Brand didn't say exactly which Android version introduced the code-execution vulnerability, but he indicated that it's present in at least several of the most recent releases.

"The provided exploit performs this on several recent Android versions for the Nexus 5x and is both reliable and fast in my testing," he wrote in a blog post published Wednesday. "It would also be possible to make the exploit faster by directly generating the exploit files in javascript, reducing the unnecessary network round-trips [spent] retrieving identical mp4 files."

The same Android update patches a separate critical vulnerability that's similar to Stagefright. Cataloged as CVE-2016-3862, it can be exploited by sending a maliciously formatted jpeg image. When sent through Gmail or Google Talk, the malicious code is concealed inside Exif data embedded in the image. The target doesn't need to click on anything to become compromised.

"To an advanced attacker, this was relatively easy to find and in their wheelhouse to exploit," Tim Strazzere, director of mobile research at SentinelOne and the researcher who reported the bug to Google, told Threatpost. "You would have access to anything that app had access to or leverage another exploit to get system privileges or root."

The vulnerabilities were made public the same week that security firm Checkpoint disclosed that recently discovered apps, some available since April, had been downloaded from Google Play as many as 2.5 million times. One malware family dubbed DressCode was likely used to generate fraudulent clicks on ads, but Checkpoint researchers said it could also be used to breach internal networks and retrieve sensitive files from them. DressCode was found in more than 40 Google Play apps that had been downloaded from 500,000 to 2 million times.

In a separate post published Thursday, Checkpoint disclosed an app that contained code that redirected infected phones to websites that generated fraudulent revenue. Known as CallJam, the malware also included code that called fee-based premium phone numbers, although this ability was only invoked after receiving permission from end users. CallJam was embedded into an app called "Gems Chest for Clash Royale," which was downloaded from 100,000 to 500,000 times. The app, as well as those containing DressCode, were removed from Play following the posts.

Post updated on September 10 to add details in the third paragraph about the proof-of-concept exploit.