A research team from IBM X-Force Research and Development, one of the best-known commercial security research and development groups in the world, has found that more than 55 percent of Android phones are at risk from a high-severity serialization vulnerability. Alongside it, the researchers also found several vulnerabilities in Android software development kits (SDKs) that can allow hackers to take over apps.
The Serialization vulnerability could allow an attacker to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device.
The researchers posted a video showing how the malware works.
“Once our malware is executed, it replaces a real app with a fake one, allowing the attacker to exfiltrate sensitive data from the app and/or create a perfect phishing attack. We replaced the real Facebook app with a fake one called Fakebook,” the team said.
Similarly, the other vulnerabilities, found in third-party Android SDKs, allow arbitrary code execution in the context of apps that use these SDKs. The executed code can, for example, steal sensitive information from the attacked app.
“The discovered vulnerabilities are a result of the attacker’s ability to control pointer values during object deserialization in arbitrary apps’ memory space, which is then used by native app code invoked by the runtime’s garbage collector (GC),” the researchers explained.
Although the flaws have been fixed, the researchers feel that a general problem deserves a general mitigation that reduces the impact of such serialization attacks.
“Since bundles are very common in Android’s IPC, we suggest changing the bundle’s behavior from one that automatically instantiates all of its values to a lazy approach, such as retrieving only the values of keys it is asked for,” the researchers added.
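To make the suggested mitigation concrete, the following Java example contrasts an eager container, which instantiates every serialized value as soon as it is unpacked, with a lazy one that deserializes a value only when its key is requested. This is an added illustration, not code from IBM X-Force or from Android itself: the `EagerBundle`, `LazyBundle` and `Tracked` classes are constructed stand-ins for Android's `Bundle` and for a value type whose deserialization has side effects, and the key names are made up.

```java
import java.io.*;
import java.util.*;

public class LazyBundleDemo {
    // Constructed sample value type: counts how often it is deserialized,
    // standing in for any class whose deserialization runs code the
    // receiver did not ask for.
    static class Tracked implements Serializable {
        private static final long serialVersionUID = 1L;
        static int deserializations = 0;
        final String name;
        Tracked(String name) { this.name = name; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            deserializations++;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] b) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(b))) {
            return ois.readObject();
        }
    }

    // Eager behaviour (hypothetical model of the current approach): every value
    // in the wire map is instantiated when the bundle is constructed, so a value
    // the app never reads still gets deserialized.
    static class EagerBundle {
        private final Map<String, Object> values = new HashMap<>();
        EagerBundle(Map<String, byte[]> wire) throws IOException, ClassNotFoundException {
            for (Map.Entry<String, byte[]> e : wire.entrySet()) {
                values.put(e.getKey(), deserialize(e.getValue()));
            }
        }
        Object get(String key) { return values.get(key); }
    }

    // Lazy behaviour (the suggested mitigation): keep the raw bytes and only
    // deserialize the value whose key is actually requested.
    static class LazyBundle {
        private final Map<String, byte[]> wire;
        private final Map<String, Object> cache = new HashMap<>();
        LazyBundle(Map<String, byte[]> wire) { this.wire = new HashMap<>(wire); }
        Object get(String key) throws IOException, ClassNotFoundException {
            if (!wire.containsKey(key)) return null;
            if (!cache.containsKey(key)) cache.put(key, deserialize(wire.get(key)));
            return cache.get(key);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed wire payload: one key the receiver wants, one it never asks for.
        Map<String, byte[]> wire = new HashMap<>();
        wire.put("wanted", serialize(new Tracked("wanted")));
        wire.put("unwanted", serialize(new Tracked("unwanted")));

        Tracked.deserializations = 0;
        new EagerBundle(wire).get("wanted");
        System.out.println("eager bundle deserialized " + Tracked.deserializations + " value(s)");

        Tracked.deserializations = 0;
        new LazyBundle(wire).get("wanted");
        System.out.println("lazy bundle deserialized  " + Tracked.deserializations + " value(s)");
    }
}
```

Running the demo shows the difference the researchers point to: the eager container deserializes both values even though only one key is read, so whatever code runs during deserialization of the unrequested value executes regardless; the lazy container touches only the requested key, shrinking the set of objects an untrusted sender can force the receiving process to instantiate.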