Marshmallow OS to get patch for two critical Android bug

Google has patched seven of its code execution vulnerabilities in which two of them were rated critical, while four were high and one was moderate. This was the fourth round of Android patching since August this year.

Two flaws, which give attackers remote code execution, that were rated critical include libutils (CVE-2015-6609) and mediaserver (CVE-2015-6608) holes. The holes can be exploited by sending crafted media files to the affected devices.

Google informed their “partners’ about the patch on October 5, and the patch code is set to be available on Nexus, Samsung, and Android Open Source Project, but it will be first available for its latest Marshmallow Android operating system.

In its advisory Google said that, "The most severe of these issues is a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files."

"During media file and data processing of a specially crafted file, vulnerabilities in mediaserver could allow an attacker to cause memory corruption and remote code execution as the mediaserver process.The affected functionality is provided as a core part of the operating system and there are multiple applications that allow it to be reached with remote content, most notably MMS and browser playback of media."

Privilege elevation bug is solved in libstagefright library which was separate from StageFright vulnerabilities reported by Zimperium researcher Joshua Drake earlier this year.

Vulnerabilities in Bluetooth (CVE-2015-6613), the mediaserver (CVE-2015-6611), the telephone app (CVE-2015-6614), and libmedia (CVE-2015-6612) were also patched.

Google says “exploitation is made harder on the security-improved Marshmallow Android platform.

Remote Code Execution Vulnerabilities in Mediaserver
Remote Code Execution Vulnerability in libutils
Information Disclosure Vulnerabilities in Mediaserver
Elevation of Privilege Vulnerability in libstagefright
Elevation of Privilege Vulnerability in libmedia
Elevation of Privilege Vulnerability in Bluetooth
Elevation of Privilege Vulnerability in Telephony

Bypassing lockscreen in Android Lollipop devices with a long password

A Security flaw has been found in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device.

According to the researchers, the attacker gains the access by manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen.

At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.

It is only possible when the attack must have physical access to the device. So, Android users must set password either pin or pattern.

The researchers have suggested that in order to breakdown the attack, the users should open the EMERGENCY CALL window from the locked screen. Type a few characters like 10 asterisks. Then, double-tap the characters to highlight them and copy the buttons. Then tap once in the field and tap paste, doubling the characters in the field. Repeat this process of highlight all, copy, and paste until the field is so long that double-tapping no longer highlights the field. This usually occurs after 11 or so repetitions.

New Android Serialization vulnerability which can change a malicious app to a real one

A research team from IBM X-Force Research and Development, a famous commercial security research and development teams across the world, has found out that more than 55 percent of Android phones are at risk of a high-severity serialization vulnerability. Along with it, the researchers have also found several vulnerabilities in Android software development kits (SDKs), which can allow hackers to own apps.

The Serialization vulnerability could allow an attacker to give a malicious app with no privileges the ability to become a “super app” and help the cybercriminals own the device.

The researchers posted a video, in which shows how the malware works.

“Once our malware is executed, it replaces a real app with a fake one, allowing the attacker to exfiltrate sensitive data from the app and/or creates a perfect phishing attack. We replaced the real Facebook app with a fake one called Fakebook,” the team said.

Similarly, other vulnerabilities found in third-party Android SDKs and allow arbitrary code execution in the context of apps that use these SDKs. This executed code can, for example, steal sensitive information from the attacked app.

“The discovered vulnerabilities are a result of the attacker’s ability to control pointer values during object deserialization in arbitrary apps’ memory space, which is then used by native app code invoked by the runtime’s garbage collector (GC),” the researchers explained.

Although, the flaws have been fixed, the researchers feel that a general problem deserves a general mitigation, reducing the impact of such serialization attacks.

“Since bundles are very common in Android’s IPC, we suggest changing the bundle’s behavior from one that automatically instantiates all of its values to a lazy approach, such as retrieving only the values of keys it is asked for,” the researchers added.

Attackers can crash Your Android Device, says Trend Micro

Researchers from TrendLabs Security Intelligence have discovered a vulnerability in Android 4.3 (Jelly Bean) up to the current version, Android 5.1.1 (Lollipop) that could help an attacker to turn a phone “dead silent, unable to make calls, with a lifeless screen”.

Researchers have said that the flaw would cause phones to have no ring, text or notification sounds and be unable to make calls.

According to a post in its blog, “This vulnerability can be exploited in two ways: either via a malicious app installed on the device, or through a specially-crafted web site. The first technique can cause long-term effects to the device: an app with an embedded MKV file that registers itself to auto-start whenever the device boots would case the OS to crash every time it is turned on.”

The researchers said that the vulnerability was similar to the recently discovered Stagefright vulnerability. Both vulnerabilities were triggered when Android handles media files, although the way these files reached the user differs.

Researchers from Zimperium Mobile Security, a security firm, had discovered Stagefright in Android mobile operating system which they said to be the “worst Android vulnerabilities” to the date.

Though, the Google had patched the problem, millions of devices need to be updated. The flaw has affected nearly a billion devices.

 “The vulnerability lies in the mediaserver service, which is used by Android to index media files that are located on the Android device,” said the company. “The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data,” the blog post read.

Although, the flaw was reported to the Google in May, the company concerned has been able to fix the issue.

Trend Micro discovers vulnerability in Android debugger "Debuggerd"

Trend Micro has found a new vulnerability that exists in phones running Android IceCream Sandwich to Lollipop.

The vulnerability in the debugging program of Android, Debuggered, allows a hacker to view the device's memory and the data stored on it.

You can create a special ELF (Executable and Linkable Format) file to crash the debugger and then you can view the dumps and log files of content stored on the memory.

The glitch in itself is not a big threat but the type of data it can give a hacker access to can lead to a difficult situation.

Google is said to be working on a fix in the next version of Android for this.

Researcher discloses a flaw in Samsung Keyboard leaves 600m Android devices vulnerable to hacking attack

A flaw has been disclosed by a security researcher in Samsung's Android, including the recently released Galaxy S6, keyboard installed on over 600 million Samsung mobile device users that could allow hackers to take full control over the smartphones or tablet.

Ryan Welton, a mobile security researcher at NowSecure, who discovered the vulnerability, wrote in the blog, “A remote attacker capable of controlling a user’s network traffic can manipulate the keyboard update mechanism on Samsung phones and execute code as a privileged (system) user on the target’s phone. The Swift keyboard comes pre-installed on Samsung devices and cannot be disabled or uninstalled. Even when it is not used as the default keyboard, it can still be exploited.”

Researcher said that the vulnerability was discovered last year. Samsung was notified in December 2014. However, Samsung asked NowSecure not to disclose the flaw until it could fix the problem.

NowSecure also notified CERT who assigned CVE-2015-2865, and also informed the Google Android security team.

 The researcher pointed out the flaw could attacker to do:

-         - Access sensors and resources like GPS, camera and microphone.
-         -  Secretly install malicious app(s) without the user knowing.
-          - Tamper with how other apps work or how the phone works.
-          - Eavesdrop on incoming/outgoing messages or voice calls.
-          - Attempt to access sensitive personal data like pictures and text messages.

According to the researcher, the defected keyboard application can’t be uninstalled. Similarly, it is not easy for the Samsung mobile device user to tell if the carrier has patched the problem with a software update.

“However, in order to reduce the risk, avoid insecure Wi-Fi networks, use a different mobile device and contact your carrier for patch information and timing,” the researcher added.

Address bar in Android browsers can be spoofed to lead to phishing attacks

Most of the time people identify malicious websites based on the URL in the address bar. A new vulnerability allows attackers to spoof that URL in android Stock browser and trick users into supplying sensitive information to phishing websites.

The vulnerability is an issue the Android Lollipop as well as prior versions. The problem is caused due to the fact that the browser fails to handle 204 error "No Content" responses when combined with event, thereby allowing hackers to spoof the address bar.

A proof of concept shows that in case of a site with no content which has been opened with an unpatched Android Stock browser, the users are redirected to a page with the URL "".

This leads the user to think that it is a secure site hosted on google whereas it is a phishing site. As soon a the users enter the credentials, those are sent to

It was reported to the Android security team by Rafah Baloch, in February. The Android team has released patches for both Kitkat and Lollipop. It is advisable that users contact the service providers to determine whether they have received the updates.

Tapjacking in Android devices can lead to malware download

The functionality of overlaying multiple activities in Android API can be combined with handling of events to trick users into downloading malicious applications without the user's knowledge.

The authorization  « android.permission.SYSTEM_ALERT_WINDOW » existing since the first version of the developer API and affecting even the last version of the application « Google Play Store »  can be used to create alerts which always stays on the top e.g. low battery levels which are used in the systems. Now, this alert window can be not touchable.

This not touchable window can be programmed so that touch events are never transmitted to this window or touch events can be automatically transmitted to underlying activity. So, utilizing the android API functionality a different event window can be placed underneath this not touchable window.

Since the alert window can be utilized to communicate touch events to an underlying window, the attacker can place buttons and images at right locations for the victims to touch it. It would then be relayed to the window beneath which would cause a application to be downloaded without any intent of the user.

Increasingly as the users have become alert towards downloading apps which ask for control to contacts, texts or images, the challenge to the attackers lie in tricking the users to  download without even showing the app terms and policies. 

So,this "tapjacking" can be applied by attackers to lead users to download malicious apps. It can be conducted in games or any other kinds of applications. Though a theoretical security issue till now, technically, this method can be exploited to infect all kinds of Android devices, irrespective of the version. It has been tested on Nexus 4 under Android 4.3,Android 4.4 and Nexus 5 under Android 4.4 by NES security lab and a notification has been sent to the Android security team for its resolution.

Researchers discover fingerprint flaw on Samsung Galaxy S5

Photo Courtesy: Mobilesyrup website
Despite the various efforts made to secure biometric information on Samsung Galaxy S5 by the Android phone makers, hackers can still take copies of fingerprint which is used to unlock the phone set, said researchers.

Tao Wei and Yulong Zhang, researchers at FireEye, a security firm, said that even though there is a separate secure enclave for the information on the phone, it is possible to grab the biometric data before it reaches that safe area which allows hackers to copy people’s fingerprints for further attacks.

Wei and Zhang, who conducted research on Galaxy S5 including other unnamed Android devices, will be presenting their findings at the RSA conference on April 24.

The researchers said that in order to clone the fingerprints, the hackers don’t have to break the protected zone where the data is stored. They just have to collect data from the device’s fingerprint sensor.

According to them, any hacker can easily clone fingerprints from the phone sets. They have to get user-level access and run a program as root. They wouldn’t need to go deeper on Samsung Galaxy S5 because the malware needs only system-level access.

And once the hackers break the operating system of the phone, they can easily read the fingerprint sensor. Then, the hackers get the data from which they can generate an image of fingerprint. After that, those hackers can do whatever they want.

After finding the flaw on the phone, the researchers had contacted Samsung. However, they did not get any updates or measures to fix the vulnerability from the company.

They said that it is better to update Android version in order to get protected from this vulnerability because it is not resident on Android 5.0 or later versions.

"Samsung takes consumer privacy and data security very seriously. We are currently investigating FireEye’s claims,” said a spokesperson for Samsung via email to Forbes.

Although, there are various security concerns about biometric, it is going to be the primary form of authentication on mobile phones.

It is said that Microsoft is testing out a range of biometric options for its upcoming Windows 10 operating system. 

However, Wei and Zhang said they only tested Android devices as of now.

They said that not all of the Android phones below 5.0 with fingerprint authentication were affected but this vulnerability is likely to spread among other phone companies as well.  Like HTC One Max, Motorola Atrix, Samsung Galaxy Note 4 and Edge, Galaxy S6, and Huawei Ascend Mate 7.

“We only tested a limited number of devices. While we expect the issue is more widespread, we are not sure,” the FireEye spokesperson said in an email to Forbes

Android users worldwide exposed to Malware risks

Network security company, Palo Alto Networks, has confirmed that they have discovered a vulnerability in Google's Android OS application installation procedure, that can leave its users potentially exposed to malware that can seek control of the whole device. They have named the vulnerability, 'Android Installer Hijacking'.

The vulnerability called Time-of-Check to Time-of-Use (TOCTTOU) was discovered by Palo Alto in January last year. In simple words, it hijacks your device while the installation of an application and installs malware instead of the application.

The malware has been linked to people who frequent and download often from third party application stores that download an application you want to install, in the local storage area of your phone, rather than the protected area where the Play Store downloads and installs its applications from.

Google's security team was informed of the vulnerability a month after it was found by Palo Alto. It can be used by hackers to exploit an android running device in various manners, with credit card information of users also being at risk.

The vulnerability has existed for an year according to Palo Alto's Disclosure Timeline and measures like vulnerability scanners have been put in place to mitigate this vulnerability.

Vulnerability in Android default browser allows attackers to hijack Sessions

A Serious vulnerability has been discovered in the Android default browser(AOSP) that allows a malicious website to bypass "Same Origin Policy(SOP)" and steal user's data from other websites opened in other tabs. AOSP browser is the default browser in Android versions older than 4.4. 

What is Same Origin Policy?
SOP plays an important role in the Web Security, restricts a website from accessing scripts and data stored by other websites.  For example, the policy restricts a site 'Y' from accessing the cookies stored by site 'X' in user's browser.

Same Origin Policy Bypass:
Rafay Baloch, a security researcher, found a security flaw in the "Same Origin Policy" system used by the AOSP browser.  The bug allows the website 'Y' to access the scripts and user's data stored by website 'Y'.

Imagine You are visiting attacker's website while your webmail is opened in another tab, the attacker is now able to steal your email data or he can steal your cookies and could use it to compromise your mail account.

Proof of Concept:
<iframe name="test" src=""></iframe>
<input type=button value="test"
onclick="'\u0000javascript:alert(document.domain)','test')" >

"Its because when the parser encounters the null bytes, it thinks that the string has been terminated, however it hasn't been, which in my opinion leads the rest of the statement being executed." Rafay said in his blog.

Metasploit Module:
Rafay published the poc on his blog in August.  However, it remained largely unnoticed until rapid7 released a metasploit module that exploits the vulnerability.

This browser also known for the remote code execution vulnerability, has been discontinued by Google. But older versions of Android do come with this browser.

What you should do?
Stop using the default android browser, Use Google Chrome or Mozilla.

Opening malicious PDF in Android version of Adobe reader allows attacker to access files

The android version of Adobe PDF Reader contains a security bug that could allow an attacker to compromise documents stored in reader and other files stored on the android's SD card.

Security researcher says the problem is there because the Adobe reader exposes few insecure javascript interfaces.  These javascript interfaces allows an attacker to run malicious javascript code inside Adobe reader.

"An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file" security researcher Yorick Koster from Security said.

Researcher has successfully verified the existence of vulnerability in the version 11.1.3 of the adobe reader for Android. The bug has been fixed in the latest version 11.2.0.

He also have released a poc code that will create '.txt' file, when an user open the specially crafted .pdf on vulnerable version of reader.

Pileup flaw: Android updates can be exploited by malware to gain permissions

Upgrading an operating system patches the security holes in the previous versions.  However, researchers found a bug in upgrading process of Android itself, which can be exploited by malicious apps.

A team of researchers from Indiana University and Microsoft have published a paper explains a new critical security bugs which are referred as "Pileup flaws".  The vulnerability exists in Package Management Service (PMS) of Android.

When a user upgrades android to the latest version, a malicious app with few or no permission in the old version can exploit this vulnerability to update itself with new set of permissions.

An attacker can exploit this vulnerability to steal sensitive information from the compromised device, change security configurations and also prevent installation of critical system services.

Researchers say they have confirmed the presence of security hole on all official android versions as well as 3,000 customized android versions.

Researchers also have developed a new service called 'SecUp' which is capable of detecting the malicious apps designed to exploit PileUp vulnerabilities.

Android Vulnerability allows hackers to Turn Legitimate Application into Virus

All Android applications contain a signature which helps the Android to determine if the app is legitimate and to make sure the apk hasn't been tampered with or modified.

Security Researchers from BlueBox Labs have uncovered a new security flaw in Android that allows hacker to modify the application's code without breaking the application's cryptographic signature.

It can be exploited by cyber criminals to turn the legitimate applications into Malicious apps.

Exploited HTC Phone. - Image Credits: BlueBox

In a blog post, Jeff Forristal, Bluebox CTO, noted that the security flaw is particularly dangerous if hackers managed to exploit the application developed by the device manufacturers.

He also pointed out that turning the apps from the device manufacturer into Malware will grant the app full access to Android system that allows hackers to gain access to email , Messages, documents, passwords and more sensitive data.