Opening malicious PDF in Android version of Adobe reader allows attacker to access files


The android version of Adobe PDF Reader contains a security bug that could allow an attacker to compromise documents stored in reader and other files stored on the android's SD card.

Security researcher says the problem is there because the Adobe reader exposes few insecure javascript interfaces.  These javascript interfaces allows an attacker to run malicious javascript code inside Adobe reader.

"An attacker can create a specially crafted PDF file containing Javascript that runs when the target user views (or interacts with) this PDF file" security researcher Yorick Koster from Security said.

Researcher has successfully verified the existence of vulnerability in the version 11.1.3 of the adobe reader for Android. The bug has been fixed in the latest version 11.2.0.

He also have released a poc code that will create '.txt' file, when an user open the specially crafted .pdf on vulnerable version of reader.

Pileup flaw: Android updates can be exploited by malware to gain permissions

Upgrading an operating system patches the security holes in the previous versions.  However, researchers found a bug in upgrading process of Android itself, which can be exploited by malicious apps.

A team of researchers from Indiana University and Microsoft have published a paper explains a new critical security bugs which are referred as "Pileup flaws".  The vulnerability exists in Package Management Service (PMS) of Android.

When a user upgrades android to the latest version, a malicious app with few or no permission in the old version can exploit this vulnerability to update itself with new set of permissions.

An attacker can exploit this vulnerability to steal sensitive information from the compromised device, change security configurations and also prevent installation of critical system services.

Researchers say they have confirmed the presence of security hole on all official android versions as well as 3,000 customized android versions.

Researchers also have developed a new service called 'SecUp' which is capable of detecting the malicious apps designed to exploit PileUp vulnerabilities.

Android Vulnerability allows hackers to Turn Legitimate Application into Virus

All Android applications contain a signature which helps the Android to determine if the app is legitimate and to make sure the apk hasn't been tampered with or modified.

Security Researchers from BlueBox Labs have uncovered a new security flaw in Android that allows hacker to modify the application's code without breaking the application's cryptographic signature.

It can be exploited by cyber criminals to turn the legitimate applications into Malicious apps.

Exploited HTC Phone. - Image Credits: BlueBox

In a blog post, Jeff Forristal, Bluebox CTO, noted that the security flaw is particularly dangerous if hackers managed to exploit the application developed by the device manufacturers.

He also pointed out that turning the apps from the device manufacturer into Malware will grant the app full access to Android system that allows hackers to gain access to email , Messages, documents, passwords and more sensitive data.