.png)
BOOK THIS SPACE FOR AD
ARTICLE ADBug could allow a malicious app to steal a plethora of sensitive data from user’s device
Android app developers have been urged not to load code dynamically because of the heightened risk of code execution vulnerabilities.
Security researchers issued the warning after disclosing details of an ‘intent redirection’ vulnerability in the Google-for-Android app.
“This could have allowed any app installed on the same device to steal arbitrary data from it, for example, accessing a Google account, user’s search history, voice assistant interaction data, mail from Gmail, and to intercept app rights, including access to read and send SMS messages, contacts, call history (as well as making and receiving calls), calendar, microphone, camera, location, Bluetooth and NFC,” reads a blog post from Oversecured, developer of an eponymous mobile app vulnerability scanner.
Worse still, “the attacker’s app needed to launch only once for this attack to succeed. After that, even if the app was removed, the malicious functionality would continue to be present in the Google app independently. Moreover, the attack did not require any user consent or notice.”
Read more of the latest mobile security news
Despite Oversecured’s warning about the dangers posed, “almost every Android app dynamically loads code from native .so libraries or .dex files”, a process simplified by libraries such as Google Play Core, said the blog post.
“We want to convince developers not to load any code dynamically, because this unsafe practice can escalate a vulnerability that allows stealing/overwriting arbitrary files into critical code execution inside a vulnerable app.”
Google fixed the bug in question in May 2021.
Oversecured also disclosed details of a similar vulnerability in the TikTok app in September 2020.
Malicious Intent
The researchers alighted on a potential problem when, during a probe of Google’s app, they found a content provider with the flag , containing a handler that could give another app permission to read and write access to arbitrary files.
The scan also “indicated that the app uses the Google Play Core library”, meaning “if an attacker wrote an arbitrary module, the classes from the attacker’s module would automatically be added to the of the app”.
Explaining intent redirection vulnerabilities, Google says:
Apps that extract Intents from the Extras field of an untrusted Intent and launch a component by calling startActivity (or similarly, startService, or sendBroadcast) on an extracted Intent can be tricked into (1) launching an unintended private component which can lead to performing sensitive actions with poisoned arguments, and/or (2) unintentionally launching another app's components, which can lead to having sensitive files stolen through granted URI permissions.
Google warning
Google has warned developers that apps containing intent redirection vulnerabilities will be removed from the Google Play store if they are not patched within a given time frame.
The tech giant has advised them to check their Play Console for alerts indicating when apps are affected and, if so, submit patched versions for review in advance of the deadline indicated.
Google sets out steps to fixing the bugs in one of three ways: making the app component from which the extracted Intent is redirected private; ensuring that the extracted Intent is from a trustworthy source; or ensuring that the Intent being redirected is not harmful.
Overloaded recommends using a mobile app vulnerability scanner to detect and “proactively secure your apps against these vulnerabilities”.
The firm also advises developers to “get rid of dynamic code loading by adding it to the existing application”.
The Daily Swig has invited Overloaded to comment further – we will update the article if and when we receive a response.
RELATED XSS flaw in Wire messaging app allowed attackers to ‘fully control’ user accounts
Bengali (Bangladesh) · 
English (United States) ·