U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

How to remotely install malicious apps on Android devices

Security researchers discovered how to install and launch malicious applications remotely on Android devices exploiting two flaws. Security researchers have uncovered a couple of vulnerabilities in the Google Play Store that could allow cyber criminals to install and launch malicious apps remotely on Android mobile devices. The expert Tod Beardsley, technical lead for the Metasploit […]

How to remotely install malicious apps on Android devices

Security researchers discovered how to install and launch malicious applications remotely on Android devices exploiting two flaws.

Security researchers have uncovered a couple of vulnerabilities in the Google Play Store that could allow cyber criminals to install and launch malicious apps remotely on Android mobile devices.

The expert Tod Beardsley, technical lead for the Metasploit Framework at Rapid7 explained that attackers can install any arbitrary app from the Play store onto victims’ device even without the consent. This is possible by combining the exploitation of an X-Frame-Options (XFO) vulnerability with Android WebView (Jelly Bean) flaw.

The flaw affects mobile devices running Android version 4.3 Jelly Bean and earlier versions, also devices running third party browsers are vulnerable.

Android OS affected

The researcher reported that the web browser in Android 4.3 and prior versions are vulnerable to a Universal Cross-Site Scripting (UXSS) attack, meanwhile the Google Play Store is vulnerable to a Cross-Site Scripting (XSS) flaw.

In the UXSS attack scenario, hackers exploit client-side vulnerabilities affecting a web browser or browser extensions to run a XSS attack, which allows the execution of malicious code bypassing security protection mechanisms in the web browser.

“Users of these platforms may also have installed vulnerable aftermarket browsers,” Beardsley wrote in a blog post on Tuesday.”Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected.” “Until the Google Play store XFO [X-Frame-Options] gap is mitigated, users of these web applications who habitually sign in to their Google Account will remain vulnerable.”

The expert provided the JavaScript and Ruby code that could be used get a response from the play.google.com domain without an appropriate XFO header:

Code exploit Android
Rapid7 has already published a Metasploit module to exploit the flaw, Module for R7-2015-02 #4742, which is available made public on Github.

“This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store’s web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection. As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device. This module requires that the user is logged into Google with a vulnerable browser.” reads the advisory.

To mitigate the security issue:

  • Use a web browser that is not affected by UXSS flaws (i.e. Google Chrome or Mozilla Firefox or Dolphin).
  • Log out of the Google Play store account in order to avoid the vulnerability.

Pierluigi Paganini

(Security Affairs –  Google Android, hacking)