We’ve recently found a vulnerability in certain Android apps that may leave user data at risk of being captured or being used to launch attacks. The two affected apps we investigated are both highly popular:
- The productivity app has at least 10M installs and hundreds of thousands of customer reviews, based on its download page
- The shopping-related app has at least 1M installs and several thousand customer reviews, based on its download page
The issue lies in certain Android components, which execute functions of the app. Each such component has an attribute named “android:exported”, which, when set to “true”, allows the component to be executed or accessed by other applications. This means that apps installed on a device may be able to trigger certain functions in other apps. This has obvious convenient uses for developers and vendors who want to strike partnerships with apps by other vendors, but from a security standpoint, it also poses an opportunity for cybercriminals.
Using Activities to Launch Attacks
Ways to exploit this issue may vary, depending on the intent of the attacker and the nature of the vulnerable application. As an example, in our analysis, we found that a particular Activity in a shopping app, one related to showing pop-ups whenever the user makes a purchase, is vulnerable to abuse and can be triggered by other apps.
A possible implication of this is that a malicious application can display pop-ups in the shopping app and use it to launch attacks. The attacker may craft the malicious application to display pop-ups that lead to malicious links or other malicious apps.
Using Content Providers to Steal Information
Another possible way to take advantage of this security issue is to target content providers that handle critical information in order to collect it. A content provider related to storing user input in a productivity app, for example, may be used to capture data.
A content provider that handles critical data may be protected by defining permissions. However, not assigning the proper permission protection level can still leave the content provider vulnerable to abuse. In the mentioned productivity app, the content provider that stores user input was protected by READ and WRITE permissions. However, both permissions were given the “normal” protection level, which means that all applications installed on the device are granted the two permissions as well.
What Can Be Done?
For developers, this issue highlights the importance of putting the appropriate restrictions in the different components of apps. Components that are prone to abuse should be protected with permissions — and with the proper protection level. As we’ve reported in the past, using protection levels in order to secure Android components may not be fool-proof, but it offers a good level of security.
We strongly advise developers to check the components used in their apps and make sure that access to them is restricted properly. We’ve already reached out to the developers of the apps mentioned above and informed them of this issue. We believe that some other popular apps may be affected and we will work to inform them as we encounter them.
Update as of June 1, 2013, 7:15 PM PDT:
Trend Micro is working closely with the vendors and developers that were initially found to be affected by the vulnerability discussed. This does not imply that these are the only apps affected, though, hence the names were not disclosed.
We are working with the vendors of these affected apps to responsibly disclose details about this vulnerability in the near future. This blog entry is meant for other app developers to immediately learn about the vulnerability before full disclosure, in order to check whether or not their apps are likewise affected.