Alipay is a popular third-party payment platform in China that is operated by Alibaba, one of the biggest Internet companies in China. We recently found two vulnerabilities in their Android app that could be exploited by an attacker to carry out phishing attacks to steal Alipay credentials. We disclosed the said vulnerabilities to Alipay; they acknowledged the issue and provided updates to their users earlier this month which fixed this vulnerability. Version 8.2 and newer of the Alipay app no longer contain this vulnerability. We urge all users of the Alipay app to check if they still have the vulnerable version and update to the latest version (if needed).
First vulnerability: Exported activity
Android applications have several important components, one of which is Activities. This has an important attribute, android:exported. If this attribute is set as “true”, every application installed on the same device can call this activity. Developers should take care so that their exported activities are not abused.
We found that the official Android app for Alipay was vulnerable to exactly this kind of exploitation. This particular activity can be used to add an Alipay passport (known as Alipass). An attacker, using a specially created Alipass, can use this activity to create an Alipass login display. This can be used to lead the user to a phishing page or to display a QR code. Before the activity is launched, the user will be asked to enter the Alipay unlock pattern, which makes the user believe the login really is from Alipay.
Figure 1. Phishing URL delivered by activity
Vulnerability #2: Malicious permission
We discussed earlier how permissions can also be exploited by permission preemption. In this attack, a malicious app ius installed before the target application which grants the target application’s customized permission and access the components protected by the permission
Alipay’s app defined the permission com.alipay.mobile.push.permission.PUSHSERVICE to protect the component com.alipay.mobile.push.integration.RecvMsgIntentService. This component is used by the Alipay app to receive messages from the Alipay server. One particular message is the a message informing the user that an update for their app is present.
After a malicious app is granted the PUSHSERVICE permission, an attacker can simply construct a message and send it to the RecvMsgIntentService to push an update notification to user.
Figure 2. Test notification exploiting vulnerability
Figure 3. Notification asking to install a malicious app.
Once the user has accepted the update, another application will be downloaded and installed. The URL where this download app will come from is controlled by the attacker as well. Combined with the recently uncovered Android launcher vulnerability, we can hijack the Alipay’s shortcut and launch the faked Alipay to get user’s account.
Android’s exported activities are not the last mobile operating system feature that might be thought of as a security risk. For example, iOS allegedly contained a backdoor – before it later emerged that this was simply a diagnostic tool. Real or not, mobile OS features can become security threats down the road if developers do not use these in a secure manner.