
Trend Micro Discovers Apache Cordova Vulnerability that Allows One-Click Modification of Android Apps

  • Posted on: May 27, 2015 at 7:44 pm
  • Posted in: Mobile, Vulnerabilities
  • Author: Seven Shen (Mobile Threats Analyst)

We’ve discovered a vulnerability in the Apache Cordova app framework that allows attackers to modify the behavior of apps just by clicking a URL. The extent of the modifications can range from causing nuisance for app users to crashing the apps completely.

Designated as CVE-2015-1835, this high-severity vulnerability affects all versions of Apache Cordova up to 4.0.1. Apache has released a security bulletin confirming the vulnerability. This means that the majority of Cordova-based apps, which account for 5.6% of all apps in Google Play, are prone to exploits.

The vulnerability is found in a Cordova feature where secondary configuration variables (also known as preferences) can be set from intent bundles in the base activity. This feature was part of a code update (a commit on GitHub) that Apache released in November 2010, along with the Cordova Android update to 0.9.3.

Our research has revealed that if the base activity is not properly secured and the preferences are left at their defaults, an attacker may be able to alter these preferences and modify the appearance and behavior of the app itself.

Prerequisites for a successful exploit

Only two conditions are required to successfully exploit this vulnerability:

  1. At least one of the application’s components extends Cordova’s base activity (CordovaActivity), or configures the Cordova framework through Config.java, and is not properly secured, meaning it is accessible from outside the app.
  2. At least one of the Cordova-supported preferences (except LogLevel and ErrorUrl) is not defined in the configuration file, config.xml.

How it works

To understand how the vulnerability works, we’ll look into how preferences are set in apps.

Secondary configuration variables, also known as preferences, are a set of variables reserved for developers to configure their apps. They are the source of the built-in characteristics of Cordova-based apps and should be controlled only by app developers. Any tampering with these variables during runtime initialization will disrupt the app’s normal behavior.

The Apache Cordova framework on Android (up to 4.0.1) supports the following preferences:

  • Fullscreen
  • DisallowOverscroll
  • BackgroundColor
  • Orientation
  • KeepRunning
  • LoadUrlTimeoutValue
  • SplashScreen
  • SplashScreenDelay
  • InAppBrowserStorageEnabled
  • LoadingDialog
  • LoadingPageDialog
  • ErrorUrl
  • ShowTitle
  • LogLevel
  • SetFullscreen
  • AndroidLaunchMode
  • DefaultVolumeStream

These preferences can be explicitly set in config.xml in the Cordova framework, or left undefined and implicitly linked to default values. It is important to note that many developers take the latter option in practice, since not all of these preferences are necessary for their apps. If a preference is not explicitly configured in config.xml, the Cordova framework will set it from the intent bundle in the base activity.

Figure 1. The app loads the intent bundle and copies it to preference during initialization in CordovaActivity

Figure 2. The app loads the preference value from its bundle when it is absent in config.xml

App developers are usually guided to extend CordovaActivity in their applications to make this hybrid framework work.

Figure 3. A subclass extended from CordovaActivity to launch web pages

Unfortunately, in this case, it is this common developer guidance that leaves apps vulnerable to attacks. An extended activity that is accessible from outside the app lets attackers inject malicious intent bundles into it to tamper with the built-in characteristics of the app, either from remote web servers or from compromised local apps.

We discovered that all of these preferences except LogLevel and ErrorUrl could be exploited. The Cordova framework handles the two preferences in a specific way which makes them immune to this vulnerability.

We believe this vulnerability is highly exploitable because the conditions that need to be met for a successful exploit are common developer practices. Most Cordova-based apps do extend CordovaActivity, and very few explicitly define all preferences in their configuration. Moreover, all Cordova-based apps built with the Cordova Command-Line Interface (CLI) automatically meet the exploit prerequisites mentioned earlier, so all of them are vulnerable.
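To check an app against the two prerequisites above from the build artifacts, here is an added audit script (not from the original post and not part of Apache Cordova) that parses a constructed config.xml and AndroidManifest.xml. The preference list is the one given in the post; the rule that an activity with an intent filter and no android:exported attribute is exported is the standard Android default.

```python
import xml.etree.ElementTree as ET

# Preferences Cordova Android (up to 4.0.1) reads from the intent bundle when
# config.xml omits them; LogLevel and ErrorUrl are handled differently by the framework.
INJECTABLE_PREFERENCES = [
    "Fullscreen", "DisallowOverscroll", "BackgroundColor", "Orientation",
    "KeepRunning", "LoadUrlTimeoutValue", "SplashScreen", "SplashScreenDelay",
    "InAppBrowserStorageEnabled", "LoadingDialog", "LoadingPageDialog",
    "ShowTitle", "SetFullscreen", "AndroidLaunchMode", "DefaultVolumeStream",
]
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def undefined_preferences(config_xml):
    """Injectable preferences that config.xml leaves at their defaults (prerequisite 2).
    Names are compared case-insensitively, like the lower-case extra in the PoC."""
    root = ET.fromstring(config_xml)
    defined = {el.get("name", "").lower() for el in root.iter()
               if el.tag.split("}")[-1] == "preference"}  # ignore the widget namespace
    return [p for p in INJECTABLE_PREFERENCES if p.lower() not in defined]

def exported_activities(manifest_xml):
    """Activities reachable from other apps (prerequisite 1): android:exported="true",
    or no exported attribute plus an <intent-filter>, which Android treats as exported."""
    root = ET.fromstring(manifest_xml)
    found = []
    for act in root.iter("activity"):
        exported = act.get(ANDROID_NS + "exported")
        if exported == "true" or (exported is None and act.find("intent-filter") is not None):
            found.append(act.get(ANDROID_NS + "name"))
    return found

# Constructed sample files, not taken from any real app.
SAMPLE_CONFIG = """<widget xmlns="http://www.w3.org/ns/widgets" id="com.example.demo">
  <preference name="loglevel" value="DEBUG"/>
  <preference name="BackgroundColor" value="0xffffffff"/>
</widget>"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".Helper" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print("exported activities:", exported_activities(SAMPLE_MANIFEST))
    print("preferences left to intent extras:", undefined_preferences(SAMPLE_CONFIG))
```

An app is exposed when the exported list is non-empty and the undefined list is non-empty; the fix is to pin every listed preference in config.xml or, better, upgrade the framework as the Solutions section advises.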

Proof-of-Concept

We’ve created a demo of a typical remote intent injection attack, which uses a previously disclosed vulnerability in the intent URL scheme on a vulnerable Android device: a Huawei T950E smartphone.

Here is the HTML code located on the remote server:

<html>
<body bgcolor=white text=red>
<font size=10>Your Cordova APP</font>
<br>
<font size=20>   is hacked!!</font>
<script>
setTimeout(function()
{location.href="intent:#Intent;S.loadingpagedialog=hacked,haha..blabla..please contact with www.trendmicro.com.cn or send to seven_shen@trendmicro.com.cn for solotion ;SEL;component=com.trendmicro.justademo/.MainActivity;end;"},5000);
</script>
</body>
</html>

Just by accessing the page in the device’s stock browser, the demo Cordova-based app installed on the device could be injected with an unwanted dialog carrying the pushed title and text. A video of how this works can be seen in the demo video here:

We can also modify other app preferences, and created demo videos for these cases:

  • Exploiting SplashScreen and SplashScreenDelay to inject splash screens into Cordova-based apps using any resource under “res/drawable”, and to keep them displayed for as long as wanted
  • Exploiting BackgroundColor to tamper with the Cordova-based app’s background color
  • Exploiting SetFullScreen to tamper with the Cordova-based app’s display setting
  • Exploiting DefaultVolumeStream to tamper with the basic behavior of the volume buttons (e.g., replacing the default control of the phone call volume with control of the media volume)

We also found that it is possible to remotely crash Cordova-based apps by injecting specially crafted data into the intent bundle, for example with the following command:

adb shell am start -n com.trendmicro.justademo/.MainActivity --es backgroundcolor ffffff

This attack causes an exception in the Cordova framework and forces the app to close.

Figure 4. The app crashing due to exploitation

Possible Impact

So far we’ve been able to identify the following possible impacts of this vulnerability on Cordova-based apps and their users:

  1. Tamper app appearance
  2. Inject popups and texts
  3. Inject splash screens
  4. Modify basic functionalities
  5. Crash the app

While this vulnerability affects apps directly, there is also a great risk of exploitation in the thousands of third-party Apache Cordova plugins, especially since their functionality is highly dependent on preferences.

Solutions

We privately disclosed this vulnerability to Apache, and they have released an official bulletin regarding it. We suggest Android app developers upgrade their Cordova framework to the latest version (version 4.0.2), rebuild their apps, and publish a new release. This will prevent apps from being modified by attackers targeting this vulnerability.
