Categories: Breaking NewsHackingMobileSecurity

Zero-Day in the Google Admin App can bypass Android sandbox

MWR Labs have disclosed information on an unpatched vulnerability that allows an attacker to easily bypass the Android sandbox.

Other problems for the popular Android OS, after the discovery of the Stagefright vulnerabilities and other security flaws recently revealed by security researchers, now experts at MWR Labs have disclosed information on an unpatched vulnerability that allows a hacker to bypass the Android sandbox.

The vulnerability affects the last version of the Android OS and likely affects earlier versions.

The flaw in Google is related the way that the Google Admin application on mobile devices handles some URLs. An attacker can use a mobile application on the mobile device to send the Admin application a specific kind of URL to bypass the Same Origin Policy and access data from the Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,” is the description provided in the advisory from MWR Labs.

The attackers can exploit the flaw by getting a malicious mobile app on the target device.

“A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox.” continues the advisory.

The cause of the vulnerability is that The Google Admin App has an exported activity that accepts an extra string called setup_url.

“The Google Admin application (com.google.android.apps.enterprise.cpanel), has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device creating a new intent with the data-uri set to http://localhost/foo and the setup_url string set to a file url that they can write to, such as file://data/data/com.themalicious.app/worldreadablefile.html,” MWR’s advisory says.

“The ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.”

Despite MWR Labs reported the flaw to Google in March, the vulnerability still affects the Android OS.

Waiting for a fix, MWR experts suggest users with the Google Admin app shouldn’t install any untrusted third party apps.

Pierluigi Paganini

(Security Affairs – Google Android, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.