Zero-Day in the Google Admin App can bypass Android sandbox

MWR Labs have disclosed information on an unpatched vulnerability that allows an attacker to easily bypass the Android sandbox.

Other problems for the popular Android OS, after the discovery of the Stagefright vulnerabilities and other security flaws recently revealed by security researchers, now experts at MWR Labs have disclosed information on an unpatched vulnerability that allows a hacker to bypass the Android sandbox.

The vulnerability affects the last version of the Android OS and likely affects earlier versions.

The flaw in Google is related the way that the Google Admin application on mobile devices handles some URLs. An attacker can use a mobile application on the mobile device to send the Admin application a specific kind of URL to bypass the Same Origin Policy and access data from the Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,” is the description provided in the advisory from MWR Labs.

The attackers can exploit the flaw by getting a malicious mobile app on the target device.

“A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox.” continues the advisory.

The cause of the vulnerability is that The Google Admin App has an exported activity that accepts an extra string called setup_url.

“The Google Admin application (com.google.android.apps.enterprise.cpanel), has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device creating a new intent with the data-uri set to http://localhost/foo and the setup_url string set to a file url that they can write to, such as file://data/data/com.themalicious.app/worldreadablefile.html,” MWR’s advisory says.

“The ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.”

Despite MWR Labs reported the flaw to Google in March, the vulnerability still affects the Android OS.

Waiting for a fix, MWR experts suggest users with the Google Admin app shouldn’t install any untrusted third party apps.

Pierluigi Paganini

(Security Affairs – Google Android, hacking)