We don’t talk about Android much here on the Bromium Labs Blog, but now and again we like to tinker. Recently my colleague Thomas Coudray and I have been looking at an Android remote code execution vulnerability to see how much of a problem it is in real-world usage.
While privilege-escalation techniques are common on Android (and form the basis for the widespread practice of ‘rooting’ a device), remote code execution is a rarer and much more dangerous class of vulnerability. It allows an attacker to run code of their choosing on a user’s device without their knowledge or permission. This bug was particularly interesting because it appeared to still be exploitable even on a fully-patched, latest-model Android device, a full 18 months after it was fixed. We wanted to see whether this was true and, if so, how much effort was required to exploit it. We found that it is an all-too-real possibility.
We took a two-pronged approach to investigating this bug. First, we wanted to try exploiting it in an environment similar to the public wifi you might find in a coffee shop, so we fired up a few Android devices and some cheap networking kit and started hacking. Second, we wanted to estimate how likely the average user would be to hit the worst-case combination of circumstances that would open the door to the coffee-shop apocalypse. For this we employed some static analysis techniques to see how many vulnerable apps and devices were out there.
Before we get into the details, some background on the bug: