Eight out of twelve apps vulnerable to new attack
This past Monday, at the GI Sicherheit 2016 security conference in Bonn, Germany, two researchers unveiled details about a new type of attack on Android devices called Surreptitious Sharing.
The problem is buried deep in the Android API. The two researchers, Dominik Schürmann and Lars Wolf, explain that the issue affects links shared inside apps, for which Android uses Uniform Resource Identifiers (URIs) that point to the data’s actual storage position on the device.
The two explain that the correct behavior would be to send the files as serialized content via the Intent API, rather than passing file scheme URIs.
They say that the easiest way to mitigate the issue is for apps to refuse certain MIME types when receiving shared data, and more precisely to reject file scheme URIs outright.
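The receiving-side check the researchers describe, written here as an added Java example for an Android app that handles ACTION_SEND (it is not code from the paper or from any of the apps named; the class and method names are mine): any EXTRA_STREAM URI whose scheme is not content:// is dropped before the app ever opens it.

```java
import android.content.Intent;
import android.net.Uri;
import android.os.Parcelable;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper for a share-target app (email, IM, ...). The app must not open
// whatever URI the sender hands it, because a file:// URI is opened with the
// receiver's own privileges and can therefore point at the receiver's private files
// (account database, message store) rather than at the sender's data.
public final class ShareUriFilter {

    // Only content:// URIs are accepted. Access to a content:// URI is mediated by
    // the sending app's ContentProvider and the URI permission it granted, so the
    // receiver cannot be tricked into reading its own private storage through it.
    static boolean isAcceptable(Uri uri) {
        return uri != null && "content".equalsIgnoreCase(uri.getScheme());
    }

    // Collects the EXTRA_STREAM URIs of an ACTION_SEND or ACTION_SEND_MULTIPLE intent
    // and returns only those that pass isAcceptable(); everything else is silently
    // dropped, so a rejected share simply attaches nothing.
    public static List<Uri> acceptedStreams(Intent intent) {
        List<Uri> accepted = new ArrayList<>();
        if (intent == null) {
            return accepted;
        }
        String action = intent.getAction();
        if (Intent.ACTION_SEND.equals(action)) {
            Uri uri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
            if (isAcceptable(uri)) {
                accepted.add(uri);
            }
        } else if (Intent.ACTION_SEND_MULTIPLE.equals(action)) {
            ArrayList<Parcelable> uris = intent.getParcelableArrayListExtra(Intent.EXTRA_STREAM);
            if (uris != null) {
                for (Parcelable p : uris) {
                    if (p instanceof Uri && isAcceptable((Uri) p)) {
                        accepted.add((Uri) p);
                    }
                }
            }
        }
        return accepted;
    }
}
```

In the compose activity, call acceptedStreams(getIntent()) and attach only the URIs it returns; a file:// URI such as one pointing at the app's own preferences or database directory never reaches the attachment code.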
The entire concept is a little hard to grasp without a deep knowledge of Android’s underbelly, but the two researchers provided two demos to showcase the attack’s capabilities.
Example one: Attackers can steal your IMAP passwords
In the first one, they’ve created a malicious app, which, after being installed on the user’s device, would show a fake crash page, with a button to send a bug report to the app’s creator.
This fake bug report button carried a file scheme URI pointing to the exact location on the device's storage where the email client stored the user's IMAP passwords.
When the user tapped the button, an email app opened and the user unknowingly sent their own IMAP passwords to the attacker. Nothing looked wrong to the user, who believed they had simply followed a link, unaware that the attacker had leveraged a flaw in the Android OS to hijack the link's real purpose.
The researchers said they had tested four email apps for this issue and found all four vulnerable. The apps were K-9 Mail, AOSP Mail, Gmail and WEB.DE.
Example two: Attackers can steal your private IM conversations
In their second attack, the researchers created another malicious app, which encouraged users to share an audio file via an IM app.
As before, the share link for the audio file was hijacked to point at the IM app's own conversation database file. Tapping to share the audio file would actually have sent the IM database to the attacker.
The researchers tested IM apps including Skype, Threema, Signal, Telegram, Snapchat, Hangouts, WhatsApp, and Facebook Messenger. They only managed to exploit Threema, Signal, Telegram, and Skype. Of these, only Skype remained unpatched at the time of the presentation.
For more in-depth technical details, the Surreptitious Sharing on Android research paper is available online for everyone to read.