- Content source
- http://www.net-security.org/secworld.php?id=18619
A flaw (CVE-2014-7952) in Android's backup/restore mechanism can be exploited by knowledgeable developers to "respawn" malicious apps on phones, and make them gain top-level access and potentially dangerous permissions that they didn't have before.
[...]
The backup mechanism works through the Android Debug Bridge utility, so users who employ it for creating and restoring backups are in danger.
The researchers have shared the bug with the Android security team in July 2014, but it has still not been fixed.
It will be, though, in time. A Google spokesperson told Eduard Kovacs that it's low on their list of priorities, and explained why: “This issue does not affect Android users during typical device operation, as it requires that the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application."
Nevertheless, the researchers have decided that sharing this information with the world is important to keep users safe, and so they did. More information and PoC code can be found [at source].
[...]
The backup mechanism works through the Android Debug Bridge utility, so users who employ it for creating and restoring backups are in danger.
The researchers have shared the bug with the Android security team in July 2014, but it has still not been fixed.
It will be, though, in time. A Google spokesperson told Eduard Kovacs that it's low on their list of priorities, and explained why: “This issue does not affect Android users during typical device operation, as it requires that the use of a developer-only capability that is not enabled by default and is not frequently used. Exploitation also requires that users install a potentially harmful application."
Nevertheless, the researchers have decided that sharing this information with the world is important to keep users safe, and so they did. More information and PoC code can be found [at source].
