Install updates if you want to keep your system healthy
And here’s one more news post about updating Dr.Web products: this time about the changes made to Dr.Web Security Space for Android for inclusion in version 12.3.2. This version also incorporates counteractive measures for the Janus vulnerability (CVE-2017-13156), but we’re not going to talk about that right now.
- The ability to detect the EvilParcel vulnerability has been added
You may recall that the Janus vulnerability (this topic was discussed in the issue "The modest news post") allowed attackers to modify a signed file because the signature check covered only part of the file. Of course, cybercriminals began exploiting this vulnerability, but it was the CVE-2017-13315 vulnerability (from the EvilParcel vulnerability group) that allowed infected apps to be installed without user confirmation.
Android.Janus under the Dr.Web classification system.
EvilParcel is a group of similar vulnerabilities that enable information to be modified during application-OS data exchanges. If an attacker crafts the transmitted data array in a specific way, the values read back will differ from the values originally written.
- CVE-2017-0806 (error in the GateKeeperResponse class), published in October 2017;
- CVE-2017-13286 (error in the OutputConfiguration class), published in April 2018;
- CVE-2017-13287 (error in the VerifyCredentialResponse class), published in April 2018;
- CVE-2017-13288 (error in the PeriodicAdvertisingReport class), published in April 2018;
- CVE-2017-13289 (error in the ParcelableRttResults class), published in April 2018;
- CVE-2017-13311 (error in the SparseMappingTable class), published in May 2018;
- CVE-2017-13315 (error in the DcParamObject class), published in May 2018.
How it all works.
Applications can exchange data. When that data includes images, structures, code and so on (in other words, structured objects), it is transmitted between applications as a sequence of bytes. Accordingly, prior to transmission, one application converts (serialises) the data into a set of bytes, and when another application receives the set, it restores the required structure from the byte stream (deserialises it).
And, of course, the data cannot easily be restored: a certain key that tells the receiving application what to do with the byte stream is needed. In this case, the key is a string, and it can have almost any value. It could even be a Parcelable object (but that’s not important for this discussion). EvilParcel vulnerabilities are caused by errors in the way these objects are created and written: the methods that write an object and read it back handle a different number of bytes. This allows the object to be changed after re-serialisation.
This lets cybercriminals hide their activity from OS security mechanisms. And trojans will be able to perform malicious actions without user permission.
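The read/write mismatch described above can be modelled and tested for. The following is an added example, not code from Dr.Web or Android: `Buf`, `Balanced` and `Mismatched` are constructed stand-ins for a byte stream and two serialisable classes, and `is_symmetric` is a round-trip check of the kind a developer can run against their own serialisable classes.

```python
import struct

class Buf:
    """Stand-in for a serialised byte stream with a read cursor (not Android's Parcel)."""
    def __init__(self, data=b""):
        self.data, self.pos = bytearray(data), 0

    def write(self, fmt, value):
        self.data += struct.pack(fmt, value)

    def read(self, fmt):
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value

class Balanced:
    """Constructed class: writes 8 bytes and reads 8 bytes."""
    def __init__(self, v): self.v = v
    def write_to(self, buf): buf.write("<q", self.v)
    @classmethod
    def read_from(cls, buf): return cls(buf.read("<q"))

class Mismatched:
    """Constructed flawed class: writes 4 bytes but reads 8."""
    def __init__(self, v): self.v = v
    def write_to(self, buf): buf.write("<i", self.v)
    @classmethod
    def read_from(cls, buf): return cls(buf.read("<q"))

def neighbour_after_read(obj, neighbour):
    """Serialise obj followed by an int, read both back, return the int the receiver sees."""
    out = Buf()
    obj.write_to(out)
    out.write("<i", neighbour)
    out.write("<q", 0)                 # trailing padding so an over-read stays in bounds
    inp = Buf(out.data)
    type(obj).read_from(inp)
    return inp.read("<i")

def is_symmetric(obj):
    """Defensive check: reading must consume exactly the bytes that writing produced."""
    out = Buf()
    obj.write_to(out)
    written = len(out.data)
    out.write("<q", 0)                 # padding, as above
    inp = Buf(out.data)
    type(obj).read_from(inp)
    return inp.pos == written

if __name__ == "__main__":
    for cls in (Balanced, Mismatched):
        print(cls.__name__, is_symmetric(cls(7)), neighbour_after_read(cls(7), 1234))
```

With the mismatched class, the value that follows the object in the stream is read back as something other than what was written, which is the effect the EvilParcel description refers to.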
Dr.Web successfully detects malicious programs that exploit these vulnerabilities.
But it's better to be safe than sorry.
EvilParcel vulnerabilities are a threat to devices running Android 5.0–8.1 that have not had the updates from May 2018 onwards applied.
If Dr.Web for Android detects one or more EvilParcel vulnerabilities on your device, we recommend that you contact the hardware manufacturer to obtain the operating system updates you need.