When we think of Android vulnerabilities we typically picture a zero-day vulnerability that exploits some process to escalate privileges. This can be anything from tricking your smartphone or tablet into connecting to a malicious WiFi network to allowing code to be executed on a device from a remote location. However, there’s a new type of Android vulnerability that has recently been discovered. It’s being called ParseDroid and it exploits developer tools including Android Studio, IntelliJ IDEA, Eclipse, APKTool, the Cuckoo-Droid service and more.
ParseDroid isn’t isolated to just Android’s developer tools, though; these vulnerabilities have been found in multiple Java/Android tools that programmers are using these days. It doesn’t matter if you’re using a downloadable developer tool or one that works in the cloud: Check Point Research has found these vulnerabilities in the most common Android and Java development tools. Once a vulnerability is exploited, an attacker is able to access internal files of the developer’s work machine.
Check Point Research first did some digging into the most popular tool for reverse engineering third party Android apps (APKTool) and found that both its decompiling and building APK features are vulnerable to the attack. After looking at the source code, researchers managed to identify an XML External Entity (XXE) vulnerability, which is possible because the XML parser as configured in APKTool does not disable external entity references when parsing an XML file.
Once exploited, the vulnerability exposes the whole OS file system of APKTool users. In turn, this potentially allows the attacker to retrieve any file on the victim’s PC by using a malicious “AndroidManifest.xml” file that exploits an XXE vulnerability. Once that vulnerability was discovered, the researchers then looked at popular Android IDEs and found out that by simply loading the malicious “AndroidManifest.xml” file as part of any Android project, the IDEs start spitting out any file configured by the attacker.
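
The root cause described above is a parser configuration issue, so the mitigation is a parser configuration too. The following is an added example, not APKTool's, the IDEs' or Check Point's code: it shows a Java `DocumentBuilderFactory` with DOCTYPE declarations and external entities switched off, run against a constructed manifest. The class name, the sample document and its placeholder path are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class ManifestParserHardening {

    // Constructed sample: a manifest that declares an external entity.
    // The path is a placeholder, not a real file.
    static final String SAMPLE =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<!DOCTYPE manifest [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<manifest package=\"com.example.constructed\">&ext;</manifest>";

    // A factory from newInstance() alone resolves external entities on the
    // JDK's default parser; the settings below turn that behaviour off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes the entity mechanism entirely.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE must be permitted later.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed: " + d.getDocumentElement().getTagName());
        } catch (SAXException e) {
            // The hardened parser refuses the DOCTYPE before resolving any entity.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A legitimate AndroidManifest.xml has no need for a DOCTYPE, so rejecting the declaration outright costs nothing for this file type.
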
Check Point Research also demonstrated an attack scenario potentially affecting a large number of Android developers. It works by injecting a malicious AAR (Android Archive Library) containing an XXE payload into online repositories. If a victim clones the repository, the attacker would then have access to potentially sensitive company property from the victim’s OS file system.
Finally, the authors described a method through which they can execute remote code on a victim’s machine. This is done by exploiting a configuration file in APKTool called “APKTOOL.YAML.” This file has a section called “unknownFiles” where users can specify file locations that will be placed during the rebuilding of an APK. These files are stored on the victim’s machine in an “Unknown” folder. By editing the path where these files are saved, an attacker can inject any file they want on the victim’s file system since APKTool did not validate the path where unknown files are extracted from an APK.
The files that the attacker injects lead to full Remote Code Execution on the victim’s machine, meaning that an attacker can exploit any victim with APKTool installed by crafting a maliciously made APK and having the victim attempt to decode and then rebuild it.
Since all of the IDEs and tools mentioned above are cross-platform and generic, the potential for exploiting these vulnerabilities is high. Thankfully, after reaching out to the developers of each of these IDEs and tools, Check Point Research has confirmed that these tools are no longer vulnerable to this kind of attack. If you are running an older version of one of these tools, we recommend you update immediately to secure yourself against a ParseDroid-style attack.