
VU#787952: Android and iOS apps contain multiple vulnerabilities

Many Android mobile devices come with OEM pre-installed apps. Some of these apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit them and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.

Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings via OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).

Kryptowire, in collaboration with DHS S&T and the NCCIC, previously discovered and reported the following vulnerabilities.

CWE-295: Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Vulnerable app:

- (CVE-2017-13105) Virus Cleaner (Hi Security) - Antivirus, Booster, 3.7.1.1329

CWE-798: Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Vulnerable apps:

- (CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS
- (CVE-2017-13101) musical.ly – your video social network, 6.1.6, 2017-10-03, iOS
- (CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS
- (CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
- (CVE-2017-13105) Virus Cleaner (Hi Security) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
- (CVE-2017-13106) CM Launcher 3D – Theme, wallpaper, Secure, Efficient, 5.0.3, 2017-09-19, Android
- (CVE-2017-13107) Live.me – live stream video chat, 3.7.20, 2017-11-06, Android
- (CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android

**REJECT** DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103). This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.

The CVSS score below reflects a worst-case scenario of code execution as a system user; however, many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.
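Both weakness classes described above (CWE-295 and CWE-798) leave recognisable patterns in decompiled Android source, which lets a reviewer triage an app before manual analysis. The following is an added example, not code from the advisory or from Kryptowire; the regex rules, the `scan` function and the sample fragment are assumptions constructed for illustration.

```python
import re

# Heuristic regexes over decompiled Java source. The rule set is this example's
# assumption; labels are the two CWE classes described in the advisory.
RULES = [
    ("CWE-295", "checkServerTrusted has an empty body",
     re.compile(r'checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}')),
    ("CWE-295", "HostnameVerifier.verify always returns true",
     re.compile(r'boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}')),
    ("CWE-798", "SecretKeySpec built from a string literal",
     re.compile(r'new\s+SecretKeySpec\s*\(\s*"[^"]*"')),
]
CONST = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"[^"]+"')

# Constructed fragment, not taken from any app listed in the advisory.
SAMPLE = """\
class Net {
  private static final String KEY = "0123456789abcdef";
  SecretKeySpec spec = new SecretKeySpec(KEY.getBytes(), "AES");
  X509TrustManager tm = new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] c, String a) { }
  };
  HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
  };
}
"""


def scan(source):
    """Return sorted (line, cwe, message) findings for one source file."""
    line_of = lambda pos: source.count("\n", 0, pos) + 1
    findings = [(line_of(m.start()), cwe, msg)
                for cwe, msg, pat in RULES for m in pat.finditer(source)]
    # A String constant later passed to SecretKeySpec is also a hard-coded key.
    for c in CONST.finditer(source):
        name = re.escape(c.group(1))
        if re.search(r'new\s+SecretKeySpec\s*\(\s*' + name + r'\b', source):
            findings.append((line_of(c.start()), "CWE-798",
                             "constant %s used as key material" % c.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for line, cwe, msg in scan(SAMPLE):
        print("line %d: %s: %s" % (line, cwe, msg))
```

Pattern matching of this kind is a triage aid only: each hit needs to be confirmed by reading the surrounding code, and obfuscated or native-code key handling will not be caught.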
