SIK-2016-002

Title:

Remote Control of AndroHelm Antivirus App

Report ID

SIK-2016-002

Summary:

Vendor: AndroHelm Antivirus
Product: Virenschutz für Android App (https://play.google.com/store/apps/details?id=com.androhelm.antivirus.free2)
Affected Version: 1.6, Platform Build Version Name 5.0.1-1624448
Severity: High
Short summary:
The application “AndroHelm Antivirus” by AndroHelm Antivirus contains different implementation flaws, which allows a remote activation of the anti-theft feature (e.g., remote wipe) without any authentication.

Details:

The code part (SMSMonitor class) contains a logic flaw: if the application does not define a friend’s phone number, an attacker can use
prepared SMS messages to activate the features. In general, the message for receiving anti-theft SMS looks like this:

SMS_PASSWORD wipe or
SMS_PASSWORD lock PIN_PASSWORD

In the source-code the message of the SMS will be parsed with the split-function given a space symbol (split(“ „)). The password will be checked against an empty string (since anti-theft is disabled); so we need to get an empty string as a password. This can be done by starting the SMS with a space like this:[SPACE]wipe[SPACE]someString
If an attacker sends an SMS with an empty number field and the content [space]command[space]someString the command will be executed. For wiping and locking, the administration option must be set, otherwise the app crashes.

Workaround

The user can protect himself if he defines friend’s entries and a password for the antitheft features.

Suggested Mitigation

Verify the intent value against null in the onReceive(Context, Intent) method in Broadcast receivers. The SMS logic must also consider SMS messages, which contain empty or String values as senders.

Timeline

2015-10-15 Vulnerability Discovered
2015-10-26 Vulnerability Reported (1. Try, no reaction)
2015-10-30 Vulnerability Reported (2. Try, no reaction)
2015-11-05 Vulnerability Reported (3. Try, no reaction)
2016-08-07 Fully disclosed