SIK-2016-002
Title:
Remote Control of AndroHelm Antivirus App
Report ID
SIK-2016-002
Summary:
- Vendor: AndroHelm Antivirus
- Product: Virenschutz für Android App (https://play.google.com/store/apps/details?id=com.androhelm.antivirus.free2)
- Affected Version: 1.6, Platform Build Version Name 5.0.1-1624448
- Severity: High
- Short summary:
The application “AndroHelm Antivirus” by AndroHelm Antivirus contains different implementation flaws, which allows a remote activation of the anti-theft feature (e.g., remote wipe) without any authentication.
Details:
The code part (SMSMonitor class) contains a logic flaw: if the application does not define a friend’s phone number, an attacker can use
prepared SMS messages to activate the features. In general, the message for receiving anti-theft SMS looks like this:
- SMS_PASSWORD wipe or
- SMS_PASSWORD lock PIN_PASSWORD
In the source-code the message of the SMS will be parsed with the split-function given a space symbol (split(“ „)). The password will be checked against an empty string (since anti-theft is disabled); so we need to get an empty string as a password. This can be done by starting the SMS with a space like this:[SPACE]wipe[SPACE]someString
If an attacker sends an SMS with an empty number field and the content [space]command[space]someString
the command will be executed. For wiping and locking, the administration option must be set, otherwise the app crashes.
Workaround
The user can protect himself if he defines friend’s entries and a password for the antitheft features.
Suggested Mitigation
Verify the intent value against null in the onReceive(Context, Intent) method in Broadcast receivers. The SMS logic must also consider SMS messages, which contain empty or String values as senders.
Timeline
- 2015-10-15 Vulnerability Discovered
- 2015-10-26 Vulnerability Reported (1. Try, no reaction)
- 2015-10-30 Vulnerability Reported (2. Try, no reaction)
- 2015-11-05 Vulnerability Reported (3. Try, no reaction)
- 2016-08-07 Fully disclosed