SIK-2016-003


Title:

Premium Feature Upgrade for Free in AndroHelm Antivirus App

Report ID

SIK-2016-003

Summary:

  • Vendor: AndroHelm Antivirus
  • Product: Virenschutz für Android App (https://play.google.com/store/apps/details?id=com.androhelm.antivirus.free2)
  • Affected Version: 1.6, Platform Build Version Name 5.0.1-1624448
  • Severity: no (affects the vendor’s business)
  • Short summary:
    Fhe payment verification can be abused to enable the PRO features of the application without paying the requested fee.

Details:

The app stores payment informaiton within the SharedPreferences. It is possible to activate the PRO features within the application without any valid payment. The PRO feature verification is only performed on client side. An attacker just has to set the value=”true” for the “isPro” field in
com.androhelm.antivirus.free.preferences.xml file to activate all premium features. The modification of the SharedPreferences file can be done by a user without root privilege. The attacker can extract the file with the adb backup feature and modify the com.androhelm.antivirus.free.preferences.xml file by inserting the following entry:

<boolean name="isPro" value="true" />

After that, the modified file can be restored to the device and the app is running as a full premium version.

Workaround

Suggested Mitigation

The premium feature unlocking should be verified on server side.

Timeline

  • 2015-10-15 Vulnerability Discovered
  • 2015-10-26 Vulnerability Reported (1. Try, no reaction)
  • 2015-10-30 Vulnerability Reported (2. Try, no reaction)
  • 2015-11-05 Vulnerability Reported (3. Try, no reaction)
  • 2016-08-07 Fully disclosed