SIK-2016-004


Title:

Virus Definition File Downgrade of AVIRA App

Report ID

SIK-2016-004

Summary:

  • Vendor: Avira
  • Product: Avira Antivirus Security for Android (https://play.google.com/store/apps/details?id=com.avira.android)
  • Affected Version: 4.2, Platform Build version 5.0.1-1624448
  • Severity: medium
  • Short summary:
    Update traffic, both at install time and when requested by the user, is carried over an unprotected and unauthenticated HTTP connection. A man-in-the-middle attacker controlling a Wi-Fi access point can modify the requests and responses or redirect the traffic to another server that provides manipulated virus definition files.

Details:

A man-in-the-middle attacker can replace the original antivirus definition file with an empty virus definition file by modifying the axvdf-common-int.info file. If the module tag entry carrying the file information (md5sum, zip md5sum, file size, etc.) is changed to reference, for instance, an empty .vdf file, the updater downloads the provided empty files. The updater currently only considers the MD5 values of the files, which does not provide reliable integrity protection; the integrity check therefore detects neither the modified files nor additional new entries. The additional files are downloaded from the redirected server into the temp folder and afterwards written to the /data/data/com.avira.android/bin/antivirus folder. Neither the scan engine nor the user interface shows any error message to the user.

Workaround

Avoid public or unknown Wi-Fi hotspots (access points), or use them only through a trusted VPN connection.

Suggested Mitigation

A vendor fix can take different approaches: (1) transfer the file(s) over a protected SSL/TLS (HTTPS) connection and/or (2) establish a proper signature process for both the configuration files and the downloaded files, so that any modification of the files is detected and rejected.
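As an added illustration of approach (2), not code from the advisory or from the vendor: a Go sketch of an updater that verifies an Ed25519 signature over the definition manifest with a pinned publisher key before trusting any digest in it, then checks each file's SHA-256 and size. The "name sha256 size" manifest format, the key pair and the sample definition data are constructed for this example; the real axvdf-common-int.info layout is not described in the advisory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// fileDigest returns the hex SHA-256 of a file body; the advisory notes that MD5 alone is unreliable here.
func fileDigest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// VerifyUpdate accepts an update only if the manifest is signed by the pinned publisher key and
// every listed file matches its digest and size. The "name sha256 size" line format is hypothetical.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	for _, line := range strings.Split(strings.TrimSpace(string(manifest)), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return errors.New("malformed manifest line: " + line)
		}
		data, ok := files[f[0]]
		if !ok || fileDigest(data) != f[1] || fmt.Sprint(len(data)) != f[2] {
			return errors.New("missing file or digest/size mismatch: " + f[0])
		}
	}
	return nil
}

// Scenario signs a constructed manifest with a fresh key, then replays the advisory's attack:
// a rewritten manifest for an empty .vdf whose digest and size are self-consistent.
func Scenario() (genuineOK, tamperedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	good := []byte("constructed virus definition data")
	manifest := []byte(fmt.Sprintf("sample.vdf %s %d\n", fileDigest(good), len(good)))
	sig := ed25519.Sign(priv, manifest)
	genuineOK = VerifyUpdate(pub, manifest, sig, map[string][]byte{"sample.vdf": good}) == nil
	forged := []byte(fmt.Sprintf("sample.vdf %s 0\n", fileDigest(nil)))
	tamperedOK = VerifyUpdate(pub, forged, sig, map[string][]byte{"sample.vdf": {}}) == nil
	return
}

func main() {
	g, t := Scenario()
	fmt.Println("genuine accepted:", g, "tampered accepted:", t) // true false
}
```

The forged manifest is internally consistent (digest and size match the empty file), which is exactly what an MD5-only check accepts; it is rejected here because the signature over the manifest no longer verifies.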

Timeline

  • 2015-10-10 Vulnerability Discovered
  • 2015-10-22 Vulnerability Reported
  • 2015-11-03 Vulnerability Fixed