search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Android and iOS apps contain multiple vulnerabilities

Vulnerability Note VU#787952

Original Release Date: 2018-08-14 | Last Revised: 2018-09-14

Overview

Android apps, including those pre-installed on some mobile devices, contain multiple vulnerabilities. All of these vulnerabilities were reported by Kryptowire. Vulnerabilities in pre-installed apps were presented at DEF CON 26 and a set of different vulnerabilities were previously coordinated by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and National Cybersecurity and Communications Integration Center (NCCIC).

Description

Many Android mobile devices come with OEM-pre-installed apps. Some apps have been identified as having incorrect access control settings, allowing malicious third-party apps to exploit and bypass system permissions and settings. Additionally, some Android and iOS apps embed a hard-coded cryptographic key or use a weak cryptographic algorithm that allows an attacker to obtain elevated access.

Kryptowire has released a paper documenting 38 vulnerabilities in various Android smartphone devices. These vulnerabilities are largely attributed to incorrect user permissions and access control settings via pre OEM pre-installed apps, and may be exploitable via malicious third-party apps installed by the user. Two of the vulnerabilities are exploitable via the Android debug bridge (adb).

Kryptowire, in collaboration with DHS S&T and the NCCIC, previously discovered and reported the following vulnerabilities.

CWE-295: Improper Certificate Validation
The software does not validate, or incorrectly validates, a certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.

Vulnerable app:
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329


CWE-798: Use of Hard-coded Credentials
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Vulnerable apps:
(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS
(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS
(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS
(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS
(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android
(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android
(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android
(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER (CVE-2017-13103) This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.

The CVSS score below reflects a worst-case scenario of code execution as a system user, however many devices and vulnerabilities have significantly lower impacts and therefore lower CVSS scores.

Impact

The impacts are wide-ranging depending on the device, however a remote unauthenticated attacker may be able to at worst execute commands as a system user if a victim can be enticed to install a malicious app capable of exploiting the vulnerability. Affected users are encouraged to review the specific impacts in the paper from Kryptowire.

Solution

Apply an update

If available, update your device's system version of Android and apply any available Google Play / Apple Store updates to installed apps.

Use caution installing third-party apps

Apps should be installed only from official sources. Users should consider if any given third-party app is necessary to the usage of the device and take appropriate action.

Vendor Information

787952
Expand all

Gameloft

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13102) Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hi Security Lab

Notified:  December 22, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13105) Virus Cleaner ( Hi Security ) - Antivirus, Booster, 3.7.1.1329, 2017-09-13, Android

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Live Me

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13107) Live.me - live stream video chat, 3.7.20, 2017-11-06, Android,

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Tik Tok

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13101) musical.ly - your video social network, 6.1.6, 2017-10-03, iOS,

If you have feedback, comments, or additional information about this vulnerability, please send us email.

UberEats

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13104) UberEATS: Uber for Food Delivery, 1.108.10001, 2017-11-02, iOS,

If you have feedback, comments, or additional information about this vulnerability, please send us email.

cheetah mobile

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13106) CM Launcher 3D - Theme,wallpaper,Secure,Efficient, 5.0.3, 2017-09-19, Android,

If you have feedback, comments, or additional information about this vulnerability, please send us email.

distinctdev

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13100) The Moron Test, 6.3.1, 2017-05-04, iOS.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

psafe

Notified:  November 07, 2017 Updated:  August 14, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

(CVE-2017-13108) DFNDR Security: Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-01, Android,.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pinterest

Notified:  November 07, 2017 Updated:  August 31, 2018

Statement Date:   August 31, 2018

Status

  Not Affected

Vendor Statement

Pinterest was not affected by the vulnerability. Pinterest uses an encryption key for the sole purpose of hindering the reverse engineering of our app. This safety practice is an industry standard that has been used for decades, and it helps Pinterest keep our app safe for our users.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

** DISPUTED ** (CVE-2017-13103) Pinterest, 6.37, 2017-10-24, iOS.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 7.6 AV:N/AC:H/Au:N/C:C/I:C/A:C
Temporal 6 E:POC/RL:OF/RC:C
Environmental 6.0 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Brian Schulte at Kryptowire for reporting this vulnerability.

This document was written by Laurie Tyzenhaus and Garret Wassermann.

Other Information

CVE IDs: CVE-2017-13100, CVE-2017-13101, CVE-2017-13102, CVE-2017-13104, CVE-2017-13105, CVE-2017-13106, CVE-2017-13107, CVE-2017-13108, CVE-2017-13103
Date Public: 2018-08-10
Date First Published: 2018-08-14
Date Last Updated: 2018-09-14 19:19 UTC
Document Revision: 65

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.