Detecting Remote Code Execution Vulnerabilities in Android Apps

Daoyuan Wu and Rocky K. C. Chang
Department of Computing, The Hong Kong Polytechnic University
This website was created on Apr 18, 2014

This is a sub-project website of our main FileCross project. We extend the basic system (for analyzing FileCross issues) to detect remote code execution vulnerabilities in Android apps.

RCE (Remote Code Execution) via addJavascriptInterface

The RCE vulnerability is caused by insecure use of the addJavascriptInterface API in WebView. More details on this issue are available in droidsec's blog post. Here we just describe a typical exploit example and several potential consequences.

An exploit example that executes remote commands via a (crafted) web page (XXX is the JS object mapped from Java code):
<script>
function execute(cmdArgs)
{
return XXX.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec(cmdArgs);
}
...
</script>

The potential consequences:
  • remotely steal users' photos or any other files on SD card;
  • remotely execute commands;
  • remotely download a malicious app into users' phones;
  • remotely steal users' contacts if the victim app has this permission;
  • ...

Vulnerable Apps

We have automatically detected the following vulnerable apps (marked by the red 'Y') by testing our dataset of 115 browser apps collected from Google Play on January 21, 2014. Note that we have emailed all the corresponding developers, although most of them did not give us any feedback. Since we feel the RCE issue is quite serious, we hope our disclosure here can motivate developers to fix this problem.
  • "< 4.2": If a browser is marked 'Y' here, it is vulnerable under Android versions prior to 4.2.
  • "All": If a browser is marked 'Y' here, it is vulnerable under all Android versions (even the latest 4.4).

| Package | RCE (< 4.2 / All) | Exploitable JS Objects |
|---|---|---|
| acr.browser.barebones | n / n | |
| AlexBrowserPro.namespace | n / n | |
| com.adrenalinebrowser.browser | Y / Y | _dopamineExec _cordovaExec backgroundExec webPush adrenaline |
| com.android.chrome | n / n | |
| com.app.downloadmanager | Y / n | DPB |
| com.apps4mm.browserformm | n / n | |
| com.appsverse.photon | n / n | |
| com.baidu.browserhd.inter | n / n | |
| com.baidu.browser.inter | n / n | |
| com.boatbrowser.free | n / n | |
| com.boatbrowser.tablet | n / n | |
| com.boatgo.browser | n / n | |
| com.cloudmosa.puffinFree | n | |
| com.compal.android.browser | n / n | |
| com.digitalportal.floatingwebbrowser | n / n | |
| com.exsoul | Y / Y | android |
| com.fillforce.mybrowser | n / n | |
| com.gm.pb | n / n | |
| com.ilegendsoft.mercury | n | |
| com.internet.browser.innovative | n / n | |
| com.jiubang.browser | n / n | |
| com.jmpxtreme.browserfree | n / n | |
| com.kroniapp.browse | n / n | |
| com.light.browser | n / n | |
| com.MoNTE.Lime | n / n | |
| com.mx.browser | Y / Y | mmbrowser nextpage guest readdetect |
| com.mx.browser.appendix | Y / Y | mmbrowser nextpage guest readdetect |
| com.mx.browser.free.mx100000004981 | Y / Y | showsource mmbrowser guest readdetect nextpage |
| com.mx.browser.tablet | Y / Y | mmbrowser nextpage guest readdetect |
| com.ninesky.browser | n / n | |
| com.oryon.browser | n / n | |
| com.soshall.apps.browser | n / n | |
| com.sth | n / n | |
| com.tencent.ibibo.mtt | n | |
| com.threemdev.popupbrowser | n | |
| com.vng.android.zingbrowser | n / n | |
| com.wACBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.websearch.browser | Y / n | androidJsInterface |
| com.wSpeedUpInternet | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.wSuperFast3GBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.wSuperFastInternetBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.wUltrasurfWebBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.wUSBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.ww2G3G4GFastInternetBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.ww2GFastBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.ww3GInternetBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.ww4GSpeedUpInternetBrowser | Y / Y | OmeglePlugin AppsgeyserJSInterface AudioPlayer |
| com.yandex.browser | n | |
| droidmate.browser | n / n | |
| easy.browser.classic | Y / Y | JSinterface |
| galaxy.browser.gb.free | n / n | |
| gpc.myweb.hinet.net.PopupWeb | Y / n | HtmlViewer |
| harley.browsers | Y / Y | JSinterface |
| iron.web.jalepano.browser | Y / n | HTMLOUT |
| jp.co.lunascape.android.ilunascape | n / n | |
| jp.ddo.pigsty.Habit_Browser | Y / n | HBJSProxy |
| jp.ddo.pigsty.HabitBrowser | n / n | |
| jp.jig.product.browser_plus | n / n | |
| mobi.browser.flashfox | n | |
| mobicow.browser.barebones | n / n | |
| movilsland.inav | n / n | |
| net.adgjm.angel | Y | android |
| net.virifi.android.quickbrowser | n | |
| nu.tommie.inbrowser | n / n | |
| org.easyweb.browser | n / n | |
| org.espier.browser | Y / Y | WebApp |
| org.firstmm.browser | n / n | |
| org.mozilla.firefox | n | |
| sairam.simplebrowser | n / n | |
| steffen.basicbrowserfree | n / n | |

If you are a developer of a vulnerable browser, please send your patch to us for checking via the Contact page. After receiving and testing your patch, we will list the patch result.
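
For developers checking their own app, the following is an added example (not the authors' detection system, which this page does not describe) that statically triages a decoded AndroidManifest.xml and Java source for the two exposure cases in the table above. It assumes the documented platform behaviour that apps targeting API 17 (Android 4.2) or later expose only @JavascriptInterface-annotated methods on Android 4.2+ devices; the function names, sample manifest and sample source line are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Captures the JS object name in addJavascriptInterface(<expr>, "name").
# Names passed as constants or variables are not resolved (limitation).
BRIDGE_CALL = re.compile(r'\.addJavascriptInterface\s*\(\s*[^;]*?,\s*"([^"]+)"\s*\)')

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion) from a decoded manifest."""
    uses_sdk = ET.fromstring(manifest_xml).find("uses-sdk")
    if uses_sdk is None:
        return 1, 1  # Android's defaults when <uses-sdk> is absent
    min_sdk = int(uses_sdk.get(ANDROID_NS + "minSdkVersion", "1"))
    # targetSdkVersion defaults to minSdkVersion when it is not set
    target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion", str(min_sdk)))
    return min_sdk, target

def triage(manifest_xml, java_sources):
    """Classify how far injected Java objects are reachable from page script."""
    names = sorted({n for src in java_sources for n in BRIDGE_CALL.findall(src)})
    min_sdk, target = sdk_levels(manifest_xml)
    if not names:
        exposure = "none"            # no bridge object registered
    elif target < 17:
        exposure = "all"             # legacy behaviour on every Android version
    elif min_sdk < 17:
        exposure = "pre-4.2"         # only on devices below API 17
    else:
        exposure = "annotated-only"  # only @JavascriptInterface methods callable
    return {"js_objects": names, "exposure": exposure}

# Constructed sample input (not taken from any app listed on this page).
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.example.browser">'
    '<uses-sdk android:minSdkVersion="{lo}" android:targetSdkVersion="{tgt}"/>'
    '</manifest>'
)
SAMPLE_SOURCE = 'webView.addJavascriptInterface(new Bridge(this), "XXX");'

if __name__ == "__main__":
    for lo, tgt in [(8, 10), (8, 17), (17, 19)]:
        print(lo, tgt, triage(SAMPLE_MANIFEST.format(lo=lo, tgt=tgt), [SAMPLE_SOURCE]))
```

An "all" or "pre-4.2" result means the fix is to raise targetSdkVersion to 17 or higher, annotate only the methods that page script needs, and avoid registering the bridge for untrusted content on older devices.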