The vulnerable Apps were identified by the following steps:
First, we crawled the candidate APKs from AndroZoo. The crawl list covers the top 20 Apps in every ranking category for every country in Google Store, as well as F-Droid;
Then, we located the APKs that contain the code of the vulnerable attack surfaces. This is done by decompiling the crawled APKs with Apktool and matching the package paths of the attack surfaces against the resulting bytecode. Note that this is only a presence check: a bundled copy of the library does not by itself prove that the App calls the vulnerable APIs, which is why the next step is needed;
Next, we refined the APK list by filtering out the APKs whose code is not affected by the bugs. This is done with our dynamic validation tool, itself an APK that contains variants of our generated fuzz drivers. It loads the candidate APK and uses reflection to call the APIs of the vulnerable attack surfaces, testing whether the copy bundled in that APK is affected by the bugs;
Lastly, we manually checked whether these APKs are still vulnerable through their UI. An initial pass identified seven vulnerable Apps (two of them with a 10,000,000+ download count in Google Store).
So far, we have identified 11 exploitable Android Apps. Four of them have more than ten million downloads. To avoid unnecessary impact on these Apps (most of them are commercial), we describe them anonymously.
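The static filter of step 2, as an added example that is not code from the original project: it walks an Apktool output directory, checks for the attack-surface class files (the page's package-path match), and then tightens the check by scanning smali `invoke-*` instructions for calls into those classes from the App's own code. A library that is bundled but never invoked (a dead dependency) passes the package-path match and would only be rejected later by the reflection-based step 3; the call-site scan moves part of that filtering earlier. The attack-surface package names, the App class names and the smali tree are all constructed placeholders, not the real libraries or Apps the page refers to.

```python
"""Static pre-filter (step 2): find Apktool outputs that bundle, and actually
call into, the package paths of the vulnerable attack surfaces.
Added example; the package names below are hypothetical placeholders."""
import os
import re
import tempfile

# Hypothetical attack-surface APIs: fully-qualified class -> method names.
# Placeholders standing in for whatever library APIs the fuzz drivers target.
ATTACK_SURFACES = {
    "com/example/pdflib/PdfParser": {"parse", "merge"},
    "com/example/archive/RarExtractor": {"extract"},
}

# smali call instruction: invoke-<kind>[/range] {regs}, Lpkg/Class;->method(args)ret
INVOKE_RE = re.compile(
    r"^\s*invoke-\w+(?:/range)?\s+\{[^}]*\},\s+L([\w/$]+);->(\w+)\(")


def smali_dirs(apktool_out):
    """Apktool emits one smali*/ directory per dex (smali, smali_classes2, ...)."""
    for name in sorted(os.listdir(apktool_out)):
        if name.startswith("smali"):
            yield os.path.join(apktool_out, name)


def library_present(apktool_out):
    """The page's step-2 check: is the attack-surface class file in the bytecode?"""
    found = set()
    for d in smali_dirs(apktool_out):
        for cls in ATTACK_SURFACES:
            if os.path.isfile(os.path.join(d, cls + ".smali")):
                found.add(cls)
    return found


def call_sites(apktool_out):
    """Tighter check: which App classes invoke the attack-surface methods?
    Returns {(caller_class, callee_class, method)}, excluding the library's own
    package so that internal calls inside the library do not count."""
    lib_packages = tuple(cls.rsplit("/", 1)[0] + "/" for cls in ATTACK_SURFACES)
    sites = set()
    for d in smali_dirs(apktool_out):
        for root, _, files in os.walk(d):
            for f in files:
                if not f.endswith(".smali"):
                    continue
                path = os.path.join(root, f)
                caller = os.path.relpath(path, d)[:-len(".smali")].replace(os.sep, "/")
                if caller.startswith(lib_packages):
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line in fh:
                        m = INVOKE_RE.match(line)
                        if m and m.group(2) in ATTACK_SURFACES.get(m.group(1), ()):
                            sites.add((caller, m.group(1), m.group(2)))
    return sites


def triage(apktool_out):
    """Classify bundled attack-surface classes as invoked or dead (never called)."""
    present = library_present(apktool_out)
    sites = call_sites(apktool_out)
    invoked = {callee for _, callee, _ in sites}
    return {"present": present, "invoked": invoked, "dead": present - invoked, "sites": sites}


def build_sample_apk_tree():
    """Constructed stand-in for an Apktool output directory (not a real App)."""
    out = tempfile.mkdtemp(prefix="apktool_out_")

    def write(rel, body):
        p = os.path.join(out, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(body)

    # vulnerable library bundled in the main dex
    write("smali/com/example/pdflib/PdfParser.smali",
          ".class public Lcom/example/pdflib/PdfParser;\n"
          ".method public parse(Ljava/io/File;)V\n    return-void\n.end method\n")
    # App code in a secondary dex that really calls into it (an "import" screen)
    write("smali_classes2/com/vendor/reader/ImportActivity.smali",
          ".class public Lcom/vendor/reader/ImportActivity;\n"
          ".method private onRefresh()V\n"
          "    invoke-virtual {p0, v1}, Lcom/example/pdflib/PdfParser;->parse(Ljava/io/File;)V\n"
          "    return-void\n.end method\n")
    # second library present but never invoked: passes the package-path match only
    write("smali/com/example/archive/RarExtractor.smali",
          ".class public Lcom/example/archive/RarExtractor;\n")
    return out


if __name__ == "__main__":
    result = triage(build_sample_apk_tree())
    print("present:", sorted(result["present"]))
    print("invoked:", sorted(result["invoked"]))
    print("dead   :", sorted(result["dead"]))
```

Against a real target, run `apktool d app.apk -o out/` and call `triage("out")`; on the constructed tree, `library_present` reports both libraries while `call_sites` shows only `PdfParser.parse` being reached from App code, so `RarExtractor` is classified as dead. The scan only sees direct `invoke-*` instructions, so calls made through reflection or dynamically loaded code are missed; that gap is exactly what the reflection-based dynamic validation of step 3 covers.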
APK 1:
Google Store Download Count: 10,000,000+
Trigger Method: First put the POC pdf file on the phone's filesystem, then pull down to refresh the file list on the "import local pdf files" page
Behaviour: The App immediately takes 100% CPU and gradually consumes all allocatable memory
APK 2:
Google Store Download Count: 10,000,000+
Trigger Method: Open the POC pdf file
Behaviour: The App is stuck at a black screen
APK 3:
Google Store Download Count: 10,000,000+
Trigger Method: Merge two POC pdf files
Behaviour: The App crashes
APK 4:
Google Store Download Count: 10,000,000+
Trigger Method: Open the POC xlsx file
Behaviour: The App is stuck
APK 5:
Google Store Download Count: 5,000,000+
Trigger Method: Open the POC file
Behaviour: The App is stuck at a white screen
APK 6:
Google Store Download Count: 1,000,000+
Trigger Method: First sign the POC pdf, then save the signed pdf
Behaviour: The App is stuck while saving the signed POC pdf
APK 7:
Google Store Download Count: 1,000,000+
Trigger Method: Extract the POC zip file
Behaviour: After clicking the extract button, the App continuously flashes its file list
APK 8:
Google Store Download Count: 500,000+
Trigger Method: Open the POC rar file
Behaviour: The App is stuck, and restarting the App does not help
APK 9:
Google Store Download Count: 100,000+
Trigger Method: Open the POC pdf file
Behaviour: The App is stuck
APK 10:
From F-Droid
Trigger Method: Convert POC pdf to images
Behaviour: The App crashes
APK 11:
From F-Droid
Trigger Method: Convert the POC pdf to ePUB
Behaviour: The App crashes