Android Penetration Testing Tutorial

Top Android Vulnerabilities and Bugs That Lead to Mobile Hacking

Bugs and Vulnerabilities in Android

Below are some of the known Android vulnerabilities from over the years that could allow an attacker to gain root access to a device:

  • Kernel: Wunderbar/asroot (CVE-2009-2692)

This vulnerability let a local user trigger a NULL pointer dereference in the kernel. By using mmap to map page zero and placing code there, an attacker could invoke an unimplemented operation and have the kernel execute that arbitrary code.

  • Recovery: Volez

The Volez vulnerability affected the Motorola Droid running Android 2.0 and 2.0.1. Because of a flaw in the signature verifier, an attacker could modify a signed OTA recovery package.

  • Udev: Exploit (CVE-2009-1185)

This vulnerability affected all Android versions from 1.0 to 2.1. An attacker could send NETLINK messages from user space and have them treated as if they had originated from the kernel.

  • Adbd: RageAgainstTheCage (CVE-2010-EASY)

Here an attacker could abuse adbd (the ADB daemon) to gain root access. The vulnerability affected devices such as the Droid 2, Backflip, and Evo.

  • Zygote: Zimerlich and Zysploit

This was quite similar to the RageAgainstTheCage vulnerability and affected all devices running Android 1.0 to 2.2.

  • Ashmem: KillingInTheNameOf and psneuter (CVE-2011-1149)

Android versions before 2.3 did not restrict access to the system property space, which let a local application bypass the app sandbox and gain access it should not have.

  • Vold: GingerBreak (CVE-2011-1823)

This vulnerability let a local user execute arbitrary code and gain root access through a negative array index. It affected Android versions 2.3 to 3.0. The vold volume manager on these devices trusted messages received on a PF_NETLINK socket.
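The GingerBreak entry above describes vold trusting a netlink message and indexing an array with a value from it. The following added example, constructed for this article and not vold's own code, shows that pattern in miniature: a uevent-style PARTN value used as an array index with no lower bound, beside the checked version. The names find_param, struct volume, partition_index_vulnerable, partition_index_hardened and handle_partition_add are all constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_PARTITIONS 4

/* Constructed stand-in for a per-volume partition table; not vold's real
 * data structure. */
struct volume { int part_minors[MAX_PARTITIONS]; };

/* uevent-style messages are NUL-separated KEY=VALUE pairs. Returns a pointer
 * to VALUE for KEY, or NULL if absent. (Constructed helper, not vold's parser;
 * assumes every pair inside len is NUL-terminated.) */
const char *find_param(const char *msg, size_t len, const char *key) {
    size_t klen = strlen(key);
    for (size_t off = 0; off < len; off += strlen(msg + off) + 1) {
        if (strncmp(msg + off, key, klen) == 0 && msg[off + klen] == '=')
            return msg + off + klen + 1;
    }
    return NULL;
}

/* Vulnerable pattern: PARTN is trusted, so "0", "-1" or "9" yield an index
 * outside part_minors and a store through it lands elsewhere in memory. */
int partition_index_vulnerable(const char *partn) {
    return atoi(partn) - 1;
}

/* Hardened pattern: strict integer parse plus explicit lower AND upper bounds.
 * Returns an index in [0, MAX_PARTITIONS) or -1 to reject the message. */
int partition_index_hardened(const char *partn) {
    char *end;
    long n = strtol(partn, &end, 10);
    if (partn[0] == '\0' || *end != '\0') return -1;   /* not a clean integer */
    if (n < 1 || n > MAX_PARTITIONS) return -1;         /* out of range */
    return (int)(n - 1);
}

/* Handle a partition-add event using the hardened parser.
 * Returns 0 when the minor number was recorded, -1 when the event was rejected. */
int handle_partition_add(struct volume *v, const char *msg, size_t len, int minor) {
    const char *partn = find_param(msg, len, "PARTN");
    if (!partn) return -1;
    int idx = partition_index_hardened(partn);
    if (idx < 0) return -1;
    v->part_minors[idx] = minor;
    return 0;
}
```

The vulnerable variant only computes the index here so the example stays well-defined; in the real bug the unchecked store is what made the negative index exploitable.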

  • PowerVR: levitator (CVE-2011-1350 & CVE-2011-1352)

These two vulnerabilities were caused by improper checking in the PowerVR driver when data was copied into kernel memory. A malicious local app could use them to write to kernel memory, execute arbitrary code, and escalate privileges. All devices running Android 1.0 to 2.3.5 were vulnerable.

  • Libsysutils: zergRush (CVE-2011-3874)

It allowed remote attackers to execute arbitrary code via an app that passed crafted arguments to libsysutils. It affected devices running Android 2.2 to 2.3.

  • Kernel: mempodroid (CVE-2012-0056)

This vulnerability affected Android 4.0 because the mem_write function in the Linux kernel did not check permissions before granting access. Devices from Acer, Motorola, and Asus, as well as the Galaxy Nexus, were vulnerable.

  • File Permission & Symlink Attacks

Several Android devices are exposed to attacks involving file permissions and symbolic links. The primary cause is the modifications that original device manufacturers make to the system.

  • Adb Restore Race Condition

Android 4.0 devices could back up all device data with the adb backup command and restore it with the adb restore command.

However, the restore process had a couple of security flaws. One let an attacker create files and directories that other apps could access; another let them restore file sets without the restore process controlling them.

  • Exynos4: exynos-abuse

Android devices with Exynos 4 processors were affected by this vulnerability. The flaw was in the Samsung kernel driver, which let any app open the /dev/exynosmem device file. Through it, physical RAM could be mapped with read and write permissions.

  • Diag: lit/diaggetroot (CVE-2012-4220)

This vulnerability allowed attackers to execute arbitrary code or cause a denial of service through apps that passed crafted arguments in local diagchar_ioctl calls.
