
Android 'forensic' app pulled from Google Play after vulnerability report

Remote code execution threat via MITM attack, it is claimed

If you use an app called eVestigator, billed as checking Android phones for security compromises, delete it.

That's the word from someone signing their name as MaXe from InterN0T, who looked at what the Android app actually does.

The application claimed to test Android handsets to see if they've been infected with malware. However, MaXe found it ran a connect() scan across every available TCP port – all 65,535 of them – on the phone's external IP address, and then told the user there are thousands of "threats" on their phone.

The "report" button in the program didn't do anything much apart from sending the user's external IP address back to the developer, "along with other details about the Android environment and user-entered details," the advisory reads.

The app is also vulnerable to remote code execution via a man-in-the-middle attack, the researcher claimed:

If an attacker performs a MITM attack against "api.ipify.org" by e.g. hijacking the domain name, DNS, IP prefix, or by serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "api.ipify.org", then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute in the context of the application.

The root cause of this vulnerability is addJavascriptInterface() within the WebView, which in older API versions can be used to execute arbitrary Java code by using reflection to access public methods with attacker-provided JavaScript.
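The pattern the advisory is describing, shown beside a hardened version, as an added example rather than code from the eVestigator app or from the InterN0T advisory. The class and method names (IpLookup, ScanBridge, vulnerableSetup, fetchExternalIp, hardenedBridgeSetup) are hypothetical, and so is the assumption that the app rendered the api.ipify.org response inside a WebView that had a JavaScript bridge attached; the advisory only says that a MITM of that host leads to code execution through addJavascriptInterface(). The reflection chain in the comment is the publicly documented one for this WebView weakness (CVE-2012-6636), not something found in this app.

```java
// Added example, not code from the eVestigator app or the InterN0T advisory.
// IpLookup, ScanBridge, vulnerableSetup, fetchExternalIp and hardenedBridgeSetup are
// hypothetical names; the WebView-plus-bridge layout is an assumption about the app.
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

public final class IpLookup {

    /** Object injected into page JavaScript. Only annotated methods should be reachable. */
    public static final class ScanBridge {
        private final String externalIp;

        ScanBridge(String ip) { externalIp = ip; }

        @JavascriptInterface
        public String getExternalIp() { return externalIp; }
    }

    /*
     * The weak pattern. With targetSdkVersion below 17, or on a device older than
     * Android 4.2, the @JavascriptInterface annotation is not enforced, so every public
     * method of the bridge object, including getClass(), is callable from page script.
     * The widely documented reflection chain (CVE-2012-6636) then runs a shell command
     * with the app's UID:
     *
     *   bridge.getClass().forName("java.lang.Runtime")
     *         .getMethod("getRuntime", null).invoke(null, null)
     *         .exec(["/system/bin/sh", "-c", "id"]);
     *
     * Because the page is fetched over plain HTTP, whoever can MITM api.ipify.org
     * (rogue access point, DNS or prefix hijack, compromised server) chooses that script.
     */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void vulnerableSetup(WebView wv, String ip) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new ScanBridge(ip), "bridge");
        wv.loadUrl("http://api.ipify.org/?format=jsonp&callback=showIp");
    }

    /*
     * Hardened variant. Looking up an external IP address needs no WebView at all:
     * fetch it over TLS with an ordinary HTTP client and hand the string to the UI.
     * With no JavaScript bridge there is nothing for injected script to reach.
     * Must be called off the main thread (Android forbids network I/O on it).
     */
    public static String fetchExternalIp() throws IOException {
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://api.ipify.org/?format=text").openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try (BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String ip = r.readLine();
            // Accept only a dotted quad (api.ipify.org answers with IPv4), so a tampered
            // body cannot reach the UI or a log unchecked.
            if (ip == null || !ip.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
                throw new IOException("unexpected response from ipify");
            }
            return ip;
        } finally {
            conn.disconnect();
        }
    }

    /*
     * If a bridge is genuinely required: refuse to expose it on a pre-API-17 WebView
     * (annotation enforcement needs both targetSdkVersion >= 17 and a 4.2+ device),
     * keep file access off, and render only app-bundled markup so no network-sourced
     * script ever runs next to the bridge.
     */
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedBridgeSetup(WebView wv, String ip, String localHtml) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            throw new IllegalStateException("refusing to expose a JS bridge on a pre-API-17 WebView");
        }
        wv.getSettings().setJavaScriptEnabled(true);
        wv.getSettings().setAllowFileAccess(false);
        wv.addJavascriptInterface(new ScanBridge(ip), "bridge");
        wv.loadDataWithBaseURL(null, localHtml, "text/html", "utf-8", null);
    }
}
```

The point of the hardened half is that the bridge is the unnecessary part: an IP lookup is one HTTPS GET, and removing the WebView removes the whole attack surface the advisory describes. Where a bridge must stay, the API-level check matters even with targetSdkVersion set correctly, because devices below Android 4.2 never enforce @JavascriptInterface regardless of what the app targets.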

MaXe says the app's maker was notified on June 25, and responded with a legal threat. The vendor also pulled the app from Google Play, and tried to get YouTube to remove a video demonstrating issues with the software, before MaXe went ahead with publication. ®


Biting the hand that feeds IT © 1998–2017