17.01.2014

As part of our ongoing mobile security research we have uncovered a network vulnerability on Android devices which has serious implications for users using VPN. This vulnerability enables malicious apps to bypass active VPN configuration (no ROOT permissions required) and redirect secure data communications to a different network address. These communications are captured in CLEAR TEXT (no encryption), leaving the information completely exposed. This redirection can take place while leaving the user completely oblivious, believing the data is encrypted and secure.

In this video we demonstrate the vulnerability via the following steps:

We present a regular Android device (in this case it is the popular Samsung S4 device). Behind it we display a screen with packet capturing tool, showing the traffic that flows through that computer. Now the user runs the malicious app and clicks on the Exploit button which takes advantage of the vulnerability in the phone’s system. The user then navigates the menu to the phone’s network settings and activates the VPN. In the video it is easy to see that the user verifies that the VPN is active. The user then opens an email client (the system default) and sends an email with the word security in the subject line We immediately see that some information has been captured on the computer where the detection tool is running. It is important to stress again that no communications was supposed to pass through this computer in the first place. In the video we can clearly see the SMTP (mail protocol) packets. The data of the communications protocol is analyzed and then we can see the whole mail including its “secret” subject in clear text.

Notes:

SSL/TLS traffic can be also captured with this exploit but the content stays encrypted and not in clear text. We have tested the vulnerability on multiple Android devices from different vendors. We have tested the vulnerability on Wifi connections alone. The computer in the demo is connected to the same network as the mobile device. The malicious app does not require VPN specific Android permissions. The VPN is configured properly. The vulnerability has been verified on Android 4.3. The vulnerability has not been verified on Android KitKat 4.4 and is still under investigation.

Status:

We have earlier today contacted Google through their security email security@android.com and sent them a vulnerability alert with all relevant information in an encrypted manner. We will update this blog post when new information becomes available or when progress is made in the analysis of this vulnerability. In addition, we will use this blog to issue warnings to those impacted by this vulnerability as soon as the impact is clarified. Once the issue will be resolved we will disclose here full details on the vulnerability.

Disclosure Log

17 Jan 2014 12:44 (GMT+2): Published preliminary disclosure report and submitted information to Google

Feb 27 – Google confirmed that a patch for this issue has been provided to Android OEMs

UPDATE:

This vulnerability is similar to the previous vulnerability we’ve disclosed to Samsung (two weeks ago) by the fact that both of them work in a similar manner while the difference among them is the exploit target. See more info on the previous story WSJ. A detailed report on the original disclosure process is provided here.

UPDATE2 (19 Jan):

We have updated the previous paragraph to provide more clarifications as for the similarities among the vulnerabilities we disclosed recently.

We have added a note regarding the platforms it has been verified.

UPDATE (22 Jan):

We have clarified that the vulnerability has not been verified on Android KitKat 4.4 and is still under investigation.

UPDATE (23 Jan):

We replaced the video with a new one which holds our watermark and a cleaner shot.

We have added link to our response to Samsung related to the initial disclosure.

UPDATE (27 Jan):

We updated the disclosure log about a fix issued by Google

Full details on our disclosure policy can be found here.

Cyber Security Labs Team – Follow us via @cyberlabsbgu