Android ADB backup APK injection vulnerability

The Android operating system offers a backup/restore mechanism for installed packages through the ADB utility (`adb backup` / `adb restore`). By default a full backup of an application is taken, including the private files it stores on the /data partition, but an application can customize this behaviour by implementing a BackupAgent class. This way it can feed the backup process with custom files and data of its own choosing.

SEARCH-LAB Ltd. discovered a vulnerability in the design of the Android backup mechanism: the backup manager, which invokes the custom BackupAgent, does not filter the data stream returned by the application. A malicious BackupAgent is therefore able to inject additional applications (APKs) into the backup archive without the user's consent. Upon restoration of the archive, the system installs the injected application as well, since it is already part of the backup archive. The installed malware can obtain any (non-system) permission it wants without any confirmation dialog, for example the permission to send SMS messages or other permissions with financial implications.

The vulnerability resides in the backup mechanism of the Android operating system itself. Anyone using the adb tool to create and restore backups of their handsets might be affected. One might assume that command line tools are used only by geeks and programmers, but that is not necessarily so: there are Windows GUI applications which rely on the same technology behind the scenes when creating or restoring backups. The malicious BackupAgent might ship in an innocent-looking game that raises no suspicion because it claims to need no permissions at all. As soon as a backup is created, the archive is infected.
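A practical consequence of the above is that an `adb backup` archive should not be trusted just because the user chose which packages to back up. The following script is an added example written for this page, not SEARCH-LAB's proof of concept or any Android code. It builds a constructed, unencrypted backup archive in memory in the real adb backup layout (the `ANDROID BACKUP` header lines followed by a zlib-deflated tar whose application entries live under `apps/<package>/`, with APKs under `apps/<package>/a/`), then audits it before a restore: every package under `apps/` that carries an APK entry but was not one of the packages the backup was taken for is reported as injected. The package names `com.example.game` and `com.example.payload` and the file contents are constructed sample data.

```python
import io
import tarfile
import zlib

# adb backup file layout: "ANDROID BACKUP\n", a format version line, a "1"/"0"
# compression flag line, an encryption line ("none" when unencrypted), and then
# the (optionally zlib-deflated) tar stream. Inside that tar an application's
# data lives under apps/<package>/: _manifest, a/<name>.apk, f/, db/, sp/ ...
MAGIC = b"ANDROID BACKUP\n"


def build_backup(entries):
    """Build an unencrypted, compressed backup (version 1 header) from
    (tar entry name, bytes) pairs. Used here only to construct sample input."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return MAGIC + b"1\n" + b"1\n" + b"none\n" + zlib.compress(tar_buf.getvalue())


def read_backup_members(blob):
    """Parse the backup header and return the entry names of the tar payload."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an adb backup file")
    # maxsplit=3 keeps the binary payload intact even if it contains newlines
    version, compressed, encryption, payload = blob[len(MAGIC):].split(b"\n", 3)
    if encryption != b"none":
        raise ValueError("encrypted backup; decrypt it before auditing")
    if compressed == b"1":
        payload = zlib.decompress(payload)
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        return [member.name for member in tar.getmembers()]


def audit_backup(blob, expected_packages):
    """Return (packages seen with their subtree tokens, packages that carry an
    APK but were never asked for). The second list is what a restore would
    install on top of what the user expects."""
    seen = {}
    for name in read_backup_members(blob):
        parts = name.split("/")
        if len(parts) < 3 or parts[0] != "apps":
            continue  # shared storage and other trees are not app data
        seen.setdefault(parts[1], set()).add(parts[2])
    injected = sorted(pkg for pkg, tokens in seen.items()
                      if "a" in tokens and pkg not in expected_packages)
    return seen, injected


def audit_backup_file(path, expected_packages):
    """Same check against a backup file on disk (e.g. the -f argument of adb backup)."""
    with open(path, "rb") as f:
        return audit_backup(f.read(), expected_packages)


# Constructed sample: one legitimate game plus the entries a malicious
# BackupAgent appended to its own data stream for a second package.
SAMPLE_BACKUP = build_backup([
    ("apps/com.example.game/_manifest", b"constructed manifest"),
    ("apps/com.example.game/a/base.apk", b"PK\x03\x04 constructed game apk"),
    ("apps/com.example.game/f/save.dat", b"level=3"),
    ("apps/com.example.payload/_manifest", b"constructed manifest"),
    ("apps/com.example.payload/a/base.apk", b"PK\x03\x04 constructed injected apk"),
])

if __name__ == "__main__":
    seen, injected = audit_backup(SAMPLE_BACKUP, {"com.example.game"})
    for pkg, tokens in sorted(seen.items()):
        print(pkg, sorted(tokens))
    print("injected packages:", injected)  # ['com.example.payload']
```

To use it on a real archive, take the backup for a known package list (for example `adb backup -apk -f backup.ab com.example.game`), run `audit_backup_file("backup.ab", {"com.example.game"})`, and only restore when the injected list is empty. The check is only as good as the package list you compare against: with `-all` you must assemble that list from the device yourself, and a backup taken with a password must be decrypted first, which this script does not do.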

SEARCH-LAB Ltd. reported the vulnerability to the Android security team on July 14, 2014, but the issue has still not been fixed. This means that as of today, July 8, 2015, all current Android versions are affected, including Android 5.1.1 (Lollipop).

Further information, technical details and working Proof of Concept code can be found here: