In Android versions prior to 5.0 and possibly greater than and equal to 4.0, Settings application leaks Pendingintent with a blank base intent (neither the component nor the action is explicitly set) to third party applications. Due to this, a malicious app can use this to broadcast intent with the same permissions and identity of the Settings application, which runs as SYSTEM uid.
cfc2aeebb8ce7b28e800f8cd2c1a2ef4f012afd9da67892dea7842b3fef42e7c
This Metasploit module exploits an unsafe intent URI scheme and directory traversal found in Android Mercury Browser version 3.2.3. The intent allows the attacker to invoke a private wifi manager activity, which starts a web server for Mercury on port 8888. The webserver also suffers a directory traversal that allows remote access to sensitive files. By default, this module will go after webviewCookiesChromium.db, webviewCookiesChromiumPrivate.db, webview.db, and bookmarks.db. But if this isnt enough, you can also specify the ADDITIONAL_FILES datastore option to collect more files.
42c6caf8a1093e6428f263ebc0ed216930afb756d1796e8f552f46a3d7e1ee90
This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Androids open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. Target URLs that use X-Frame-Options can not be exploited with this vulnerability. Some sample UXSS scripts are provided in data/exploits/uxss.
515d589ae7fa921c6c47ddf5fa3b3cc8aad06aec0fe62c65331d5cac2c574d51
This Metasploit module exploits a cross-domain issue within the Android web browser to exfiltrate files from a vulnerable device.
dd13356635f2999608328974a708d0fa3528aed773ff26396b6cd072f639afbd
This Metasploit module steals the cookie, password, and autofill databases from the Browser application on AOSP 4.3 and below.
461f161dc15f2136e113fe628614a254fcbe8647f9473ac567fe7752ac4fa00a
In Androids stock AOSP Browser application and WebView component, the "open in new tab" functionality allows a file URL to be opened. On versions of Android before 4.4, the path to the sqlite cookie database could be specified. By saving a cookie containing a <script> tag and then loading the sqlite database into the browser as an HTML file, XSS can be achieved inside the cookie file, disclosing *all* cookies (HttpOnly or not) to an attacker.
70b3a8344e4fcf5439123086e568b9e7984fe8d61764dc191d64ca919125593d
This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability present in all versions of Androids open source stock browser before 4.4, and Android apps running on < 4.4 that embed the WebView component. If successful, an attacker can leverage this bug to scrape both cookie data and page contents from a vulnerable browser window. If your target URLs use X-Frame-Options, you can enable the "BYPASS_XFO" option, which will cause a popup window to be used. This requires a click from the user and is much less stealthy, but is generally harmless-looking. By supplying a CUSTOM_JS parameter and ensuring CLOSE_POPUP is set to false, this module also allows running arbitrary javascript in the context of the targeted URL. Some sample UXSS scripts are provided in data/exploits/uxss.
c310932b590c18e1c4846f4e90d57edda5909db4103dc3c5954aec52431efc71
This Metasploit module exploits a vulnerability in the native browser that comes with Android 4.0.3. If successful, the browser will crash after viewing the webpage.
ed9f536506a6fbec4e357c8ba0d4fba05c0f9f3e72f96d8657a24235f3ca4bda
The Google Passkey Manager on Android appears to have inconsistent messaging for deletion of data along with other varying issues that lead us to believe it's not ready for prime time.
71ba8e2e5aa435ade4ea33b5a81739d52d8bb150b921a598410d86d24ec2fe85
Whitepaper called Android Application Vulnerabilities. Written in Vietnamese.
25a9be443e83e5ebb65adc0990933e8bc358ae4df7692ffa351cac1c3505acde
Android Studio has an issue where a malicious project can execute a custom cmd.exe allowing for privilege escalation. Google does not believe this is an issue.
46be4037148bbd4dd5a2366f68c681f1a4a3663d8877cd818fdf312172011cdc
o2 Business for Android version 1.2.0 suffers from an open redirection vulnerability.
ed073540b55db066df4e43d61452b19af671d57a6dad0ef1271c98600b232356
Android suffers from a bluetooth remote denial of service vulnerability.
89e5543cb6f51f283e41a489aaa3e084de84be0c84b8090c5910f061d0b501ba
Whitepaper called Android Pentest Tutorial Step By Step. Written in Persian.
5b7d21010a256cb1f4b468d223e3ec667013b6a8d7142cf2136bd61da5d324c0
Android OS suffers from a sensitive data exposure vulnerability in its RSSI broadcasts.
b84b85cafb558b1dc05e71a251d6e82bce2a07ab37bb19c2c696f5dd92aa04d5
Android OS version 5.0 suffers from a sensitive data exposure vulnerability in its battery information broadcasts.
8ad47d4c35696bfefa77337a99ecd6afe8715bda10ca617af6f70817f6c9f62c
Whitepaper called Android Application Penetration Testing. Written in Persian.
99ed5daa9189d9dc52297b718052e093b81f9027457ef626c18d34c33e76312b
Android Dexdump, tested on Nexus 4 with Android 5.1.1, was found to have a buffer overflow vulnerability.
17f6454004b8a93af64f455ddf63ae9dda00225c1d8b53683c343356ee18c5ad
System broadcasts by Android OS expose information about the user's device to all applications running on the device. This includes the WiFi network name, BSSID, local IP addresses, DNS server information and the MAC address. Some of this information (MAC address) is no longer available via APIs on Android 6 and higher, and extra permissions are normally required to access the rest of this information. However, by listening to these broadcasts, any application on the device can capture this information thus bypassing any permission checks and existing mitigations.
523ebc0e6847c2ff3858fa671185f0aded4e77fd712ecd694c1d059ae8df9760
Whitepaper called Android Application Pentest With Drozer. Written in Persian.
bbab551e432b1fa855bffd240fa39aaa15559b5520d44abc8128b8be2b998743
Android OS did not use the FLAG_SECURE flag for sensitive settings, potentially exposing sensitive data to other applications on the same device with the screen capture permissions. The vendor (Google) fixed this issue in 2018-02-01 Pixel security update.
419aa59f60c639bf9769fc664825bf713bf20d2a125449f8cf156e98eb09bb86
Android Bluetooth BNEP bnep_data_ind() remote heap disclosure proof of concept vulnerability.
bca48d1c32a6cf579a5ece90b87234274c98bed6401f1470ca5a6cdcba4d5b50
Android Bluetooth BNEP BNEP_SETUP_CONNECTION_REQUEST_MSG out-of-bounds read proof of concept vulnerability.
99eb32567c7340a388cd09922afb5a94b3797a234d4baf2ff8977aa03764df08
Android DRM services suffers from a buffer overflow vulnerability.
efb1ce2739b233f90481dfd1618352f64557499ae57c7214a0748615c4651e39
Android devices can be crashed forcing a halt and then a soft reboot by downloading a large proxy auto config (PAC) file when adjusting the Android networking settings. This can also be exploited by an MITM attacker that can intercept and replace the PAC file. However, the bug is mitigated by multiple factors and the likelihood of exploitation is low.
9a6a1af684f67a60cc245b0a7841aeca5cc4c686f0d9b20cffcd532b0d7b75f1
Android devices can be crashed remotely forcing a halt and then a soft reboot by a MITM attacker manipulating assisted GPS/GNSS data provided by Qualcomm. This issue affects the open source code in AOSP and proprietary code in a Java XTRA downloader provided by Qualcomm. The Android issue was fixed by in the October 2016 Android bulletin. Additional patches have been issued by Qualcomm to the proprietary client in September of 2016.
a65dfddf168a89391ed0b8297e76ae23566fa1e4d61a4e69446fbad5e0a2b52b