Batu69 Posted July 4, 2017

MITM, remote code execution

If you use an app called eVestigator, billed as checking Android phones for compromise, delete it.

That's the word from someone signing their name as MaXe from InterN0T, who looked at what the Android app does.

The app claimed to test Android phones to see if they've been compromised, but MaXe found it ran a connect() scan across every available TCP port – all 65,535 of them – and told the user there are “87,375 threats” on their phone.

The “report” button didn't do anything much apart from sending the user's external IP address back to the developer, “along with other details about the Android environment + user-entered details”, the advisory says.

The app is vulnerable to remote code execution via a man-in-the-middle attack, the note says: “If an attacker performs a MITM attack against "api.ipify.org" by e.g. hijacking the domain name, DNS, IP prefix, or by serving a malicious wireless access point (or hijacking a legitimate one), or by hacking the server at "api.ipify.org", then the attacker can instruct the Android application to execute attacker controlled Java code that the phone will execute in the context of the application.

“The root cause of this vulnerability is caused by addJavascriptInterface() within the WebViewer, which in older API versions can be used to execute arbitrary Java code by using reflection to access public methods with attacker provided JavaScript.”

MaXe says the vendor was notified on June 25, responded with a legal threat, the vendor pulled the app from Google Play, and tried to get YouTube to pull the video below, before MaXe went ahead with publication.

YouTube video: eVestigator Forensic PenTester v1 - Remote Code Execution via MITM
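As an added example (not the eVestigator app's code, and not from the advisory), here is the WebView pattern the advisory's root cause refers to, written in its hardened form: the bridge object only exposes methods annotated with @JavascriptInterface (which the platform enforces once targetSdkVersion is 17 or higher), the lookup goes over HTTPS only, mixed content is refused, and navigation is pinned to the one origin so a spoofed DNS answer or rogue access point cannot steer the WebView to attacker-controlled JavaScript. The class, method and bridge names are assumptions for illustration.

```java
// Added example: a hardened Android WebView that asks a lookup page for the
// device's external IP through a narrowly scoped JavaScript bridge.
import android.annotation.SuppressLint;
import android.content.Context;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public final class IpLookupWebView {
    // Hypothetical endpoint; the point is that it is HTTPS, not plain http://.
    private static final String LOOKUP_URL = "https://api.ipify.org/";

    /** Bridge exposed to page JavaScript. With targetSdkVersion >= 17 only
     *  @JavascriptInterface methods are callable; on older targets every
     *  public method is reachable and reflection from page JS becomes
     *  possible, which is the root cause quoted in the advisory. */
    public static final class IpBridge {
        private volatile String externalIp = "";

        @JavascriptInterface
        public void reportIp(String ip) {
            // Validate before trusting anything that arrived from the page.
            if (ip != null && ip.matches("^[0-9]{1,3}(\\.[0-9]{1,3}){3}$")) {
                externalIp = ip;
            }
        }

        public String getExternalIp() { return externalIp; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    @SuppressWarnings("deprecation")
    public static WebView build(Context ctx, IpBridge bridge) {
        WebView wv = new WebView(ctx);
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);   // required for the bridge call
        s.setAllowFileAccess(false);    // page must not read local files
        s.setAllowContentAccess(false); // nor content:// providers
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        wv.setWebViewClient(new WebViewClient() {
            @Override // String overload is reached on every API level
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                // Returning true blocks the navigation: anything off-origin is dropped.
                return !url.startsWith(LOOKUP_URL);
            }
        });
        wv.addJavascriptInterface(bridge, "ipBridge");
        wv.loadUrl(LOOKUP_URL);
        return wv;
    }
}
```

The smaller attack surface is to drop the WebView entirely and fetch the IP with HttpsURLConnection, which removes addJavascriptInterface() from the app altogether.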