CHEF-KOCH / Android Vulnerabilities Overview

Android Vulnerabilities Overview (AVO) is a databse of known security vulnerabilities in Android.

The vulnerabilities database is splitted into seperate .md files to get an better and cleaner overview. The current 2016 list is avaible over here.

The security flaw gives hacker ability to spy on Android smartphone owners, steal login credentials, install malware, and many more, according to the latest research conducted by the researchers at the Pennsylvania State University and FireEye.

Contact

Found something that isn't on the list? - Feel free to submit, maintainers/contributors are always welcome!

Want to communicate secure, feel free - my eMail public key is stored in the 'eMail.txt' file.

Warning

Do not install security updates like CVE-2015-1538.apk from untrusted sources! It's a trap!

Security updates are rolled out by Google Play-services (in background) or as ROM update directly from your provider and never comes as single .APK!

Attacks

• Ransomware (User needs to confirm the device admin part)
• Distributed Denial of Service (DDoS)
• Cyber-attacks like (mass) surveillance (e.g. directly on telecommunication infrastructures), worms, viruses, trojans, ...
• Hijacking in Android is a common problem, see also Clickjacking
• Cyberterrorism (Data Theft, DOS, ...)
• Remote Access Tools (RATs)
• Fingerprinting to sniff metadata
• Impersonation Attack
• Session Fixation Attack
• Cache-Poisoning Attack
• Heap thermal vision problems attacks/bugs
• Other data leakage, exploits, 0day, ...

Spyware Capabilities

• Listening in to telephone conversations
• Accessing the Internet
• Viewing and copy contacts
• Installing unwanted apps
• Asking for location data
• Taking and copying images
• Recording conversations using the microphone
• Sending and reading SMS/MMS
• Disabling Anti-Virus software
• Listening in to chats via messaging services (Skype, Viber, WhatsApp, Facebook and Google+)
• Reading the browser history

Infected apps with Backdoors, Loggers or Ransomware

• Adult Player (not avb. via Google Play Store)
• FreePorn
• LockerPin (Ransomware)
• Kemoge Malware which infects several appshttps://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html), see all affected apps
• Ghost Push, Braintest, Guaranteed Clicks, RetroTetri based on Kemoge Malware

Generally apps that often bundled with security risks (due popularity and other weaknesses)

• WhatsApp Security Vulnerability (telegraph.co.uk) - this is only one example!
• AppLock
• Android-InsecureBankv2
• Sieve Sieve is a password manager app, riddled with security vulnerabilities.
• ExploitMe Mobile Android Labs
• OWASP-GoatDroid-Project
• DIVA DIVA (Damn insecure and vulnerable App) is an App intentionally designed to be insecure.

Research

• Official Android Security Updates News
• News from SecurityWeek
• Security | Android Open Source Project
• Crypzo Standard EDU
• SS7 hack shown demonstrated to track anyone |60 Minutes
• Android AOSP Security Overview
• CIS security overview
• Mozilla Security Blog
• Chomium Security FAQ
• Android Vulnerability Overview | TheHackerNews
• Beyond Security Team
• The Difference Between a Vulnerability Assessment and a Penetration Test (danielmiessler.com)
• Why SIM Cards Are at Risk--Rising Threat from Differential Power Analysis (semiengineering.com)
• Base clean architecture Android MVP (github.com)
• Muni.cz
• Securityinabox
• Google Security Research
• Stagefighter Source releases + Source direct link
• AT&T says malware secretly unlocked hundreds of thousands of phones (techworld.com)
• Most vulnerable Operating Systems and applications in 2014
• Discovered the first Android ransomware that sets the PIN lock (welivesecurity.com)
• The Android device fragmentation is getting, beautifully, out of control (opensignal.com)
• Bits, Please
• Reddit Vulnerability Research and Development r/vrd
• SecurityTube
• Project Zero

Papers

• http://www.mcafee.com/us/resources/white-papers/wp-defeating-ssl-cert-validation.pdf
• https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-ren-chuangang.pdf
• http://www.pwc.com/en_US/us/financial-services/regulatory-services/publications/assets/sanctions-cyber-crime.pdf
• Fingerprinting Web Application Platforms by Variations in PNG Implementations [pdf] (github.com)
• https://mjanja.ch/2013/11/disabling-aes-ni-on-linux-openssl/
• http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/stable_api_nonsense.txt
• Security Metrics for the Android Ecosystem
• Android Compatibility Definition Document v2015
• Real-world Stagefright exploitation notes on Android 5.x [pdf]

Videos

• This Mind-Blowing Hack allows Anyone to Control your Phone From 16 Feet Away (youtube.com) (no CVE since this is by design from Google Now, but still a hack/problem)
• 'Shedun' gaining accessibility service privileges (youtube.com
• Metaphor - Stagefright Exploitation Breaking ASLR (youtube.com)

Online tests

• FREAK test
• Panopticlick (Browser Fingerprint test)
• filldisk
• SSL Client test
• Evercookie test
• BrowserSpy.dk (Browser Fingerprint test)
• Testing mixed content
• WebRTC check
• Adobe Flash player version detector no Flash support since Android 4.x, if you need it please use FlashFox or Dolphin Browser.
• IP check
• CORS and WebSocket test
• Browserrecon
• WebGL check
• Battery.js test
• RC4 fallback test
• Battery API check
• Testing TLS/SSL encryption (testssl.sh)

Kernel

• Kernel Overview | Android Developers
• Kernel Security Overview | Android Developers
• Android Kernel Security | eLinux

'Security' (pentesting) Apps

• Stagefright Detector App by Zimperium
• TextSecure (SMS encryption was removed)
• RedPhone (Stores the private key on there servers)
• Crypt4All Lite (AES) - (Free File Encryption Software)
• Orbot alias 'Tor for Android'
• (AppLock (Free Application Lock Utility)
• App Ops (Free App Permission Manager) On Android 6 (Marshmellow) obsolete
• LastPass Password Manager Premium (Free) personally I prefer KeePass - alias KeePassDroid
• K-9 Mail (Free Secure Email Encryption Software) - I prefer [email protected] Mail Pro [it's based on K-9 Mail but with a better gui]
• Android open source apps overview | GitHub
• MyLocalAccount (app that doesn't need any cloud to store local contacts)
• DIVA Android - Damn Insecure and vulnerable App for Android
• cSploit which comes with Metasploit

Forensics analysis software and apps

In most cases Trojans/Malware only sending 'stuff' to there C&C's if you're on wifi (to not getting easier detected by the bandwidth consumptation itself), of course they often drain your battery, so some tools are to detect such cases and identifys them (like Hush) such tools can be used to reveal what exactly going on behind the scenes.

• Androl4b
• Android Connections Forensics
• Androick
• Android Forensics Open Source Android Forensics App and Framework
• Android Data Extractor Lite
• BitPim
• LiME
• OSAF - Open Source Android Forensics Community
• P2P-ADB
• Appie
• Mobisec
• pySimReader
• Pixiewps
• Android Vulnerability Test Suite (github.com)
• catch-it-quick - catch the firmware malware and spyware
• Google Remote Encryption and wipping function analyzed see here

Vulnerability Databases

• KB.cert.org - KB Cert
• Common Vulnerabilities and Exposures (CVE®) for Android - CVE Mitre
• Android - CVE Details - CVE Details
• All vulnerabilities - Android Vulnerabilities
• NVD - US National Vulnerability Database
• CERT - US Computer Emergency Readiness Team
• OSVDB - Open Sourced Vulnerability Database
• Bugtraq - Symantec SecurityFocus
• Exploit-DB - Offensive Security Exploit Database
• Fulldisclosure - Full Disclosure Mailing List
• MS Bulletin - Microsoft Security Bulletin
• MS Advisory - Microsoft Security Advisories
• Inj3ct0r - Inj3ct0r Exploit Database
• Packet Storm - Packet Storm Global Security Resource
• SecuriTeam - Securiteam Vulnerability Information
• CXSecurity - CSSecurity Bugtraq List
• Vulnerability Laboratory - Vulnerability Research Laboratory
• ZDI - Zero Day Initiative
• Exploit Exercises - Exploit Exercises
• Seclist.org - Seclist
• AVO - Android Vulnerabilities Overview - AndroidVulnerabilities
• Exploits Project by 4B5F5F4B (GitHub.com)

Known Pre-Installed Backdoors (within firmware)

• CoolReaper (China and Taiwan)

Backdoor Discussion

• AB1681 suggestion
• Cooper Introduces Human Trafficking Evidentiary Access Legislation
• Assembly Bill A8093

‘Stingrays’ Cell Phone Trackers

Stingrays, made by the Harris Corporation, has capabilities to access user's unique IDs and phone numbers, track and record locations, and sometimes even intercept Internet traffic and phone calls, send fake texts and install spyware on phones. The authorities used these tracking tools for years to breach people's privacy and did everything to keep even the existence of these devices out of the public eye. They even avoid telling judges when they used them.

• 2015 FBI Statement
• Confirmation & full source
• Android Silent SMS Ping example app

Firewall Leak Tests

• Not avb. for Android? (only some common pages but not really proper designed for Android)
• 2015 FBI Statement
• Confirmation & full source