September 20, 2016

BadKernel Vulnerability Technical Details

360 researchers (Alpha Team) have recently uncovered a vulnerability that affects millions of Android phones.  Since it is especially widespread in China and can cause significant damage, it has been assigned CNNVD-201608-414 in the Chinese National Vulnerability Database of Information Security.  CNNVD is the Chinese equivalent of the US Common Vulnerabilities and Exposures system (CVE).

The vulnerability lies in the part of the Chrome V8 engine responsible for JavaScript parsing.  It allows hackers to hijack the phone and remotely execute malicious code, which could invade user privacy by accessing the camera and microphone, and steal sensitive information such as credit card numbers and passwords.

The flaw exists in versions 3.20 to 4.2 of the Chrome V8 engine.  The observe_accept_invalid exception type was incorrectly defined as observe_invalid_accept (see source).  This error mistakenly allows open access to the kMessages key objects, which leaves an exploitable path that lets hackers download and execute malicious code.

Versions of Tencent's X5.SDK library that integrated versions 3.20 to 4.2 of the Chrome V8 engine are also affected.  The X5.SDK is used by many popular apps in China such as phone QQ, QQ space, Jingdong, 58 city, Sohu and Sina news.  These versions of the apps are vulnerable to attack.

Any app that runs on Android 4.4.4 to 5.1 and uses the WebView component is also vulnerable.

This exploit is introduced primarily via social engineering, such as receiving an email with a shared link from an infected friend, or an IM phishing message claiming to be from a well-known source.  Once the user clicks on the link, the device is infected with malicious code, often leaving no detectable signs.

To check if a phone is infected

What to do if you are infected?

  • Upgrade to the latest phone software
  • Upgrade downloaded browsers
  • Be wary of emails and messages with links, even from people or organizations you know.  Never click on an unknown URL; type the address into the browser bar instead.
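As an added example that is not part of the original advisory, the small Python helper below triages an app inventory against the affected V8 range stated above (3.20 through 4.2).  The inventory records and function names are my own constructed assumptions.

```python
# Added example: flag embedded V8 engine versions that fall in the affected
# range given in the advisory, 3.20 through 4.2 inclusive. Versions are
# compared as integer tuples, because a float comparison reads "3.20" as 3.2
# and would wrongly flag builds such as 3.3 or 3.5 as affected.

VULN_MIN = (3, 20)
VULN_MAX = (4, 2)

def parse_version(text):
    """Turn '3.20.17' into (3, 20, 17); raise ValueError on junk input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable_v8(version):
    """True if major.minor lies within the affected V8 range."""
    major_minor = parse_version(version)[:2]
    return VULN_MIN <= major_minor <= VULN_MAX

def triage(inventory):
    """Return the names of apps whose embedded V8 engine needs upgrading."""
    return sorted(app for app, v8 in inventory.items() if is_vulnerable_v8(v8))

# Constructed sample inventory: app name -> V8 version bundled in its WebView/X5 build
SAMPLE_INVENTORY = {
    "messenger-old":  "3.20.17",   # lower bound of the affected range
    "news-reader":    "4.2.77",    # upper bound, still affected
    "legacy-shop":    "3.19.3",    # just below the range
    "updated-client": "4.3.61",    # outside the stated range
    "ancient-kiosk":  "3.3.10",    # below the range; a float compare (3.3 > 3.2) would mislabel it
}

if __name__ == "__main__":
    for app in triage(SAMPLE_INVENTORY):
        print(f"{app}: embedded V8 {SAMPLE_INVENTORY[app]} is in the affected range")
```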