Android Zero Day in Admin App Can Bypass Sandbox

Type threatpost
Reporter Dennis Fisher
Modified 2015-08-14T21:09:27


The Android security team at Google is having a busy month. First the Stagefright vulnerabilities surfaced last month just before Black Hat and now researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.

The vulnerability lies in the way that the Google Admin application on Android phones handles some URLs. If another application on the phone sends the Admin app a specific kind of URL an attacker can bypass the Same Origin Policy and get data from the Admin sandbox.

“An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox,”the advisory from MWR Labs says.

An attacker can exploit this vulnerability by getting a malicious app on a victim’s phone. MWR Labs notified Google of the vulnerability in March and Google acknowledged the report right away and later said it would have a patch ready by June. But the fix was never pushed out and last week MWR Labs informed Google that it planned to release its advisory, which was published Thursday.

Google did not respond to a request for comment on this story. The vulnerability affects the current version of the app, and may affect earlier versions as well.

“The Google Admin application (, has an exported activity that accepts an extra string called setup_url. This can be triggered by any application on the device creating a new intent with the data-uri set to http://localhost/foo and the setup_url string set to a file url that they can write to, such as file://data/data/,” MWR’s advisory says.

“The ResetPinActivity will then load this in the WebView under the privileges of the Google Admin application.”

MWR says that until a patch is deployed by Google, users with the Google Admin app shouldn’t install any untrusted third party apps, which is good advice for any mobile phone user.