A series of critical vulnerabilities in Android developer tools exposed software developers to breaches that could allow access to every file on the developer’s computer, according to the Israeli cybersecurity firm Check Point Technologies.
Several of the most common Android development tools were affected, including Google’s Android Studio, JetBrains’ IntelliJ IDEA and Eclipse. The problems also impact reverse-engineering tools like APKTool, the Cuckoo-Droid service and more.
This past year has seen multiple supply chain cyberattacks against organizations, including hacks against CCleaner and Notepad++. The goal of such attacks is to gain access to organizations and then progress to attacking users and companies. The vulnerabilities discovered by Check Point opened up Android developers, the largest software development community in the world, to a series of potential attacks that ultimately put a wide array of users at risk.
Check Point researchers found that APKTool suffered from an XML External Entity (XXE) vulnerability that exposed users’ entire operating system and let attackers retrieve any file on a victim’s computer.
The problem was traced to the vulnerable XML parser called “DocumentBuilderFactory”, which is used in a wide variety of popular development tools. Researchers repeatedly showed attackers effectively delivering the payload and then stealing protected files without ever alerting the victim. The same attack was replicated across different developer environments and tools.
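For developers who parse untrusted XML with Java's `DocumentBuilderFactory`, the added example below (not code from Check Point, APKTool or any of the affected tools) parses the same document with default settings and with a hardened factory. The class name, the `manifest` element and the temporary file standing in for a protected local file are all constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {
    // Hardened factory: refuse any DOCTYPE; the remaining settings are defence in depth.
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parse the XML and return the text content of the root element.
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        Document doc = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file created here stands in for a local file.
        Path local = Files.createTempFile("xxe-demo", ".txt");
        local.toFile().deleteOnExit();
        Files.write(local, "LOCAL-FILE-CONTENT".getBytes(StandardCharsets.UTF_8));
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE manifest [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
                + "<manifest>&ext;</manifest>";

        // Default factory: the external entity is resolved into the document.
        String text = parseRootText(DocumentBuilderFactory.newInstance(), xml);
        System.out.println("default parser  -> " + text);

        // Hardened factory: the DOCTYPE declaration itself is a fatal parse error.
        try {
            parseRootText(hardened(), xml);
            System.out.println("hardened parser -> parsed (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser -> rejected: " + e.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE outright is the strictest setting; tools that must accept DTDs can drop that feature and rely on the two external-entity features instead.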
Another vulnerability in APKTool’s configuration files allowed an attacker to execute code remotely on a victim’s computer, effectively handing full control over to the hacker.
The issues were reported to Google and the rest of the developers in May 2017. Fixes have been issued in the intervening seven months.