Multiple security vulnerabilities in Google’s Android SDK can give hackers complete control of phone

Core Security Technologies has published a CoreLabs Advisory, “Multiple vulnerabilities in Google’s Android SDK” which explains:

Several vulnerabilities have been found in Android’s core libraries for processing graphic content in some of the most used image formats (PNG, GIF an BMP). While some of these vulnerabilities stem from the use of outdated and vulnerable open source image processing libraries, otherss were introduced by native Android code that use them or that implement new functionality.

Exploitation of these vulnerabilities to yield complete control of a phone running the Android platform has been proved possible using the emulator included in the SDK, which emulates phone running the Android platform on an ARM microprocessor.

This advisory contains technical descriptions of these security bugs, including a proof of concept exploit to run arbitrary code, proving the possibility of running code on Android stack (over an ARM architecture) via a binary exploit.

Full advisory here.

21 Comments

  1. I agree, This is why companies release Beta editions first. Granted, Google has a long tradition of making things Beta for 2 or more years.

    I expect apple to release a Beta of the SDK today and not release the full version until June.

  2. Does this post mean that Android is an official competitor of the iPhone? A declaration of war by MDN? Are we gearing up to take it on? Is it going to be the iPhone fanboys and fangirls against the Android squad?

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.