Android RCE threats – MobileIron’s Guidance

Last week we wrote a blog about arbitrary remote code execution (RCE) exploits that hinted on the Apple iDevice’s side of the mobile device world.

This week, some vulnerabilities on Android devices appeared in cybersecurity threat news feeds. Two highly-publicized remote code execution exploits are trending. Both of these high-severity vulnerabilities have reportedly been patched in the May update, so check your Android devices to see if you have already applied the May security update. Here is Android’s bulletin.

CVE-2020-0103 is a vulnerability within the AAC media decoder built into the Android OS system, which could result in a remote code execution exploit on affected Android 9 and 10 devices

“The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process,” Google notes in its advisory.

CVE-2020-8899 is a buffer overwrite vulnerability within the Quram qmg library of Samsung's Android OS versions 8, 9 and 10. An unauthenticated and unauthorized attacker can send a specially-crafted MMS to a vulnerable phone and trigger a heap-based buffer overflow in the Quram image codec. This can evolve into an arbitrary remote code execution (RCE) without any user interaction. The Samsung ID is SVE-2020-16747.  Samsung has reached out and confirmed to us by saying, “Samsung takes the protection of our users’ data very seriously. Project Zero recently brought to our attention potential vulnerabilities related to the Qmage codec library on Galaxy devices. We immediately investigated this issue and released a patch with our May security update. We recommend that all customers keep their devices updated with the latest software to ensure the highest level of protection possible.”

Samsung has patched the vulnerability in the May security update, so this has been rolling out directly to Samsung devices. Check your Samsung devices to see if you already have the May security update that patches this exploit! 

As we mentioned in the previous handling RCE blog we posted last week:

Based on previous exploits, some escape app sandbox isolation, Elevation of Privileges (EoP) along with File System Changed and App Tampering or System Tampering threats, would be detected by MobileIron Threat Defense (MTD). MTD would instruct MobileIron’s unified endpoint management (UEM) platform to trigger a quarantine compliance action that removes managed apps and their content from the device, preventing any data loss. If the exploit tried to make a command-and-control connection to a mothership server on the dark web to exfiltrate the stolen data, then a (network) Gateway Change or DNS Change threat would also be triggered. The compliance action to block network traffic and prevent any data to leave the device could be enforced. If the exploit performed a lateral movement onto any connected network, an Internal Network Access or Network Handoff threat would be detected with a blocking or sinkhole network traffic being triggered as a compliance action from UEM.

With MobileIron UEM and corporate-owned devices, administrators can install updates to the devices once new patches are released. For BYOD devices, MobileIron can send a push notification so that employees can upgrade as soon as possible. A tiered compliance policy can also be enforced by setting a time limit to permit the user to update to the prescribed OS version that has the security fixes in place. A notification can be sent to both the user and UEM administrator that a device is out-of-compliance. Then, a specified amount of time like four hours or one day elapses before more restrictive compliance actions, like blocking access to the corporate network and work resources, or quarantining the device by removing managed apps and content, or a final action of retiring the device completely from UEM can be enforced. MobileIron Access can also be deployed to block access to the device or user and prevent access to critical work resources until the mobile device is fully compliant once more.

James Saturnio

James Saturnio

Senior Lead Technical Market Adviser at MobileIron

About the author

James Saturnio is a Senior Lead Technical Market Adviser at MobileIron. He immerses himself in all things cybersecurity and has over 25 years’ experience in this field. He has been with MobileIron for over 6 years, and previously worked at Cisco Systems for 19 years. While at Cisco, he worked as a TAC Engineer, and then as a Technical Leader for the Security Technology and Internet of Things (IoT) business units. He was the main architect for the IoT security framework that is still being used today by Cisco’s IoT customers.