There is a security flaw in Debuggerd, the debugging component integrated in the Android operating system.
The flaw, working in conjunction with other bugs, could achieve arbitrary code execution on the device.
The vulnerability is in all Android versions starting 4.0 (Ice Cream Sandwich) to 5.x (Lollipop), which currently accounts for 94.1 percent of the mobile devices.
According to official statistics, most Android users (39.2 percent) run build 4.4 of the operating system, commonly known as KitKat, followed by JellyBean, with 37.4 percent. Lollipop, the latest version of the OS, accounts for only 12.4 percent of the Android market.
An attacker could create a special ELF (Executable and Linkable Format) file to crash the debugger and view dumps and log files for data stored in the memory, said researchers at Trend Micro.
They said on its own, the glitch is not suitable for code execution, but the information it provides access to can end up leveraged to bypass ASLR (address space layout randomization) protection. Once this occurs, it is possible to run rogue code on the device.
The flaw can end up abused for denial-of-service purposes, though, by repeatedly crashing the built-in debugger.
“This vulnerability can be exploited by a malicious or repackaged app downloaded onto the device, although the impact would be relatively limited,” Wish Wu, mobile threat response engineer at Trend Micro, said in a blog post.
Wu said Debuggerd relies on “sym->st_name” as an offset for a string copy command but no error checking function is available. A malformed ELF file could end up used to control the value to point to inaccessible memory, which causes Debuggerd to crash.
Trend Micro disclosed the vulnerability to Google on April 27, who assigned it a low severity rating.
At the moment, there is no patch for the affected Android versions available to consumers, but a fix will be in the next release of the OS (Android M), expected to launch in October/November.
The patch is also present in the Android Open Source Project (AOSP) code since May 15, so it can end up integrated by carriers and device manufacturers and pushed to users, but historically, such a move has always ended up delayed for significant periods of time.