A vulnerability codenamed ParseDroid affects development tools used by Android app developers and allows attackers to steal files and execute malicious code on vulnerable machines.
Discovered by security researchers from Israeli firm Check Point, ParseDroid affects the XML parsing library included with projects such as APKTool, IntelliJ, Eclipse, and Android Studio.
Researchers discovered that this library does not disable external entity references when parsing an XML file, a classic XML External Entity (XXE) vulnerability that attackers can exploit with ease.
Attackers can steal files from PCs running vulnerable IDEs
“The vulnerability exposes the whole OS file system of [affected] users, and as a result, attackers could then potentially retrieve any file on the victim’s PC by using a malicious AndroidManifest.xml file,” researchers said.
All Android apps contain an AndroidManifest.xml file, which makes this the perfect place to hide malicious code.
Developers using APKTool, IntelliJ, Eclipse, or Android Studio to open an app containing a malicious AndroidManifest.xml file are vulnerable to having local files stolen by an attacker.
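The following pre-open check is an added example, not code from Check Point or from any of the affected tools. It scans a decoded, text-form AndroidManifest.xml for DTD and entity declarations without resolving them, on the assumption that a legitimate manifest has no need for a DOCTYPE; the function name, finding labels and sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

def audit_manifest(xml_bytes):
    """Return (kind, detail) findings for DTD/entity use; never loads entities."""
    findings = []
    parser = expat.ParserCreate()
    # Explicitly keep external parameter entities unread (also expat's default).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings.append(("external-entity", f"{name} -> {system_id or public_id}"))
        else:
            findings.append(("internal-entity", name))

    def on_external_ref(context, base, system_id, public_id):
        # Record where the document tries to pull the entity in, then
        # return non-zero so parsing continues without fetching anything.
        findings.append(("external-entity-ref", system_id))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(("parse-error", str(exc)))
    return findings

# Constructed sample: a manifest declaring and referencing an external entity.
SUSPICIOUS = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [
  <!ENTITY probe SYSTEM "file:///constructed/placeholder.txt">
]>
<manifest package="com.example.constructed">&probe;</manifest>
"""

# Constructed sample: an ordinary manifest with no DTD.
CLEAN = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:label="demo"/>
</manifest>
"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, audit_manifest(doc))
```

An empty result means no DOCTYPE or entity declarations were found; any finding is a reason to inspect the file before opening the project in an unpatched tool.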
Check Point said it notified the development teams of all affected products and they’ve all released updates fixing the ParseDroid flaw. Android app developers and security researchers who use these tools to compile or decompile Android APK files should update their IDEs.
Furthermore, APKTool is also vulnerable to a second flaw. This second vulnerability allows attackers to execute code of their choosing on vulnerable systems. This lets attackers expand their attack…