Skip to main content

Google patches the Google Admin app

The Google Admin app has had a vulnerability which allowed hackers to steal enterprise accounts, however Google has now issued a fix.

The vulnerability was spotted by MWR Labs researcher Rob Miller, who rated it medium severity. In order for the vulnerability to be exploited, malware would have to be on the same device.

The flaw can be used to steal Google for Work credentials, according to the UK researcher.

"A malicious application on the same device as the Google Admin application is able to read data out of any file within the Google Admin sandbox, bypassing the Android Sandbox," Miller says in an advisory.

"Devices with Google Admin installed should not install any untrusted third party applications."

"An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity“, Miller said.

Attackers using a file:// URL to link to a file that they controlled could use symbolic links to bypass the Same Origin Policy and hop the sandbox.

That attack is possible using any app on an Android device.

As an interim workaround, Miller has advised everyone not to download or install any untrusted third party applications.

Google has issued a fix on August 14, a day after the vulnerability was announced and, according to a report by The Register, labelled it under 'bug fixes'.

Google has had a lot of work with Android lately, especially after the Stagefreight vulnerability was uncovered. Stagefright allows an attacker to take control of a device simply by sending a video message.