Android devices from 7 manufacturers are at risk: check if yours is too

APEX (Android Package EXecutable) modules are packages prepared by Google to allow developers to update specific parts of the Android operating system without having to intervene on the entire system. As Tom Hebb (Meta) explains, APEX packages should always be signed with a private key known only to the individual hardware manufacturer.

In September 2023, however, the technicians of Meta's Red Team X discovered that the source of AOSP (Android Open Source Project), the open source project managed by Google, contains some test cryptographic keys. One example is the private key used to sign com.android.art, the APEX module that allows you to act on the ART engine (Android Runtime), the application execution environment introduced by Google with Android 5.0 “Lollipop” as the successor to the previous Dalvik runtime.

Private keys present in Android images can allow code execution with the highest privileges

An analysis of the operating system images derived from AOSP and used by 14 well-known Android manufacturers in their devices found that 7 companies share at least one private key. Using it, anyone can effectively develop digitally signed code and present it to Android as if it were an authorized update.

This, of course, can have dramatic consequences: execution of arbitrary code with the maximum possible privileges can result in the installation of low-level malware and spyware, the theft of personal data, and the corruption of application and data integrity.

Which Android devices are at risk and which manufacturers are affected by the problem

After Meta’s report, which arrived privately, Google immediately took action to remedy the issue. In December 2023, the Mountain View company released an official patch that aims to prevent the use of test private keys. Meanwhile, the security issue has been assigned the identifier CVE-2023-45779.

Regardless of the device used, therefore, anyone who has installed the December 2023 or later update for Android is currently immune to any type of attack.

According to Hebb, an attacker trying to execute code on a vulnerable Android device by exploiting the CVE-2023-45779 flaw could actually bypass existing security mechanisms and completely compromise them.

The security gap in question impacts many OEMs, including ASUS (Zenfone 9), Microsoft (Surface Duo 2), Nokia (G50), Nothing (Phone 2), VIVO (X90 Pro), Lenovo (Tab M10 Plus) and Fairphone (5). The device models mentioned, however, represent only the tip of the iceberg, because they are only those used during the tests carried out in the Meta laboratories. It is likely that many, if not all, Android devices from the same manufacturers may suffer from the same problem. Fairphone’s bulletin on the matter, for its part, confirms this.

The list of manufacturers and Android devices certainly NOT vulnerable

Meta experts also shared the list of device models found to be immune to the problem described. Google (Pixel), Samsung (Galaxy S23), Xiaomi (Redmi Note 12), OPPO (Find X6 Pro), Sony (Xperia 1 V), Motorola (Razr 40 Ultra) and OnePlus (10T) are indicated as certainly not vulnerable.

In this case too, other devices from the same manufacturers should be unaffected by the CVE-2023-45779 flaw.

Currently not remotely exploitable, the CVE-2023-45779 vulnerability could be used in an exploit chain

With the aim of raising the awareness of developers, manufacturers and end users about the sensitivity of the issue, Meta researchers have published Proof-of-Concept (PoC) code on GitHub.

The problem being discussed in itself requires physical access to the vulnerable Android device and the use of the command adb shell. However, as we have seen in many other circumstances, there is always the possibility that the CVE-2023-45779 vulnerability is used as part of an exploit chain to gain elevated privileges on an already compromised device.

The advice is to check in the Android settings, tapping About your phone/tablet, the update status of the device. If it was not updated (security patch level prior to 2023-12-05), it is advisable to install any available patches. In their absence, it is advisable to consider switching to a more recent Android ROM.
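
For anyone managing more than one device, the same check can be scripted. The following is an added example, not code from Meta or Google: it classifies a security patch level against the 2023-12-05 threshold given above, reading it either from a constructed sample inventory or, with --adb, from the standard Android property ro.build.version.security_patch. The function names, the --adb switch and the sample serials are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# 2023-12-05 threshold that the article gives for CVE-2023-45779.

FIXED_LEVEL="2023-12-05"   # threshold taken from the article

# classify_patch_level LEVEL -> prints "patched", "needs-update" or "unknown"
classify_patch_level() {
    level=$(printf '%s' "$1" | tr -d '[:space:]')   # adb output may carry CR/LF
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;              # empty or malformed value
    esac
    # YYYY-MM-DD compares chronologically once the dashes are removed
    have=$(printf '%s' "$level" | tr -d '-')
    want=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$want" ]; then echo "patched"; else echo "needs-update"; fi
}

# report_fleet: reads "serial level" lines on stdin, prints "serial status"
report_fleet() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(classify_patch_level "$level")"
    done
}

# check_connected: query the attached device (requires adb and USB debugging)
check_connected() {
    level=$(adb shell getprop ro.build.version.security_patch) || return 1
    classify_patch_level "$level"
}

# Constructed sample inventory (serials and patch levels are made up)
SAMPLE_INVENTORY='dev-a 2023-11-05
dev-b 2023-12-05
dev-c 2024-02-01
dev-d
dev-e 2023-12-01'

# With --adb, check the connected device; otherwise report on the sample
if [ "${1:-}" = "--adb" ]; then
    check_connected
else
    printf '%s\n' "$SAMPLE_INVENTORY" | report_fleet
fi
```

A device reported as "unknown" did not return a well-formed patch level and should be checked by hand in the settings.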