At the USENIX WOOT 2015 Security Conference this weekend in Washington, Peles and Roee Hay presented a new zero-day vulnerability that affects Android devices.
In their work titled "One Class to Rule Them All", the two researchers, from IBM's X-Force Application Security Research Team, presented a PoC of CVE-2014-3153, a vulnerability they discovered in Android's OpenSSLX509Certificate class.
With this vulnerability, an attacker can not only give an application greater privileges but also gain root privileges across the whole phone.
Attackers can use the vulnerability to replace authentic applications with fake ones!
According to the researchers, an attacker could easily use this vulnerability to download malicious APK files to the user's device, and then use them to replace genuine apps, such as the Facebook app, as shown in the video below.
The impact of privilege escalation with CVE-2014-3153 is not limited to overwriting authentic applications. The hackers could also download whatever they want from the user's device and spy on the owner, who would never notice anything, as everything happens in the background.
According to the researchers, all versions of Android from 4.3 up to 5.1 are affected, namely Jelly Bean, KitKat, and Lollipop. The latest version, M, is also vulnerable. This represents approximately 55% of all Android devices.
See the PoC:
https://www.youtube.com/watch?v=VekzwVdwqIY
Note: Such vulnerabilities make it imperative to find a direct distribution solution for Android updates. In 2015, Google's system of updates is unacceptable!