Posted by Imre RAD on Apr 17
Android backup agent arbitrary code execution
———————————————
The Android backup agent implementation was vulnerable to privilege
escalation and a race condition. An attacker with adb shell access could
run arbitrary code as the system (1000) user (or any other valid
package). The attack was tested on Android OS 4.4.4.
The main problem is inside the bindBackupAgent method in the
ActivityManagerService.
This method is…