
A vulnerability codenamed ParseDroid affects development tools used by Android app developers and allows attackers to steal files and execute malicious code on vulnerable machines.

Discovered by security researchers from Israeli firm Check Point, ParseDroid affects the XML parsing library included with projects such as APKTool, IntelliJ, Eclipse, and Android Studio.

Researchers discovered that this library does not disable external entity references when parsing an XML file, a classic XML External Entity (XXE) vulnerability that attackers can exploit with ease.
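As an added illustration, not code from the Check Point report or from any of the affected tools, the following Python shows what "disabling external entity references" means in practice: a manifest reader that rejects any DOCTYPE (the only place entities can be declared) and refuses to fetch external entities even if one slips through. Both sample manifests are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample manifests for this example (not taken from the Check Point report).
SAFE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application android:label="Example"/>
</manifest>
"""

# The XXE shape the article describes: a DOCTYPE declaring an external entity whose
# reference a non-hardened parser would resolve by reading the named local file.
ENTITY_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local/file"> ]>
<manifest package="com.example.app">
  <application>&ext;</application>
</manifest>
"""


class UnsafeManifest(ValueError):
    """Raised when a manifest carries a DTD, which an AndroidManifest.xml never needs."""


def parse_manifest_package(xml_text: str) -> str:
    """Return the package attribute of an AndroidManifest.xml, parsed with
    external-entity resolution refused and any DOCTYPE rejected outright."""
    parser = expat.ParserCreate()
    found = {"package": None}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared through a DTD, so reject the whole document.
        raise UnsafeManifest(f"DOCTYPE '{name}' declared in manifest")

    def on_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 makes expat abort instead of fetching the URI.
        return 0

    def on_start_element(name, attrs):
        if name == "manifest":
            found["package"] = attrs.get("package")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start_element
    parser.Parse(xml_text, True)
    return found["package"]


def manifest_is_safe(xml_text: str) -> bool:
    """Pre-open check a tool could run on every manifest it extracts from an APK or AAR."""
    try:
        parse_manifest_package(xml_text)
    except UnsafeManifest:
        return False
    return True
```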

Attackers can steal files from PCs running vulnerable IDEs

"The vulnerability exposes the whole OS file system of [affected] users, and as a result, attackers could then potentially retrieve any file on the victim's PC by using a malicious AndroidManifest.xml file," researchers said.

All Android apps contain an AndroidManifest.xml file, which makes this the perfect place to hide malicious code.

Developers using APKTool, IntelliJ, Eclipse, or Android Studio to open an app containing a malicious AndroidManifest.xml file are vulnerable to having local files stolen by an attacker.

Check Point said it notified the development teams of all affected products and they've all released updates fixing the ParseDroid flaw. Android app developers and security researchers who use these tools to compile or decompile Android APK files should update their IDEs.

Furthermore, APKTool is also vulnerable to a second flaw. This second vulnerability allows attackers to execute code of their choosing on vulnerable systems, expanding the attack from blind data exfiltration to something more complex, such as dropping more advanced malware on the targets' PCs.

ParseDroid attacks are easy to carry out

Attacking developers via ParseDroid is easy because malicious XML code can be hidden in many other places, and not just the AndroidManifest.xml file. For example, the malicious code can also be hidden inside AAR (Android Archive Library) files.

Furthermore, the Android development ecosystem is accustomed to cloning apps from various third-party websites. Attackers will find it very easy to host malicious code disguised as open-source app templates and libraries on GitHub and other repositories and reach thousands of users without having to dedicate many resources to ParseDroid attacks. A video demoing some of these attacks is available below.

ParseDroid is also a cross-platform bug, allowing attackers to target developers running any operating system. Furthermore, ParseDroid is also a silent attack, and users won't notice hackers stealing sensitive files from their systems.

Because many Android app developers work for big companies, some of these hacked systems could contain closed-source code, intellectual property, or trade secrets.

Regular Android app users aren't affected by the ParseDroid vulnerability.

This article was based on a Check Point investigation provided to Bleeping Computer ahead of publication. We will update our story with a link to Check Point's detailed report once it is available on the company's official website. UPDATE: The Check Point ParseDroid report is now live and available here.