TY - UNPB
T1 - Executing Arbitrary Code in the Context of the Smartcard System Service
AU - Roland, Michael
N1 - associated CVE identifier: CVE-2015-6606
PY - 2016/1/21
Y1 - 2016/1/21
N2 - This report summarizes our findings regarding a severe weakness in implementations of the Open Mobile API deployed on several Android devices. The vulnerability allows arbitrary code coming from a specially crafted Android application package (APK) to be injected into and executed by the smartcard system service component (the middleware component of the Open Mobile API implementation). This can be exploited to gain elevated capabilities, such as privileges protected by signature- and system-level permissions assigned to this service. The affected source code seems to originate from the SEEK-for-Android open-source project and was adopted by various vendor-specific implementations of the Open Mobile API, including the one that is used on the Nexus 6 (as of Android version 5.1).
AB - This report summarizes our findings regarding a severe weakness in implementations of the Open Mobile API deployed on several Android devices. The vulnerability allows arbitrary code coming from a specially crafted Android application package (APK) to be injected into and executed by the smartcard system service component (the middleware component of the Open Mobile API implementation). This can be exploited to gain elevated capabilities, such as privileges protected by signature- and system-level permissions assigned to this service. The affected source code seems to originate from the SEEK-for-Android open-source project and was adopted by various vendor-specific implementations of the Open Mobile API, including the one that is used on the Nexus 6 (as of Android version 5.1).
KW - cs.CR
UR - https://nvd.nist.gov/vuln/detail/CVE-2015-6606
U2 - 10.48550/arXiv.1601.05833
DO - 10.48550/arXiv.1601.05833
M3 - Preprint
T3 - CoRR - Computing Research Repository
BT - Executing Arbitrary Code in the Context of the Smartcard System Service
PB - arXiv
ER -