Security researchers from Check Point have found an easily exploitable vulnerability called ParseDroid that could affect the millions of users of integrated development environments such as IntelliJ, Eclipse and Android Studio. The vulnerability could enable attackers to steal files and execute malicious code on vulnerable systems remotely.
According to Check Point researchers:
“The vulnerabilities in question are the developer tools, both downloadable and cloud based, that the Android application ecosystem, the largest application community in the world, is using.”
The ParseDroid attack is an XML External Entity (XXE) flaw. It is triggered when a vulnerable Android development tool decodes an app and attempts to parse a maliciously crafted “AndroidManifest.xml” file inside it.
To exploit this vulnerability, attackers need to fool developers and reverse engineers into using a maliciously crafted APK file. Just by loading the malicious “AndroidManifest.xml” file as part of an Android project, the IDEs begin spitting out any file specified by the attacker.
Attackers can also use the same vector to inject malicious files anywhere in the targeted machine’s file system, leading to complete remote code execution (RCE).
Google and the teams behind the integrated development environments IntelliJ, Eclipse and Android Studio were warned of this vulnerability, and the vendors have patched their platforms.
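For developers and reverse engineers who want to vet a decoded “AndroidManifest.xml” before opening it in a tool, the following added example (not code from Check Point or any of the vendors) parses the file with handlers that refuse any DOCTYPE or entity declaration, which is the construct an XXE flaw depends on. It assumes the manifest has already been decoded to text XML; the names `check_manifest` and `ManifestRejected` and both sample manifests are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample inputs (not taken from any real APK).
CLEAN_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:label="Demo"/>
</manifest>"""

DTD_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [<!ENTITY sample "constructed">]>
<manifest package="com.example.constructed">&sample;</manifest>"""


class ManifestRejected(Exception):
    """Raised when a decoded manifest declares a DTD or any entity."""


def check_manifest(xml_bytes):
    """Return the package name of a clean manifest; raise ManifestRejected otherwise."""
    parser = xml.parsers.expat.ParserCreate()
    found = {}

    # A legitimate manifest needs no DTD, so any DOCTYPE is refused outright.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ManifestRejected(f"DOCTYPE declaration for <{name}>")

    # Defense in depth: refuse entity declarations and external references too.
    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ManifestRejected(f"entity declaration &{name};")

    def on_external_ref(context, base, sysid, pubid):
        raise ManifestRejected("external entity reference")

    def on_start(tag, attrs):
        if tag == "manifest":
            found["package"] = attrs.get("package", "")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return found.get("package", "")


if __name__ == "__main__":
    print(check_manifest(CLEAN_MANIFEST))
```

A rejected manifest is a reason to stop and inspect the APK in an isolated environment, not to strip the DOCTYPE and continue.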