Google Patches Vulnerability in "Google Admin" App for Android

Researchers identified a vulnerability in the Google Admin application for Android that could have been exploited to read arbitrary files from the app's sandbox. Google says it has released an update to patch the flaw.

The Google Admin application for Android is designed to allow administrators to manage their Google for Work accounts from their mobile devices. Admins of Google Apps for Work, Education, Google Coordinate, and Government can use the app to add and manage users, contact support, and view their organization's audit logs.

Researchers at security firm MWR InfoSecurity discovered a medium severity vulnerability that allows malicious applications installed on the same device as Google Admin to bypass the Android sandbox and read data from any file within Admin's sandbox.

"An issue was found when the Google Admin application received a URL via an IPC call from any other application on the same device. The Admin application would load this URL in a webview within its own activity. If an attacker used a file:// URL to a file that they controlled, then it is possible to use symbolic links to bypass Same Origin Policy and retrieve data out of the Google Admin sandbox," MWR InfoSecurity wrote in an advisory published last week.

According to MWR, the flaw was reported to Google in mid-March. The company noted in its advisory that the search giant had not released an update to patch the vulnerability.

However, Google says it has released an update for Google Admin to address the flaw reported by MWR. The company is not aware of any attacks leveraging this security hole.

"We thank the researchers for flagging this to us. We have addressed the issue in the Google Admin app and the fix has been released. In order for this issue to occur, a malicious app would need to be installed on the device. As far as we know, no one has been affected," a Google spokesperson told SecurityWeek.

Technical details on the vulnerability are available in MWR's advisory.

Google announced in February that it has expanded its vulnerability reward program to mobile applications developed by the company.

As far as Android is concerned, numerous vulnerabilities have been uncovered in the mobile platform over the past months. The list includes several denial-of-service (DoS) bugs, and some critical issues such as the Stagefright vulnerabilities.