BlueStacks, one of the most popular and widely used mobile and PC Android emulators, had several severe security vulnerabilities. These bugs allowed attackers to perform remote arbitrary code execution, gain access to personal information, and steal backups of the VM (Virtual Machine) and its data.
BlueStacks, the free Android emulator backed by investors including Intel, AMD, Samsung, and Qualcomm, disclosed the existence of the vulnerabilities. These bugs, if exploited correctly, could potentially grant attackers a way to remotely execute code on vulnerable systems. Given that BlueStacks is one of the most widely used Android emulators, the risk to users has been quite severe. If that’s not concerning enough, the vulnerabilities could also allow attackers to remotely install malicious Android apps, which are commonly distributed as APKs.
The company behind the emulator released a security advisory which mentioned the existence of a severe security bug. Officially tagged CVE-2019-12936, the vulnerability exists within BlueStacks’ IPC mechanism and an IPC interface. At its core was the absence of correct and thorough authentication protocols. The bug has been issued a CVSS score of 7.1, which is a lot lower than the Oracle WebLogic Server security vulnerability that we recently reported. The advisory read: “An attacker can use DNS Rebinding to gain access to the BlueStacks App Player IPC mechanism via a malicious web page. From there, various exposed IPC functions can be abused.”
Essentially, the security flaw permits attackers to use DNS Rebinding, a technique in which client-side script turns a target’s browser into a proxy for attacks. The flaw granted access to the BlueStacks App Player IPC mechanism. Once exploited, the flaw would allow the execution of functions which could then be used for a variety of different attacks ranging from remote code execution to information disclosure. In other words, a successful exploit of the bug could lead to remote execution of malicious code, massive leaks of the victim’s information, and the theft of data backups in the emulator. The flaw could also be used to install APKs without authorization on the BlueStacks virtual machine. Incidentally, the security threat appears limited to the victim and apparently cannot spread using the victim’s BlueStacks installation or machine as a zombie.
Which BlueStacks Versions Are Affected By The Security Vulnerability?
It is shocking to note that the attack merely requires the target to visit a malicious website. The security vulnerability exists in versions 4.80 and below of the BlueStacks App Player. The company has issued a patch to resolve the vulnerability. The patch upgrades the version of BlueStacks to 4.90. Users of the emulator are recommended to visit the official website to install or update their software.
It is mildly concerning to note that BlueStacks will not be back-porting this fix to versions 2 or 3. In other words, BlueStacks won’t be developing a patch for the archaic versions of the emulator. Although it is highly unlikely that there are many users sticking to these ancient releases, it is strongly recommended that users update to the latest version of BlueStacks at the earliest to safeguard their installations and data.
It is interesting to note that BlueStacks was vulnerable to a DNS Rebinding attack because it exposed an IPC interface on 127.0.0.1 without any authentication. This allowed an attacker to use DNS Rebinding to send remote commands to the IPC server of the BlueStacks emulator, reported Bleeping Computer. The attack also allowed the creation of a backup of the BlueStacks virtual machine and all the data contained in it. Needless to add, the data backup could easily include sensitive information, including login credentials to various websites and platforms, and other user data as well.
BlueStacks has successfully patched the security vulnerability by creating an IPC authorization key. This secure key is now stored in the Registry of the computer on which BlueStacks is installed. Moving ahead, any IPC request that the virtual machine receives must contain the authenticating key. A request that does not contain this key will be discarded, thereby preventing access to the virtual machine.
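The kind of check the fix describes, sketched for a generic loopback IPC server; this is an added example, not BlueStacks code. The port, header name, and function names are assumptions, and the Host allowlist goes beyond the fix described above, as a common second defence against DNS rebinding.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

IPC_PORT = 8765                  # hypothetical port for this sketch
KEY_HEADER = "X-IPC-Auth-Key"    # hypothetical header name
ALLOWED_HOSTS = {f"127.0.0.1:{IPC_PORT}", f"localhost:{IPC_PORT}"}

def new_ipc_key() -> str:
    """Random per-install key. A real product would persist it somewhere only
    the local user can read (the article says BlueStacks uses the Registry)."""
    return secrets.token_hex(32)

def is_authorized(headers, expected_key: str) -> bool:
    """True only if the request names loopback in Host and carries the key."""
    # A rebinding page reaches 127.0.0.1 through the attacker's own hostname,
    # so the browser puts that hostname in Host. Reject anything not local.
    host = (headers.get("Host") or "").lower()
    if host not in ALLOWED_HOSTS:
        return False
    supplied = headers.get(KEY_HEADER) or ""
    # Constant-time comparison so response timing does not leak the key.
    return hmac.compare_digest(supplied.encode(), expected_key.encode())

def make_handler(expected_key: str):
    class IPCHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            if not is_authorized(self.headers, expected_key):
                self.send_error(403)   # discarded before any IPC function runs
                return
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")

        def log_message(self, *args):  # keep the demo quiet
            pass
    return IPCHandler

if __name__ == "__main__":
    key = new_ipc_key()
    # Bind to loopback only; the key check is what stops a browser-relayed request.
    HTTPServer(("127.0.0.1", IPC_PORT), make_handler(key)).serve_forever()
```

A web page cannot read the local key store, so a request relayed through the victim's browser arrives without the key and is rejected even though it originates from the local machine.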