Recently disclosed EvilParcel vulnerabilities (CVE-2017-13287 and others) detected in the Android OS allow performing arbitrary actions in context of the privileged system_server process.

The speaker gives a description of a new trojan Android.InfectionAds.1 that exploits the EvilParcel and Janus vulnerabilities. They allow the trojan to install and remove applications from Android devices without users’ confirmation, change the application code while retaining its signature, and perform other malicious actions. The speaker examines in detail the EvilParcel class of vulnerabilities, explains how they are exploited by Android.InfectionAds.1, and discusses whether the protection against EvilParcel in AOSP updates can be considered reliable.