Remote code execution bug lurked in BlueStacks Android emulator

Vulnerable code allowed BlueStacks' IPC mechanism to be tampered with, with severe consequences.
Written by Charlie Osborne, Contributing Writer

Severe vulnerabilities have been publicly disclosed in the BlueStacks emulator which granted attackers a way to remotely execute code on vulnerable systems. 

BlueStacks is a mobile and PC Android gaming platform. Catering to millions of users, the software is a free emulator backed by investors including Intel, AMD, Samsung, and Qualcomm. 

In a recent security advisory, BlueStacks revealed the existence of a bug, CVE-2019-12936, which relates to problems with BlueStacks' IPC mechanism and an IPC interface which had no form of authentication enabled. 


Assigned a CVSS score of 7.1, the security flaw permits attackers to use DNS rebinding -- the operation of a client-side script to turn a victim's browser into a proxy for attacks -- to gain access to the BlueStacks App Player IPC mechanism. All it takes is a visit to a malicious webpage.
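The two defensive checks a loopback IPC service needs against this class of bug, a Host header allowlist and caller authentication, are shown below as an added example; it is not BlueStacks' code or its actual fix. It assumes the IPC interface is HTTP on loopback, and the port, header name and function names are hypothetical.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

PORT = 8765                     # hypothetical loopback port (assumption)
TOKEN = secrets.token_hex(32)   # per-install secret; share it only with the local client
TOKEN_HEADER = "X-IPC-Token"    # hypothetical header name (assumption)


def allowed_hosts(port):
    """Host header values a genuine local client would send."""
    return {f"127.0.0.1:{port}", f"localhost:{port}", f"[::1]:{port}"}


def check_request(headers, port=PORT, token=TOKEN):
    """Return (status, reason) for a mapping of request headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # A rebound page still sends the attacker's hostname in Host, because
    # the browser believes it is talking to that origin.
    if h.get("host", "").strip().lower() not in allowed_hosts(port):
        return 403, "host not allowed"
    # Authenticate the caller; constant-time compare avoids a timing oracle.
    supplied = h.get(TOKEN_HEADER.lower(), "")
    if not hmac.compare_digest(supplied.encode(), token.encode()):
        return 401, "missing or bad token"
    return 200, "ok"


class IPCHandler(BaseHTTPRequestHandler):
    def _reply(self):
        status, reason = check_request(dict(self.headers.items()))
        body = reason.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _reply   # every verb goes through the same checks


if __name__ == "__main__":
    # Bind to loopback only; binding alone does not stop rebinding.
    HTTPServer(("127.0.0.1", PORT), IPCHandler).serve_forever()
```
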

The researcher who found and reported the vulnerability, Nick Cano, told Bleeping Computer that successful exploitation of the bug can lead to the remote execution of code, information leaks, and the theft of data backups in the emulator.


In addition, Cano said that the flaw could be used to install APKs without authorization on the BlueStacks virtual machine.


The vulnerability is present in versions 4.80 and below of the BlueStacks App Player.

A patch has been developed to resolve the vulnerability in version 4.90, and users can visit the BlueStacks website to install or update their software. It is also worth noting that the fix will not be made available for version 2 or 3, so it is recommended that users update their builds as soon as possible.
