Remote code execution bug lurked in BlueStacks Android emulator

Vulnerable code allowed BlueStack’s IPC mechanism to be tampered with, with severe consequences.

Your data is at risk from unpatched vulnerabilities Flaws are left open for weeks or longer even when fixes exist, security experts admit, leaving organisations at risk.

Severe vulnerabilities have been publicly disclosed in the BlueStacks emulator which granted attackers a way to remotely execute code on vulnerable systems. 

BlueStacks is a mobile and PC Android gaming platform. Catering to millions of users, the software is a free emulator backed by investors including Intel, AMD, Samsung, and Qualcomm. 

Security 101

How to protect your privacy from hackers, spies, and the government

Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.

Read More

In a recent security advisory, BlueStacks revealed the existence of a bug, CVE-2019-12936, which relates to problems with BlueStacks' IPC mechanism and an IPC interface which had no form of authentication enabled. 

See also: Malicious URL attacks using HTTPS surge across the enterprise

Issued a CVSS score of 7.1, the security flaw permits attackers to use DNS Rebinding -- the operation of a client-side script to turn a victim's browser into a proxy for attacks -- to gain access to the BlueStacks App Player IPC mechanism. All it takes is a visit to a malicious webpage. 

The researcher who found and reported the vulnerability, Nick Cano, told Bleeping Computer that successful exploit of the bug can lead to the remote execution of code, information leaks, and the theft of data backups in the emulator. 

TechRepublic: Why half of enterprises struggle to keep pace with cloud security

In addition, Caro said that the flaw could be used to install APKs without authorization on the BlueStacks virtual machine. 

CNET: Instagram chief Adam Mosseri: We don't have a policy against deepfakes

The vulnerability is present in the 4.80 and below version of the BlueStacks App Player.

A patch has been developed to resolve the vulnerability and in version 4.90 and users can visit the BlueStacks website to install or update their software. It is also worth noting the fix will not be made available for version 2 or 3, and so it is recommended that users update their builds as soon as possible. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0