Remote code execution bug lurked in BlueStacks Android emulator

Severe vulnerabilities have been publicly disclosed in the BlueStacks emulator which granted attackers a way to remotely execute code on vulnerable systems. 

BlueStacks is a mobile and PC Android gaming platform. Catering to millions of users, the software is a free emulator backed by investors including Intel, AMD, Samsung, and Qualcomm. 

Security

Cyber security 101: Protect your privacy from hackers, spies, and the government

Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.

Read now

In a recent security advisory, BlueStacks revealed the existence of a bug, CVE-2019-12936, which relates to problems with BlueStacks' IPC mechanism and an IPC interface which had no form of authentication enabled. 

See also: Malicious URL attacks using HTTPS surge across the enterprise

Issued a CVSS score of 7.1, the security flaw permits attackers to use DNS Rebinding -- the operation of a client-side script to turn a victim's browser into a proxy for attacks -- to gain access to the BlueStacks App Player IPC mechanism. All it takes is a visit to a malicious webpage. 

The researcher who found and reported the vulnerability, Nick Cano, told Bleeping Computer that successful exploit of the bug can lead to the remote execution of code, information leaks, and the theft of data backups in the emulator. 

TechRepublic: Why half of enterprises struggle to keep pace with cloud security

In addition, Caro said that the flaw could be used to install APKs without authorization on the BlueStacks virtual machine. 

CNET: Instagram chief Adam Mosseri: We don't have a policy against deepfakes

The vulnerability is present in the 4.80 and below version of the BlueStacks App Player.

A patch has been developed to resolve the vulnerability and in version 4.90 and users can visit the BlueStacks website to install or update their software. It is also worth noting the fix will not be made available for version 2 or 3, and so it is recommended that users update their builds as soon as possible. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

• User data stolen from 'human hacking' forum Social Engineered, published on rival site
  
• Qualcomm Snapdragon 855 SPU snags smart card security certificate
  
• ICO slams UK Met Police for failure to handle public data requests
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0