PT-2012-23: SQL Injection in Dr.Web Anti-virus

Vulnerable software

Dr.Web Anti-virus
Version: 7.00.0 and earlier

Application link:
https://play.google.com/store/apps/details?id=com.drweb.pro

Severity level

Severity level: Medium
Impact: SQL Injection
Access Vector: Local  

CVSS v2:
Base Score: 6.6
Vector: (AV:L/AC:L/Au:N/C:C/I:N/A:C)

CVE: not assign

Software description

Dr.Web Anti-virus is an antivirus software for Android platform.

Vulnerability description

The specialists of the Positive Research center have detected "SQL Injection" vulnerability in Dr.Web Anti-virus application.

The vulnerability was detected in Dr.Web Anti-virus application for Android platrform in com.drweb.activities.antispam.CursorActivity class. An attacker can get the history of calls or SMS messages via third-party applications installed in the system.

How to fix

Update your software up to the latest version

Advisory status

11.07.2012 - Vendor is notified
11.07.2012 - Vendor gets vulnerability details
13.07.2012 - Vendor releases fixed version and details
17.07.2012 - Public disclosure

Credits

The vulnerability was discovered by Artem Chaykin, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-23
http://news.drweb.com/show/?c=5&i=2573&lng=en

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

Threatscape
4G and 5G are not ready for smart cities