My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



EvilParcel is a group of similar vulnerabilities found in some Android system classes. Those classes contain an error that enables information to be modified during the data exchange between applications and the operating system. If an attacker creates a specific array of transmitted data, the data values will be different after reading from the original.

Malicious programs that exploit these vulnerabilities can bypass operating system checks, obtain higher privileges, and perform previously unavailable actions. For example, they can revert the devices to factory settings and install or uninstall applications without users’ permission. Additionally, if Trojans exploit EvilParcel vulnerabilities together with other vulnerabilities, they can replace previously installed programs with their infected versions.

The following known vulnerabilities of this type are:

  • CVE-2017-0806 (error in the GateKeeperResponse class), published in October 2017;
  • CVE-2017-13286 (error in the OutputConfiguration class, published in April 2018;
  • CVE-2017-13287 (error in the VerifyCredentialResponse class), published in April 2018;
  • CVE-2017-13288 (error in the PeriodicAdvertizingReport class), published in April 2018;
  • CVE-2017-13289 (error in the ParcelableRttResults class), published in April 2018;
  • CVE-2017-13311 (error in the SparseMappingTable class), published in May 2018; and
  • CVE-2017-13315 (error in the DcParamObject class), published in May 2018.

These vulnerabilities are a threat for devices running Android 5.0–8.1 without updates from May 2018 and later.

If Dr.Web for Android detects one or more EvilParcel vulnerabilities, we recommend that you contact the hardware manufacturer to obtain the operating system updates you need.

Technical details

Android applications interact with the system by sending and receiving Intent objects. An Intent can contain an arbitrary number of key value pairs inside a Bundle object. When transferring an Intent, the Bundle object is converted (serialized) into a byte array; and when reading keys and values from a serialized Bundle, it is automatically deserialized. The key in Bundles is a string with almost any value, including a Parcelable object. Thus, you can place an arbitrary object that implements the Parcelable interface in a Bundle. To serialize and deserialize the object, the writeToParcel() and createFromParcel() methods have to be implemented.

EvilParcel vulnerabilities are caused by errors in the createFromParcel() and writeToParcel() methods in some system classes that implement Parcelable. In these classes, the number of bytes read in the createFromParcel() method will differ from the number of bytes written in the writeToParcel() method. If you place an object of this class inside a Bundle, the boundaries of the object inside the Bundle will change after re-serialization.

This is what the malware takes advantage of. To launch activities with higher privileges, it creates a specific Bundle containing a vulnerable class. Changing the boundaries of the vulnerable class allows you to place an Intent object in the Bundle in such a way that it only appears in the Bundle after the second deserialization. This allows the Intent to be hidden from the OS security mechanisms. After being called, the Intent will launch activity with elevated privileges, and the Trojans will be able to perform malicious actions without the user's permission.

See also information about other vulnerabilities