A Google spokesman said that fixing this vulnerability is not a priority.
The vulnerability CVE-2014-7952 in the backup and restore mechanism of Android devices allows an attacker to gain a high level of access to a mobile device. Information security researchers from Search-Lab report that by default an application is backed up in full, including the personal files stored in its data directory, but an application can change this behaviour by implementing its own BackupAgent class. Help Net Security reports.
The backup manager does not filter the data stream returned by an application that uses a customized BackupAgent class. As a result, during a backup the BackupAgent can, without the user's consent, inject additional applications (APK files) into the backup archive. A BackupAgent does not require any permissions on Android.
When the backup is restored, the system installs the embedded application with elevated privileges. Because the application is part of the archive, the system considers it authentic. Thus an Android application can install other applications with elevated privileges without the user's permission.
The mechanism relies on the backup utility of the Android Debug Bridge (adb backup / adb restore), so all devices on which this utility is used for backup and restore are affected.
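A practical check that follows from the above, as an added example that is not code from Search-Lab, Google or the original article: before running adb restore, inspect the archive offline and flag packages that were not part of the requested backup as well as APK entries that should not be present (for instance when the backup was taken with -noapk). The script assumes the archive layout used by adb backup (a four-line header starting with ANDROID BACKUP, followed by a deflate-compressed tar whose entries live under apps/<package>/, with _manifest for package metadata and the a/ subtree for APKs); these names come from AOSP's FullBackup code and are not stated in the article. The sample archive is constructed inside the script and is not a real device dump.

```python
import io
import tarfile
import zlib

# Header magic and tree token for APKs in an adb backup archive
# (assumed from AOSP's FullBackup; not taken from the article).
MAGIC = b"ANDROID BACKUP"
APK_TREE = "a"
MANIFEST_NAME = "_manifest"


def _add(tar, name, content):
    """Append one file entry with the given content to an open tar."""
    info = tarfile.TarInfo(name)
    info.size = len(content)
    tar.addfile(info, io.BytesIO(content))


def build_sample_backup():
    """Constructed sample archive: one legitimate package, plus entries that an
    unfiltered BackupAgent could have injected for a second package, including
    an APK. None of this comes from a real device."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        _add(tar, "apps/com.example.notes/_manifest", b"constructed manifest\n")
        _add(tar, "apps/com.example.notes/f/notes.txt", b"shopping list\n")
        # Injected entries: a package the user never asked to back up, carrying an APK.
        _add(tar, "apps/com.example.injected/_manifest", b"constructed manifest\n")
        _add(tar, "apps/com.example.injected/a/base.apk", b"PK\x03\x04 constructed, not a real apk")
    # Header: magic, format version, compressed flag, encryption algorithm.
    header = MAGIC + b"\n1\n1\nnone\n"
    return header + zlib.compress(raw.getvalue())


def parse_backup(blob):
    """Return {package: {"manifest": bool, "apks": [names], "files": count}}
    for every apps/<package>/ entry in an unencrypted adb backup archive."""
    magic, version, compressed, encryption, payload = blob.split(b"\n", 4)
    if magic != MAGIC:
        raise ValueError("not an adb backup archive")
    if encryption != b"none":
        raise ValueError("encrypted archive; decrypt it before auditing")
    tar_bytes = zlib.decompress(payload) if compressed == b"1" else payload

    packages = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) < 3 or parts[0] != "apps":
                continue  # shared storage and anything else is out of scope here
            entry = packages.setdefault(parts[1], {"manifest": False, "apks": [], "files": 0})
            if parts[2] == MANIFEST_NAME:
                entry["manifest"] = True
            elif parts[2] == APK_TREE:
                entry["apks"].append(parts[-1])
            else:
                entry["files"] += 1
    return packages


def audit_backup(blob, requested_packages, noapk=True):
    """List anything in the archive that the restore side would trust but the
    user did not ask for: unexpected packages, APKs despite -noapk, missing manifests."""
    findings = []
    for pkg, entry in parse_backup(blob).items():
        if pkg not in requested_packages:
            findings.append(f"{pkg}: not in the requested package set")
        if noapk and entry["apks"]:
            findings.append(f"{pkg}: carries APK(s) {entry['apks']} although -noapk was used")
        if not entry["manifest"]:
            findings.append(f"{pkg}: missing {MANIFEST_NAME}")
    return findings


if __name__ == "__main__":
    # Simulates: adb backup -f backup.ab -noapk com.example.notes
    for line in audit_backup(build_sample_backup(), {"com.example.notes"}):
        print("WARNING:", line)
```

Any finding means the archive should not be restored until the extra entries are understood; since adb restore installs whatever APKs the archive carries, an audit like this is the only point at which the injected package is still visible before it lands on the device.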
Information security researchers reported the vulnerability to the Android developers back in 2014, but the gap has not yet been closed. A Google spokesman said that fixing this vulnerability is not a priority because it does not affect the normal operation of an Android device. The danger arises only when a user installs a potentially malicious application themselves.