Hidden Code, Hacked Apps: MavenGate Attack Lurks in Java, Android Library Supply Chain

Mobile application security company Oversecured has recently disclosed a vulnerability found in several popular Java and Android application libraries, rendering them susceptible to a new supply chain attack method named MavenGate.

Oversecured’s analysis highlights the risk of project compromise through the acquisition of domain names. Given that most default build configurations are vulnerable, detecting an attack could prove challenging or even impossible. Successful exploitation of these vulnerabilities could allow an attacker to intercept artifacts in dependencies and inject malicious code into the application. Worse still, an attacker could compromise the build process with a malicious plugin. Oversecured revealed that all Maven-based technologies, including Gradle, are susceptible to this attack. The company has reported its findings to over 200 companies, including Google, Facebook, Signal, and Amazon.

A cybercriminal might target public repositories to conduct supply chain poisoning attacks using abandoned libraries added to well-known repositories. This is achieved by purchasing an expired reverse domain controlled by the dependency owner and gaining access to the groupId (the identifier of the organization or project that published the artifact). If the groupId is already registered in the repository, the attacker could attempt to gain access by contacting the repository’s support service.

To test the attack scenario, Oversecured uploaded its test Android library to Maven Central and JitPack. The attack becomes possible when both Maven Central and JitPack are listed in the repository block of the Gradle build script, because the declaration order determines which repository Gradle queries first when resolving a dependency during execution.

Researchers found that a hacker could target existing library versions by publishing a newer version or target new versions by releasing a version lower than its legitimate counterpart. Out of 33,938 analyzed domains, 6,170 (18.18%) were found vulnerable to MavenGate, allowing an attacker to intercept dependencies and inject their code.

Sonatype, the owner of Maven Central, stated that the described attack strategy is not feasible due to existing automation. Nonetheless, the company has deactivated all accounts associated with expired domains and GitHub projects as a security measure.

Oversecured emphasizes that developers should be responsible not only for direct dependencies but also for transitive ones. Library creators should be accountable for their declared dependencies and publish public key hashes for their dependencies.
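The two mitigations that follow from the report, pinning each dependency group to a single repository and verifying artifact checksums and signatures, can both be expressed in the Gradle build script. The snippet below is an added example written for this page, not code from Oversecured or from any of the affected projects; the group ids, artifact coordinates and the JitPack project it references are constructed placeholders.

```kotlin
// build.gradle.kts (added example; group ids and coordinates are placeholders).
// Problem the report describes: with several repositories declared, a lookup
// for a group can be answered by whichever repository happens to hold a
// matching artifact, so a copy published to a second repository can shadow
// the real one. exclusiveContent restricts a group to exactly one repository.
repositories {
    exclusiveContent {
        forRepository {
            maven { url = uri("https://jitpack.io") }
        }
        filter {
            // Only this group may be served by JitPack, and JitPack serves
            // nothing else. Placeholder group, not a real project.
            includeGroup("com.github.example-org")
        }
    }
    // Every remaining group resolves from Maven Central only.
    mavenCentral()
}

dependencies {
    // Fixed versions, never ranges or "+": a newer version pushed to another
    // repository cannot be selected if the version is pinned.
    implementation("com.github.example-org:example-lib:1.2.3") // placeholder
    implementation("org.example:other-lib:4.5.6")               // placeholder
}
```

Repository pinning only decides where an artifact is fetched from; it does not prove the bytes are the ones the author published. For that, Gradle's dependency verification is the matching control: running `./gradlew --write-verification-metadata sha256,pgp help` records the SHA-256 checksum and the signing key of every resolved artifact, direct and transitive, in `gradle/verification-metadata.xml`, and with `<verify-signatures>true</verify-signatures>` set in that file any later build fails if a downloaded artifact's checksum or PGP signature no longer matches. This is the mechanism through which the public key hashes the report asks library authors to publish become useful to consumers: the trusted keys in the verification file should be compared against the keys the upstream project announces before they are committed.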