Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating. Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1). (1) Indiana University, (2) Microsoft Research.


Page 1: Upgrading Your Android,  Elevating  My  Malware:  Privilege  Escalation Through Mobile OS Updating


Upgrading Your Android, Elevating My Malware:

Privilege Escalation Through Mobile OS Updating

Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)

(1) Indiana University, (2) Microsoft Research

Page 2: Contents

• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Systematic Analysis
• Mitigation – Scanner App
• Discussion
• Conclusion


Page 4: Introduction

• An operating system (OS) update is supposed to make the system more secure, reliable and usable:
  – fix security bugs
  – enhance security protection
  – add new functionality
• Our research shows that the Android OS update process itself has security vulnerabilities

Page 5: Introduction

• The Android ecosystem is fragmented

(Chart: distribution of Android versions in use, data provided by Google ending on April 1st, 2014; release dates marked on the chart: Feb. 2011, Dec. 2011, Oct. 2013)

Page 6: Introduction

• The following threat model is practical:
  – Assume a malicious app is running on a device with any Android version
  – Thanks to fragmentation, the higher-version OS that the device will eventually be updated to is already available elsewhere, so the attacker can study every single detail of this "future" OS in advance
  – When the OS update happens, can the attacker leverage this knowledge of the newer OS? For example, to obtain more permissions, knock out new system apps, or manipulate the data of new system apps

Page 7: Contents

• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Finding Pileups
• Mitigation – Scanner App
• Discussion and related work
• Conclusion

Page 8: Pileup Vulnerabilities

• First systematic security analysis of a mobile OS update mechanism
  – Focused on the Package Manager Service (PMS) as a first step: it is the most critical component of an OS update, installing the new system apps and registering the new properties/attributes during the update
• Discovered a new category of vulnerabilities in the OS update installation logic: Pileup

Pages 9-10: What is Pileup?

• Pileup (Privilege escalation through OS updating): a totally new category of vulnerabilities
  – Not an attack on the current OS
  – Nor an attack on the "future" OS
  – An attack on the OS updating process itself

Page 11: In general, how do the attacks work?

• A little background information:
  – An Android OS update usually adds new system apps, new permissions and other attributes

Page 12: How a Pileup attack works (diagram)

1. An Android device runs any Android version.
2. A malicious app that exploits Pileup flaws is installed. It claims a set of carefully selected privileges or attributes that are only available on the higher OS version.
3. The Android OS updates to the higher version.
4. During the OS update, the malicious app obtains the previously claimed privileges or attributes, e.g. it obtains new permissions, replaces system apps, or injects malicious data into system apps.
5. It then reads your messages, passwords and call logs, accesses your banking accounts, ...

Page 13: Six Pileup Vulnerabilities

Page 14: Pileup 1: Permission Harvesting

(Diagram: current OS → updating → "future" OS)
Current OS: "You request a permission that I never heard of."
"Future" OS: "Now I have the permission and will grant it to you."

Page 15: Attack Demo I

• Eavesdrop on Google Voice messages
  Step I
  – A malicious app installed on Android 2.3 requests the permission "com.google.googlevoice.RECEIVE_SMS"
  – The permission was to be added in Android 4.0, for receiving Google Voice SMS
  – Before the OS update, Android did not recognize the permission and therefore never asked the user whether to grant it to the malicious app
  Step II
  – The device is upgraded from Android 2.3 to 4.0
  – The OS now recognizes the permission and grants it to the app automatically
  – The app is now able to read Google Voice SMS messages

Page 16: Pileup 2: Permission Preempting

(Diagram: current OS → updating → "future" OS)
Current OS: "You define a permission that I never heard of."
"Future" OS: "I also want to define that permission, but you did it first."

Page 17: Pileup 3: Shared UID Grabbing

(Diagram: current OS → updating → "future" OS)
Current OS: "You claim a shared UID that I never heard of."
"Future" OS: "I also want to claim that shared UID, but you did it first."

Page 18: Pileup 4: Data Contamination

(Diagram: current OS → updating → "future" OS)
Current OS: "You take a package name that I never heard of."
"Future" OS: "I also want to take that package name, so I kick you out. But I will use the data you left."

Page 19: Attack Demo II

• Hijacking the mobile browser
  Step I
  – A malicious app installed on Android 2.3 takes the same package name as the future browser: com.google.android.browser
  – The app places malicious data in its own data directory
  Step II
  – The device is upgraded from Android 2.3 to 4.0
  – The OS update logic kicks out the malicious app, but keeps its data and merges it into the new browser app
  – The cache, cookies and settings of the browser are all contaminated; all webpages are hijacked

Page 20: Six Pileup Vulnerabilities

5. Denial of Service 1: exploiting the permission tree to disable permissions
6. Denial of Service 2: blocking Google Play Services, which causes other apps to malfunction

Page 21: Root Cause

• Conservative strategy: during the update, the existing apps, properties and attributes are kept as they are, and only the new ones added by the OS update are installed on top of them. Whatever an existing app already claimed therefore wins over what the new system apps bring.

(Diagram: current OS → updating → "future" OS; "Existing Apps, Properties, Attributes" are carried over, "New ones added by OS update" are layered on top)

Page 22: Impact

• Pileup flaws are pervasive: all Android versions are vulnerable
  – since the first Android release
  – all AOSP (Android Open Source Project) versions
  – all 3,522 customized versions by different manufacturers and carriers across the world: 1,552 from Samsung, 377 from LG, 1,593 from HTC
  – affecting 1 billion Android users worldwide

Page 23: Malware Distribution

• Malware exploiting Pileup is easy to spread
• App stores: all of them accepted our malware


Page 25: Exploit Opportunities

• The new resources added by an Android update (permissions, packages, shared UIDs) are what Pileup attacks exploit
  – Which resources are new depends on the Android version, device model, manufacturer and carrier
• Pileup attacks must therefore target the new resources of each specific Android update:
  – Android version
  – Device model
  – Manufacturer
  – Carrier

Page 26: Exploit Opportunities

• Data sources:
  – All AOSP versions, up to Android 4.4
  – Google Nexus family: Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.
  – 3,511 customized Android images from Samsung: 217 models, 267 carriers

Page 27: Measurement of Exploit Opportunities

• There are a lot of exploit opportunities
• Among the thousands of customized Android images, 50% of the Android updates added at least:
  – 38 sensitive permissions (dangerous/system/signature protection level)
  – 23 new packages (new system apps)
  – 1 new shared UID

Page 28: Measurement of Exploit Opportunities

• Impact of carriers: different carriers mean different exploit opportunities

Page 29: Database of Exploit Opportunities

• For every specific customization, all the exploit opportunities are documented in a database, amounting to 2 million records


Pages 31-32: Systematic Analysis - SecUP

• Vulnerability detector: detects Pileup flaws in any customized source code
• Exploit opportunity analyzer: extracts the exploit opportunities from the corresponding OS image
• Risk database: stores the exploit opportunities
• Scanner app: protects users against Pileup

(Architecture of SecUP, diagram: Android source code → Vulnerability detector → detected flaws → Opportunity analyzer, which also takes the Android images → exploit opportunities → Risk DB; the Scanner app queries the Risk DB for exploit opportunities and produces a risks report)

• Opportunities are stored for each specific Android customization
• 2 million records after scanning over 3,500 Android images

Page 33: Vulnerability Detector

• Input: Android source code
• Output: detected flaws
• Target: PMS (PackageManagerService)

(Pipeline diagram: reference PMS and new or customized PMS → diff computation → code generation → VeriFast → full verification → flaw detected)

Page 34: Formal Verification

• Assertions
  – Two principles:
    1. A non-system app should not gain any more privileges during the update
    2. A non-system app should not compromise the integrity or availability of the new Android
  – Two stages at which the assertions are checked:
    1. Setting new attributes (e.g. the UID of a new system app)
    2. Registering new properties (e.g. permissions defined by new system apps)

• Example assertion for the second stage: the package that owns the permission being registered must be a system package

    // look up the existing definition PMS kept for this permission name
    BasePermission bp = mSettings.mPermissions.get(PermissionName);
    // its owner must carry the SYSTEM flag; a non-system owner means preempting
    assert (bp.pkgFlags & SYSTEM) != 0;
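The following is an added example for this transcript, not AOSP code and not the authors' SecUP detector. It is a toy model of the PMS behaviour described on pages 14 to 21 (first definer of a permission keeps it; unknown requested permissions are skipped without asking the user; all grants are recomputed after an update) and of the two principles above, expressed as checks over the pre- and post-update state. The permission com.google.googlevoice.RECEIVE_SMS comes from the talk; every com.example.* package and permission name is constructed for the scenario. The `strict` flag is one possible mitigation for principle 1 (never widen a non-system app's grants during an update) and is this example's illustration, not the patch Google shipped.

```python
"""Toy PackageManagerService model of the Pileup root cause (added example;
not AOSP code).  Package names marked CONSTRUCTED are made up."""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Permission:
    name: str
    protection: str       # "normal" | "dangerous" | "signature" | "system"
    source_pkg: str = ""  # package whose definition PMS kept


@dataclass
class Package:
    name: str
    signer: str                                  # stands in for the signing certificate
    system: bool = False
    uses: list = field(default_factory=list)     # <uses-permission> names
    defines: list = field(default_factory=list)  # <permission> definitions


class ToyPMS:
    """First definer of a permission keeps it; grants are recomputed for
    every installed app after an OS update (the conservative strategy)."""

    def __init__(self):
        self.permissions = {}  # name -> Permission   (mSettings.mPermissions)
        self.packages = {}     # name -> Package
        self.granted = {}      # package name -> set of granted permission names

    def install(self, pkg):
        self.packages[pkg.name] = pkg
        for p in pkg.defines:
            if p.name not in self.permissions:  # a later definer is silently ignored
                self.permissions[p.name] = Permission(p.name, p.protection, pkg.name)
        self.granted[pkg.name] = self._grant(pkg)

    def _grant(self, pkg):
        got = set()
        for name in pkg.uses:
            bp = self.permissions.get(name)
            if bp is None:
                continue  # unknown permission: skipped, the user is never asked
            owner = self.packages[bp.source_pkg]
            if bp.protection in ("normal", "dangerous"):
                got.add(name)  # pre-Marshmallow: granted at install time, no prompt later
            elif bp.protection == "signature" and owner.signer == pkg.signer:
                got.add(name)
            elif bp.protection == "system" and (pkg.system or owner.signer == pkg.signer):
                got.add(name)  # approximation of signatureOrSystem
        return got

    def os_update(self, new_system_pkgs, strict=False):
        for pkg in new_system_pkgs:
            self.install(pkg)
        for pkg in self.packages.values():  # like updatePermissionsLPw(): re-grant everyone
            fresh = self._grant(pkg)
            if strict and not pkg.system:
                fresh &= self.granted[pkg.name]  # mitigation: never widen a non-system app
            self.granted[pkg.name] = fresh


def pileup_violations(before, after):
    """The two SecUP principles from the talk, checked on pre/post-update state."""
    found = []
    for name, pkg in before.packages.items():  # principle 1: no new privileges
        gained = after.granted[name] - before.granted[name]
        if not pkg.system and gained:
            found.append(("harvesting", name, sorted(gained)))
    for pkg in after.packages.values():  # principle 2: new system perms owned by system
        if pkg.system and pkg.name not in before.packages:
            for p in pkg.defines:
                owner = after.permissions[p.name].source_pkg
                if not after.packages[owner].system:
                    found.append(("preempting", owner, p.name))
    return found


def demo(strict=False):
    # Malware on Android 2.3 (CONSTRUCTED package): requests a permission that
    # does not exist yet and pre-defines, at "normal" level, a permission that
    # a future system app will define at "signature" level (CONSTRUCTED name).
    malware = Package("com.example.pileup", signer="attacker",
                      uses=["com.google.googlevoice.RECEIVE_SMS"],
                      defines=[Permission("com.example.future.CONTROL", "normal")])
    before = ToyPMS()
    before.install(malware)
    after = deepcopy(before)
    after.os_update([  # the 4.0 update brings two new system apps (CONSTRUCTED)
        Package("com.example.voice", signer="platform", system=True,
                defines=[Permission("com.google.googlevoice.RECEIVE_SMS", "dangerous")]),
        Package("com.example.future", signer="platform", system=True,
                defines=[Permission("com.example.future.CONTROL", "signature")]),
    ], strict=strict)
    return pileup_violations(before, after)


if __name__ == "__main__":
    for violation in demo():
        print(*violation)
```

Running demo() reports both a harvesting violation (the malware ends up holding RECEIVE_SMS without any user prompt) and a preempting violation (the "signature" permission of the new system app is owned by the malware's "normal" definition). demo(strict=True) removes the harvesting case but not the preempting one, which is why principle 2 needs its own check at the registration stage.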


Page 36: Patch Progress

• Oct. 14, 2013: Pileup reported to Google
• Jan. 08, 2014: Google told us they had released a patch for permission preempting to vendors
  – Not sure when vendors will release the patch to users
  – Google created tracking numbers for all the other Pileup flaws

Page 37: Frequent Updates

• From Android 1.0 to 4.4, 19 major Android versions were released, one every 3.8 months on average

"Hey users, the new Android system is better. Please upgrade."

Page 38: An Interesting Paradox

• Android update is the fundamental mechanism for fixing security bugs
• With Pileup, encouraging users to update is encouraging them to be attacked

Page 39: Scanner App

• Secure Update Scanner
  – Installed on Android devices
  – Used before each OS update
  – Scans for malware exploiting Pileup
  – Powered by the database of 2 million records
  – Accurately detects malware targeting each specific Android update
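The following is an added example for this transcript, not the authors' SecUP or Secure Update Scanner code. It shows the two steps behind pages 25 to 29 and this page in working form: the exploit opportunities of one update are the permissions, packages and shared UIDs present in the new image's manifests but absent from the old image's, and a scan of an installed app's manifest flags every claim on one of those future resources (uses-permission for harvesting, permission definition for preempting, sharedUserId for grabbing, package name for contamination). All manifests are constructed sample input; only com.google.googlevoice.RECEIVE_SMS and com.google.android.browser come from the talk, and the com.example.* names are made up.

```python
"""Exploit-opportunity extraction and pre-update app scan over Android
manifests (added example; not SecUP code).  Sample manifests are CONSTRUCTED."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace


def manifest(pkg, shared_uid=None, defines=(), uses=()):
    """Build a minimal AndroidManifest.xml string (sample-input helper)."""
    uid = f' android:sharedUserId="{shared_uid}"' if shared_uid else ""
    body = "".join(f'<permission android:name="{n}" android:protectionLevel="{lvl}"/>'
                   for n, lvl in defines)
    body += "".join(f'<uses-permission android:name="{n}"/>' for n in uses)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}"{uid}>{body}<application/></manifest>')


def parse_manifest(xml_text):
    """Pull out the four attributes Pileup cares about."""
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "shared_uid": root.get(A + "sharedUserId"),
        "defines": {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                    for p in root.iter("permission")},
        "uses": {u.get(A + "name") for u in root.iter("uses-permission")},
    }


def exploit_opportunities(old_image, new_image):
    """Resources the update introduces: present in new, absent from old."""
    old = [parse_manifest(m) for m in old_image]
    new = [parse_manifest(m) for m in new_image]
    old_perms = {n for m in old for n in m["defines"]}
    perms = {n: lvl for m in new for n, lvl in m["defines"].items() if n not in old_perms}
    return {
        "permissions": perms,
        "sensitive_permissions": {n for n, lvl in perms.items() if lvl != "normal"},
        "packages": {m["package"] for m in new} - {m["package"] for m in old},
        "shared_uids": ({m["shared_uid"] for m in new if m["shared_uid"]}
                        - {m["shared_uid"] for m in old if m["shared_uid"]}),
    }


def scan_app(app_manifest, opp):
    """Flag every claim the app makes on a resource the update will introduce."""
    app = parse_manifest(app_manifest)
    findings = [("permission harvesting", n)
                for n in sorted(app["uses"] & set(opp["permissions"]))]
    findings += [("permission preempting", n)
                 for n in sorted(set(app["defines"]) & set(opp["permissions"]))]
    if app["shared_uid"] in opp["shared_uids"]:
        findings.append(("shared UID grabbing", app["shared_uid"]))
    if app["package"] in opp["packages"]:
        findings.append(("data contamination", app["package"]))
    return findings


# CONSTRUCTED images: the old image has one system app; the new image adds a
# browser and a voice app that define two new permissions and a new shared UID.
OLD_IMAGE = [manifest("com.example.oldsystem",
                      defines=[("com.example.oldsystem.ACCESS", "normal")])]
NEW_IMAGE = OLD_IMAGE + [
    manifest("com.google.android.browser"),
    manifest("com.example.voice", shared_uid="com.example.shared.voice",
             defines=[("com.google.googlevoice.RECEIVE_SMS", "dangerous"),
                      ("com.example.voice.CONTROL", "signature")]),
]
# CONSTRUCTED third-party app claiming all four kinds of future resource
MALWARE = manifest("com.google.android.browser", shared_uid="com.example.shared.voice",
                   defines=[("com.example.voice.CONTROL", "normal")],
                   uses=["android.permission.INTERNET", "com.google.googlevoice.RECEIVE_SMS"])


def demo():
    opp = exploit_opportunities(OLD_IMAGE, NEW_IMAGE)
    return opp, scan_app(MALWARE, opp)


if __name__ == "__main__":
    opportunities, findings = demo()
    print("new sensitive permissions:", sorted(opportunities["sensitive_permissions"]))
    for kind, resource in findings:
        print(f"{kind}: {resource}")
```

Because the opportunity set is computed per pair of images, the same scan logic applies to any specific update (version, model, manufacturer, carrier): only OLD_IMAGE and NEW_IMAGE change, which is what the per-customization risk database stores. A permission the app requests that already existed in the old image (android.permission.INTERNET here) is correctly not flagged.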

Page 40: Secure Update Scanner

• Free on Google Play, Amazon AppStore, etc.

Page 41: App Popularity

• Number of downloads: 70,687 as of May 16
• High rating: 4.2 out of 5 by 647 users on Google Play

Page 42: App Popularity

• Users' origins: 163 countries and districts

• United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde

Page 43: Discussion

• Services other than PMS also take part in an Android update: UserManagerService, BackupManagerService, ServiceManager, etc.
• Other OSes may also be subject to Pileup: Windows, iOS
  – Can a normal user become admin after a Windows Update?

Page 44: Conclusion

• First systematic study of Android update security
  – a new threat to Android update
  – its root cause
  – exploit opportunities in over 3,500 Android customizations
• A scanner app to protect users before an Android update
• Next time you click to upgrade your Android, be aware that there is a risk

Page 45: Media Coverage

• Tens of news agencies across the world: English, European (German, French, Italian, Portuguese, etc.) and Chinese outlets

Page 46: SecureAndroidUpdate.org

Page 47: Thanks! Q&A