Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing, Xiaorui Pan, Rui Wang, Kan Yuan, and XiaoFeng Wang (Indiana University; Microsoft Research). Transcript of the presentation slides.
1
Upgrading Your Android, Elevating My Malware:
Privilege Escalation Through Mobile OS Updating
Luyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1
1Indiana University 2Microsoft Research
2
Contents
• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Systematic Analysis
• Mitigation – Scanner App
• Discussion
• Conclusion
4
Introduction
• Operating System (OS) update is supposed to make the system more secure, reliable and usable
– fix security bugs
– enhance security protection, add new functionalities
• Our research is to show
– Android OS update itself has security vulnerabilities
5
Introduction
• Android ecosystem is fragmented
(Chart: distribution of Android versions in use; data provided by Google ending on April 1st, 2014; release dates marked on the chart: Feb. 2011, Dec. 2011, Oct. 2013)
6
Introduction
• The following threat model is practical
– Assume there is a malicious app on the device, running any Android version
– Thanks to fragmentation, the attacker has the opportunity to study every single detail of the “future” OS (higher-version OS)
– When the OS update happens, can the attacker leverage the knowledge of the newer OS? e.g., to obtain more permissions, knock out new system apps, manipulate the data of new system apps, etc.
7
Contents
• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Finding Pileups
• Mitigation – Scanner App
• Discussion and related work
• Conclusion
8
Pileup Vulnerabilities
• First systematic security analysis of the mobile OS update mechanism
– Focused on the Package Manager Service (PMS) as a first step
– Most critical component in OS update: it installs new system apps and new properties/attributes during the OS update
• Discovered a new category of vulnerabilities in the OS update installation logic
• Pileup
9
What is Pileup?
• Pileup (Privilege escalation through OS updating)
– A totally new category of vulnerabilities
– Not an attack on the current OS
– Nor on the “future” OS
10
What is Pileup?
• Pileup (Privilege escalation through OS updating)
– A totally new category of vulnerabilities
– Attacks on the OS updating process
11
In general, how do the attacks work?
• A little background information:
– Android OS update usually adds new system apps, new permissions and other attributes
12
(Flow diagram)
• Android device running any Android version
• Malicious app which exploits Pileup flaws is installed, claiming a set of carefully selected privileges or attributes only available on the higher OS version
• Android OS updates to a higher version
• During the OS update, the malicious app obtains the previously claimed privileges or attributes, e.g. obtains new permissions, replaces system apps, injects malicious data into system apps, etc.
• Reads your messages, passwords, call logs, accesses your banking accounts…
13
Six Pileup Vulnerabilities
Pileup 1: Permission Harvesting
(Diagram: current OS → updating → “future” OS)
14
current OS: You request a permission that I never heard of
“future” OS: Now I have the permission and will grant it to you
15
Attack Demo I
• Eavesdrop on Google Voice messages
Step I
– A malicious app installed on Android 2.3 requests the permission "com.google.googlevoice.RECEIVE_SMS"
– The permission is to be added on Android 4.0 for receiving Google Voice SMS
– Before the OS update, Android did not recognize the permission and therefore did not ask the user whether to grant the permission to the malicious app
Step II
– The device is upgraded from 2.3 to 4.0
– The OS recognized the permission
– The app got the permission automatically
– Now able to read SMS messages of Google Voice
Pileup 2: Permission Preempting
(Diagram: current OS → updating → “future” OS)
16
current OS: You define a permission that I never heard of
“future” OS: I also want to define that permission, but you did first
Pileup 3: Shared UID Grabbing
(Diagram: current OS → updating → “future” OS)
17
current OS: You claim a Shared UID that I never heard of
“future” OS: I also want to claim that Shared UID, but you did first
Pileup 4: Data Contamination
(Diagram: current OS → updating → “future” OS)
18
current OS: You take a package name that I never heard of
“future” OS: I also want to take that package name, so I kick you out. But I will use the data you left.
19
Attack Demo II
• Hijacking the mobile browser
Step I
– A malicious app installed on Android 2.3 takes the same package name as the future browser: com.google.android.browser
– The app placed malicious data in its own directory
Step II
– The device is upgraded from Android 2.3 to 4.0
– The OS update logic kicked out the malicious app but kept its data and merged it into the new browser app
– Cache, cookies and settings of the browser are all contaminated; all webpages were hijacked
20
Six Pileup Vulnerabilities
5. Denial of Service 1 – Exploiting the permission tree: disables permissions
6. Denial of Service 2 – Blocking Google Play Services: causes malfunction of other apps
Root Cause
• Conservative strategy
21
(Diagram: current OS → updating → “future” OS; the “future” OS keeps the existing apps, properties and attributes alongside the new ones added by the OS update)
22
Impact
• Pileup flaws are pervasive
– All Android versions are vulnerable
• since the first Android
• all AOSP (Android Open Source Project) versions
• all 3,522 customized versions by different manufacturers and carriers across the world
– 1552 from Samsung
– 377 from LG
– 1593 from HTC
– Affecting 1 Billion Android users worldwide
Malware Distribution
• Malware: easy to spread
• App stores: all accepted our malware
23
24
Contents
• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Systematic Analysis
• Mitigation – Scanner App
• Discussion
• Conclusion
25
Exploit opportunities
• New resources added in an Android update (permissions, packages, shared UIDs)
– Affected by Android version, device model, manufacturer and carrier
• Pileup attacks must target the new resources of each specific Android update
– Android version
– Device model
– Manufacturer
– Carrier
26
Exploit Opportunities
• Data sources
– All AOSP: up to Android 4.4
– Google Nexus family: Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.
– 3,511 customized Android images from Samsung: 217 models, 267 carriers
27
Measurement of Exploit Opportunities
• A lot of exploit opportunities
• Among the thousands of customized Android images, 50% of Android updates added at least
– 38 sensitive permissions (dangerous/system/signature level permissions)
– 23 new packages (new system apps)
– 1 new shared UID
Measurement of Exploit Opportunities
• Impact of carriers
– Different carriers mean different exploit opportunities
29
Database of Exploit Opportunities
• For every specific customization, all the exploit opportunities are documented in a database, giving 2 million records
30
Contents
• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Systematic Analysis
• Mitigation – Scanner App
• Discussion
• Conclusion
Systematic Analysis – SecUP
• Vulnerability detector: detects Pileup flaws in any customized source code
• Exploit opportunity analyzer: extracts exploit opportunities from the corresponding OS image
• Risk database: stores exploit opportunities
• Scanner app: protects users against Pileup
Architecture of SecUP
(Diagram: Android source code → Vulnerability detector → detected flaws → Opportunity analyzer, which also takes the Android images → exploit opportunities → Risk DB; the Scanner app queries the Risk DB for exploit opportunities and produces a risks report)
• Opportunities are stored for each specific Android customization
• 2 million records after scanning over 3,500 Android images
Vulnerability Detector
• Input: Android source code
• Output: detected flaws
• PMS (PackageManagerService)
(Diagram: Reference PMS and new or customized PMS → Diff computation → Code generation → Full verification with VeriFast → Flaw detected)
Formal Verification
• Assertions
– Two principles:
1. A non-system app should not gain any more privileges during update
2. A non-system app should not compromise the integrity or availability of the new Android
– Two stages:
1. Set new attributes (e.g. UID of new system app)
2. Register new properties (e.g. permissions defined by new system apps)
– Example assertion:
BasePermission bp = mSettings.mPermissions.get(PermissionName);
Assert((bp.pkgFlags & SYSTEM) != 0);
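The conservative merge strategy named as the root cause on the earlier slide and the two verification principles above can be made concrete in a small model. The following Python is an added example written for this transcript; it is not code from the paper, from SecUP or from AOSP. It keeps a toy package-manager state, applies an update either with the conservative policy or with re-validation of every claim a non-system app made before the update, and checks the before/after pair against the two principles (principle 2 only in its integrity half). All package, permission and shared-UID names are constructed, and the `SYSTEM` flag test from the assertion is reduced to a boolean field.

```python
import copy
from dataclasses import dataclass, field


@dataclass
class App:
    package: str
    system: bool
    requested: set = field(default_factory=set)   # <uses-permission> names
    defined: set = field(default_factory=set)     # <permission> names
    shared_uid: str = None                        # android:sharedUserId
    data_dir_clean: bool = True                   # False once the app wrote its data dir


@dataclass
class OsState:
    apps: dict = field(default_factory=dict)         # package -> App
    perm_owner: dict = field(default_factory=dict)   # permission -> defining package
    uid_members: dict = field(default_factory=dict)  # shared UID -> set of packages
    granted: dict = field(default_factory=dict)      # package -> set of granted permissions


def install(state, app):
    """Install on the current OS: unknown permission names are neither shown nor granted."""
    state.apps[app.package] = app
    for p in app.defined:
        state.perm_owner.setdefault(p, app.package)
    if app.shared_uid:
        state.uid_members.setdefault(app.shared_uid, set()).add(app.package)
    state.granted[app.package] = {p for p in app.requested if p in state.perm_owner}


def apply_update(state, new_system_apps, hardened):
    """Merge an update image into the installed state.  hardened=False mimics the
    conservative strategy (what exists is kept); hardened=True re-checks every
    claim a non-system app made before the update."""
    new = copy.deepcopy(state)
    for sys_app in map(copy.deepcopy, new_system_apps):
        prev = new.apps.get(sys_app.package)
        if prev is not None and not prev.system:
            # Package-name collision: the old app is replaced.  The conservative
            # merge inherits its data directory; the hardened merge wipes it.
            sys_app.data_dir_clean = hardened or prev.data_dir_clean
            new.perm_owner = {p: o for p, o in new.perm_owner.items() if o != prev.package}
            for members in new.uid_members.values():
                members.discard(prev.package)
        for p in sys_app.defined:
            owner = new.perm_owner.get(p)
            # Conservative: whoever defined the name first keeps it.
            # Hardened: the system definition replaces any non-system one.
            if owner is None or hardened or new.apps[owner].system:
                new.perm_owner[p] = sys_app.package
        if sys_app.shared_uid:
            members = new.uid_members.setdefault(sys_app.shared_uid, set())
            if hardened:  # never let a non-system package share a system UID
                for m in [m for m in members if not new.apps[m].system]:
                    members.discard(m)
                    new.apps[m].shared_uid = None
            members.add(sys_app.package)
        new.apps[sys_app.package] = sys_app
        new.granted[sys_app.package] = set(sys_app.requested)
    for pkg, app in new.apps.items():  # re-grant pass for the surviving non-system apps
        if not app.system:
            recognised = {p for p in app.requested if p in new.perm_owner}
            if hardened:  # names learned only during the update need fresh consent
                recognised &= state.granted.get(pkg, set())
            new.granted[pkg] = recognised
    return new


def principle_violations(before, after, new_system_apps):
    """Principle 1: no non-system app gains privileges.  Principle 2 (integrity part):
    each new system app owns its permissions, its shared UID and its data directory."""
    found = []
    for pkg, app in after.apps.items():
        gained = after.granted[pkg] - before.granted.get(pkg, set())
        if not app.system and gained:
            found.append(("permission harvesting", pkg, tuple(sorted(gained))))
    for sys_app in new_system_apps:
        for p in sorted(sys_app.defined):
            if after.perm_owner.get(p) != sys_app.package:
                found.append(("permission preempting", p, after.perm_owner.get(p)))
        members = after.uid_members.get(sys_app.shared_uid, set())
        squatters = tuple(sorted(m for m in members if not after.apps[m].system))
        if squatters:
            found.append(("shared UID grabbing", sys_app.shared_uid, squatters))
        if not after.apps[sys_app.package].data_dir_clean:
            found.append(("data contamination", sys_app.package, None))
    return found


def demo(hardened):
    """Constructed scenario: two non-system apps on the old OS, then an update that
    ships three new system apps whose names and resources they claimed in advance."""
    before = OsState()
    install(before, App("com.example.newbrowser", system=False, data_dir_clean=False))
    install(before, App("com.example.claimer", system=False,
                        requested={"com.example.voice.RECEIVE_VOICE_SMS"},
                        defined={"com.example.payment.PAY"},
                        shared_uid="com.example.newbrowser.uid"))
    update = [
        App("com.example.voice", system=True, defined={"com.example.voice.RECEIVE_VOICE_SMS"}),
        App("com.example.payment", system=True, defined={"com.example.payment.PAY"}),
        App("com.example.newbrowser", system=True, shared_uid="com.example.newbrowser.uid"),
    ]
    after = apply_update(before, update, hardened)
    return principle_violations(before, after, update)
```

`demo(False)` runs the conservative policy and reports one violation for each of Pileup 1 to 4 in the slides' terms; `demo(True)` runs the re-validating policy and reports none. The model covers only the resource types the slides enumerate (permission grant, permission definition, shared UID, package name with its data directory); the denial-of-service cases are not modelled.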
35
Contents
• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Systematic Analysis
• Mitigation – Scanner App
• Discussion
• Conclusion
Patch Progress
• Oct. 14, 2013
– Pileup reported to Google
• Jan. 08, 2014
– Google told us they released a patch for permission preempting to vendors
• Not sure when vendors release the patch to users
• Google created tracking numbers for all other Pileup flaws
37
Frequent Updates
• From Android 1.0 to 4.4, all 19 major Android versions were released at a pace of one every 3.8 months
Hey users, the new Android system is better. Please upgrade.
38
An Interesting Paradox
• Android Update is the very fundamental mechanism to fix security bugs
• With Pileup,
– Encouraging users to update is to encourage them to be attacked
39
Scanner App
• Secure Update Scanner
– Installed on Android devices
– Used before each OS update
– Scans for malware exploiting Pileup
– Powered by the DB with 2 million records
– Accurately detects malware targeting each specific Android update
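The exploit-opportunity analyzer on the earlier slides and the scanner app here are described only at the architecture level. As an added example, not the project's own code, the Python below shows one way the two pieces fit together: a minimal AndroidManifest.xml parser, an analyzer that diffs the system-app manifests of the current and next firmware images to list the permissions, packages and shared UIDs the update introduces (the record the slides store per customization in the risk DB), and a scanner that flags any installed third-party app that already claims one of them. The firmware images, the installed apps and every name in them are constructed for the example; real images would be unpacked and their binary manifests decoded before this step.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
XMLNS = 'xmlns:android="http://schemas.android.com/apk/res/android"'


@dataclass
class Manifest:
    package: str
    uses_permissions: Set[str]     # <uses-permission>
    defines_permissions: Set[str]  # <permission>
    shared_user_id: Optional[str]  # android:sharedUserId


def parse_manifest(xml_text: str) -> Manifest:
    """Pull the four Pileup-relevant claims out of an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    return Manifest(
        package=root.get("package"),
        uses_permissions={e.get(name) for e in root.findall("uses-permission")},
        defines_permissions={e.get(name) for e in root.findall("permission")},
        shared_user_id=root.get(ANDROID_NS + "sharedUserId"),
    )


def new_resources(old_image: List[Manifest], new_image: List[Manifest]) -> Dict[str, Set[str]]:
    """Opportunity-analyzer step: permissions, packages and shared UIDs that the
    newer image's system apps define and the older image's do not."""
    def collect(image):
        return {"permissions": {p for m in image for p in m.defines_permissions},
                "packages": {m.package for m in image},
                "shared_uids": {m.shared_user_id for m in image if m.shared_user_id}}
    old, new = collect(old_image), collect(new_image)
    return {kind: new[kind] - old[kind] for kind in new}


def scan(future: Dict[str, Set[str]], installed: List[Manifest]) -> List[tuple]:
    """Scanner step: flag installed apps that already claim a resource only the
    next update introduces, given that update's new_resources() record."""
    findings = []
    for m in installed:
        checks = [
            ("requests a permission the update adds", m.uses_permissions & future["permissions"]),
            ("defines a permission the update adds", m.defines_permissions & future["permissions"]),
            ("takes a package name the update adds", {m.package} & future["packages"]),
            ("claims a shared UID the update adds", {m.shared_user_id} & future["shared_uids"]),
        ]
        for why, names in checks:
            if names:
                findings.append((m.package, why, tuple(sorted(names))))
    return findings


# Constructed manifests.  OLD_IMAGE and NEW_IMAGE model the system apps of a
# device's current and next firmware image; INSTALLED models two third-party
# apps present on the device before the update.
OLD_IMAGE = [
    f'<manifest {XMLNS} package="com.example.phone"><permission android:name="com.example.phone.CALL"/></manifest>',
]
NEW_IMAGE = OLD_IMAGE + [
    f'<manifest {XMLNS} package="com.example.voice"><permission android:name="com.example.voice.RECEIVE_VOICE_SMS"/></manifest>',
    f'<manifest {XMLNS} package="com.example.payment"><permission android:name="com.example.payment.PAY"/></manifest>',
    f'<manifest {XMLNS} package="com.example.newbrowser" android:sharedUserId="com.example.newbrowser.uid"/>',
]
INSTALLED = [
    f'<manifest {XMLNS} package="com.example.notes"><uses-permission android:name="android.permission.INTERNET"/></manifest>',
    f'<manifest {XMLNS} package="com.example.newbrowser" android:sharedUserId="com.example.newbrowser.uid">'
    '<uses-permission android:name="com.example.voice.RECEIVE_VOICE_SMS"/>'
    '<permission android:name="com.example.payment.PAY"/></manifest>',
]


def demo_scan() -> List[tuple]:
    """Run analyzer and scanner over the constructed images and installed apps."""
    future = new_resources([parse_manifest(x) for x in OLD_IMAGE],
                           [parse_manifest(x) for x in NEW_IMAGE])
    return scan(future, [parse_manifest(x) for x in INSTALLED])
```

A finding is a (package, reason, names) triple; `demo_scan()` reports nothing for the notes app and four findings for the app that pre-claimed the browser's package name, shared UID and the two new permissions. Because the analyzer record is computed from the image pair rather than written by hand, the same scanner serves any version, model, manufacturer and carrier combination once its two images have been processed, which is why the slides keep one record per customization.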
40
Secure Update Scanner
• Free on Google Play, Amazon AppStore, etc.
41
App Popularity
• Number of Downloads– 70,687 as of May 16.
• High rating: 4.2 out of 5 by 647 users on Google Play
42
App Popularity
• Users' origins
– 163 countries and districts
• United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde
Discussion
• Services other than PMS in Android Update
– UserManagerService, BackManagerService, ServiceManager, etc.
• Other OSes may also be subject to Pileup
– Windows, iOS
• Can a normal user become admin after Windows Update?
44
Conclusion
• First systematic study of Android Update security
– new threat to Android Update
– root cause
– exploit opportunities in over 3,500 Android customizations
• A scanner app to protect users before Android update
• Next time you click to upgrade your Android, be aware that there is a risk
45
Media Coverage
• Tens of news agencies across the world
• English, European (German, French, Italian, Portuguese, etc.) and Chinese coverage
46
SecureAndroidUpdate.org
47
Thanks! Q&A