Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi Xing 1, Xiaorui Pan 1, Rui Wang 2, Kan Yuan 1, and XiaoFeng

Embed Size (px)

Text of Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi...

Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS UpdatingLuyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1

1Indiana University Bloomington2Microsoft Research35th IEEE Symposium on Security and Privacy (Oakland'14)2014/05/12 Seminar @ ADLab, CSIE, NCU1OutlineIntroductionPileup ExploitsFinding PileupsMeasurement and EvaluationConclusions2IntroductionMobile OS Updating (Android)More complexSandboxed appsLots of sensitive user dataUpdating live systemMore oftenMore files15,525 files from 4.0.4 to 4.1.2

Less steps (for user)Press one button3

IntroductionAndroid UpdatingDownload upgrading image through OTA (Over the Air)Reboot to recovery modeReplace some system files, such as bootloader, Package Manager Service (PMS), and APKs under /system directoryReboot to the new OSUpdate other components4IntroductionWhat PMS does when upgrading Android OSInstall or reinstall all system apps under /system, and then 3rd-party apps under /data/appRegister an apps permissions, shared UID, activities, intent filters, Decide what to do when a conflict occurs (duplicated attr. or prop.)Build a structure mSettings for existing apps, and include:mPackagesmUserIdsmSharedUsersmPermissionsetc.Check the mSettings when installing a new system packageIf having conflicts, decide case by case.5Duplicated attr or prop: package names, shared UID, or permissions 5IntroductionWhats wrong with PMS?Conservative strategyAvoid improperly replacing existing propertiesMaintain old user dataSame logic for both system upgrading and normal app installationWhen conflict occurs upon upgradingIf PMS chooses wrong attributes or properties to keep6Pileup ExploitsAdversary ModelMalicious apps have been installed on the victims devicesSuch malware can be uploaded to Google Play and 3rd-party marketsThe malware appears less dangerous than some legitimate appsNo dangerous permissions neededThe victims devices are going to be updatedSuch updates come with new security-critical privileges and capabilities7Pileup ExploitsPermission Harvesting and PreemptingShared UID GrabbingData ContaminationDenial of Services8Pileup Exploits Permission Harvesting and PreemptingPermission protection levels (link)normaldangeroussignaturesignatureOrSystemsystemdevelopment

PMS problematically handles the permissions inherited from the old system9Pileup Exploits Permission Harvesting and Preempting10InstalledmalwareBeforeupdatingClaimed for permissions of new OS or appsUpdating to new OSInstalling System appsDeclare new permissionsInstalling3rd-party appsAutomatically grant thepermissionsOld OS can not recognize these permissionsReinstalling the old malwareWithout usersconsentThese permissionsare restricted belowdangerous levelPMSPMSNo reportpermission3rd-party app10Pileup Exploits Permission Harvesting and Preempting11InstalledmalwareBeforeupdatingDeclared and defined the permissions the same as those of new system appsUpdating to new OSBuilding mSettings for old appsDeclare new permissionsInstalling3rd-party appsAutomatically declare and grant permissionsOld OS lets the malware declare themReinstalling theold malwareWithout usersconsentPMSPMSInstallingSystem appsPMSmPermissionscheckSkip ifconflictssignature - OKsystem - OKLower to normal OKChange the description OKExample: CertInstallerGoogle Cloud Messaging DemoWithout users interventionmalware, malwaresystem resourcepermissionsignature level, app requestpermissionappmalwarecertificatesign

malware, level, resource

Example CertInstaller: (android 2.0)

SD cardroot certificatepermission

Example Google Cloud Messaging:GCMgoogle, developer push messageclientClientapp .permission.C2D_MESSAGE permission, gmailpermission, pushgmailmessage11Pileup Exploits Permission Harvesting and Preempting12

Pileup Exploits Shared UID GrabbingShared UID (android:sharedUserId) (link)If 2 apps use the same sharedUserId, the OS will assign them the same UID when being installed.Application with the same user ID can access each other's data and, if desired, run in the same process.13Pileup Exploits Shared UID Grabbing14InstalledmalwareBeforeupdatingDeclared sharedUIDthe same as that of the new system appUpdating to new OSBuilding mSettings for old appsCancel installingInstalling3rd-party appsDownload another app to replace the canceled system appSigned by 3rd-partyReinstalling theold malwarePMSPMSInstallingSystem appsPMSmSettingsCheck sharedUIDCancel ifthe verification failed pkgSettingIf equals, load the setting and verify the signatureShared UID Grabbing: DEMOsystem app, pkgSetting, pkgSettingappold appsharedUID, pkgSettingmSettingsload14Pileup Exploits Shared UID Grabbing15

Pileup Exploits Data ContaminationAndroid keeps the data for both system and 3rd-party apps under directory /data/data/This directory is owned by a unique Linux UID16Pileup Exploits Data Contamination17InstalledmalwareBeforeupdatingUsed package name the same as that of the new system appUpdating to new OSBuilding mSettings for old appsInstalling3rd-party appsSharedUID is emptyCancel installing themalwarePMSPMSInstallingSystem appsPMSmSettingsCheck

pkgSettingIf found the same,compare sharedUID/data/data/

Data of the malwarepkgSettingBoth sharedUIDs are empty. Load the malwares settingSharedUID is emptyconflictData Contamination:Demo1 inject scripts to cachesDemo2 bookmark phishingDemo3 Login CSRFAndroid 2.3 default browser com.android.browserAndroid 4.0 default browser com.google.android.browser17Pileup Exploits Denial of ServicesA permission typically can only be defined before an app has been installed. exception: Permission TreePermission tree (link)An app can define a base name (root) of a tree of permissions.Once declaring the tree, the app controls the whole name space defined by the root.During runtime, the app can add individual permission within the tree.18Pileup Exploits Denial of Services19InstalledmalwareBeforeupdatingDeclared permissiontreethat covers permissions of the new system appUpdating to new OSBuilding mSettings for old appsInstalling3rd-party appsReinstalling theold malwarePMSPMSInstallingSystem appsPMSmPermissio-ntreesCheck Declare new permissionsIf found covering, registration will failpermission.ADD_VOICEMAIL

google.apps.permission.GOOGLE_AUTH google.apps.permission19Pileup Exploits Denial of ServicesBlocking Google Play ServicesFrom Android 2.3 to 4.0, after all apps installation complete, Google Play is then downloaded and installed as a 3rd-party app.A malware on 2.3.6 could use the same package name as Google Play, and blocks the installation of Google Play when upgrading to 4.0Many apps rely on Google Play Services20Finding PileupsSecUP Architecture21

1.source codemanufacturer image2.PMS code, 3.imagesystem apps, appspermissions, Risk DB4.Scanner app, manafacturer, model, version, Risk DB5.ScannerOSapp, Risk DBpermission6.appmanufacturer, 21Finding PileupsDetecting Update FlawsManually built reference PMS (AOSP 4.0.4)Every other version of PMS is compared to the reference PMS, and is automatically annotatedReuse when possibleAutomatically create new annotationManual adjustments if needed22

Finding PileupsAssertions for pileup detectionGenerally, 2 security constraints for PMS:A non-system app and its dynamic content should not gain any more privileges on the new OS than they have on the old Android.A non-system app should not compromise the integrity and the availability of the new Android (e.g. changing the settings and data)23Finding PileupsIf Assertion (1) is FALSE and Assertion (2) is TRUE(Assertion (1) == FALSE) pkgSetting is originally from non-system app(Assertion (2) == TRUE) attribute in pkg is assigned to the original value of pkgSetting right after init A non-system old app is affecting the new system app24

Finding PileupsIf Assertion (3) is FALSE1. ((bp.pkgFlags & 1) != 0) == FALSE non-system old app2. (bp.sourcePkg.equals(pkg.pkgName)) == FALSE the old app name is NOT equal to the new system app name If new permission name exists on old OS, and it is from non-system old app, and the is not equal25

25Finding PileupsFinding Exploit OpportunitiesDifferent Android versions, manufacturers, device models, and carriers (Wireless Service Provider) are affected under different exploit opportunities.Image scanCompare system attributes and properties on 2 consecutive versions from the same manufacturer, device model, region, and carrier.Find out those newly added permissions or other attributes and props.26

38 Google Nexus images3511 Samsung images

image, system.img, /system/ Mount the image, /system/ APKapktoolAPK, permission, shared UID, package name, attributes and properties70026Finding PileupsPileup Scanner (Google Play)The app only asks for the INTERNET permission.1. Gather information from android.os.Build2. Query the database for the exploit opportunites 3. Call API getInstalledPackages to get the names of installed packages, and use getPackageInfo to retrieve the information27

Measurement and EvaluationAndroid image collection38 images for Google Nexus devicesNexus7, Nexus10, Nexus Q, Galaxy Nexus, Nexus SFrom 2.3.6 to 4.33,511 images for Samsung devices217 devices models, 267 carriersFrom 2.3 to 4.3Source code of AOSP versions and customized versions1,522 from Samsung, 377 from LG, 1,593 from HTC28Measurement and EvaluationLimitation Permission harvestingRegistration of non-system apps propertyAssertions do not coverGoogle Play Services DoSGoogle Play is installed under the /data/app directory on Android 4.0.4 3rd-party29Measurement and EvaluationMeasurement of OpportunitiesFrom the 38 Google and 3,511 Samsung images741 update instances30

Measurement and EvaluationSensitive permissions at least dangerous protection levelRestrictive above dangerous

31

50%, 38new