Presentation is loading. Please wait.

Presentation is loading. Please wait.

Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi Xing 1, Xiaorui Pan 1, Rui Wang 2, Kan Yuan 1, and XiaoFeng.

Published byClarissa Payne Modified over 9 years ago

Similar presentations

Presentation on theme: "Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi Xing 1, Xiaorui Pan 1, Rui Wang 2, Kan Yuan 1, and XiaoFeng."— Presentation transcript:

1 Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi Xing 1, Xiaorui Pan 1, Rui Wang 2, Kan Yuan 1, and XiaoFeng Wang 1 1 Indiana University Bloomington 2 Microsoft Research 35 th IEEE Symposium on Security and Privacy (Oakland'14) 左昌國 2014/05/12 Seminar @ ADLab, CSIE, NCU

2 Outline Introduction Pileup Exploits Finding Pileups Measurement and Evaluation Conclusions 2

3 Introduction Mobile OS Updating (Android) More complex Sandboxed apps Lots of sensitive user data Updating live system More often More files 15,525 files from 4.0.4 to 4.1.2 Less steps (for user) Press one button 3

4 Introduction Android Updating Download upgrading image through OTA (Over the Air) Reboot to recovery mode Replace some system files, such as bootloader, Package Manager Service (PMS), and APKs under /system directory Reboot to the new OS Update other components 4

5 Introduction What PMS does when upgrading Android OS Install or reinstall all system apps under /system, and then 3rd- party apps under /data/app Register an app’s permissions, shared UID, activities, intent filters, …… Decide what to do when a conflict occurs (duplicated attr. or prop.) Build a structure mSettings for existing apps, and include: mPackages mUserIds mSharedUsers mPermissions etc. Check the mSettings when installing a new system package If having conflicts, decide case by case. 5

6 Introduction What’s wrong with PMS? Conservative strategy Avoid improperly replacing existing properties Maintain old user data Same logic for both system upgrading and normal app installation When conflict occurs upon upgrading… If PMS chooses wrong attributes or properties to keep… 6

7 Pileup Exploits Adversary Model Malicious apps have been installed on the victim’s devices Such malware can be uploaded to Google Play and 3 rd -party markets The malware appears less dangerous than some legitimate apps No dangerous permissions needed The victim’s devices are going to be updated Such updates come with new security-critical privileges and capabilities 7

8 Pileup Exploits Permission Harvesting and Preempting Shared UID Grabbing Data Contamination Denial of Services 8

9 Pileup Exploits – Permission Harvesting and Preempting Permission protection levels (link)link normal dangerous signature signatureOrSystem system development PMS problematically handles the permissions inherited from the old system 9

10 Pileup Exploits – Permission Harvesting and Preempting 10 Installed malware Before updating Claimed for permissions of new OS or apps Updating to new OS Installing System apps Declare new permissions Declare new permissions Installing 3 rd -party apps Automatically grant the permissions Automatically grant the permissions Old OS can not recognize these permissions Reinstalling the old malware Without user’s consent Without user’s consent These permissions are restricted below “ dangerous ” level PMS No report

11 Pileup Exploits – Permission Harvesting and Preempting 11 Installed malware Before updating Declared and defined the permissions the same as those of new system apps Updating to new OS Building mSettings for old apps Declare new permissions Declare new permissions Installing 3 rd -party apps Automatically declare and grant permissions Old OS lets the malware declare them Reinstalling the old malware Without user’s consent Without user’s consent PMS Installing System apps PMS mPermissions check Skip if conflicts “ signature ” - OK “ system ” - OK Lower to “ normal ” – OK Change the description – OK Example: CertInstaller Google Cloud MessagingGoogle Cloud Messaging DemoDemo Without user’s intervention

12 Pileup Exploits – Permission Harvesting and Preempting 12

13 Pileup Exploits – Shared UID Grabbing Shared UID ( android:sharedUserId ) (link)link If 2 apps use the same sharedUserId, the OS will assign them the same UID when being installed. Application with the same user ID can access each other's data and, if desired, run in the same process. 13

14 Pileup Exploits – Shared UID Grabbing 14 Installed malware Before updating Declared sharedUID the same as that of the new system app Declared sharedUID the same as that of the new system app Updating to new OS Building mSettings for old apps Cancel installing Installing 3 rd -party apps Download another app to replace the canceled system app Signed by 3 rd - party Reinstalling the old malware PMS Installing System apps PMS mSettings Check sharedUID Cancel if the verification failed pkgSetting If equals, load the setting and verify the signature Shared UID Grabbing: DEMO

15 Pileup Exploits – Shared UID Grabbing 15

16 Pileup Exploits – Data Contamination Android keeps the data for both system and 3 rd -party apps under directory /data/data/ This directory is owned by a unique Linux UID 16

17 Pileup Exploits – Data Contamination 17 Installed malware Before updating Used package name the same as that of the new system app Updating to new OS Building mSettings for old apps Installing 3 rd -party apps SharedUID is empty Cancel installing the malware PMS Installing System apps PMS mSettings Check pkgSetting If found the same, compare sharedUID /data/data/ Data of the malware /data/data/ Data of the malware pkgSetting ∵ Both sharedUIDs are empty.  Load the malware’s setting SharedUID is empty conflict Data Contamination: Demo1Demo1 – inject scripts to caches Demo2Demo2 – bookmark phishing Demo3Demo3 – Login CSRF

18 Pileup Exploits – Denial of Services A permission typically can only be defined before an app has been installed.  exception: Permission Tree Permission tree (link)link An app can define a base name (root) of a tree of permissions. Once declaring the tree, the app controls the whole name space defined by the root. During runtime, the app can add individual permission within the tree. 18

19 Pileup Exploits – Denial of Services 19 Installed malware Before updating Declared permissiontree that covers permissions of the new system app Declared permissiontree that covers permissions of the new system app Updating to new OS Building mSettings for old apps Installing 3 rd -party apps Reinstalling the old malware PMS Installing System apps PMS mPermissio- ntrees Check Declare new permissions If found covering, registration will fail permission.ADD_VOICEMAIL google.apps.permission.GOOGLE_AUTH  google.apps.permission

20 Pileup Exploits – Denial of Services Blocking Google Play Services From Android 2.3 to 4.0, after all apps’ installation complete, Google Play is then downloaded and installed as a 3 rd -party app. A malware on 2.3.6 could use the same package name as Google Play, and blocks the installation of Google Play when upgrading to 4.0 Many apps rely on Google Play Services 20

21 Finding Pileups SecUP Architecture 21

22 Finding Pileups Detecting Update Flaws Manually built reference PMS (AOSP 4.0.4) Every other version of PMS is compared to the reference PMS, and is automatically annotated Reuse when possible Automatically create new annotation Manual adjustments if needed 22

23 Finding Pileups Assertions for pileup detection Generally, 2 security constraints for PMS: A non-system app and its dynamic content should not gain any more privileges on the new OS than they have on the old Android. A non-system app should not compromise the integrity and the availability of the new Android (e.g. changing the settings and data) 23

24 Finding Pileups If Assertion (1) is FALSE and Assertion (2) is TRUE ( Assertion (1) == FALSE )  pkgSetting is originally from non-system app ( Assertion (2) == TRUE )  attribute in pkg is assigned to the original value of pkgSetting right after init  A non-system old app is affecting the new system app 24

25 Finding Pileups If Assertion (3) is FALSE 1. ( (bp.pkgFlags & 1) != 0 ) == FALSE  non-system old app 2. ( bp.sourcePkg.equals(pkg.pkgName) ) == FALSE  the old app name is NOT equal to the new system app name  If new permission name exists on old OS, and it is from non- system old app, and the is not equal 25

26 Finding Pileups Finding Exploit Opportunities Different Android versions, manufacturers, device models, and carriers (Wireless Service Provider) are affected under different exploit opportunities.  Image scan Compare system attributes and properties on 2 consecutive versions from the same manufacturer, device model, region, and carrier. Find out those newly added permissions or other attributes and props. 26

27 Finding Pileups Pileup Scanner (Google Play)Google Play The app only asks for the INTERNET permission. 1. Gather information from android.os.Build 2. Query the database for the exploit opportunites 3. Call API getInstalledPackages to get the names of installed packages, and use getPackageInfo to retrieve the information 27

28 Measurement and Evaluation Android image collection 38 images for Google Nexus devices Nexus7, Nexus10, Nexus Q, Galaxy Nexus, Nexus S From 2.3.6 to 4.3 3,511 images for Samsung devices 217 devices models, 267 carriers From 2.3 to 4.3 Source code of AOSP versions and customized versions 1,522 from Samsung, 377 from LG, 1,593 from HTC 28

29 Measurement and Evaluation Limitation Permission harvesting Registration of non-system app’s property Assertions do not cover Google Play Services DoS Google Play is installed under the /data/app directory on Android 4.0.4  3 rd -party 29

30 Measurement and Evaluation Measurement of Opportunities From the 38 Google and 3,511 Samsung images 741 update instances 30

31 Measurement and Evaluation Sensitive permissions  at least dangerous protection level Restrictive  above dangerous 31

32 Measurement and Evaluation At least one new shared UID was added in 50% update instances 32

33 Measurement and Evaluation Impacts of customizations Though Google and AOSP make the biggest system overhaul from 2.3.X to 4.0.X and show a trend of less aggressive updating afterwards, Samsung continues to bring in more new stuffs. 33

34 Measurement and Evaluation 4.0 - 4.1 DCM (Docomo), TMB (T-Mobile) 4.1 - 4.2 DBT (Deutsche Bundespost Telekom), INU, SER 34

35 Measurement and Evaluation Evaluating Scanner Effectiveness: Install top 100 free apps from Google Play Install system apps that could be updated through Google Play Install a set of attack apps Update Android version one by one, until 4.3  All malicious apps detected and no false positives Performance 35

36 Conclusion Android update, in order to ensure the smooth process without endangering user assets, becomes error-prone. This paper reported the first systematic study of the problem. Revealed Pileup vulnerabilities Performed large-scale measurement to confirm the presence of such flaws in all Android versions. To mitigate the threat, this paper proposed SecUP to detect Pileup vulnerabilities. 36

Download ppt "Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating Luyi Xing 1, Xiaorui Pan 1, Rui Wang 2, Kan Yuan 1, and XiaoFeng."

Similar presentations

Syracuse University, New York, USA

Syracuse University, New York, USA
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.

MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Luyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1

Luyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1
Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio 1, Hubert Ritzdorf 1, Aurélien Francillon 2, Srdjan.

Analysis of the Communication between Colluding Applications on Modern Smartphones Claudio Marforio 1, Hubert Ritzdorf 1, Aurélien Francillon 2, Srdjan.
Safe IT – Protect your computer and Family from unwanted programs viruses and websites.

Safe IT – Protect your computer and Family from unwanted programs viruses and websites.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
Android Security What is out there? Waqar Aziz. Android Market Share - I 2.

Android Security What is out there? Waqar Aziz. Android Market Share - I 2.
IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.

IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.

Threat Modeling for Cloud Computing (some slides are borrowed from Dr. Ragib Hasan) Keke Chen 1.
Presentation By Deepak Katta

Presentation By Deepak Katta
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Motivation. Part of Deutsche Telekom project:

Motivation. Part of Deutsche Telekom project:

Similar presentations

Ads by Google