
Luyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1



Presentation transcript:

1 Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing1, Xiaorui Pan1, Rui Wang2, Kan Yuan1, and XiaoFeng Wang1
1Indiana University, 2Microsoft Research

2 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion


4 Introduction: an Operating System (OS) update is supposed to make the system more secure, reliable and usable: it fixes security bugs, enhances security protection and adds new functionality. Our research shows that the Android OS update itself has security vulnerabilities. So let's talk about OS update.

5 Introduction: the Android ecosystem is fragmented (version share data provided by Google, ending on April 1st, 2014). The latest version, KitKat, was released in Oct. 2013 and gets only 5% share after half a year. Gingerbread, which was released in Feb. 2011, still holds nearly 20 percent share. With such a fragmented market, let's see what happens in terms of OS update: such a fragmented ecosystem gives the attacker much chance to exploit the OS update.

6 Introduction: the following threat model is practical.
Assume there is a malicious app on the device, which runs any Android version. Thanks to fragmentation, the attacker has the opportunity to study every single detail of the “future” OS (a higher-version OS). When the OS update happens, can the attacker leverage the knowledge of the newer OS, e.g., to obtain more permissions, knock out new system apps, manipulate the data of new system apps, etc.?

7 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Finding Pileups; Mitigation – Scanner App; Discussion and related work; Conclusion

8 Pileup Vulnerabilities
First systematic security analysis of the mobile OS update mechanism. As a first step we focused on the Package Manager Service (PMS), the most critical component in OS update: it installs the new system apps and the new properties/attributes during the update. We discovered a new category of vulnerabilities in the OS update installation logic: Pileup.

9 What is Pileup? Pileup (Privilege escalation through OS updating)
A totally new category of vulnerabilities: neither an attack on the “future” OS nor an attack on the current OS.

10 What is Pileup? Pileup (Privilege escalation through OS updating)
A totally new category of vulnerabilities: attacks on the OS updating process itself.

11 In general, how do the attacks work?
A little background information: an Android OS update usually adds new system apps, new permissions and other attributes.

12 Android device running any Android version
A malicious app which exploits Pileup flaws is installed, claiming a set of carefully selected privileges or attributes that are only available on the higher OS version.
Android OS updates to a higher version.
During the OS update, the malicious app obtains the previously claimed privileges or attributes, e.g. obtains new permissions, replaces system apps, injects malicious data into system apps, etc.
It reads your messages, passwords, call logs, accesses your banking accounts…

13 Six Pileup Vulnerabilities

14 Pileup 1: Permission Harvesting
Current OS, to the app: “You request a permission that I never heard of.” (updating) “Future” OS: “Now I have the permission and will grant it to you.”

15 Attack Demo I: Eavesdrop on Google Voice messages
Background: the permission "com.google.googlevoice.RECEIVE_SMS" is to be added on Android 4.0 for receiving Google Voice SMS.
Step I: A malicious app installed on Android 2.3 requests that permission. Before the OS update, Android did not recognize the permission and therefore did not ask the user whether to grant it to the malicious app.
Step II: The device is upgraded from 2.3 to 4.0. The OS now recognized the permission and the app got it automatically. It is now able to read the SMS messages of Google Voice.

16 Pileup 2: Permission Preempting
Current OS, to the app: “You define a permission that I never heard of.” (updating) “Future” OS: “I also want to define that permission, but you did first.”

17 Pileup 3: Shared UID Grabbing
Current OS, to the app: “You claim a Shared UID that I never heard of.” (updating) “Future” OS: “I also want to claim that Shared UID, but you did first.”

18 Pileup 4: Data Contamination
Current OS, to the app: “You take a package name that I never heard of.” (updating) “Future” OS: “I also want to take that package name, so I kick you out. But I will use the data you left.”

19 Attack Demo II: Hijacking the mobile browser
Step I: A malicious app installed on Android 2.3 takes the same package name as the future browser, com.google.android.browser, and places malicious data in its own data directory.
Step II: The device is upgraded from Android 2.3 to 4.0. The OS update logic kicked out the malicious app but kept its data and merged it into the new browser app. The cache, cookies and settings of the browser are all contaminated, and all webpages were hijacked.

20 Six Pileup Vulnerabilities
Denial of Service 1: exploiting the permission tree to disable permissions. Denial of Service 2: blocking Google Play Services, which causes malfunction of other apps.

21 Root Cause: the conservative strategy
When existing apps, properties and attributes conflict with new ones added by the OS update, the existing ones are kept (current OS, updating, “future” OS).

22 Impact: Pileup flaws are pervasive. All Android versions are vulnerable, since the first Android: all AOSP (Android Open Source Project) versions, and all 3,522 customized versions by different manufacturers and carriers across the world (1552 from Samsung, 377 from LG, 1593 from HTC). Affecting 1 billion Android users worldwide.

23 Malware Distribution: malware is easy to spread
App stores: all of them accepted our malware.

24 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

25 Exploit Opportunities
The new resources added in an Android update (permissions, packages, shared UIDs) depend on the Android version, the device model, the manufacturer and the carrier. Pileup attacks must therefore target the new resources of each specific Android update.

26 Exploit Opportunities
Data sources: all AOSP versions; the Google Nexus family (Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.); 3,511 customized Android versions from Samsung (217 models, 267 carriers); up to Android 4.4.

27 Measurement of Exploit Opportunities
There are a lot of exploit opportunities. Among the thousands of customized Android versions, 50% of Android updates added at least 38 sensitive permissions (dangerous/system/signature-level permissions), 23 new packages (new system apps) and 1 new shared UID.

28 Measurement of Exploit Opportunities
Impact of carriers: different carriers mean different exploit opportunities. We find that the customizations by carriers result in different numbers of exploit opportunities. However, generally, every carrier adds …

29 Database of Exploit Opportunities
For every specific customization, all the exploit opportunities are documented in a database, generating 2 million records.

30 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

31 Systematic Analysis - SecUP
Vulnerability detector: detects Pileup flaws in any customized source code.
Exploit opportunity analyzer: extracts the exploit opportunities from the corresponding OS image.
Risk database: stores the exploit opportunities for each specific Android customization; 2 million records after scanning over 3,500 Android images.
Scanner app: protects users against Pileup.
Architecture of SecUP: Android source code goes into the vulnerability detector, which outputs the detected flaws; Android images go into the opportunity analyzer, whose exploit opportunities are stored in the Risk DB; the scanner app queries the Risk DB for exploit opportunities and produces a risks report.


33 Vulnerability Detector
Input: Android source code, i.e. a new or customized PMS (PackageManagerService). Output: detected flaws.
Pipeline: diff computation between the reference PMS and the new PMS, then code generation, then full verification with VeriFast, which reports the flaw detected.

34 Formal Verification Assertions
Two principles: (1) a non-system app should not gain any more privileges during the update; (2) a non-system app should not compromise the integrity or availability of the new Android.
Two stages: set new attributes (e.g. the UID of a new system app); register new properties (e.g. permissions defined by new system apps).
Example assertion, checked when a permission is registered:
BasePermission bp = mSettings.mPermissions.get(PermissionName);
Assert((bp.pkgFlags & SYSTEM) != 0);
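The conservative strategy of slide 21, the four attack patterns of slides 14 to 19 and the two principles of slide 34, as a runnable Python model added here. It is not AOSP or SecUP code: the App and Settings classes, the function names and every package, permission and shared UID name are constructed for illustration. conservative_update lets an app installed on the old OS keep the "future" names it claimed and silently grants its previously unknown permission request; hardened_update gives system declarations precedence, does not hand an evicted app's data directory to the new system package, and freezes non-system grants across the update; check_principles turns the two principles into assertions over the resulting state, including the pkgFlags & SYSTEM check quoted above.

```python
# Toy model of the Package Manager Service (PMS) merge that runs during an OS update: the
# conservative strategy beside a hardened merge.  Constructed example, not AOSP/SecUP code.
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SYSTEM = 1  # flag bit; mirrors the (bp.pkgFlags & SYSTEM) != 0 assertion on slide 34

@dataclass
class App:
    package: str
    system: bool
    requests: Set[str] = field(default_factory=set)     # <uses-permission>
    defines: Set[str] = field(default_factory=set)      # <permission> declarations
    shared_uid: Optional[str] = None                    # android:sharedUserId
    data: Dict[str, str] = field(default_factory=dict)  # files under /data/data/<pkg>

@dataclass
class Settings:  # the PMS bookkeeping that survives an update
    apps: Dict[str, App] = field(default_factory=dict)
    perm_owner: Dict[str, str] = field(default_factory=dict)  # permission -> defining package
    perm_flags: Dict[str, int] = field(default_factory=dict)  # permission -> flag bits
    uid_owner: Dict[str, str] = field(default_factory=dict)   # shared UID -> owning package
    granted: Dict[str, Set[str]] = field(default_factory=dict)

def register(s: Settings, a: App, system_overrides: bool) -> None:
    """Record declarations; without system_overrides the first claimer keeps a name for good."""
    s.apps[a.package] = a
    for p in a.defines:
        if p not in s.perm_owner or (system_overrides and a.system):
            s.perm_owner[p], s.perm_flags[p] = a.package, (SYSTEM if a.system else 0)
    if a.shared_uid and (a.shared_uid not in s.uid_owner or (system_overrides and a.system)):
        s.uid_owner[a.shared_uid] = a.package

def install_old_os(apps: List[App]) -> Settings:
    """Old OS: a request for a permission nobody defines is recorded, not granted, not asked about."""
    s = Settings()
    for a in apps:
        register(s, a, system_overrides=False)
    for a in apps:
        s.granted[a.package] = {p for p in a.requests if p in s.perm_owner}
    return s

def conservative_update(s: Settings, new_system: List[App]) -> None:
    """The vulnerable merge: keep what exists, add only what is missing."""
    for a in new_system:
        old = s.apps.get(a.package)
        if old is not None and not old.system:
            a.data = dict(old.data)  # evicted app's directory is handed to the new system app
            s.granted.pop(old.package, None)
        register(s, a, system_overrides=False)  # first claimer wins: preempting / UID grabbing
    for pkg, a in s.apps.items():  # every request that is now a known permission gets granted
        s.granted[pkg] = {p for p in a.requests if p in s.perm_owner}

def hardened_update(s: Settings, new_system: List[App]) -> None:
    """System declarations win, evicted data is not inherited, non-system grants never grow silently."""
    before = {pkg: set(g) for pkg, g in s.granted.items()}
    for a in new_system:
        old = s.apps.get(a.package)
        if old is not None and not old.system:
            s.granted.pop(old.package, None)  # a.data stays empty: the old directory is wiped
        register(s, a, system_overrides=True)
    for pkg, a in s.apps.items():  # a newly recognised request would need a user decision
        s.granted[pkg] = {p for p in a.requests if p in s.perm_owner} if a.system else before.get(pkg, set())

def check_principles(before: Settings, after: Settings, new_system: List[App]) -> List[str]:
    """The two slide-34 principles as checks; returns the violations found."""
    v = []
    for pkg, a in after.apps.items():  # principle 1: no new privilege for a non-system app
        gained = after.granted[pkg] - before.granted.get(pkg, set())
        if not a.system and gained:
            v.append(f"{pkg} gained {sorted(gained)}")
    for a in new_system:  # principle 2: the new system image's resources are intact
        for p in a.defines:
            if not after.perm_flags[p] & SYSTEM:  # Assert((bp.pkgFlags & SYSTEM) != 0)
                v.append(f"permission {p} owned by non-system {after.perm_owner[p]}")
        if a.shared_uid and not after.apps[after.uid_owner[a.shared_uid]].system:
            v.append(f"shared UID {a.shared_uid} held by {after.uid_owner[a.shared_uid]}")
        if after.apps[a.package].data:
            v.append(f"system package {a.package} inherited data {sorted(after.apps[a.package].data)}")
    return v

def run_scenario(update_fn):
    """Constructed scenario: apps on the old OS claim names that only the 'future' OS introduces."""
    # harvesting (requests), preempting (defines) and UID grabbing (shared_uid), in that order
    mal = App("com.example.mal", system=False, requests={"com.example.voice.RECEIVE_SMS"},
              defines={"com.example.future.NEW_PERM"}, shared_uid="com.example.future.uid")
    squat = App("com.example.browser", system=False, data={"cookies.db": "planted"})
    s = install_old_os([mal, squat])
    new_system = [
        App("com.example.voice", system=True, defines={"com.example.voice.RECEIVE_SMS"}),
        App("com.example.future", system=True, defines={"com.example.future.NEW_PERM"},
            shared_uid="com.example.future.uid"),
        App("com.example.browser", system=True),  # data contamination target
    ]
    before = copy.deepcopy(s)
    update_fn(s, new_system)
    return s, check_principles(before, s, new_system)
```

run_scenario(conservative_update) reports four violations, one per Pileup pattern in the scenario, while run_scenario(hardened_update) reports none; the difference is entirely in whether a name claimed first by a non-system app outranks the system image's later declaration.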

35 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

36 Patch Progress
Oct. 14, 2013: Pileup reported to Google.
Jan. 08, 2014: Google told us they released a patch for permission preempting to vendors; not sure when vendors release the patch to users. Google created tracking numbers for all the other Pileup flaws.

37 Frequent Updates
From Android 1.0 to 4.4, all 19 major Android versions were released at a pace of one every 3.8 months, before device manufacturers can adopt a new fix from Google and apply it to the devices on the market. "Hey users, the new Android system is better. Please upgrade for new features and better security." Since the first Android, Google has released a major Android version every 4 months on average.

38 An Interesting Paradox
Android update is the very fundamental mechanism to fix security bugs. With Pileup, encouraging users to update is to encourage them to be attacked.

39 Scanner App: Secure Update Scanner
Installed on Android devices and used before each OS update. It scans for malware exploiting Pileup, powered by the DB with 2 million records, and accurately detects malware targeting each specific Android update. When the scan completes without finding malware, the user can have the peace of mind to upgrade.
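The exploit opportunity analyzer, the Risk DB record and the scanner of slides 25 to 31 and 39, as an added Python example that is not the SecUP code base: it diffs the manifests of an old and a new OS image into one record of newly added packages, permissions and shared UIDs, then scans the manifests of installed apps for claims on exactly those resources. The images, the installed apps and the protection levels are constructed; the only names taken from the slides are com.google.googlevoice.RECEIVE_SMS and com.google.android.browser. Permission harvesting is flagged only for sensitive (dangerous/system/signature-level) permissions, as counted on slide 27, while preempting is flagged for any new permission, since the collision is on the definition itself.

```python
# Constructed model of the SecUP opportunity analyzer and scanner app: diff two OS images'
# manifests into a Risk DB record, then scan installed apps' manifests against it.
# Example code, not the SecUP code base; manifests and protection levels are made up.
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

ANDROID = "{http://schemas.android.com/apk/res/android}"
# the dangerous/system/signature levels counted as sensitive on slide 27;
# android:protectionLevel may carry several flags joined by '|'
SENSITIVE = {"dangerous", "signature", "signatureOrSystem", "system"}

def parse_manifest(xml_text: str) -> dict:
    """Pull the resources an app claims out of its AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    return {
        "package": root.get("package"),
        "shared_uid": root.get(ANDROID + "sharedUserId"),
        "defines": {e.get(ANDROID + "name"): set(e.get(ANDROID + "protectionLevel", "normal").split("|"))
                    for e in root.iter("permission")},
        "requests": {e.get(ANDROID + "name") for e in root.iter("uses-permission")},
    }

def image_resources(manifests: Iterable[str]):
    """Packages, defined permissions (with their levels) and shared UIDs of one OS image."""
    pkgs, perms, uids = set(), {}, set()
    for m in map(parse_manifest, manifests):
        pkgs.add(m["package"])
        perms.update(m["defines"])
        if m["shared_uid"]:
            uids.add(m["shared_uid"])
    return pkgs, perms, uids

def opportunity_record(update: str, old_manifests: Iterable[str], new_manifests: Iterable[str]) -> dict:
    """One Risk DB record: everything the update adds that an app could claim in advance."""
    old_pkgs, old_perms, old_uids = image_resources(old_manifests)
    new_pkgs, new_perms, new_uids = image_resources(new_manifests)
    added = {p: lvl for p, lvl in new_perms.items() if p not in old_perms}
    return {
        "update": update,
        "new_packages": new_pkgs - old_pkgs,
        "new_permissions": set(added),
        "new_sensitive_permissions": {p for p, lvl in added.items() if lvl & SENSITIVE},
        "new_shared_uids": new_uids - old_uids,
    }

def scan(installed_manifests: Iterable[str], record: dict) -> List[Tuple[str, str, str]]:
    """Flag installed apps whose claims collide with the record: (package, flaw, resource)."""
    findings = []
    for m in map(parse_manifest, installed_manifests):
        pkg = m["package"]
        for p in sorted(m["requests"] & record["new_sensitive_permissions"]):
            findings.append((pkg, "permission harvesting", p))
        for p in sorted(set(m["defines"]) & record["new_permissions"]):
            findings.append((pkg, "permission preempting", p))
        if m["shared_uid"] in record["new_shared_uids"]:
            findings.append((pkg, "shared UID grabbing", m["shared_uid"]))
        if pkg in record["new_packages"]:
            findings.append((pkg, "data contamination", pkg))
    return findings

def manifest(pkg: str, defines=(), requests=(), shared_uid=None) -> str:
    """Build a minimal constructed AndroidManifest.xml string."""
    uid = f' android:sharedUserId="{shared_uid}"' if shared_uid else ""
    body = "".join(f'<permission android:name="{n}" android:protectionLevel="{lvl}"/>' for n, lvl in defines)
    body += "".join(f'<uses-permission android:name="{n}"/>' for n in requests)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{pkg}"{uid}>{body}</manifest>')

# Constructed images: the old one has a phone app; the new one adds a voice app defining
# the slide-15 permission and the slide-19 browser package, here with a shared UID.
OLD_IMAGE = [manifest("com.example.phone", defines=[("com.example.phone.CALL", "dangerous")])]
NEW_IMAGE = OLD_IMAGE + [
    manifest("com.example.voice", defines=[("com.google.googlevoice.RECEIVE_SMS", "dangerous")]),
    manifest("com.google.android.browser", defines=[("com.example.browser.NOTE", "normal")],
             shared_uid="com.example.uid.browser"),
]
# Constructed apps on the device before the update: one pre-claiming three future
# resources, one squatting the future browser package name, and one benign app.
INSTALLED = [
    manifest("com.example.mal", requests=["com.google.googlevoice.RECEIVE_SMS"],
             defines=[("com.example.browser.NOTE", "normal")], shared_uid="com.example.uid.browser"),
    manifest("com.google.android.browser"),
    manifest("com.example.benign", requests=["com.example.phone.CALL"]),
]

def run_scan() -> List[Tuple[str, str, str]]:
    """Scanner run for this update, as the app would do before the user taps 'upgrade'."""
    record = opportunity_record("constructed 2.3 -> 4.0 update", OLD_IMAGE, NEW_IMAGE)
    return scan(INSTALLED, record)
```

The record is keyed by the update it describes, which is the point of slide 25: the same installed app is harmless on one device model or carrier build and a Pileup exploit on another, so the scanner must query the record for the exact update about to be applied rather than a generic list of risky names.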

40 Secure Update Scanner Free on Google Play, Amazon AppStore, etc.

41 App Popularity: Number of Downloads
70,687 as of May 16. High rating: 4.2 out of 5 by 647 users on Google Play.

42 App Popularity: Users' Origins, 163 countries and districts:
United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde

43 Discussion
Services other than PMS in Android update: UserManagerService, BackupManagerService, ServiceManager, etc.
Other OSes may also be subject to Pileup: Windows, iOS. Can a normal user become admin after Windows Update?

44 Conclusion
First systematic study of Android update security: a new threat to Android update, its root cause, and the exploit opportunities in over 3,500 Android customizations. A scanner app to protect users before an Android update. Next time you click to upgrade your Android, be aware that there is a risk.

45 Media Coverage: tens of news agencies across the world. English:
European (German, French, Italian, Portuguese, etc.): Chinese:

46 SecureAndroidUpdate.org

47 Thanks! Q&A

