1 Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)
(1) Indiana University, (2) Microsoft Research

2 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

3 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

4 Introduction
- An operating system (OS) update is supposed to make the system more secure, reliable and usable: it fixes security bugs, enhances security protection and adds new functionality
- Our research shows that the Android OS update itself has security vulnerabilities

5 Introduction
- The Android ecosystem is fragmented
- [Chart: distribution of Android versions in use, data provided by Google ending on April 1st, 2014]

6 Introduction
- The following threat model is practical: assume there is a malicious app on the device, running any Android version
- Thanks to fragmentation, the attacker has the opportunity to study every single detail of the "future" OS (a higher-version OS) before the device receives it
- When the OS update happens, can the attacker leverage the knowledge of the newer OS? E.g., to obtain more permissions, knock out new system apps, manipulate the data of new system apps, etc.

7 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Finding Pileups; Mitigation – Scanner App; Discussion and related work; Conclusion

8 Pileup Vulnerabilities
- First systematic security analysis of a mobile OS update mechanism
- Focused on the Package Manager Service (PMS) as a first step: it is the most critical component in an OS update, installing the new system apps and the new properties/attributes the update brings
- Discovered a new category of vulnerabilities in the OS update installation logic: Pileup

9 What is Pileup?
- Pileup (Privilege escalation through OS updating)
- A totally new category of vulnerabilities: not an attack on the current OS, nor on the "future" OS

10 What is Pileup?
- Pileup (Privilege escalation through OS updating)
- A totally new category of vulnerabilities: attacks on the OS updating process itself

11 In general, how do the attacks work?
- A little background information: an Android OS update usually adds new system apps, new permissions and other attributes

12 [Attack flow]
- An Android device running any Android version
- A malicious app which exploits Pileup flaws is installed, claiming a set of carefully selected privileges or attributes that are only available on the higher OS version
- Android OS updates to the higher version
- During the OS update, the malicious app obtains the previously claimed privileges or attributes, e.g. it obtains new permissions, replaces system apps, injects malicious data into system apps, etc.
- It can then read your messages, passwords and call logs, access your banking accounts…

13 Six Pileup Vulnerabilities

14 Pileup 1: Permission Harvesting
- current OS: "You request a permission that I never heard of."
- (updating)
- "future" OS: "Now I have the permission and will grant it to you."

15 Attack Demo I: Eavesdropping on Google Voice messages
- Step I: A malicious app installed on Android 2.3 requests the permission "com.google.googlevoice.RECEIVE_SMS". This permission is added in Android 4.0 for receiving Google Voice SMS. Before the OS update, Android did not recognize the permission and therefore did not ask the user whether to grant it to the malicious app.
- Step II: The device is upgraded from 2.3 to 4.0. The OS now recognizes the permission and the app is granted it automatically. The app is now able to read Google Voice SMS messages.

16 Pileup 2: Permission Preempting
- current OS: "You define a permission that I never heard of."
- (updating)
- "future" OS: "I also want to define that permission, but you did first."

17 Pileup 3: Shared UID Grabbing
- current OS: "You claim a Shared UID that I never heard of."
- (updating)
- "future" OS: "I also want to claim that Shared UID, but you did first."

18 Pileup 4: Data Contamination
- current OS: "You take a package name that I never heard of."
- (updating)
- "future" OS: "I also want to take that package name, so I kick you out. But I will use the data you left."

19 Attack Demo II: Hijacking the mobile browser
- Step I: A malicious app installed on Android 2.3 takes the same package name as the future browser, com.google.android.browser, and places malicious data in its own data directory.
- Step II: The device is upgraded from Android 2.3 to 4.0. The OS update logic kicks out the malicious app but keeps its data and merges it into the new browser app. The browser's cache, cookies and settings are all contaminated, and all web pages are hijacked.

20 Six Pileup Vulnerabilities (continued)
- 5. Denial of Service 1: exploiting the permission tree to disable permissions
- 6. Denial of Service 2: blocking Google Play Services, causing other apps to malfunction

21 Root Cause: Conservative strategy
- [Diagram] current OS → (updating) → "future" OS: existing apps, properties and attributes are preserved across the update, and only then are the new ones added by the OS update. Whatever a pre-update app already claimed therefore wins over what the update intends to introduce.

22 Impact
- Pileup flaws are pervasive: all Android versions since the first Android are vulnerable
- All AOSP (Android Open Source Project) versions
- All 3,522 customized versions by different manufacturers and carriers across the world: 1,552 from Samsung, 377 from LG, 1,593 from HTC
- Affecting 1 billion Android users worldwide

23 Malware Distribution
- Malware is easy to spread: all app stores accepted our malware

24 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

25 Exploit Opportunities
- New resources added in an Android update (permissions, packages, shared UIDs) depend on the Android version, the device model, and the manufacturer and carrier
- Pileup attacks must therefore target the new resources of each specific Android update: Android version, device model, manufacturer, carrier

26 Exploit Opportunities: Data sources
- All AOSP versions, up to Android 4.4
- The Google Nexus family: Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.
- 3,511 customized Android builds from Samsung: 217 models, 267 carriers

27 Measurement of Exploit Opportunities
- There are a lot of exploit opportunities: among the thousands of customized Android builds, 50% of Android updates added at least 38 sensitive permissions (dangerous/system/signature-level permissions), 23 new packages (new system apps) and 1 new shared UID

28 Measurement of Exploit Opportunities
- Impact of carriers: different carriers mean different exploit opportunities

29 Database of Exploit Opportunities
- For every specific customization, all the exploit opportunities are documented in a database, generating 2 million records

30 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

31 Systematic Analysis – SecUP
- Vulnerability detector: detects Pileup flaws in any customized source code
- Exploit opportunity analyzer: extracts exploit opportunities from the corresponding OS image
- Risk database: stores the exploit opportunities
- Scanner app: protects users against Pileup
- [Architecture of SecUP] Android source code → vulnerability detector → detected flaws; Android images → opportunity analyzer → exploit opportunities → risk DB; the scanner app queries the risk DB for exploit opportunities and produces a risk report
- Opportunities are stored for each specific Android customization: 2 million records after scanning over 3,500 Android images


33 Vulnerability Detector
- Input: Android source code; output: detected flaws
- [Workflow] The PMS (PackageManagerService) of the new or customized build is compared against a reference PMS (diff computation); code generation produces the annotated code, which VeriFast then fully verifies, reporting any flaw detected

34 Formal Verification
- Assertions follow two principles: (1) a non-system app should not gain any more privileges during an update; (2) a non-system app should not compromise the integrity or availability of the new Android
- Two stages are verified: (1) setting new attributes (e.g. the UID of a new system app); (2) registering new properties (e.g. permissions defined by new system apps)
- Example assertion on the PMS permission registry (the page's own snippet, with its parentheses repaired):
    BasePermission bp = mSettings.mPermissions.get(permissionName);
    assert ((bp.pkgFlags & SYSTEM) != 0);
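The assertion above is easiest to understand against a small model of the registration stage. The following Python is an added example, not the authors' VeriFast annotations or Android's PMS code: it models the "conservative" merge that causes permission preempting (Pileup 2) beside a hardened merge, and checks the slide's invariant after each. The `SYSTEM` flag, the `BasePermission` class and all permission and package names are constructed stand-ins.

```python
# Added example (not the authors' code): a minimal model of how a package manager
# registers permission definitions during an OS update. The conservative strategy
# keeps whatever is already registered, which is the Pileup root cause (a
# third-party app that defined the name first keeps owning it). The hardened
# strategy enforces the slide's assertion: after the update, every permission a
# new system app defines must be owned by a system package. All data is constructed.
SYSTEM = 0x1  # constructed flag bit standing in for the platform's "system package" flag


class BasePermission:
    def __init__(self, name, owner, pkg_flags):
        self.name = name
        self.owner = owner          # package that defined the permission
        self.pkg_flags = pkg_flags  # flags of the owning package


def register_permissions(registered, new_system_defs, conservative):
    """Merge the permission definitions brought by new system apps into the
    registry (dict: name -> BasePermission) and return it."""
    for name, owner in new_system_defs:
        existing = registered.get(name)
        if existing is None:
            registered[name] = BasePermission(name, owner, SYSTEM)
        elif conservative:
            continue  # pre-update definition wins, even one made by a non-system app
        elif (existing.pkg_flags & SYSTEM) == 0:
            # hardened: a system definition takes precedence over a non-system one
            registered[name] = BasePermission(name, owner, SYSTEM)
    return registered


def check_update_invariant(registered, new_system_defs):
    """The slide's assertion: each permission defined by a new system app must be
    owned by a system package once the update completes."""
    return all((registered[name].pkg_flags & SYSTEM) != 0 for name, _ in new_system_defs)


def simulate(conservative):
    """Before the update, a non-system app preempted a permission name that the
    future system app will define. Returns whether the invariant holds afterwards."""
    perm = "com.example.future.PERM"                  # constructed permission name
    registered = {perm: BasePermission(perm, "com.example.preempter", 0)}
    new_defs = [(perm, "com.example.futureapp")]      # constructed new system app
    register_permissions(registered, new_defs, conservative)
    return check_update_invariant(registered, new_defs)
```

`simulate(True)` reproduces the flaw (the invariant fails), while `simulate(False)` shows the merge the assertion demands.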

35 Contents: Introduction; Pileup Vulnerabilities; Exploit Opportunities; Systematic Analysis; Mitigation – Scanner App; Discussion; Conclusion

36 Patch Progress
- Oct. 14, 2013: Pileup reported to Google
- Jan. 08, 2014: Google told us they had released a patch for permission preempting to vendors; it is not known when vendors will release the patch to users
- Google created tracking numbers for all the other Pileup flaws

37 Frequent Updates
- From Android 1.0 to 4.4, all 19 major Android versions were released, one every 3.8 months on average
- "Hey users, the new Android system is better. Please upgrade."

38 An Interesting Paradox
- The Android update is the fundamental mechanism for fixing security bugs
- With Pileup, encouraging users to update is encouraging them to be attacked

39 Scanner App: Secure Update Scanner
- Installed on Android devices and used before each OS update
- Scans for malware exploiting Pileup
- Powered by the DB with 2 million records
- Accurately detects malware targeting each specific Android update
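The check such a scanner performs can be stated concretely. The following Python is an added example and not the Secure Update Scanner's own code: it looks up the resources a specific update will introduce (keyed by model, carrier, from-version and to-version, as the talk's measurements are) and flags installed non-system apps that already claim one of them, naming the Pileup category involved. The `RISK_DB` records, the update key and the sample app manifests are constructed; the two Google identifiers come from the talk's demos.

```python
# Added example (not the project's code): a pre-update Pileup check over a risk
# database. Each record lists the new permissions, shared UIDs and package names a
# specific update brings. A non-system app that already uses or defines such a
# permission, claims such a shared UID, or holds such a package name is flagged.
SAMPLE_UPDATE = ("model-A", "carrier-X", "2.3", "4.0")   # constructed key
RISK_DB = {
    SAMPLE_UPDATE: {
        "permissions": {"com.google.googlevoice.RECEIVE_SMS"},  # from the talk's Demo I
        "shared_uids": {"android.uid.example"},                 # constructed
        "packages": {"com.google.android.browser"},             # from the talk's Demo II
    }
}


def pileup_risks(update_key, installed_apps):
    """installed_apps: dicts with keys package, system, uses_permissions,
    defines_permissions, shared_uid. Returns (package, category, resource) triples."""
    new = RISK_DB.get(update_key)
    if new is None:
        return []  # no record for this customization: nothing can be concluded
    findings = []
    for app in installed_apps:
        if app.get("system"):
            continue  # the threat model is a malicious third-party app
        for p in app.get("uses_permissions", ()):
            if p in new["permissions"]:
                findings.append((app["package"], "permission harvesting", p))
        for p in app.get("defines_permissions", ()):
            if p in new["permissions"]:
                findings.append((app["package"], "permission preempting", p))
        if app.get("shared_uid") in new["shared_uids"]:
            findings.append((app["package"], "shared UID grabbing", app["shared_uid"]))
        if app["package"] in new["packages"]:
            findings.append((app["package"], "data contamination", app["package"]))
    return findings


# Constructed manifests: a benign app, an app squatting the future browser's
# package name, and an app claiming the future permission and shared UID.
SAMPLE_APPS = [
    {"package": "com.example.benign", "system": False, "shared_uid": None,
     "uses_permissions": ["android.permission.INTERNET"], "defines_permissions": []},
    {"package": "com.google.android.browser", "system": False, "shared_uid": None,
     "uses_permissions": ["android.permission.INTERNET"], "defines_permissions": []},
    {"package": "com.example.claimer", "system": False, "shared_uid": "android.uid.example",
     "uses_permissions": ["com.google.googlevoice.RECEIVE_SMS"],
     "defines_permissions": ["com.google.googlevoice.RECEIVE_SMS"]},
]
```

Running `pileup_risks(SAMPLE_UPDATE, SAMPLE_APPS)` yields four findings across two apps; an unknown update key yields none, which a real scanner should report as "no data" rather than "safe".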

40 Secure Update Scanner
- Free on Google Play, Amazon AppStore, etc.

41 App Popularity
- Number of downloads: 70,687 as of May 16
- High rating: 4.2 out of 5 by 647 users on Google Play

42 App Popularity
- User origins: 163 countries and districts: United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde

43 Discussion
- Services other than the PMS take part in an Android update: UserManagerService, BackupManagerService, ServiceManager, etc.
- Other OSes may also be subject to Pileup, e.g. Windows and iOS: can a normal user become admin after a Windows Update?

44 Conclusion
- First systematic study of Android update security: a new threat to Android updates, its root cause, and exploit opportunities in over 3,500 Android customizations
- A scanner app to protect users before an Android update
- Next time you click to upgrade your Android, be aware that there is a risk

45 Media Coverage
- Tens of news agencies across the world: English; European (German, French, Italian, Portuguese, etc.); Chinese

46 SecureAndroidUpdate.org

47 Thanks! Q&A
