Presentation transcript: "Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating"

1 Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)
(1) Indiana University, (2) Microsoft Research
4 Introduction
Let's talk about OS update.
An operating system (OS) update is supposed to make the system more secure, reliable and usable: it fixes security bugs, enhances security protection and adds new functionality.
Our research shows that the Android OS update process itself has security vulnerabilities.
5 Introduction
The Android ecosystem is fragmented (version distribution data provided by Google, ending on April 1st, 2014):
The latest release, KitKat, came out in Oct. 2013 and had reached only about 5% share after half a year.
Gingerbread, released in Feb. 2011, still held nearly 20 percent share.
(Chart labels: Feb. 2011, Dec. 2011, Oct. 2013.)
Such a fragmented ecosystem gives an attacker plenty of opportunities to exploit the OS update. With such a fragmented market, let's see what happens in terms of OS update.
6 Introduction
The following threat model is practical:
Assume there is a malicious app on the device, which runs any Android version.
Thanks to fragmentation, the attacker has the opportunity to study every single detail of the "future" OS (the higher-version OS) before the device receives it.
When the OS update happens, can the attacker leverage the knowledge of the newer OS, e.g., to obtain more permissions, knock out new system apps, manipulate the data of new system apps, etc.?
7 Contents
Introduction
Pileup Vulnerabilities
Exploit Opportunities
Finding Pileups
Mitigation: Scanner App
Discussion and Related Work
Conclusion
8 Pileup Vulnerabilities
First systematic security analysis of the mobile OS update mechanism.
Focused on the Package Manager Service (PMS) as a first step: it is the most critical component in OS update, since it installs the new system apps and registers new properties/attributes during the update.
Discovered a new category of vulnerabilities in the OS update installation logic: Pileup.
9 What is Pileup?
Pileup (Privilege escalation through OS updating): a totally new category of vulnerabilities.
Neither an attack on the "future" OS nor an attack on the current OS.
10 What is Pileup?
Pileup (Privilege escalation through OS updating): a totally new category of vulnerabilities.
Attacks on the OS updating process itself.
11 In general, how do the attacks work?
A little background information: an Android OS update usually adds new system apps, new permissions and other attributes.
12 Attack flow
An Android device running any Android version.
A malicious app which exploits Pileup flaws is installed, claiming a set of carefully selected privileges or attributes that are only available on the higher OS version.
The Android OS updates to the higher version.
During the OS update, the malicious app obtains the previously claimed privileges or attributes, e.g. obtains new permissions, replaces system apps, injects malicious data into system apps, etc.
It then reads your messages, passwords, call logs, accesses your banking accounts...
14 Pileup 1: Permission Harvesting
Current OS: "You request a permission that I never heard of."
Updating.
"Future" OS: "Now I have the permission and will grant it to you."
15 Attack Demo I: Eavesdrop on Google Voice messages
Background: the permission "com.google.googlevoice.RECEIVE_SMS" is added on Android 4.0 for receiving Google Voice SMS.
Step I: A malicious app installed on Android 2.3 requests the permission "com.google.googlevoice.RECEIVE_SMS". Before the OS update, Android did not recognize the permission and therefore did not ask the user whether to grant it to the malicious app.
Step II: The device is upgraded from 2.3 to 4.0. The OS now recognizes the permission and the app gets it automatically. It is now able to read the SMS messages of Google Voice.
16 Pileup 2: Permission Preempting
Current OS: "You define a permission that I never heard of."
Updating.
"Future" OS: "I also want to define that permission, but you did first."
17 Pileup 3: Shared UID Grabbing
Current OS: "You claim a shared UID that I never heard of."
Updating.
"Future" OS: "I also want to claim that shared UID, but you did first."
18 Pileup 4: Data Contamination
Current OS: "You take a package name that I never heard of."
Updating.
"Future" OS: "I also want to take that package name, so I kick you out. But I will use the data you left."
19 Attack Demo II: Hijacking the mobile browser
Step I: A malicious app installed on Android 2.3 takes the same package name as the future browser: com.google.android.browser. The app places malicious data in its own data directory.
Step II: The device is upgraded from Android 2.3 to 4.0. The OS update logic kicks out the malicious app but keeps its data and merges it into the new browser app. The cache, cookies and settings of the browser are all contaminated, and all webpages are hijacked.
20 Six Pileup Vulnerabilities
The four above (Permission Harvesting, Permission Preempting, Shared UID Grabbing, Data Contamination), plus:
Denial of Service 1: exploiting the permission tree to disable permissions.
Denial of Service 2: blocking Google Play Services, causing other apps to malfunction.
21 Root Cause
Conservative strategy: the update preserves the existing apps, properties and attributes and installs only the new ones added by the OS update. When an existing app has already claimed a resource that the new OS introduces, the existing claim wins.
Current OS: existing apps, properties, attributes. Updating. "Future" OS: new ones added by the OS update.
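To make the root cause concrete, here is a toy model of the settings merge a package manager performs during an update. It is an added example written for this page, not code from the paper, from SecUP or from AOSP; the classes App, DeviceState and SystemImage, the functions merge_update and demo, and every package or permission name not quoted from the slides (com.evil.app, com.example.future.PERM, com.example.future.uid, com.example.voice, com.example.newsys) are made up. With hardened=False the merge follows the conservative "keep what exists, add only what is new" strategy and reproduces all four Pileup patterns above; with hardened=True it applies the two principles the talk's detector asserts (a non-system app gains no new privilege across the update and cannot damage the new system's integrity or availability). The modeled consequences (silent grant, first definer wins, the system app being rejected when its shared UID is already taken, the data directory surviving a package-name collision) are a simplification of the real PMS behaviour.

```python
"""Toy model of a package manager's settings merge during an OS update.
Added example for this page (not code from the paper, SecUP or AOSP); all
class, function, package and permission names not quoted from the slides
are made up for illustration."""
from dataclasses import dataclass, field
from typing import Optional

SYSTEM = "system"   # owner marker for resources that belong to the OS image


@dataclass
class App:
    name: str
    requests: frozenset = frozenset()   # <uses-permission> names
    defines: frozenset = frozenset()    # <permission> names it declares
    shared_uid: Optional[str] = None    # android:sharedUserId
    data: dict = field(default_factory=dict)  # contents of its data dir


@dataclass
class DeviceState:
    apps: dict         # installed third-party apps, by package name
    granted: dict      # package name -> set of permissions it holds
    perm_owner: dict   # permission -> package that defined it
    uid_owner: dict    # shared UID -> first package that claimed it


@dataclass
class SystemImage:
    apps: dict         # system apps shipped by the new OS, by package name
    perms: set         # every permission the new OS recognizes


def merge_update(dev, img, hardened=False):
    """Return the post-update settings. hardened=False keeps whatever already
    exists and only adds what is new (the Pileup root cause); hardened=True
    lets the system image win every conflict and defers new grants."""
    granted = {n: set(g) for n, g in dev.granted.items()}
    perm_owner, uid_owner = dict(dev.perm_owner), dict(dev.uid_owner)
    data = {n: dict(a.data) for n, a in dev.apps.items()}
    apps, rejected, pending = dict(dev.apps), [], {}

    # Stage 1: install the new system apps and register their attributes.
    for name, sys_app in img.apps.items():
        if name in dev.apps:                    # Pileup 4: package name taken
            apps.pop(name)                      # the old app is removed...
            if hardened:
                data.pop(name)                  # ...and so is its data dir
            # vulnerable: the data dir survives and is inherited by the system app
        for p in sys_app.defines:               # Pileup 2: permission definition
            if hardened or perm_owner.get(p, SYSTEM) == SYSTEM:
                perm_owner[p] = SYSTEM          # system definition is authoritative
            # vulnerable: an earlier third-party definer keeps ownership
        uid = sys_app.shared_uid
        if uid and not hardened and uid_owner.get(uid, SYSTEM) != SYSTEM:
            rejected.append(name)               # Pileup 3: UID already grabbed
            continue
        if uid:
            uid_owner[uid] = SYSTEM             # hardened: system reclaims the UID
        data.setdefault(name, {})
        apps[name] = sys_app
        granted[name] = set(sys_app.requests)

    # Stage 2: re-grant permissions to the surviving third-party apps.
    for name, app in apps.items():
        if name in img.apps:
            continue
        held = granted.setdefault(name, set())
        for p in app.requests - held:           # requested but not yet held
            if p in img.perms:                  # Pileup 1: newly recognized
                if hardened:
                    pending.setdefault(name, set()).add(p)  # needs user consent
                else:
                    held.add(p)                 # silently granted
    return dict(granted=granted, perm_owner=perm_owner, uid_owner=uid_owner,
                data=data, rejected=rejected, pending=pending)


def demo(hardened):
    """Constructed scenario: two malicious apps pre-claim resources that the
    update's system image introduces (names not quoted from the slides are
    invented)."""
    voice = "com.google.googlevoice.RECEIVE_SMS"    # Attack Demo I
    browser = "com.google.android.browser"          # Attack Demo II
    fut_perm, fut_uid = "com.example.future.PERM", "com.example.future.uid"
    internet = "android.permission.INTERNET"
    dev = DeviceState(
        apps={"com.evil.app": App("com.evil.app", frozenset({internet, voice}),
                                  frozenset({fut_perm}), fut_uid),
              browser: App(browser, data={"cookies": "attacker-controlled"})},
        granted={"com.evil.app": {internet}, browser: set()},
        perm_owner={fut_perm: "com.evil.app"},
        uid_owner={fut_uid: "com.evil.app"})
    img = SystemImage(
        apps={browser: App(browser, frozenset({internet})),
              "com.example.voice": App("com.example.voice",
                                       defines=frozenset({voice})),
              "com.example.newsys": App("com.example.newsys",
                                        defines=frozenset({fut_perm}),
                                        shared_uid=fut_uid)},
        perms={internet, voice, fut_perm})
    return merge_update(dev, img, hardened)
```

Running demo(False) shows all four outcomes at once: com.evil.app ends up holding com.google.googlevoice.RECEIVE_SMS without any prompt, it remains the owner of the permission the new system app wanted to define, com.example.newsys cannot be installed because its shared UID is taken, and the new browser inherits the attacker's cookies. demo(True) defers the new grant to user review, hands both the permission definition and the shared UID to the system, and wipes the old data directory.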
22 Impact
Pileup flaws are pervasive: all Android versions since the first Android are vulnerable.
All AOSP (Android Open Source Project) versions.
All 3,522 customized versions by different manufacturers and carriers across the world: 1,552 from Samsung, 377 from LG, 1,593 from HTC.
Affecting 1 billion Android users worldwide.
23 Malware Distribution
Malware exploiting Pileup is easy to spread: all the app stores we submitted to accepted our malware.
25 Exploit Opportunities
The exploit opportunities are the new resources added in an Android update (permissions, packages, shared UIDs).
They vary with the Android version, the device model, and the customizations of different manufacturers and carriers.
Pileup attacks must therefore target the new resources of each specific Android update: Android version, device model, manufacturer, carrier.
26 Exploit Opportunities
Data sources:
All AOSP versions, up to Android 4.4.
Google Nexus family: Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.
3,511 customized Android images from Samsung, covering 217 models and 267 carriers.
27 Measurement of Exploit Opportunities
A lot of exploit opportunities: among the thousands of customized Android versions, 50% of Android updates added at least
38 sensitive permissions (dangerous/system/signature level permissions),
23 new packages (new system apps), and
1 new shared UID.
28 Measurement of Exploit Opportunities
Impact of carriers: different carriers mean different exploit opportunities. We find that the customizations by carriers result in different numbers of exploit opportunities. However, generally, every carrier adds …
29 Database of Exploit Opportunities
For every specific customization, all the exploit opportunities are documented in a database, generating 2 million records.
31 Systematic Analysis: SecUP
Architecture of SecUP:
Vulnerability detector: detects Pileup flaws in any customized Android source code (input: Android source code; output: detected flaws).
Exploit opportunity analyzer: extracts the exploit opportunities from the corresponding OS image (input: Android images).
Risk database: stores the exploit opportunities and detected flaws for each specific Android customization; 2 million records after scanning over 3,500 Android images.
Scanner app: queries the risk DB for the exploit opportunities and detected flaws of the user's specific update and produces a risk report, protecting users against Pileup.
33 Vulnerability Detector
Input: Android source code containing a new or customized PMS (PackageManagerService). Output: detected flaws.
Steps: diff computation between the new PMS and a reference PMS; code generation; full verification with VeriFast; flaw detected.
34 Formal Verification Assertions
Two principles:
A non-system app should not gain any more privileges during update.
A non-system app should not compromise the integrity or availability of the new Android.
Two stages at which the assertions are checked:
Set new attributes (e.g. the UID of a new system app).
Register new properties (e.g. permissions defined by new system apps).
Example assertion (pseudocode from the slide): a permission being registered must be owned by a system package.
BasePermission bp = mSettings.mPermissions.get(permissionName);
assert((bp.pkgFlags & SYSTEM) != 0);
36 Patch Progress
Oct. 14, 2013: Pileup reported to Google.
Jan. 08, 2014: Google told us they had released a patch for permission preempting to vendors. It is not clear when vendors will release the patch to users.
Google created tracking numbers for all the other Pileup flaws.
37 Frequent Updates
From Android 1.0 to 4.4, all 19 major Android versions were released one every 3.8 months on average: since the first Android, Google has shipped a new major version roughly every 4 months, often before device manufacturers can adopt the new fixes from Google and apply them to the devices on the market.
(Cartoon: "Hey users, the new Android system is better. Please upgrade for new features and better security.")
38 An Interesting Paradox
Android update is the very fundamental mechanism for fixing security bugs.
With Pileup, encouraging users to update is to encourage them to be attacked.
39 Scanner App: Secure Update Scanner
Installed on Android devices and used before each OS update.
Scans for malware exploiting Pileup, powered by the DB with 2 million records, so it accurately detects malware targeting each specific Android update.
When the scan completes without finding malware, the user can upgrade with peace of mind.
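The scan described above boils down to one comparison: what the installed apps claim in their manifests versus what the pending update will introduce on this exact device model and carrier. The following is an added example written for this page, not the Secure Update Scanner's own code; the manifests, the risk records, the record layout (kind/name/from/to/model/carrier) and the placeholder model and carrier identifiers are all constructed here. The record for a different target version shows why the scanner has to be keyed to the specific update rather than to Android in general.

```python
"""Added example of a pre-update scan in the spirit of the Secure Update
Scanner; not the app's own code. Manifests, risk records and the record
layout (kind/name/from/to/model/carrier) are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def claims_from_manifest(xml_text):
    """Collect what an app claims in AndroidManifest.xml: its package name,
    sharedUserId, requested <uses-permission>s and declared <permission>s."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    return {"package": root.get("package"),
            "shared_uid": root.get(ANDROID_NS + "sharedUserId"),
            "requests": {e.get(name) for e in root.iter("uses-permission")},
            "defines": {e.get(name) for e in root.iter("permission")}}


def opportunities(risk_db, update):
    """Resources the given update adds on this exact model/carrier, grouped by
    kind. Records for other builds are ignored: the scanner must know the
    precise customization being upgraded."""
    out = {"permission": set(), "package": set(), "shared_uid": set()}
    for rec in risk_db:
        if all(rec[k] == update[k] for k in ("from", "to", "model", "carrier")):
            out[rec["kind"]].add(rec["name"])
    return out


def scan(manifests, risk_db, update, recognized_now):
    """Flag installed apps that claim a resource the current OS does not know
    but the pending update introduces: the precondition of every Pileup."""
    opp = opportunities(risk_db, update)
    findings = []
    for xml_text in manifests:
        c = claims_from_manifest(xml_text)
        pkg = c["package"]
        for p in c["requests"] | c["defines"]:
            if p in opp["permission"] and p not in recognized_now:
                findings.append((pkg, "permission", p))   # harvesting / preempting
        if pkg in opp["package"]:
            findings.append((pkg, "package", pkg))         # data contamination
        if c["shared_uid"] in opp["shared_uid"]:
            findings.append((pkg, "shared_uid", c["shared_uid"]))  # UID grabbing
    return sorted(findings)


# Constructed inputs. Model and carrier identifiers are placeholders.
UPDATE = {"from": "2.3", "to": "4.0",
          "model": "EXAMPLE-MODEL", "carrier": "EXAMPLE-CARRIER"}
RISK_DB = [
    {**UPDATE, "kind": "permission", "name": "com.google.googlevoice.RECEIVE_SMS"},
    {**UPDATE, "kind": "package", "name": "com.google.android.browser"},
    {**UPDATE, "kind": "shared_uid", "name": "com.example.future.uid"},
    # same kind of record, but for a different update: must not be matched
    {**UPDATE, "to": "4.1", "kind": "permission", "name": "com.example.other.PERM"},
]
CURRENT_PERMS = {"android.permission.INTERNET", "android.permission.READ_SMS"}

EVIL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.android.browser" android:sharedUserId="com.example.future.uid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.googlevoice.RECEIVE_SMS"/>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def run_scan():
    """Scan the two constructed apps against the constructed risk records."""
    return scan([EVIL_MANIFEST, BENIGN_MANIFEST], RISK_DB, UPDATE, CURRENT_PERMS)
```

run_scan() reports three findings, all against the app posing as com.google.android.browser: the package name the new system browser will take, the not-yet-recognized com.google.googlevoice.RECEIVE_SMS permission it requests, and the shared UID it has pre-claimed. The benign notes app, which only asks for a permission the current OS already knows, produces nothing.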
40 Secure Update Scanner
Free on Google Play, Amazon AppStore, etc.
41 App Popularity
Number of downloads: 70,687 as of May 16.
High rating: 4.2 out of 5 by 647 users on Google Play.
42 App Popularity
User origins: 163 countries and districts: United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde.
43 Discussion
Services other than PMS are also involved in Android update: UserManagerService, BackupManagerService, ServiceManager, etc.
Other OSes may also be subject to Pileup: Windows, iOS. Can a normal user become admin after Windows Update?
44 Conclusion
First systematic study of Android update security: a new threat to Android update, its root cause, and the exploit opportunities in over 3,500 Android customizations.
A scanner app to protect users before an Android update.
Next time you click to upgrade your Android, be aware that there is a risk.
45 Media Coverage
Tens of news agencies across the world: English; European (German, French, Italian, Portuguese, etc.); Chinese.