
Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating



  1. Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
  Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)
  (1) Indiana University, (2) Microsoft Research

  2. Contents
  • Introduction
  • Pileup Vulnerabilities
  • Exploit Opportunities
  • Systematic Analysis
  • Mitigation – Scanner App
  • Discussion
  • Conclusion


  4. Introduction
  • An operating system (OS) update is supposed to make the system more secure, reliable and usable
    • fix security bugs
    • enhance security protection, add new functionality
  • Our research shows that the Android OS update itself has security vulnerabilities

  5. Introduction
  • The Android ecosystem is fragmented
  [Charts of the Android version distribution in Feb. 2011, Dec. 2011 and Oct. 2013; data provided by Google, ending on April 1, 2014]

  6. Introduction
  • The following threat model is practical
    • Assume there is a malicious app on the device, running any Android version
    • Thanks to fragmentation, the attacker has the opportunity to study every single detail of the “future” OS (the higher-version OS)
  • When the OS update happens, can the attacker leverage the knowledge of the newer OS?
    • e.g., to obtain more permissions, knock out new system apps, manipulate the data of new system apps, etc.

  7. Contents
  • Introduction
  • Pileup Vulnerabilities
  • Exploit Opportunities
  • Finding Pileups
  • Mitigation – Scanner App
  • Discussion and related work
  • Conclusion

  8. Pileup Vulnerabilities
  • First systematic security analysis of the mobile OS update mechanism
  • Focused on the Package Manager Service (PMS) as a first step
    • The most critical component in an OS update
    • It installs the new system apps and the new properties/attributes during the OS update
  • Discovered a new category of vulnerabilities in the OS update installation logic: Pileup

  9. What is Pileup?
  • Pileup (Privilege escalation through OS updating)
  • A totally new category of vulnerabilities
    • Not an attack on the current OS
    • Nor on the “future” OS

  10. What is Pileup?
  • Pileup (Privilege escalation through OS updating)
  • A totally new category of vulnerabilities
    • Attacks on the OS updating process itself

  11. In general, how do the attacks work?
  • A little background information:
    • An Android OS update usually adds new system apps, new permissions and other attributes

  12. [Attack flow]
  • An Android device running any Android version
  • A malicious app which exploits Pileup flaws is installed, claiming a set of carefully selected privileges or attributes that are only available on the higher OS version
  • The Android OS updates to a higher version
  • During the OS update, the malicious app obtains the previously claimed privileges or attributes, e.g. obtains new permissions, replaces system apps, injects malicious data into system apps, etc.
  • It then reads your messages, passwords, call logs, accesses your banking accounts…

  13. Six Pileup Vulnerabilities

  14. Pileup 1: Permission Harvesting
  current OS: “You request a permission that I never heard of.”
  [updating]
  “future” OS: “Now I have the permission and will grant it to you.”

  15. Attack Demo I
  • Eavesdrop on Google Voice messages
  • Step I
    • A malicious app installed on Android 2.3 requests the permission "com.google.googlevoice.RECEIVE_SMS"
    • The permission is to be added in Android 4.0 for receiving Google Voice SMS
    • Before the OS update, Android did not recognize the permission
    • Therefore it did not ask the user whether to grant the permission to the malicious app
  • Step II
    • The device is upgraded from 2.3 to 4.0
    • The OS now recognizes the permission
    • The app got the permission automatically
    • It is now able to read Google Voice SMS messages

  16. Pileup 2: Permission Preempting
  current OS: “You define a permission that I never heard of.”
  [updating]
  “future” OS: “I also want to define that permission, but you did first.”

  17. Pileup 3: Shared UID Grabbing
  current OS: “You claim a shared UID that I never heard of.”
  [updating]
  “future” OS: “I also want to claim that shared UID, but you did first.”

  18. Pileup 4: Data Contamination
  current OS: “You take a package name that I never heard of.”
  [updating]
  “future” OS: “I also want to take that package name, so I kick you out. But I will use the data you left.”

  19. Attack Demo II
  • Hijacking the mobile browser
  • Step I
    • A malicious app installed on Android 2.3 takes the same package name as the future browser: com.google.android.browser
    • The app places malicious data in its own data directory
  • Step II
    • The device is upgraded from Android 2.3 to 4.0
    • The OS update logic kicks out the malicious app
    • But it keeps the app's data and merges it into the new browser app
    • The browser's cache, cookies and settings are all contaminated
    • All webpages were hijacked

  20. Six Pileup Vulnerabilities
  • Denial of Service 1: exploiting the permission tree
    • Disables permissions
  • Denial of Service 2: blocking Google Play Services
    • Causes malfunction of other apps

  21. Root Cause
  • Conservative strategy: existing apps, properties and attributes (those of the current OS) take precedence over the new ones added by the OS update (those of the “future” OS)
    • Existing: apps, properties, attributes
    • New ones added by the OS update

  22. Impact
  • Pileup flaws are pervasive
  • All Android versions are vulnerable
    • since the first Android release
    • all AOSP (Android Open Source Project) versions
    • all 3,522 customized versions by different manufacturers and carriers across the world
      • 1,552 from Samsung
      • 377 from LG
      • 1,593 from HTC
  • Affecting 1 billion Android users worldwide

  23. Malware Distribution
  • Malware: easy to spread
  • App stores: all accepted our malware


  25. Exploit Opportunities
  • New resources added in an Android update (permissions, packages, shared UIDs)
  • Affected by Android version, device model, manufacturer and carrier
  • Pileup attacks must target the new resources of each specific Android update
    • Android version
    • Device model
    • Manufacturer
    • Carrier

  26. Exploit Opportunities
  • Data sources
    • All AOSP versions
    • Google Nexus family: Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.
    • 3,511 customized Android versions from Samsung: 217 models, 267 carriers
    • Up to Android 4.4

  27. Measurement of Exploit Opportunities
  • A lot of exploit opportunities
  • Among the thousands of customized Android versions, 50% of Android updates added at least
    • 38 sensitive permissions (dangerous/system/signature-level permissions)
    • 23 new packages (new system apps)
    • 1 new shared UID

  28. Measurement of Exploit Opportunities
  • Impact of carriers
    • Different carriers mean different exploit opportunities

  29. Database of Exploit Opportunities
  • For every specific customization, all the exploit opportunities are documented in a database, generating 2 million records


  31. Systematic Analysis - SecUP
  • Vulnerability detector: detects Pileup flaws in any customized source code
  • Exploit opportunity analyzer: extracts the exploit opportunities from the corresponding OS image
  • Risk database: stores the exploit opportunities for each specific Android customization (2 million records after scanning over 3,500 Android images)
  • Scanner app: protects users against Pileup exploit opportunities
  [Architecture of SecUP: Android source code → vulnerability detector → detected flaws; Android images → opportunity analyzer → exploit opportunities → Risk DB; the scanner app queries the Risk DB and produces a risk report]


  33. Vulnerability Detector
  • Input: Android source code (a new or customized PMS, i.e. PackageManagerService)
  • Output: detected flaws
  [Pipeline: reference PMS and new PMS → diff computation → code generation → full verification with VeriFast → flaw detected]

  34. Formal Verification
  • Assertions
  • Two principles:
    • A non-system app should not gain any more privileges during the update
    • A non-system app should not compromise the integrity or availability of the new Android
  • Two stages:
    • Set new attributes (e.g. the UID of a new system app)
    • Register new properties (e.g. permissions defined by new system apps)
  Example assertion from the slide (the package that defines a permission being registered must be a system package):
    BasePermission bp = mSettings.mPermissions.get(PermissionName);
    assert ((bp.pkgFlags & SYSTEM) != 0);
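As an added illustration (not the authors' code and not AOSP source), the Python model below replays the four attacks of slides 14 to 19 against a toy Package Manager and then applies the two principles of slide 34 as checks over the pre- and post-update state. The class and function names, the com.attacker.* and com.example.* package, permission and shared UID names, and the "strict" hardened policy are all assumptions made for this example; only com.google.googlevoice.RECEIVE_SMS (slide 15) and com.google.android.browser (slide 19) come from the slides, and the hardened policy is one a fixed PMS could follow, not a description of Google's patch.

```python
"""Toy model of the PackageManagerService update logic, added to this page to
illustrate Pileup flaws 1-4 (slides 14-19) and the update invariants of slide 34.
Not AOSP code: the classes, functions, package and permission names are invented."""
import copy
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class App:
    pkg: str
    system: bool = False
    uses: set = field(default_factory=set)       # permissions the app requests
    defines: set = field(default_factory=set)    # permissions the app declares
    shared_uid: Optional[str] = None
    data: dict = field(default_factory=dict)     # files under /data/data/<pkg>

class Pms:
    """strict=False: the conservative 'existing wins' policy behind Pileup;
    strict=True: the new OS's system apps win and grants are re-checked."""
    def __init__(self, system_apps, strict=False):
        self.strict = strict
        self.apps, self.perm_owner, self.uid_owner = {}, {}, {}
        self.granted, self.consented = {}, {}
        for a in system_apps:
            self.install(a)

    def _system_wins(self, app, owner):
        return owner is None or (self.strict and app.system and not owner.system)

    def install(self, app):
        old = self.apps.get(app.pkg)
        if old is not None and not old.system and app.system and not self.strict:
            app.data = {**old.data, **app.data}   # Pileup 4: evicted app's files survive
        self.apps[app.pkg] = app
        for name in app.defines:                  # Pileup 2: first definer keeps the name
            if self._system_wins(app, self.apps.get(self.perm_owner.get(name))):
                self.perm_owner[name] = app.pkg
        uid = app.shared_uid                      # Pileup 3: first claimant keeps the UID
        if uid and self._system_wins(app, self.apps.get(self.uid_owner.get(uid))):
            self.uid_owner[uid] = app.pkg
        # The user is only asked about permissions the current OS already knows.
        self.consented[app.pkg] = app.uses & set(self.perm_owner)
        self._grant(app)

    def _grant(self, app):
        known = app.uses & set(self.perm_owner)
        if self.strict and not app.system:
            known &= self.consented[app.pkg]      # never grant what the user never saw
        self.granted[app.pkg] = known

    def upgrade(self, new_system_apps):
        for a in new_system_apps:
            self.install(a)
        for a in self.apps.values():              # Pileup 1: re-grant with new knowledge
            self._grant(a)

def check_update_invariants(before, after):
    """Slide 34's two principles as checks over pre-/post-update state."""
    bad, sys_apps = [], [a for a in after.apps.values() if a.system]
    sys_defs = set().union(*(a.defines for a in sys_apps))
    sys_uids = {a.shared_uid for a in sys_apps if a.shared_uid}
    for pkg, app in after.apps.items():
        old = before.apps.get(pkg)
        if app.system:   # 2: a new system app must not inherit a removed app's files
            if old is not None and not old.system and set(old.data) & set(app.data):
                bad.append(f"{pkg} inherited data from a removed third-party app")
            continue
        gained = after.granted[pkg] - before.granted.get(pkg, set())
        if gained:       # 1: a non-system app gains no privilege during the update
            bad.append(f"{pkg} harvested {sorted(gained)}")
        taken = {n for n in app.defines if after.perm_owner[n] == pkg} & sys_defs
        if taken:
            bad.append(f"{pkg} preempted {sorted(taken)}")
        if app.shared_uid in sys_uids and after.uid_owner[app.shared_uid] == pkg:
            bad.append(f"{pkg} holds shared UID {app.shared_uid} claimed by a system app")
    return bad

def run_scenario(strict):
    """Constructed sample: malware on the current OS claims resources that only
    exist in the future OS (slide 15's permission, slide 19's package name)."""
    pms = Pms([App("com.android.phone", system=True,
                   defines={"android.permission.CALL_PHONE"})], strict=strict)
    pms.install(App("com.attacker.pileup",
                    uses={"com.google.googlevoice.RECEIVE_SMS"},
                    defines={"com.example.future.SIGNATURE_PERM"},   # hypothetical
                    shared_uid="com.example.future.shared"))         # hypothetical
    pms.install(App("com.google.android.browser", data={"cookies": "attacker-controlled"}))
    before = copy.deepcopy(pms)
    pms.upgrade([App("com.google.android.googlevoice", system=True,
                     defines={"com.google.googlevoice.RECEIVE_SMS"}),
                 App("com.example.future.sys", system=True,
                     defines={"com.example.future.SIGNATURE_PERM"},
                     shared_uid="com.example.future.shared"),
                 App("com.google.android.browser", system=True, data={"settings": "default"})])
    return check_update_invariants(before, pms)

if __name__ == "__main__":
    print("conservative PMS:", run_scenario(strict=False))
    print("hardened PMS:", run_scenario(strict=True))
```

Run stand-alone, the conservative policy reports four violations (one per flaw) and the hardened policy none. Two design points carry the fix: install-time consent is recorded so that an upgrade can never silently widen a third-party app's grants, and ownership of a name (permission or shared UID) is re-decided in favour of the system app the new image ships instead of "first claimant wins". The real PMS tracks far more state (signatures, protection levels, permission trees), so this is an oracle for the two principles, not a drop-in patch.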


  36. Patch Progress
  • Oct. 14, 2013: Pileup reported to Google
  • Jan. 08, 2014: Google told us they had released a patch for permission preempting to vendors
    • Not sure when vendors will release the patch to users
    • Google created tracking numbers for all the other Pileup flaws

  37. Frequent Updates
  • From Android 1.0 to 4.4, all 19 major Android versions were released on average every 3.8 months
  “Hey users, the new Android system is better. Please upgrade.”

  38. An Interesting Paradox
  • The Android update is the fundamental mechanism for fixing security bugs
  • With Pileup, encouraging users to update is encouraging them to be attacked

  39. Scanner App
  • Secure Update Scanner
    • Installed on Android devices
    • Used before each OS update
    • Scans for malware exploiting Pileup
    • Powered by the database with 2 million records
    • Accurately detects malware targeting each specific Android update
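The core check a scanner like the one on slide 39 has to perform, as an added Python example that is not the authors' Secure Update Scanner: parse the manifests of the installed third-party apps and compare their claims against the resources the pending update adds, i.e. one record of the slide 29 risk database. The risk record and the two manifests are constructed for the example; RISK_RECORD, parse_manifest and scan are invented names, and the com.example.vendor.* resources are hypothetical.

```python
"""Core check of a 'secure update scanner' (slide 39), added for this page and
not the authors' app: compare what installed third-party apps claim against
the resources the target update adds. All names and data below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# One risk-database record (slide 29) for a hypothetical device/update pair.
RISK_RECORD = {
    "new_permissions": {"com.google.googlevoice.RECEIVE_SMS",
                        "com.example.vendor.READ_HEALTH"},
    "new_packages": {"com.google.android.browser", "com.example.vendor.health"},
    "new_shared_uids": {"com.example.vendor.shared"},
}

# Constructed manifests of two installed third-party apps: a benign one and one
# that stakes out every kind of future resource at once.
MANIFESTS = [
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.notes">
      <uses-permission android:name="android.permission.INTERNET"/>
    </manifest>""",
    """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.google.android.browser"
        android:sharedUserId="com.example.vendor.shared">
      <uses-permission android:name="com.google.googlevoice.RECEIVE_SMS"/>
      <permission android:name="com.example.vendor.READ_HEALTH"
                  android:protectionLevel="normal"/>
      <permission-tree android:name="com.example.vendor"/>
    </manifest>""",
]


def parse_manifest(xml_text):
    """Extract the Pileup-relevant declarations from an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)

    def attr(el, name):
        return el.get(ANDROID_NS + name)

    return {
        "package": root.get("package"),
        "shared_uid": attr(root, "sharedUserId"),
        "uses": {attr(e, "name") for e in root.iter("uses-permission")},
        "defines": {attr(e, "name") for e in root.iter("permission")},
        "trees": {attr(e, "name") for e in root.iter("permission-tree")},
    }


def scan(manifests, record):
    """Return (package, Pileup flaw, resource) for every claim on a resource
    that the pending update is about to introduce."""
    findings = []
    for m in map(parse_manifest, manifests):
        pkg = m["package"]
        for p in sorted(m["uses"] & record["new_permissions"]):
            findings.append((pkg, "permission harvesting", p))
        for p in sorted(m["defines"] & record["new_permissions"]):
            findings.append((pkg, "permission preempting", p))
        for tree in sorted(m["trees"]):   # a tree's owner owns every name under it
            covered = sorted(p for p in record["new_permissions"]
                             if p.startswith(tree + "."))
            if covered:
                findings.append((pkg, "permission-tree denial of service", ", ".join(covered)))
        if m["shared_uid"] in record["new_shared_uids"]:
            findings.append((pkg, "shared UID grabbing", m["shared_uid"]))
        if pkg in record["new_packages"]:
            findings.append((pkg, "data contamination", pkg))
    return findings


if __name__ == "__main__":
    for pkg, flaw, resource in scan(MANIFESTS, RISK_RECORD):
        print(f"{pkg}: {flaw} via {resource}")
```

On a device the manifests would come from the package manager (PackageManager.getInstalledPackages with GET_PERMISSIONS exposes the requested and defined permissions and the shared user ID) and the record from the risk database for this exact model, carrier and target version: the slides stress that opportunities differ per customization, so a record for the wrong customization produces both false positives and misses.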

  40. Secure Update Scanner • Free on Google Play, Amazon AppStore, etc.

  41. App Popularity
  • Number of downloads: 70,687 as of May 16
  • High rating: 4.2 out of 5 by 647 users on Google Play

  42. App Popularity
  • User origins: 163 countries and districts
  • United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde

  43. Discussion
  • Services other than PMS that take part in the Android update
    • UserManagerService, BackupManagerService, ServiceManager, etc.
  • Other OSes may also be subject to Pileup
    • Windows, iOS
    • Can a normal user become admin after a Windows Update?

  44. Conclusion
  • First systematic study of Android update security
    • a new threat to the Android update
    • its root cause
    • exploit opportunities in over 3,500 Android customizations
  • A scanner app to protect users before an Android update
  • Next time you click to upgrade your Android, be aware that there is a risk

  45. Media Coverage
  • Tens of news agencies across the world
    • English
    • European (German, French, Italian, Portuguese, etc.)
    • Chinese

  46. SecureAndroidUpdate.org

  47. Thanks!Q&A
