Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating. Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)

  • Published on
    28-Dec-2015

Transcript

Slide 1 (title)
Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)
(1) Indiana University Bloomington, (2) Microsoft Research
35th IEEE Symposium on Security and Privacy (Oakland'14)
2014/05/12 Seminar @ ADLab, CSIE, NCU

Slide 2: Outline
  • Introduction
  • Pileup Exploits
  • Finding Pileups
  • Measurement and Evaluation
  • Conclusions

Slide 3 (Introduction): Mobile OS updating on Android
  • More complex: sandboxed apps, lots of sensitive user data, and the update is applied to a live system
  • More often
  • More files: 15,525 files changed from 4.0.4 to 4.1.2
  • Fewer steps for the user: press one button

Slide 4 (Introduction): How Android updates
  1. Download the upgrade image over the air (OTA)
  2. Reboot into recovery mode
  3. Replace some system files, such as the bootloader, the Package Manager Service (PMS), and the APKs under /system
  4. Reboot into the new OS
  5. Update the remaining components

Slide 5 (Introduction): What PMS does when upgrading the OS
  • Installs or reinstalls all system apps under /system, and then the 3rd-party apps under /data/app
  • Registers each app's permissions, shared UID, activities, intent filters, and so on
  • Decides what to do when a conflict occurs, i.e. a duplicated attribute or property: package name, shared UID, or permission
  • Builds the structure mSettings for the existing apps, which includes mPackages, mUserIds, mSharedUsers, mPermissions, etc.
  • Checks mSettings when installing a new system package; if there is a conflict, the outcome is decided case by case

Slide 6 (Introduction): What is wrong with PMS?
  • Conservative strategy: avoid improperly replacing existing properties, and keep the old user data
  • The same logic serves both system upgrading and normal app installation
  • When a conflict occurs during an upgrade, PMS may keep the wrong attributes or properties

Slide 7 (Pileup Exploits): Adversary model
  • Malicious apps have been installed on the victim's device; such malware can be uploaded to Google Play and 3rd-party markets
  • The malware appears less dangerous than some legitimate apps: it needs no dangerous permissions
  • The victim's device is going to be updated, and the update brings new security-critical privileges and capabilities

Slide 8 (Pileup Exploits): The four exploits
  • Permission Harvesting and Preempting
  • Shared UID Grabbing
  • Data Contamination
  • Denial of Services

Slide 9 (Pileup Exploits): Permission Harvesting and Preempting
  • Permission protection levels: normal, dangerous, signature, signatureOrSystem, system, development
  • PMS problematically handles the permissions inherited from the old system

Slide 10 (Pileup Exploits): Permission Harvesting, step by step
  • Before updating: the installed malware requests permissions that only exist on the new OS or its apps. The old OS cannot recognize these permissions, so they are neither reported to the user nor granted.
  • Updating to the new OS: PMS installs the system apps, which declare the new permissions; PMS then installs the 3rd-party apps, reinstalling the old malware and automatically granting it those permissions without the user's consent. This applies to permissions at or below the dangerous level.

Slide 11 (Pileup Exploits): Permission Preempting, step by step
  • Before updating: the malware declares and defines permissions with the same names as those of the new system apps; the old OS lets the malware declare them.
  • Updating to the new OS: PMS builds mSettings for the old apps. When it installs the system apps that declare the new permissions, the mPermissions check skips any permission that conflicts with an existing one, so the malware's definition wins: a signature or system permission can be lowered to normal, and its description can be changed. The old malware is then reinstalled without the user's intervention.
  • Examples: CertInstaller, Google Cloud Messaging Demo
  • Speaker notes (only fragments survive in the transcript): the malware defines, at a lower level, a permission that the new system resource protects at signature level, so apps requesting it are checked against the malware's certificate. CertInstaller (Android 2.0): the permission guarding installation of a root certificate from the SD card. Google Cloud Messaging: GCM lets Google and developers push messages to a client app, which defines its own <package>.permission.C2D_MESSAGE permission to receive them; in the demo the malware predefines Gmail's permission and receives Gmail's push messages.

Slide 12 (Pileup Exploits): Permission Harvesting and Preempting (demo)

Slide 13 (Pileup Exploits): Shared UID Grabbing
  • Shared UID (android:sharedUserId): if two apps use the same sharedUserId, the OS assigns them the same UID when they are installed
  • Applications with the same user ID can access each other's data and, if desired, run in the same process

Slide 14 (Pileup Exploits): Shared UID Grabbing, step by step
  • Before updating: the malware declares a sharedUserId equal to that of the new system app.
  • Updating to the new OS: PMS builds mSettings for the old apps. When it installs the system app, it looks up the shared UID in mSettings; if it matches, PMS loads that pkgSetting and verifies the signature, and cancels the installation when verification fails. (Notes: the system app's pkgSetting is loaded from the old app's sharedUID entry in mSettings.)
  • Installing 3rd-party apps: the old malware is reinstalled and can then download another app, signed by the 3rd party, to replace the cancelled system app.
  • Demo

Slide 15 (Pileup Exploits): Shared UID Grabbing (demo)

Slide 16 (Pileup Exploits): Data Contamination
  • Android keeps the data of both system and 3rd-party apps under /data/data/
  • Each app's directory is owned by a unique Linux UID

Slide 17 (Pileup Exploits): Data Contamination, step by step
  • Before updating: the malware uses the same package name as the new system app.
  • Updating to the new OS: PMS builds mSettings for the old apps. When it installs the system app, it checks mSettings for a pkgSetting with the same package name; if one is found, it compares the sharedUIDs. Both are empty, so no conflict is detected and PMS loads the malware's pkgSetting, including its data under /data/data/.
  • Installing 3rd-party apps: installation of the malware is cancelled because the package name now belongs to the system app, but the system app has already inherited the malware's data.
  • Demos: (1) inject scripts into caches; (2) bookmark phishing; (3) login CSRF. The Android 2.3 default browser is com.android.browser; the Android 4.0 default browser is com.google.android.browser.

Slide 18 (Pileup Exploits): Denial of Services
  • A permission can normally only be defined before an app is installed, i.e. statically in its manifest. The exception is the permission tree.
  • Permission tree: an app can define the base name (root) of a tree of permissions. Once the tree is declared, the app controls the whole namespace under that root, and at runtime it can add individual permissions within the tree.

Slide 19 (Pileup Exploits): Denial of Services, step by step
  • Before updating: the malware declares a permission tree that covers permissions of the new system app.
  • Updating to the new OS: when PMS installs the system apps that declare the new permissions, it checks mPermissionTrees; if a tree covering the name is found, registration of the permission fails.
  • Examples: permission.ADD_VOICEMAIL; google.apps.permission.GOOGLE_AUTH, covered by a tree rooted at google.apps.permission

Slide 20 (Pileup Exploits): Denial of Services, blocking Google Play Services
  • From Android 2.3 to 4.0, after all app installations complete, Google Play is downloaded and installed as a 3rd-party app
  • Malware on 2.3.6 can use the same package name as Google Play and block its installation when the device is upgraded to 4.0
  • Many apps rely on Google Play Services

Slide 21 (Finding Pileups): SecUP architecture
  • Speaker notes (fragments): (1) AOSP source code and manufacturer images; (2) analysis of the PMS code; (3) an image scan of the system apps and their permissions feeds the Risk DB; (4) the scanner app reports manufacturer, model and version to query the Risk DB; (5) the scanner compares the OS, the installed apps and their permissions against the Risk DB; (6) app and manufacturer (rest of the note not recoverable)

Slide 22 (Finding Pileups): Detecting update flaws
  • A reference PMS (AOSP 4.0.4) was annotated manually
  • Every other version of PMS is compared to the reference PMS and annotated automatically: annotations are reused when possible, new ones are created automatically, and manual adjustments are made if needed

Slide 23 (Finding Pileups): Assertions for pileup detection
Generally, two security constraints apply to PMS:
  1. A non-system app and its dynamic content should not gain any more privileges on the new OS than they have on the old Android.
  2. A non-system app should not compromise the integrity and availability of the new Android (e.g. by changing settings and data).

Slide 24 (Finding Pileups): If Assertion (1) is FALSE and Assertion (2) is TRUE
  • Assertion (1) == FALSE: the pkgSetting originally comes from a non-system app
  • Assertion (2) == TRUE: an attribute of pkg is assigned the original value of that pkgSetting right after init
  • Therefore a non-system old app is affecting the new system app

Slide 25 (Finding Pileups): If Assertion (3) is FALSE
  1. ((bp.pkgFlags & 1) != 0) == FALSE: the old app is a non-system app
  2. (bp.sourcePkg.equals(pkg.pkgName)) == FALSE: the old app's package name is not equal to the new system app's package name
  • That is: the new permission name already exists on the old OS, it comes from a non-system old app, and the package names differ

Slide 26 (Finding Pileups): Finding exploit opportunities
  • Different Android versions, manufacturers, device models, and carriers (wireless service providers) are affected under different exploit opportunities
  • Image scan: compare the system attributes and properties of two consecutive versions from the same manufacturer, device model, region, and carrier, and find the newly added permissions and other attributes and properties
  • 38 Google Nexus images and 3,511 Samsung images
  • Speaker notes (fragments): mount the image's system.img, take the APKs under /system/, decode each with apktool, and extract the permissions, shared UIDs, package names, and other attributes and properties

Slide 27 (Finding Pileups): Pileup Scanner (on Google Play)
  • The app only asks for the INTERNET permission
  1. Gather device information from android.os.Build
  2. Query the database for the exploit opportunities
  3. Call getInstalledPackages to get the names of the installed packages, and getPackageInfo to retrieve each package's information

Slide 28 (Measurement and Evaluation): Android image collection
  • 38 images for Google Nexus devices (Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S), from 2.3.6 to 4.3
  • 3,511 images for Samsung devices: 217 device models, 267 carriers, from 2.3 to 4.3
  • Source code of AOSP versions and of customized versions: 1,522 from Samsung, 377 from LG, 1,593 from HTC

Slide 29 (Measurement and Evaluation): Limitations
  • Permission harvesting: the registration of a non-system app's property is not covered by the assertions
  • Google Play Services DoS: on Android 4.0.4 Google Play is installed under /data/app, i.e. as a 3rd-party app

Slide 30 (Measurement and Evaluation): Measurement of opportunities
  • From the 38 Google and 3,511 Samsung images: 741 update instances

Slide 31 (Measurement and Evaluation): New permissions
  • Sensitive permissions: protection level dangerous or higher
  • Restrictive permissions: protection level above dangerous
  • Speaker notes: 50%; 38 new sensitive permissions; 31 new restrictive permissions

Slide 32 (Measurement and Evaluation): At least one new shared UID was added in 50% of the update instances

Slide 33 (Measurement and Evaluation): Impact of customizations
  • Although Google and AOSP made their biggest system overhaul from 2.3.x to 4.0.x and show a trend of less aggressive updating afterwards, Samsung continues to bring in more new material

Slide 34 (Measurement and Evaluation): Carrier examples
  • 4.0 to 4.1: DCM (Docomo), TMB (T-Mobile)
  • 4.1 to 4.2: DBT (Deutsche Bundespost Telekom), INU, SER

Slide 35 (Measurement and Evaluation): Evaluating the scanner
  • Effectiveness: install the top 100 free apps from Google Play, the system apps that can be updated through Google Play, and a set of attack apps; then update the Android version one step at a time up to 4.3. All malicious apps were detected, with no false positives.
  • Performance: local time is the time spent checking the apps on the device; total scan time = query time + local time

Slide 36: Conclusion
  • The Android update, in trying to ensure a smooth process without endangering user assets, has become error-prone
  • This paper reported the first systematic study of the problem
  • It revealed the Pileup vulnerabilities
  • A large-scale measurement confirmed the presence of such flaws in all Android versions
  • To mitigate the threat, the paper proposed SecUP to detect Pileup vulnerabilities
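The permission harvesting, preempting and permission-tree flows of slides 10, 11 and 19, together with the non-system-source check of slide 25, as an added example that is not the authors' code and not AOSP code: a small Python model of the PMS bookkeeping (the real PackageManagerService is Java; Python is used here so the scenario runs offline). Package names, signers and permission names are invented; FLAG_SYSTEM stands in for the (bp.pkgFlags & 1) test; the "hardened" branch applies the security constraint of slide 23 (a non-system app must neither gain privileges on the new OS nor affect a system app) and is an illustration, not Google's actual fix. With hardened=False the run reproduces all three Pileups; with hardened=True the system app reclaims the squatted permission name and tree, and the dangerous permission the user was never shown is withheld.

```python
# Toy model of how PackageManagerService (PMS) merges permission state across an
# OS upgrade (added example, not AOSP code; see the lead-in for what is assumed).
from dataclasses import dataclass, field

FLAG_SYSTEM = 1  # mirrors the (bp.pkgFlags & 1) test on slide 25


@dataclass
class Pkg:
    name: str
    signer: str                                   # certificate owner (assumed)
    flags: int = 0
    defines: dict = field(default_factory=dict)   # <permission> name -> protectionLevel
    requests: list = field(default_factory=list)  # <uses-permission> names
    trees: list = field(default_factory=list)     # <permission-tree> roots


@dataclass
class BasePermission:                             # one entry of mSettings.mPermissions
    source_pkg: str
    pkg_flags: int
    level: str
    signer: str


class PMS:
    def __init__(self, hardened=False):
        self.hardened = hardened   # False = behaviour described on slides 10, 11 and 19
        self.m_permissions = {}    # survives the upgrade, like mSettings.mPermissions
        self.m_perm_trees = {}     # mPermissionTrees: root -> (owner package, owner flags)
        self.granted = {}          # package -> permissions it holds
        self.prompted = {}         # package -> dangerous permissions the user was shown
        self.log = []

    def _reclaimable(self, owner, owner_flags, pkg):
        # Hardened rule: a system package overrides state left behind by a non-system one.
        return bool(self.hardened and pkg.flags & FLAG_SYSTEM
                    and not owner_flags & FLAG_SYSTEM and owner != pkg.name)

    def _register(self, pkg, name, level):
        for root, (owner, owner_flags) in self.m_perm_trees.items():
            if name.startswith(root + ".") and owner != pkg.name:
                if self._reclaimable(owner, owner_flags, pkg):
                    break
                self.log.append(f"{pkg.name}: {name} lies in {owner}'s tree, not registered")
                return False                      # denial of service (slide 19)
        bp = self.m_permissions.get(name)
        if bp is not None and bp.source_pkg != pkg.name:
            if not self._reclaimable(bp.source_pkg, bp.pkg_flags, pkg):
                self.log.append(f"{pkg.name}: {name} already defined by {bp.source_pkg}, kept")
                return False                      # preempting (slide 11): old definition wins
        self.m_permissions[name] = BasePermission(pkg.name, pkg.flags, level, pkg.signer)
        return True

    def _grant(self, pkg, first_install):
        held = set()
        for name in pkg.requests:
            bp = self.m_permissions.get(name)
            if bp is None:                        # unknown on this OS: silently ignored
                continue
            if bp.level == "dangerous":
                seen = self.prompted.setdefault(pkg.name, set())
                if first_install:
                    seen.add(name)                # the only time a consent screen appears
                elif self.hardened and name not in seen:
                    continue                      # harvesting (slide 10) blocked: needs consent
            elif bp.level != "normal" and bp.signer != pkg.signer and not (
                    bp.level == "signatureOrSystem" and pkg.flags & FLAG_SYSTEM):
                continue                          # signature-level: certificate must match
            held.add(name)
        self.granted[pkg.name] = held

    def install(self, pkg, first_install=True):
        for root in pkg.trees:
            if root not in self.m_perm_trees or self._reclaimable(*self.m_perm_trees[root], pkg):
                self.m_perm_trees[root] = (pkg.name, pkg.flags)
        for name, level in pkg.defines.items():
            self._register(pkg, name, level)
        self._grant(pkg, first_install)


def run(hardened):
    pms = PMS(hardened)
    malware = Pkg("com.attacker.app", "attacker",            # installed on the old OS,
                  defines={"com.example.vault.permission.OPEN": "normal"},  # which knows
                  requests=["com.example.vault.permission.OPEN",             # none of these
                            "com.example.newsys.permission.READ_LOGS"],
                  trees=["com.example.voicemail.permission"])
    pms.install(malware)
    for p in [Pkg("com.example.vault", "platform", FLAG_SYSTEM,    # new image: /system apps
                  defines={"com.example.vault.permission.OPEN": "signature"}),
              Pkg("com.example.newsys", "platform", FLAG_SYSTEM,
                  defines={"com.example.newsys.permission.READ_LOGS": "dangerous"}),
              Pkg("com.example.voicemail", "platform", FLAG_SYSTEM,
                  defines={"com.example.voicemail.permission.ADD_VOICEMAIL": "dangerous"})]:
        pms.install(p)
    pms.install(malware, first_install=False)      # then /data/app apps are reinstalled
    return {"open_level": pms.m_permissions["com.example.vault.permission.OPEN"].level,
            "held": pms.granted["com.attacker.app"],
            "prompted": pms.prompted.get("com.attacker.app", set()),
            "voicemail_defined": "com.example.voicemail.permission.ADD_VOICEMAIL" in pms.m_permissions,
            "log": pms.log}
```

run(False) leaves com.example.vault.permission.OPEN at the malware's "normal" level with the malware holding it plus the new dangerous READ_LOGS that no consent screen ever showed, and the voicemail app's permission is never registered; run(True) restores "signature", registers the voicemail permission, and grants the malware nothing. The log entries state which rule fired at each step.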
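The image scan of slide 26 and the Pileup Scanner of slide 27, as an added example that is not SecUP's code: the scan reads the AndroidManifest.xml that apktool decodes from each APK under /system of two consecutive images, the difference of their attributes is the Risk DB entry for that update instance, and the scanner matches the device's non-system apps against it. The scanner's real input is the PackageInfo returned by getInstalledPackages/getPackageInfo; it is modelled here as a dict. Both images and the installed-app list are constructed sample data; every package and permission name in them is invented except the two browser package names from slide 17, and the android.uid.* shared UID values are used only as sample strings.

```python
# Offline model of SecUP's image scan (slide 26) and Pileup Scanner (slide 27).
# Added example, not the authors' code; inputs are constructed, see the lead-in.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Qualified name of an android: attribute as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{attr}"


def manifest_attrs(xml_text):
    """Package name, sharedUserId and defined permissions from one decoded manifest."""
    root = ET.fromstring(xml_text)
    return {"package": root.get("package"),
            "shared_uid": root.get(android("sharedUserId")),
            "permissions": {p.get(android("name")) for p in root.iter("permission")}}


def image_attrs(manifests):
    """Image scan: the union of attributes over every APK under /system of one image."""
    img = {"packages": set(), "shared_uids": set(), "permissions": set()}
    for text in manifests:
        m = manifest_attrs(text)
        img["packages"].add(m["package"])
        if m["shared_uid"]:
            img["shared_uids"].add(m["shared_uid"])
        img["permissions"] |= m["permissions"]
    return img


def exploit_opportunities(old_img, new_img):
    """Risk DB entry for one update instance: what the newer image adds."""
    return {k: new_img[k] - old_img[k] for k in old_img}


def scan_device(installed, opp):
    """Scanner logic: match the device's non-system apps against the Risk DB entry."""
    findings = []
    for app in installed:
        pkg = app["package"]
        if pkg in opp["packages"]:
            findings.append((pkg, "data contamination", pkg))
        if app.get("shared_uid") in opp["shared_uids"]:
            findings.append((pkg, "shared UID grabbing", app["shared_uid"]))
        for perm in app.get("defines", ()):
            if perm in opp["permissions"]:
                findings.append((pkg, "permission preempting", perm))
        for perm in app.get("requests", ()):
            if perm in opp["permissions"]:
                findings.append((pkg, "permission harvesting", perm))
        for root in app.get("trees", ()):
            for perm in sorted(opp["permissions"]):
                if perm.startswith(root + "."):
                    findings.append((pkg, "denial of service", perm))
    return findings


def manifest(package, shared_uid=None, permissions=()):
    """Build a minimal apktool-style AndroidManifest.xml (constructed sample data)."""
    shared = f' android:sharedUserId="{shared_uid}"' if shared_uid else ""
    perms = "".join(f'<permission android:name="{p}" android:protectionLevel="signature"/>'
                    for p in permissions)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}"{shared}>'
            f'{perms}<application/></manifest>')


# Two consecutive images of one device model (constructed; the two browser package
# names are the ones slide 17 gives for Android 2.3 and 4.0).
OLD_IMAGE = [manifest("com.android.browser"), manifest("com.android.settings", "android.uid.system")]
NEW_IMAGE = [manifest("com.google.android.browser"),
             manifest("com.android.settings", "android.uid.system"),
             manifest("com.example.nfc", "android.uid.nfc"),
             manifest("com.example.voicemail",
                      permissions=["com.example.voicemail.permission.ADD_VOICEMAIL"])]

# What getInstalledPackages()/getPackageInfo() would report for the non-system apps
# on the device before the update (constructed).
INSTALLED = [
    {"package": "com.example.weather", "requests": ["android.permission.INTERNET"]},
    {"package": "com.google.android.browser", "shared_uid": "android.uid.nfc",
     "defines": ["com.example.voicemail.permission.ADD_VOICEMAIL"],
     "requests": ["com.example.voicemail.permission.ADD_VOICEMAIL"],
     "trees": ["com.example.voicemail.permission"]},
]


def run():
    opp = exploit_opportunities(image_attrs(OLD_IMAGE), image_attrs(NEW_IMAGE))
    return opp, scan_device(INSTALLED, opp)
```

run() returns the Risk DB entry (three new package names, one new shared UID, one new permission) and five findings, all against the second installed app, one per Pileup type; the benign weather app matches nothing. In the real system the Risk DB is keyed by the manufacturer, model, carrier and version read from android.os.Build, so the scanner downloads only the entry for the update the device is about to receive.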