Android Exploits

Table of Contents

1 Overview

  1. This page and related articles give brief technical descriptions of a few past exploits that happened on Android. Discovered in the past 2 years. Or, classics. Not exhaustive.
  2. Preventing/ Mitgating/ Detecting exploits is an expectation of all OS, and system software.

1.1 Objectives

  1. Objective: Provide technical descriptions accessible to students of Android Security.
  2. Objective: Become familiar with CVE, and the description structure of a CVE.
  3. Objective: Have a decent technical understanding of vulnerabilities and their exploits.
  4. Objective: Be able to apply a patch and rebuild and deploy the new ROM. A patch to mitigate/ fix the vulnerability is provided by experts.
  5. Objective: Be able to understand Why Do Bugs Happen?!

2 Bugs, Vulnerabilities, Exploits

  1. Bug -> Vulnerability -> Exploit -> Attack
  2. There is no consensus on the definition of what "exploits" are, and what we mean by "prevention", even though the expectations are understood.
  3. A few specific classes of security exploits are described below.
  4. Underneath all these exploits is the technique known as privilege escalation.

2.1 What is a Bug?

  1. A crash is a bug. Officially, a Denial-of-Service.
  2. A hang is a bug. Officially, a DoS.
  3. What else is a bug? In a course on Software Engineering, we define a bug as a deviation from the spec. A bug in the code of the kernel, framework, and apps.
  4. But, Linux and Android on top, do not have a spec, informal or formal [based on math + logic + grammar]. What we do have are expectations. Functional, performance and other expectations. A deviation from these is a bug.

2.2 What is a Vulnerability?

  1. A vulnerability is a description of the possibility to bring about an action that was unintended.
  2. Often based on supplying unexpected inputs. Fuzzing?
  3. Not all bugs are [security] vulnerabilities. E.g., an arithmetic bug. An array bounds bug is almost always a vulnerability.
  4. Arbitrary code execution
  5. TBD Exploits are crafted to escalate a software bug and enable . Loopholes or Logic Bugs Memory Corruption Information Disclosure

2.3 What is an Exploit?

  1. An exploit is a demo of bringing about an action that was unintended.

2.4 What is an Attack?

  1. An attack is a "packaged" and delivered demo of bringing about an action that was unintended.

2.5 Can we define Malware?

  1. Can we write a program that detects "malware"?
  2. We can "after the fact": After we declare, by consensus, a specific malware.

2.6 Linux Exploits v Android Exploits

  1. Over the years there have been many bugs. In the 1000s.
  2. Can Linux exploits become Android exploits?
  3. Are there Android exploits that are not Linux exploits?

2.7 Current Bug-Status of OS Kernels

  1. All OS kernels, Linux, MacOS, Windows, are buggy. OS kernels have not yet reached a state of being bug free. A security issue in a bug makes it vulnerable. An exploit presents an actual use of this vulnerability in demonstrating the security issue.
  2. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html Linux Kernel Vulnerability Statistics 1999 - 2018. Recommended Visit.
  3. See Coverity articles for Linux kernel bugs. https://scan.coverity.com/projects/linux

2.8 Current Bug Status of Android

  1. https://source.android.com/security/overview/reports Sketches the architectural details of Detection, Mitigation, Prevention, and Repair.
  2. Android Security Yearly reports by Google: 2017, 2016, 2015, 2014
  3. https://source.android.com/security/bulletin "Monthly device updates are an important tool to keep Android users safe and protect their devices. This page contains the available Android Security Bulletins, …"
  4. An example bulletin: https://source.android.com/security/bulletin/2019-03-01.html

2.9 Why do Bugs/ …/ Exploits Happen?!

  1. Sloppiness in programming. Including poor mastery over the semantics of PLs. E.g., "memory safety".
  2. Design Weaknesses in network protocols, CPU design, …

3 Detection, Prevention, Mitigation, Repair

  1. Systems are [now] expected to include attack Detection, Mitigation, Prevention, Repair. This is beyond "proper" functionality and performance.
  2. What are the priorities among Detection, Mitigation, Prevention, Repair?
  3. Status report: Failed.
  4. Example: Bug Prevention: Secure Programming education and practice.
  5. Example: Code injection: Prevent via ASLR. ROP. Flow analysis
  6. Consequence: Loss of assets. Sensationalism.
  7. ../Detection
  8. ../Prevention
  9. ../Mitigation
  10. ../Repair

4 CVE - Common Vulnerabilities and Exposures

  1. Objective: Be aware of past exploits. Collect technical descriptions.
  2. https://cve.mitre.org/ Primary data base. All OS, all CPUs.
  3. Android specific CVEs
  4. https://www.owasp.org/ Open Web Application Security Project (OWASP)

4.1 OWASP Top 10 Mobile Risks

  1. Insecure Data Storage
  2. Weak Server Side Controls
  3. Insufficient Transport Layer Protection
  4. Client Side Injection
  5. Poor Authorization and Authentication
  6. Improper Session Handling
  7. Security Decisions Via Untrusted Inputs
  8. Side Channel Data Leakage
  9. Broken Cryptography
  10. Sensitive Information Disclosure

4.2 OWASP Top 10 2017 Security Risks

  1. Injection. …
  2. Broken Authentication. …
  3. Sensitive Data Exposure. …
  4. XML External Entities (XEE) …
  5. Broken Access Control. …
  6. Cross-Site Scripting. …
  7. Insecure Deserialization. …
  8. Using Components With Known Vulnerabilities.
  9. https://www.cloudflare.com/learning/security/threats/owasp-top-10/ What Is OWASP? What Are The OWASP Top 10?

5 Exploit Categories

Android has had the exploits categorized below. Some of the exploits are Android specific, while many others are inherited from TCP/IP layer, and Linux OS layer.

[WIP Note to myslef: merge with ./Malware ]

5.1 Code Injection

  1. Evading ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). ASLR is a memory exploitation mitigation technique used in modern OS.
    1. BufferOverflow, aka StackSmashing, is a bug exploitation. The bug is an out-of-bounds array index. The exploit inserts code on the run-time stack, and changes the stack-top stored return address to point to this code. Typical exploit results in spawning a root owned shell. Hundreds of such attacks happened in the 1970 – 2010.
    2. Heap overflow, pritf-format are similar.
    3. ASLR was designed to mitigate these.
  2. ROP "Return Oriented Programming" gadget harvesting leading to aribrary code execution. ROP strings together pieces of existing code from libraries and running processes, ending with a return machine instruction (gadgets).
  3. https://www.google.com/search?&q=ROP++gadget+harvesting
  4. Lecture Notes on ./Injection

5.2 TCP/IP Exploits

  1. ./TCP Explores weaknesses and bugs in TCP/IP. All such exploits are valid across all OS, including Android, Linux, MacOS, and Windows
  2. ./ARP cache poisoning
  3. ./DNS cache poisoning

5.3 WPA Wireless Protected Access

  1. WPA (not 2) has been cracked since 199x TBD.
  2. WPA2 has been cracked in 2017 due to a flaw in the protocol (https://papers.mathyvanhoef.com/ccs2017.pdf). This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It's called KRACK, for Key Reinstallation Attack.Oct 16, 2017
  3. KRACK is short for "Key Reinstallation AttaCK." https://www.krackattacks.com/ Scripts are available on github, and contain detailed instructions on how to use them.
  4. "KRACK kills your wi-fi privacy. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites."
  5. "This attack exploits a vulnerability in Wireless Protected Access (WPA), both WPA and WPA2 encryption implementations that allow the attacker to decrypt all Wi-Fi traffic into plaintext. Additionally, some implementation methods can allow an attacker to perform Man in the Middle or Packet Injection attacks that can give access and control to the attacker." https://www.swordshield.com/blog/krack-exploit-explained/ 2017
  6. Hack WPA & WPA2 Wi-Fi Passwords with a Pixie-Dust Attack 2018

5.4 Pocket Spy

  1. ./KeyLogger
  2. ./PocketSpy
  3. Proactive Forensics ROM

5.5 LibC

  1. LibC stands for the standrd library of C. Linux distributions use glibc. Versions of Android use smaller-sized pruned versions of LibC such as Bionic. See also https://www.fefe.de/dietlibc/.
  2. https://www.cvedetails.com/vulnerability-list/vendor_id-72/product_id-767/GNU-Glibc.html
  3. ROP (aka LibC return).

5.6 HeartBleed SSL

  1. HeartBleed http://heartbleed.com/ The Heartbleed Bug is a serious vulnerability in the OpenSSL cryptographic software library that was in use for years until 2014.
  2. CVE-2014-0160 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the Standard for Information Security Vulnerability Names maintained by MITRE. Due to co-incident discovery a duplicate CVE, CVE-2014-0346, which was assigned to us, should not be used, since others independently went public with the CVE-2014-0160 identifier.

5.7 Specific Exploits

  1. ./SimpleLocker An example ransomware of 201x. Dissected. With explanation.
  2. ./Browser
  3. ./ClipBoard
  4. ./SMS
  5. ./ShellShock
  6. ./StageFright
  7. StackPivot SimExecFlow LoadLibrary Shellcode

6 Android "Hacking" Tools

  1. Mobile Apps (Hack On Android)
  2. AndroRat - Android Remote Administrative Tool
  3. cspoilt - A tool that enumerates local hosts, finds vulnerabilities and their exploits, cracks Wi-Fi password, installs backdoors blablabla!!!
  4. Hackode - All In One Android Pentest Tool
  5. zANTI - Network mapping, port discovery, sniffing, packet manipulation, DoS, MITM blablabla!!
  6. FaceNiff - Intercept and sniff WiFi network traffic for Social Media packets
  7. Droidsheep - Android application that analyzes security in wireless networks and also captures Twitter, Linked, Facebook, and other accounts
  8. USB Cleaver - Silently recover information from a target Windows 2000 or higher computer, including password hashes, LSA secrets, IP information
  9. Shark - Network Packate analysis tool
  10. DroidBox - Dynamic analysis of Android apps
  11. Wi-Fi Kill - Disable other Users from WiFi Access
  12. EMET https://support.microsoft.com/en-us/kb/2458544 The Enhanced Mitigation Experience Toolkit
  13. Information Tools used are public and free EMET (Microsoft) Anti Exploit (Malware Bytes) Hitman Alert (Surfright)
  14. More on ../Tools

6.1 Books on Android Exploits

  1. [Selected List; web search for links. E.g., Android Exploitation.]
  2. A survey of Android exploits in the wild - The Android operating system Exploitation Survey
  3. Popular Android Exploits - Introduction to Android Exploits.
  4. Own your Android! Yet Another Universal Root - Android root exploitation
  5. ASDC12-Smart-Bombs-Mobile-Vulnerability-and-Exploitation - Mobile Vulnerability Exploitation
  6. BlueBorne - Android Exploit - Exploiting an RCE Over the Air
  7. Evolution of Android Exploits - Evolution of Android exploits from a statistical analysis tool perspective
  8. Hacking Androids for Fun and for Profit - Android Exploitation

7 References

  1. Bhat, Parnika, and Kamlesh Dutta. "A Survey on Various Threats and Current State of Security in Android Platform." ACM Computing Surveys (CSUR) 52, no. 1 (2019): 21. {This is a high quality article. WSU Library provides PDF access.} Recommended Reading.
  2. Meng, Huasong, Vrizlynn LL Thing, Yao Cheng, Zhongmin Dai, and Li Zhang. "A survey of Android exploits in the wild." Computers & Security 76 (2018): 71-91. Recommended Reading.
  3. https://github.com/sundaysec/Android-Exploits, A collection of Android Exploits and Hacks, 2018. Recommended Reading.
  4. https://www.exploit-db.com/?platform=android Android Exploit Database. Recommended Reading.
  5. https://www.cvedetails.com/product/47/Linux-Linux-Kernel.html Linux Kernel Vulnerability Statistics 1999 - 2018. Required Visits.
  6. https://github.com/xairy/kernel-exploits "A bunch of proof-of-concept exploits for the Linux kernel" 2016 – current. Recommended Visits.
  7. Prabhaker Mateti, “Security Issues in the TCP/IP Suite”, in Security in Distributed and Networking Systems, pp. 3 — 30, Editors: Yang Xiao and Yi Pan, World Scientific Publishing Co., ISBN 978-981-270- 807-6, Aug 2007. Recommended Reading.
  8. Statement of Ethics CEG 4440: Android Internals and Security, Instructor: Dr Prabhaker Mateti. Required Reading.

8 End

Copyright © 2019 www.wright.edu/~pmateti • 2019-04-03