Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating
Luyi Xing (1), Xiaorui Pan (1), Rui Wang (2), Kan Yuan (1), and XiaoFeng Wang (1)
(1) Indiana University
(2) Microsoft Research
Contents
• Introduction
• Pileup Vulnerabilities
• Exploit Opportunities
• Systematic Analysis
• Mitigation – Scanner App
• Discussion
• Conclusion
Introduction
• Operating System (OS) update is supposed to make the system more secure, reliable and usable
  – Fix security bugs
  – Enhance security protection, add new functionalities
• Our research is to show
  – Android OS update itself has security vulnerabilities
Introduction
• Android ecosystem is fragmented
  [Chart: distribution of Android versions in use, with releases dated Feb. 2011, Dec. 2011 and Oct. 2013; data provided by Google ending on April 1st, 2014]
Introduction
• The following threat model is practical
  – Assume there is a malicious app on the device running any Android version
  – Thanks to fragmentation, the attacker has the opportunity to study every single detail of the “future” OS (higher-version OS)
  – When OS update happens, can the attacker leverage the knowledge of the newer OS?
    • e.g., to obtain more permissions, knock out new system apps, manipulate the data of new system apps, etc.
Pileup Vulnerabilities
• First systematic security analysis of mobile OS update mechanism
  – Focused on Package Manager Service (PMS) as a first step
  – Most critical component in OS update
  – It installs new system apps, new properties/attributes during OS update
• Discovered a new category of vulnerabilities in OS update installation logic
• Pileup
What is Pileup?
• Pileup (Privilege escalation through OS updating)
  – A totally new category of vulnerabilities
  – Not an attack on the current OS, nor on the “future” OS
  – Attacks on the OS updating process
In general, how do attacks work?
• A little background information:
  – Android OS update usually adds new system apps, new permissions and other attributes
[Diagram: attack flow]
1. Android device running any Android version
2. Malicious app which exploits Pileup flaws is installed, claiming a set of carefully selected privileges or attributes only available on the higher OS version
3. Android OS updates to a higher version
4. During the OS update, the malicious app obtains previously claimed privileges or attributes, e.g. obtains new permissions, replaces system apps, injects malicious data into system apps, etc.
5. Reads your messages, passwords, call logs, accesses your banking accounts…
Six Pileup Vulnerabilities
Pileup 1: Permission Harvesting
[Diagram: current OS updating to “future” OS]
Current OS: “You request a permission that I never heard of”
“Future” OS: “Now I have the permission and will grant it to you”
Attack Demo I
• Eavesdrop on Google Voice messages
  – Step I
    • A malicious app installed on Android 2.3 requests a permission "com.google.googlevoice.RECEIVE_SMS"
    • The permission is to be added on Android 4.0 for receiving Google Voice SMS
    • Before OS update, Android did not recognize the permission
    • Therefore it did not ask the user whether to grant the permission to the malicious app
  – Step II
    • The device is upgraded from 2.3 to 4.0
    • The OS recognized the permission
    • The app got the permission automatically
    • Now able to read SMS messages of Google Voice
Pileup 2: Permission Preempting
[Diagram: current OS updating to “future” OS]
Current OS: “You define a permission that I never heard of”
“Future” OS: “I also want to define that permission, but you did first”
Pileup 3: Shared UID Grabbing
[Diagram: current OS updating to “future” OS]
Current OS: “You claim a Shared UID that I never heard of”
“Future” OS: “I also want to claim that Shared UID, but you did first”
Pileup 4: Data Contamination
[Diagram: current OS updating to “future” OS]
Current OS: “You take a package name that I never heard of”
“Future” OS: “I also want to take that package name, so I kick you out. But I will use the data you left.”
Attack Demo II
• Hijacking mobile browser
  – Step I
    • A malicious app installed on Android 2.3 takes the same package name as the future browser: com.google.android.browser
    • The app placed malicious data in its own directory
  – Step II
    • The device is upgraded from Android 2.3 to 4.0
    • The OS update logic kicked out the malicious app
    • But kept its data and merged it into the new browser app
    • Cache, cookies, settings of the browser are all contaminated
    • All webpages were hijacked
Six Pileup Vulnerabilities
5. Denial of Service 1 – Exploiting permission tree
  – Disable permissions
6. Denial of Service 2 – Blocking Google Play Services
  – Cause malfunction of other apps
Root Cause
• Conservative strategy
[Diagram: current OS updating to “future” OS; existing apps, properties and attributes are kept as they are, and only the new ones added by the OS update are installed on top]
Impact
• Pileup flaws are pervasive
  – All Android versions are vulnerable
    • since the first Android
    • all AOSP (Android Open Source Project) versions
    • all 3,522 customized versions by different manufacturers and carriers across the world
      – 1552 from Samsung
      – 377 from LG
      – 1593 from HTC
  – Affecting 1 Billion Android users worldwide
Malware Distribution
• Malware: easy to spread
• App stores: all accepted our malware
Exploit Opportunities
• New resources added in Android update (permissions, packages, shared UIDs)
  – Affected by Android versions, device models, different manufacturers and carriers
• Pileup attacks must target the new resources of each specific Android update
  – Android version
  – Device model
  – Manufacturers
  – Carriers
Exploit Opportunities
• Data sources
  – All AOSP up to Android 4.4
  – Google Nexus family: Nexus 7, Nexus 10, Nexus Q, Galaxy Nexus, Nexus S, etc.
  – 3,511 customized Android versions of Samsung: 217 models, 267 carriers
Measurement of Exploit Opportunities
• A lot of exploit opportunities
• Among the thousands of customized Android versions, 50% of Android updates added at least
  – 38 sensitive permissions (dangerous/system/signature level permissions)
  – 23 new packages (new system apps)
  – 1 new shared UID
Measurement of Exploit Opportunities
• Impacts of carriers
  – different carriers mean different exploit opportunities

Database of Exploit Opportunities
• For every specific customization, all the exploit opportunities are documented in a database, generating 2 million records
Systematic Analysis - SecUp
• Vulnerability detector: detect Pileup flaws in any customized source code
• Exploit Opportunity analyzer: extract exploit opportunities in corresponding OS image
• Risk Database: store exploit opportunities
• Scanner app: protect users against Pileup

Architecture of SecUP
[Diagram: Android source code feeds the vulnerability detector, which outputs detected flaws; Android images feed the opportunity analyzer, which, given a detected flaw, outputs exploit opportunities into the Risk DB; the scanner app queries the Risk DB and produces a risk report. Opportunities are stored for each specific Android customization: 2 million records after scanning over 3,500 Android images]
Vulnerability Detector
• Input: New or customized Android source code
• Output: detected flaws
• PMS (PackageManagerService)
[Diagram: reference PMS and new PMS go through diff computation, then code generation, then full verification with VeriFast, which reports the detected flaw]
Formal Verification
• Assertions
  – Two principles:
    1. A non-system app should not gain any more privileges during update
    2. A non-system app should not compromise the integrity or availability of the new Android
  – Two stages:
    1. Set new attributes (e.g. UID of new system app)
    2. Register new properties (e.g. permissions defined by new system apps)
  – Example assertion:
    BasePermission bp = mSettings.mPermissions.get(permissionName);
    // the registered definition of the permission must belong to a system package
    assert ((bp.pkgFlags & SYSTEM) != 0);
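The first principle can be exercised on a toy model of the permission-registration stage. This is an added example, not code from the paper or from SecUP: the Perm type, the package and permission names and both update strategies are constructed, and system_first_update is an assumed hardening, not Google's patch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:
    """A registered permission: its name, the package defining it and whether
    that package is a system app (the slide's bp.pkgFlags & SYSTEM check)."""
    name: str
    owner: str
    is_system: bool

def conservative_update(existing, new_system_defs):
    """Strategy described on the slides: everything that already exists is kept
    and only unseen names are added, so whoever defined a name first keeps it."""
    merged = dict(existing)
    for p in new_system_defs:
        merged.setdefault(p.name, p)
    return merged

def system_first_update(existing, new_system_defs):
    """Assumed hardened variant (not Google's actual patch): a definition shipped
    by a system app replaces any non-system definition of the same name."""
    merged = dict(existing)
    for p in new_system_defs:
        cur = merged.get(p.name)
        if cur is None or not cur.is_system:
            merged[p.name] = p
    return merged

def principle_violations(merged, new_system_defs):
    """The slide's assertion applied to every permission the new OS defines:
    after the update its registered owner must be a system package. Returns the
    names a non-system app still owns, i.e. violations of principle 1."""
    return sorted(p.name for p in new_system_defs if not merged[p.name].is_system)

# Constructed scenario: on the current OS a non-system app has already defined a
# name that a system app of the "future" OS will define (permission preempting).
EXISTING = {
    "android.permission.INTERNET": Perm("android.permission.INTERNET", "android", True),
    "com.example.future.NEW_PERM": Perm("com.example.future.NEW_PERM", "com.example.app", False),
}
NEW_DEFS = [
    Perm("com.example.future.NEW_PERM", "com.example.newsysapp", True),
    Perm("com.example.future.OTHER_PERM", "com.example.newsysapp", True),
]

def demo():
    """(violations under the conservative strategy, violations after hardening)"""
    return (principle_violations(conservative_update(EXISTING, NEW_DEFS), NEW_DEFS),
            principle_violations(system_first_update(EXISTING, NEW_DEFS), NEW_DEFS))
```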
Patch Progress
• Oct. 14, 2013
  – Pileup reported to Google
• Jan. 08, 2014
  – Google told us they released a patch for permission preempting to vendors
• Not sure when vendors release the patch to users
• Google created tracking numbers for all other Pileup flaws
Frequent Updates
• From Android 1.0 to 4.4, all 19 major Android versions were released, one every 3.8 months
[Speech bubble: “Hey users, the new Android system is better. Please upgrade.”]
An Interesting Paradox
• Android Update is the very fundamental mechanism to fix security bugs
• With Pileup,
  – Encouraging users to update is to encourage them to be attacked
Scanner App
• Secure Update Scanner
  – Installed on Android devices
  – Used before each OS update
  – Scans for malware exploiting Pileup
  – Powered by the DB with 2 million records
  – Accurately detects malware targeting each specific Android update
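What the scanner's pre-update check amounts to, as an added example that is not the authors' Secure Update Scanner: the RISK_DB entry and its key, the installed-app snapshot and the shared UID name are constructed; the permission and package names are the ones from the two attack demos.

```python
# Constructed risk-DB entry: the resources that one specific update (device
# model, carrier, from-version, to-version) adds. The key values are made up;
# the permission and package names are those used in the attack demos.
RISK_DB = {
    ("ExampleModel", "ExampleCarrier", "2.3", "4.0"): {
        "permissions": {"com.google.googlevoice.RECEIVE_SMS"},
        "packages": {"com.google.android.browser"},
        "shared_uids": {"com.example.future.shareduid"},
    },
}

# Constructed snapshot of what is installed on the device before the update.
INSTALLED = [
    {"package": "com.example.notes", "system": False,
     "uses": {"android.permission.INTERNET"}, "defines": set(), "shared_uid": None},
    {"package": "com.example.voicehelper", "system": False,
     "uses": {"com.google.googlevoice.RECEIVE_SMS"}, "defines": set(), "shared_uid": None},
    {"package": "com.google.android.browser", "system": False,
     "uses": set(), "defines": set(), "shared_uid": "com.example.future.shareduid"},
    {"package": "com.android.phone", "system": True,
     "uses": {"com.google.googlevoice.RECEIVE_SMS"}, "defines": set(), "shared_uid": None},
]

def scan(installed, update):
    """Report every non-system app that already claims a resource the target
    update will add; each finding names the Pileup flaw the claim matches."""
    findings = []
    for app in installed:
        if app["system"]:
            continue  # system apps are replaced by the update itself
        for perm in sorted(app["uses"] & update["permissions"]):
            findings.append((app["package"], "permission harvesting", perm))
        for perm in sorted(app["defines"] & update["permissions"]):
            findings.append((app["package"], "permission preempting", perm))
        if app["shared_uid"] in update["shared_uids"]:
            findings.append((app["package"], "shared UID grabbing", app["shared_uid"]))
        if app["package"] in update["packages"]:
            findings.append((app["package"], "data contamination", app["package"]))
    return findings

def scan_device(installed, model, carrier, current, target):
    """Look up the exact customization being upgraded. An update missing from
    the DB returns None rather than an empty (false all-clear) result."""
    update = RISK_DB.get((model, carrier, current, target))
    if update is None:
        return None
    return scan(installed, update)
```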
Secure Update Scanner
• Free on Google Play, Amazon AppStore, etc.
App Popularity
• Number of Downloads
  – 70,687 as of May 16
• High rating: 4.2 out of 5 by 647 users on Google Play
App Popularity
• Users' Origins
  – 163 countries and districts
    • United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde
Discussion
• Services other than PMS in Android Update
  – UserManagerService, BackupManagerService, ServiceManager, etc.
• Other OSes may also be subject to Pileup
  – Windows, iOS
  • Can a normal user become admin after Windows Update?
Conclusion
• First systematic study of Android Update security
  – new threat to Android Update
  – root cause
  – exploit opportunities in over 3,500 Android customizations
• A scanner app to protect users before Android update
• Next time when you click to upgrade your Android, be aware that there is a risk
Media Coverage
• Tens of news agencies across the world
• English: [news outlet logos]
• European (German, French, Italian, Portuguese, etc.): [news outlet logos]
• Chinese: [news outlet logos]
SecureAndroidUpdate.org

Thanks!
Q&A