Pileup Vulnerabilities in OS Updating
People tend to believe that an OS upgrade makes their mobile devices much more secure and more reliable, because the new OS version presumably fixes security loopholes and enhances the system’s security protection. However, our recent study on the current Android upgrade mechanism brings to light a whole new set of vulnerabilities pervasively existing in almost all Android versions, which allow a seemingly harmless malicious app (an “unprivileged app” in security terms) running on one version of Android to automatically acquire significant capabilities without the user’s consent once the device is upgraded to a newer version! Such capabilities include automatically obtaining all new permissions added by the newer OS version, replacing system-level apps with malicious ones, injecting malicious scripts into arbitrary webpages, etc. We call these vulnerabilities Pileup flaws (privilege escalation through updating). In total, we discovered six Pileup flaws in the code of the Android OS. We further confirmed the presence of the issues in all AOSP (Android Open Source Project) versions and 3,522 source code versions customized by Samsung, LG and HTC across the world. Those flaws affect all Android devices worldwide, posing serious threats to billions of Android users who are actually encouraged to update their systems.
A distinctive feature of the threat is that the attack is not aimed at a vulnerability in the current system. Instead, it exploits flaws in the updating mechanism of the “future” OS, the version the current system will be upgraded to. More specifically, through an app running on a lower version of Android, the adversary can strategically claim a set of carefully selected privileges or attributes that only exist on the higher OS version. For example, the app can define a new system permission such as android.permission.READ_PROFILE (read the user’s personal profile data) on Android 2.3.6, a permission that is only added in 4.0.x. It can also use the shared user ID (UID; a string specified within an app’s manifest file) of a new system app on 4.0.x, its package name and other attributes. Since these privileges and attributes do not exist in the old system (2.3.6 in the example), the malicious app can silently acquire them (a self-defined permission, a shared UID, a package name, etc.). When the system is updated to the new version, the Pileup flaws within the new Package Manager are automatically exploited. Consequently, such an app can stealthily obtain the related system privileges, resources or capabilities. In the above example, once the phone is upgraded to 4.0.x, the app immediately gets android.permission.READ_PROFILE without the user’s consent and even becomes its owner, capable of setting its protection level and description. Also, the preempted shared UID enables the malicious app to substitute for system apps such as Google Calendar, and the package name trick was found to work on the Android browser, allowing the malicious app to contaminate its cookies, cache, security configurations, bookmarks, etc.
The consequences of the attacks are dire, depending on the exploit opportunities on different Android devices, that is, the nature of the new resources on the target version of an update. As examples, on various versions of Android, an upgrade allows the unprivileged malware to get the permissions for accessing voicemails, user credentials, call logs and notifications of other apps, sending SMS, starting any activity regardless of permission protection or export state, etc.; the malware can also gain complete control of new signature and system permissions, lowering their protection levels to “normal” and arbitrarily changing the descriptions that the user needs to read when deciding whether to grant them to an app; it can even replace the official Google Calendar app with a malicious one to get the phone user’s events, drop JavaScript code in the data directory to be used by the new Android browser so as to steal the user’s sensitive data, or prevent her from installing critical system apps such as Google Play Services. We performed a measurement of those exploit opportunities, which shows how they are distributed across Android versions and vendors. Figure 1 compares the average numbers of exploit opportunities provided by AOSP, Google and Samsung when the system is upgraded from 2.3.X to 4.0.X, then to 4.1.X, 4.2.X, 4.3.X and 4.4.X consecutively. As we can see from the figure, not only do the manufacturers introduce more opportunities than AOSP, but Samsung adds more than Google. Also interestingly, though Google and AOSP apparently make the biggest system overhaul from 2.3.X to 4.0.X and show a trend of less aggressive updating afterwards, Samsung continues to bring in more new features from 4.1.X to 4.2.X and to 4.3.X, at the cost of increased security risks.
Figure 1. Exploit opportunities
To show that malicious apps exploiting Pileup flaws can be accepted by today’s Android app stores such as Google Play, Amazon’s Appstore for Android, etc., we developed a number of such apps and submitted them to various app markets. We successfully published the malicious apps on the Google Play store to request new dangerous permissions added by newer Android OS versions and new system apps, to define new “Dangerous”, “Signature” and “SignatureOrSystem” permissions, and to take the shared UID of system apps. We have also successfully published those apps to other app markets such as Amazon Appstore for Android, GetJar, etc. We immediately removed the apps from the markets once they were approved for publication.
Attack Demos
Below is a list of video demos which show how a seemingly harmless app can exploit Pileup flaws to cause various bad consequences, including stealing all of your Google Voice messages, hacking your Google account, stealing your passwords for banking sites, etc., once you upgrade to a newer version of Android.
Description of the demos:
- Demo 1: A seemingly harmless app without a permission gets the permission to eavesdrop on all of your Google Voice messages after OS update.
- Demo 2: An unprivileged app injects malicious scripts into the Android browser if you upgrade the Android OS, compromising your web accounts on any website, e.g. Google.com.
- Demo 3: An unprivileged app tampers with the built-in bookmarks of the Android browser once you upgrade the OS. It enables phishing attacks targeting your bank accounts.
Media Coverage
Defense Discussion: we have a security app to protect you
Because Pileup flaws profoundly degrade the security of Android devices by exploiting Android Update itself, they lead to an embarrassing situation for the Android ecosystem. On the one hand, OS updates are very important or even critical if they include urgent fixes for security bugs; on the other hand, with Pileup flaws, every OS update offers bad guys opportunities to attack Android users. We believe that a security app dedicated to Pileup flaws is very necessary. Users can use such an app to make sure their devices are free of malware before they run Android Update. Therefore, we developed an app called Secure Update Scanner for this purpose. The app scans the user’s device to detect any malicious apps which exploit Pileup flaws and provides useful instructions to guide users to uninstall malicious apps if discovered and securely update their devices afterwards.
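The core of such a pre-update check, written as an added example that is not the Secure Update Scanner’s own code: given the identifiers that first appear in the target OS version, it parses an installed app’s manifest and reports every permission, shared UID or package name the app has claimed ahead of the upgrade, which is exactly the preemption described in the attack section above. The catalog and the two manifests are constructed for the example; only android.permission.READ_PROFILE comes from this page, the shared UID and package values are placeholders and not real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed catalog of identifiers that exist only on the target OS version
# (the version the device is about to upgrade to). READ_PROFILE is the permission
# named in the write-up; the other two entries are placeholders, not real values.
TARGET_VERSION_CATALOG = {
    "permissions": {"android.permission.READ_PROFILE"},
    "shared_uids": {"android.uid.placeholder_calendar"},
    "packages": {"com.placeholder.android.browser"},
}


def _attr(elem, name):
    # Manifest attributes such as android:name live in the android: namespace.
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_pileup_claims(manifest_xml, catalog=TARGET_VERSION_CATALOG):
    """Return (kind, value) pairs for every target-version identifier that an
    already-installed app claims in its manifest. The old system accepts such
    claims because nothing owns those names yet; they pay off after the update."""
    root = ET.fromstring(manifest_xml)
    hits = []
    if root.get("package") in catalog["packages"]:
        hits.append(("package", root.get("package")))
    if _attr(root, "sharedUserId") in catalog["shared_uids"]:
        hits.append(("sharedUserId", _attr(root, "sharedUserId")))
    # <permission> defines a permission (the app becomes its owner after the
    # upgrade); <uses-permission> requests one the old system cannot yet check.
    for tag in ("permission", "uses-permission"):
        for elem in root.iter(tag):
            if _attr(elem, "name") in catalog["permissions"]:
                hits.append((tag, _attr(elem, "name")))
    return hits


# Constructed manifest of an app that pre-claims all three kinds of identifier.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s"
    package="com.placeholder.android.browser"
    android:sharedUserId="android.uid.placeholder_calendar">
    <permission android:name="android.permission.READ_PROFILE"
        android:protectionLevel="normal" />
    <uses-permission android:name="android.permission.READ_PROFILE" />
    <uses-permission android:name="android.permission.INTERNET" />
</manifest>""" % ANDROID_NS

# Constructed manifest of an ordinary app: nothing to report.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET" />
</manifest>""" % ANDROID_NS
```

A scanner would run `find_pileup_claims` over the manifest of every installed app with the catalog for the pending update and ask the user to uninstall any app with a non-empty result before updating.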
We suggest users install the Secure Update Scanner app on their devices and run it before every system update. It only takes a few seconds to finish the scan. The app is available for free on Google Play, Amazon AppStore for Android, SlideMe, and 360 Mobile Assistant (for Chinese users).
· Google Play: https://play.google.com/store/apps/details?id=com.iu.seccheck
· Amazon AppStore for Android: http://www.amazon.com/gp/product/B00IZOHC40
· SlideMe: http://slideme.org/application/secure-update-scanner
· 360 Mobile Assistant: http://zhushou.360.cn/detail/index/soft_id/1594856
New: Our Secure Update Scanner app has been trusted by users from all over the world. As of now, we have observed users from 163 countries/districts installing and using our app for the security of their devices and more are joining the list. Here is the full list: United States, France, Germany, Spain, Italy, China, Portugal, Canada, United Kingdom, Poland, Switzerland, Belgium, India, Australia, Brazil, Thailand, Austria, Netherlands, Hong Kong, Malaysia, Taiwan, Morocco, Singapore, Indonesia, Mexico, Algeria, Ireland, Philippines, South Africa, Greece, Egypt, Russia, Pakistan, Saudi Arabia, Sweden, Vietnam, Romania, Tunisia, Honduras, Iraq, Norway, New Zealand, Nigeria, Eritrea, Japan, Denmark, Luxembourg, Ivory Coast, Burkina Faso, Bulgaria, Bangladesh, Argentina, United Arab Emirates, Mauritius, Ecuador, Albania, Colombia, Israel, Panama, Iran, Hungary, Serbia, Kuwait, Myanmar, Finland, Turkey, French Polynesia, Haiti, Ukraine, Uruguay, New Caledonia, Czech Republic, Guatemala, Ghana, South Korea, Senegal, Sri Lanka, Kenya, Slovakia, Cyprus, Croatia, Qatar, Peru, Bahrain, Yemen, Lebanon, Jamaica, Reunion, Paraguay, Macao, Cameroon, Djibouti, Sudan, Chile, Venezuela, Georgia, Trinidad and Tobago, Puerto Rico, Costa Rica, Monaco, Lithuania, Gabon, Tanzania, Slovenia, Madagascar, Angola, Estonia, Mongolia, Jordan, Benin, Barbados, Namibia, Mali, Nicaragua, Afghanistan, Dominican Republic, Uzbekistan, Uganda, Malta, Palestine, Burundi, The Democratic Republic Of Congo, El Salvador, Niger, Cambodia, Brunei, South Sudan, Curacao, Zimbabwe, Nepal, Suriname, Tajikistan, Bosnia and Herzegovina, Mozambique, Mauritania, Jersey, Ethiopia, Laos, Montenegro, Fiji, Rwanda, Oman, Libya, Bolivia, Syria, Botswana, San Marino, Iceland, Guinea, Comoros, Azerbaijan, Greenland, Andorra, Latvia, Gambia, Martinique, Congo, Maldives, Moldova, Guam, Kyrgyzstan, Central African Republic, and Cape Verde.
There are some other potential mitigations, one of which is to only install apps from the Google Play store. A caution is that we are not sure whether Google can or will block all malicious apps: according to our tests described in this article (paragraph 4), Google Play actually approved a number of malicious apps we submitted (we immediately removed the apps once approved). Another mitigation is to use a generic anti-virus security app such as Lookout, Avast Mobile Security & Antivirus, 360 Mobile Safe, and many others. However, because Pileup flaws are a new category of complex problems never known before, we believe those generic security apps cannot be easily tuned to detect malware exploiting Pileup. Our Secure Update Scanner app achieves high detection accuracy because it is powered by a vulnerability database with over two million records collected by analyzing thousands of Android factory images.
Responsible Disclosure
We reported the six vulnerabilities to Google on October 14, 2013. On January 08, 2014, Google told us that they had released a patch for the permission-preempting bug (internal tracking # 11242510) to Android vendors. We are not aware of any timeline for the vendors to release their patches to users but will update the website as soon as we get this information. Google also created tracking numbers for the other 5 issues we reported. The Android ecosystem is well known for its slow pace in deploying new updates. For example, the latest Android OS, KitKat, was released on October 31, 2013, but it has only reached 2.5% of the market share after 4+ months. We expect that a complete fix for the problems we discovered will take a long time as well.
Publication
This research is a joint work of Indiana University and Microsoft Research. We have written a research paper which describes our investigation results and the corresponding tools we developed in detail. The paper has been accepted to the 35th IEEE Symposium on Security and Privacy, which is a flagship conference in security. We will present the research work at the conference in May, 2014. Here is the reference for the work.
Luyi Xing (Indiana University), Xiaorui Pan (Indiana University), Rui Wang (Microsoft Research), Kan Yuan (Indiana University) and XiaoFeng Wang (Indiana University). Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating. Accepted by the 35th IEEE Symposium on Security and Privacy. San Jose, CA. May, 2014.