The heavy metal that poisoned the droid Tyrone Erasmus Introduction - PowerPoint PPT Presentation



  1. The heavy metal that poisoned the droid Tyrone Erasmus

  2. • Introduction • Android Security Model • Static vs. Dynamic analysis • Mercury: New framework on the block • Finding OEM problems • Techniques for malware • How do we fix this? • Conclusion

  3. /usr/bin/whoami • Consultant @ MWR InfoSecurity • My 25% time == Android research • Interested in many areas of exploitation

  4. Introduction • Why Android?

  5. Security Model • User-based permissions model • Each app runs as a separate UID • Differs from conventional computing • Except when shared UIDs are used • App resource isolation

  6. Security Model

  7. Security Model Application 1 and Application 2 each have their own shared_prefs, files, cache and databases directories • Separated by UNIX permissions!

  8. Security Model • App manifest = all configuration + security parameters

  9. Security Model Memory corruption vulnerabilities: • Native elements that can be overflowed • Code execution: • In context of exploited app • With permissions of app • Want more privileges? YOU vs. KERNEL

  10. IPC Apps use Inter-Process Communication • Defined communication across the sandbox • Exported IPC endpoints are defined in AndroidManifest.xml

  11. IPC - Activities • Visual element of an application

  12. IPC – Services • Background workers • Provides no user interface • Can perform long-running tasks

  13. IPC – Broadcast Receivers • Get notified of system and application events • According to what has been registered • android.permission.RECEIVE_SMS

  14. IPC – Content Providers • Data storehouse • Often uses SQLite • Methods that are based on SQL queries

  15. IPC Summary • All can be exported • Explicitly by exported=true • Implicitly by <intent-filter> • Content Provider exported by default • Often overlooked by developers

  16. IPC Summary Simple Application: • Activity Rich Application: • Activity • Service • Broadcast receiver • Content provider

  17. What they all say • Permissions and developer name Hmmm...

  18. Scary Contradictions • Apps containing root exploits • Browser vulnerabilities • Cross-application exploitation

  19. Cross-application exploitation • What can 1 app do to another? • Completely unprivileged • Malware implications • Android-specific attack surface

  20. Static analysis Workflow: • Download apps • Extract manifests • Decompile • Understand entry points • Examine attack vectors • Write custom POCs

  21. Static analysis • Iterative • Time consuming Loop: • Create/amend code • Compile • Upload • Test • Analyse

  22. Why dynamic analysis? • Time-efficient • Better coverage • Re-usable modules

  23. New tool - Mercury • “The heavy metal that poisoned the droid” • Developed by me

  24. Mercury...What is it? • Platform for effective vulnerability hunting • Collection of tools from single console • Modular == easy expansion • Automation • Simplified interfacing with external tools

  25. Mercury...Why does it exist!? • Testing framework vs. custom scripts • INTERNET permission – malware can do it too! • Share POCs – community additions

  26. Mercury...How does it work? Client/Server model • Client (on PC) • Server (on device) • Low privileges on server app • Intuitive client on PC

  27. Mercury...Show me your skills • Find package info • Attack surface • IPC info • Interacting with IPC endpoints • Shell

  28. Interesting fact #1 ANY app can see verbose system info • Installed apps • Platform/device specifics • Phone identity

  29. Impact Profile your device • Get exploits for vulnerable apps • Better targeting for root exploits • Use this info to track you • Only required permission: INTERNET

  30. Interesting fact #2 • Any app with no permissions can read your SD card • It is the law of the UNIXverse

  31. Impact • A malicious app can upload the contents of your SD card to the internet • Photos • Videos • Documents • Anything else interesting? • Only required permission: INTERNET

  32. Debuggable apps • More than 5% of Market apps • Allow malicious apps to escalate privileges • debuggable=true opens the @jdwp-control socket
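An added audit helper (written for this page, not Mercury's own code) that applies the export rules of slide 15 to a decoded AndroidManifest.xml and also reports the debuggable flag (slide 32) and shared UID (slide 5); the sample manifest is constructed, and the note that the provider default flipped at API 17 is a caveat beyond the slides.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace

def _attr(elem, name):
    return elem.get(NS + name) if elem is not None else None

def audit_manifest(xml_text, target_sdk=None):
    """Report sharedUserId, debuggable and exported components of a decoded
    AndroidManifest.xml. Provider default is 'exported' only for targetSdk <= 16."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if target_sdk is None:
        target_sdk = int(_attr(root.find("uses-sdk"), "targetSdkVersion") or 1)
    report = {"package": root.get("package"), "exported": [],
              "shared_user_id": _attr(root, "sharedUserId"),
              "debuggable": _attr(app, "debuggable") == "true"}
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(kind):
            explicit = _attr(comp, "exported")
            if explicit is not None:                       # rule 1: explicit flag
                exported, why = explicit == "true", "android:exported=" + explicit
            elif comp.find("intent-filter") is not None:   # rule 2: implicit export
                exported, why = True, "implicit via <intent-filter>"
            elif kind == "provider":                       # rule 3: provider default
                exported, why = target_sdk <= 16, "provider default (targetSdk %d)" % target_sdk
            else:
                exported, why = False, "not exported by default"
            if exported:
                report["exported"].append({"kind": kind, "name": _attr(comp, "name"),
                                           "why": why, "permission": _attr(comp, "permission")})
    return report

def unprotected(report):
    """Exported components reachable by any app, no permission needed."""
    return [c["name"] for c in report["exported"] if not c["permission"]]

# Constructed sample (not a real app) that exercises each rule above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.leaky">
  <uses-sdk android:targetSdkVersion="15"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService"/>
    <receiver android:name=".SmsReceiver" android:exported="true" android:permission="android.permission.BROADCAST_SMS"/>
    <provider android:name=".MessagesProvider" android:authorities="com.example.leaky.msgs"/>
  </application>
</manifest>"""
```

Running it on a real decoded manifest (apktool output) lists every endpoint another app can reach without holding a permission, which is the attack surface Mercury enumerates on the device.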

  33. Mercury...So I can extend it? • Remove custom-apps == Quick tests • Create new tools • Share exploit POCs on GitHub • Some cool modules included already: • Device information • Netcat shell • Information pilfering OEM apps

  34. Mercury...Dropbox example • Custom exploit app • No structure for debugging

  35. OEM apps • Pre-installed apps often == vulnerabilities • Many security researchers target these apps

  36. OEM apps Let's find some leaky content providers! • Promise of: • Information pilfering glory • Rampant SQLi • No custom app development

  37. Research findings Leaks instant messages from: • Google Talk • Windows Live Messenger • Yahoo! Messenger

  38. Research findings Leaks: • Facebook • MySpace • Twitter • LinkedIn

  39. OEM apps HTCloggers.apk allows any app with INTERNET • ACCESS_COARSE_LOCATION • ACCESS_FINE_LOCATION • ACCESS_LOCATION_EXTRA_COMMANDS • ACCESS_WIFI_STATE • BATTERY_STATS • DUMP • GET_ACCOUNTS • GET_PACKAGE_SIZE • GET_TASKS • READ_LOGS • READ_SYNC_SETTINGS • READ_SYNC_STATS

  40. Research findings Leaks: • Email address and password • Email content • IM & IM contacts

  41. Research findings Leaks: • SMS using SQLi • Credits to Mike Auty – MWR Labs • Feels so 2000’s

  42. OEM apps Steps to win: • Webkit vulnerability • Browser has INSTALL_PACKAGES • Exported recording service • Bugging device

  43. Research findings Leaks: • SMS • Emails • IMs • Social Networking messages

  44. Research findings Leaks: • Portable Wi-Fi hotspot • SSID • WPA2 password

  45. Research findings • Have found more than 10 similar vulnerabilities • Across many OEM apps

  46. Research findings - Impact An app with 0 granted permissions can get: • Email address and password • Email contents • SMS • IM & IM contacts • Social networking messages • Call logs • Notes • Current city • Portable Wi-Fi hotspot credentials

  47. Why is this happening? Manufacturers bypass OS features • Lack of knowledge? • Tight deadlines?

  48. Malware deluxe Building a user profile • Installed package info • Upload entire SD card • Pilfer from leaky content providers • Get device/platform info

  49. Malware deluxe Useful binaries for device/platform info • toolbox • dumpsys • busybox Promise of: • Useful info

  50. Malware deluxe Dirty tricks • Pipe a shell using nc • Crash the logreaders Promise of: • Shells - everybody loves 'em • Someone actually doing this

  51. Malware deluxe Fresh exploits • Installed apps + versions • Download latest available exploits • Exploit vulnerable apps for fun/profit • Same goes for root exploits

  52. Android the blabbermouth Permissions required: android.permission.INTERNET

  53. Which would you install?

  54. How do developers fix this? • Can’t help Android vulnerabilities • Can make secure apps • Stop information being stolen from your app • Check exposure with Mercury
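As an added example (not from the talk or Mercury), a Python stand-in for a content provider's query() method, showing why caller-supplied projection and selection strings reaching SQL are the root of the SQLi findings (slides 14, 36 and 41) and one way to lock them down as slide 54 asks; the in-memory database and its tables are constructed.

```python
import re
import sqlite3

# Constructed stand-in for a provider's SQLite database: 'notes' is the table the
# provider is meant to expose, 'accounts' holds data it must never return.
def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (_id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.execute("CREATE TABLE accounts (_id INTEGER PRIMARY KEY, email TEXT, pw TEXT)")
    db.execute("INSERT INTO notes (title, body) VALUES ('todo', 'buy milk')")
    db.execute("INSERT INTO accounts (email, pw) VALUES ('a@example.com', 'hunter2')")
    return db

ALLOWED = ("_id", "title", "body")   # the only columns this provider exposes

def query_unsafe(db, projection, selection, selection_args=()):
    """Mirrors a query() that pastes the caller's projection and selection into SQL."""
    sql = "SELECT %s FROM notes" % ", ".join(projection or ["*"])
    if selection:
        sql += " WHERE " + selection
    return db.execute(sql, tuple(selection_args)).fetchall()

# Selection grammar the hardened version accepts: col OP ? [AND|OR col OP ?]*
# (values must travel in selection_args, never inline in the selection string).
_COND = r"(?:%s)\s*(?:=|!=|<>|<=|>=|<|>|LIKE)\s*\?" % "|".join(ALLOWED)
_SELECTION = re.compile(r"^\s*%s(?:\s+(?:AND|OR)\s+%s)*\s*$" % (_COND, _COND), re.I)

def query_hardened(db, projection, selection, selection_args=()):
    """Allow-list projection columns and restrict selection to bound comparisons."""
    cols = list(projection or ALLOWED)
    if any(c not in ALLOWED for c in cols):
        raise ValueError("projection names a column outside the allow-list")
    sql = "SELECT %s FROM notes" % ", ".join(cols)
    if selection:
        if not _SELECTION.match(selection):
            raise ValueError("selection must consist of 'column OP ?' terms only")
        if selection.count("?") != len(selection_args):
            raise ValueError("placeholder/argument count mismatch")
        sql += " WHERE " + selection
    return db.execute(sql, tuple(selection_args)).fetchall()

def is_rejected(db, projection, selection, selection_args=()):
    """True when the hardened query() refuses the request."""
    try:
        query_hardened(db, projection, selection, selection_args)
        return False
    except ValueError:
        return True
```

The allow-list plus bound placeholders is the same idea Android's SQLiteQueryBuilder projection map and strict mode implement; the point is that the provider, not the caller, decides which columns and clauses can reach the database.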

  55. Mercury – Future plans • Testing ground for exploits of all kind • Full exploitation suite?

  56. return 0; • Feedback forms • Questions?
