The remote code execution on an Android device

By Mary Turner, 2015-10-25 10:22

    "You walk into a coffee shop and sit down. While waiting for your coffee, you take out your smartphone and start playing a game you downloaded the other day. Then you go back to work, answering email in the lift. Without your knowing it, the attacker now has a route into the company network and is steadily infecting all your colleagues' smartphones."

    Wait, what?

    We don't talk about Android on the Bromium Labs blog very much, but we like to tinker from time to time. Recently my colleague Thomas Coudray and I explored an Android remote code execution vulnerability, wanting to understand how much of a problem it really is in real applications.

    Although privilege escalation techniques are common on Android (and are the basis of the convention of "rooting" devices), remote code execution is rarer and far more dangerous: it lets an attacker run code of their choosing on the device without the user's authorization. This bug deserves particular attention because, even 18 months after it was fixed, it can still be exploited on an Android device with all the latest patches installed. We wanted to see whether that is really true, and how much effort exploiting it takes. We found that the scenario is entirely possible.

    We used two different approaches to research this bug. First, we tried to exploit it in a public-Wi-Fi-like environment, the kind you might encounter in a coffee shop: we set up some Android devices and some cheap network equipment and started attacking. Second, we estimated the worst case an average user might encounter. For that we used static analysis to see how many apps and devices are affected.

    Before getting into the details, some background on this bug:

    Background

    It began in 2012 with a remote code execution bug in the JavaScript addJavascriptInterface API, CVE-2012-6636 (see here and here for details). The bug allows JavaScript code to gain more privileges on the system than the developer intended. So far, so bad. Research by MWR over the following months showed that a great many apps use advertising vendors' frameworks, and that those frameworks are typically affected by the bug and download JavaScript code at runtime.

    Combined, these factors mean that a large number of apps download JavaScript code from the Internet insecurely, so it is not very hard for a malicious attacker to hijack the download and mount a remote code execution attack.

    Not fixed yet?

    Android 4.2 fixed the underlying JavaScript vulnerability. Unfortunately, for the sake of backward compatibility, the fix only closes the hole in one specific scenario, and Android version fragmentation together with the Android advertising business model means that scenario is not common. We examined 100,000 APKs from Google Play and found that about 12% are still at risk even when running on the latest Android devices.

    APK analysis results: half carry no risk because they target SDK version 17 or higher; a further 31% do not use the vulnerable API; 7% could not be analysed because of APK obfuscation or analysis errors.

    In addition, regardless of whether the apps have been fixed, more than 50% of Android devices still run versions below 4.2. For these devices there is no fix, and they remain at risk.

    Technical details

    For the fix to take effect, the app invoking addJavascriptInterface must be compiled against API level 17 or higher, meaning its target Android version must be 4.2 or later. To stay compatible with as many devices as possible, apps and frameworks are often compiled against the lowest API version they can. The upshot is that even when running on a patched Android 4.2, 4.3 or 4.4 device, the app can still be vulnerable.

    The advertising business model is very popular on Android: the app is free, and the developer earns income by displaying ads to users. There are more than 50 different advertising frameworks for Android, which makes it easy for developers to add advertising, and in fact they often use more than one in the same app; some apps were found to use as many as 20 (see Figure 4 here). Most of these frameworks behave the same way: when the app first runs, they download a JavaScript library over HTTP. This means the app typically downloads unvalidated JavaScript insecurely, and that code then runs in an environment where it can execute arbitrary code.

    Code execution means unrestricted access to the device

    So far, this vulnerability only lets an attacker execute code in the context of one Android application. That is bad enough, but it is still constrained by the Android permission system, which isolates the data each application can access. However, once an attacker has a foothold on the system, it is likely they can obtain extra privileges. The futex hole, for example (CVE-2014-2014), affects every Linux kernel version currently in use, Android included, and was recently used to root the Galaxy S5 for the first time. Although the two are not equivalent, we should get into the habit of treating "remote code execution" and "root" as equally severe, because sooner or later a determined attacker will step from one to the other and gain full control of the device.

    Exploiting it in the real world

    We've talked about how the vulnerability is exploited and why the bug is so serious. Now, going beyond the analysis, we wanted to verify how easy the hole actually is to use.

    In mid-May we randomly downloaded 102,189 free apps from the Play Store and, through static analysis, found that 12.8% carry the underlying vulnerability risk described above. These APKs both target a low API version and use the addJavascriptInterface API. When such an APK calls addJavascriptInterface the hole can in fact be exploited: a man-in-the-middle attack can be mounted against the JavaScript it downloads insecurely from the Internet.
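    The classification just described (low target SDK plus addJavascriptInterface use, with an insecure script download making it exploitable), written out as an added example. This is not Bromium's analysis tooling; the record layout, field names and sample APK records are constructed for illustration.

```python
"""Triage APK metadata against the post's risk criteria (target SDK below 17 plus
addJavascriptInterface, and JavaScript fetched over plain HTTP). Example code,
not Bromium's tooling; field names and sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

FIX_TARGET_SDK = 17  # Android 4.2: the fix only applies from API level 17

@dataclass
class ApkInfo:
    name: str
    target_sdk: Optional[int]  # None if the manifest could not be parsed
    api_calls: List[str] = field(default_factory=list)
    script_urls: List[str] = field(default_factory=list)

def classify(apk: ApkInfo) -> str:
    """Bucket an APK the same way the post's static analysis does."""
    if apk.target_sdk is None:
        return "analysis_failed"
    if apk.target_sdk >= FIX_TARGET_SDK:
        return "fixed_by_target_sdk"
    if "addJavascriptInterface" not in apk.api_calls:
        return "api_not_used"
    return "potentially_vulnerable"

def insecure_script_urls(apk: ApkInfo) -> List[str]:
    """Scripts fetched over plain HTTP can be swapped by a man-in-the-middle."""
    return [u for u in apk.script_urls if urlsplit(u).scheme == "http"]

def exploitable(apk: ApkInfo) -> bool:
    """Vulnerable API use combined with an unauthenticated script download."""
    return classify(apk) == "potentially_vulnerable" and bool(insecure_script_urls(apk))

def summarize(apks: List[ApkInfo]) -> Dict[str, float]:
    """Percentage of the sample falling in each bucket."""
    counts: Dict[str, int] = {}
    for apk in apks:
        counts[classify(apk)] = counts.get(classify(apk), 0) + 1
    return {k: round(100.0 * v / len(apks), 1) for k, v in counts.items()}

# Constructed sample records
SAMPLE = [
    ApkInfo("freegame", 9, ["addJavascriptInterface"], ["http://ads.example/sdk.js"]),
    ApkInfo("mail", 19, ["addJavascriptInterface"], ["https://cdn.example/lib.js"]),
    ApkInfo("flashlight", 10, ["loadUrl"], []),
    ApkInfo("obfuscated", None),
]
```

    On real APKs the target SDK comes from the manifest and the API calls and script URLs from decompiled code, which is where the 7% analysis failures arise.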

    Our test hijacks an insecure JavaScript download with a man-in-the-middle attack and injects a small JavaScript snippet that detects the addJavascriptInterface hole.

    Testing the apps

    We set up a Wi-Fi access point (AP) that acts as a transparent man-in-the-middle web proxy. It is configured to inject malicious code into any script requested over HTTP by any device connected to the AP. The AP was password-protected in case someone misused it, but the same approach works on a public AP. Even when the AP is not under the attacker's control, DNS poisoning or ARP cache spoofing can be used to reach the same man-in-the-middle position, or a rogue AP can be set up to impersonate a legitimate one. In short, there are various ways to get into the proxy position; anyone using our Wi-Fi had their traffic pass through our proxy.

    JavaScript's dynamic nature means we don't need to target a particular application or advertising framework. At runtime, the injected code scans the whole JavaScript global namespace looking for objects exposed through incorrect use of the addJavascriptInterface API, and tests each one for the hole. If none is found, it stays quiet and does not affect the app's operation. If it succeeds, it runs a shell command to start the calculator app (a tradition in vulnerability disclosure: it demonstrates you have achieved code execution, since if you can start the calculator you have proved you can run anything).

    The injected JavaScript fragment

    function findVulnerableObject() {
        for (var prop in window) {
            try {
                // If getClass() doesn't throw, the object is vulnerable
                window[prop].getClass();
                return window[prop];
            } catch (err) {}
        }
        return null;
    }

    With the AP in place, we randomly chose some of the 13,119 apps flagged as potentially vulnerable and installed them on a Nexus 5 (running 4.4.3) and a Samsung XE700T (an x86 tablet running AOSP 4.2), both connected to the AP. We simply started each app and did some basic interaction; more than half successfully triggered remote code execution by loading the malicious code injected by the man-in-the-middle proxy.

    For fun, we tweaked the injected JavaScript repeatedly until the app displayed the Bromium logo in place of the original advertisement.

    Screenshot of the hijacked app's UI showing the Bromium logo.

    The advertising frameworks are to blame

    Looking at TCP/IP packet traces quickly showed that the advertising frameworks, which combine addJavascriptInterface with insecure HTTP downloads, were the culprit. None of the frameworks we surveyed used HTTPS, which means any app using these frameworks to download JavaScript insecurely is also vulnerable. Previous studies have shown that 17% of apps do use HTTPS but use it improperly; that, however, is another matter.

    We looked closely at several apps to see which advertising frameworks they use. The most commonly used ones (typically also the most frequently updated) are fine, but we found a large number of frameworks still using addJavascriptInterface unsafely. Of the apps we checked, more than 80% of the paid ones contained at least one advertising framework. In total, we identified 4,190 advertising framework instances across 2,140 apps.

    How big a problem is it?

    Google's Play Store shows rough download counts for every app. Among the apps in which we confirmed the hole by hand, a small number have more than 150 million downloads. That does not mean 150,000,000 devices are vulnerable, since one device may have several different vulnerable apps installed. But given that our analysis found around 10% of apps to be potentially at risk, and that 50% of those could be attacked in field tests, there is a very large number of vulnerable devices.

    Also, don't forget that 57% of Android devices run versions below 4.2. So even if every vulnerable app and framework were patched for 4.2 tomorrow, more than half of Android devices still could not be fixed.

    Once remote code execution is achieved, the disaster scenario described at the start in the coffee shop is not far away. Add a matching root exploit (unfortunately there are quite a few for the Android platform) and the compromised device becomes a proxy into any network it later joins. From there the attack begins to spread, and given how popular mobile devices and shared Wi-Fi networks are around the world, that is a serious concern.

    Combining with Device Analyser data

    Device Analyser is another source of statistical data on Android devices. One of its features is tracking how often users start different applications. Cross-referencing that data, with some patience, against our list of potentially vulnerable applications gives the following result:

    Average number of potentially vulnerable applications opened per user

    Over roughly the past year, Device Analyser data shows users opening on average 0.4 potentially vulnerable applications per device per day, or in other words, several times a week. We cannot assume that versions of the applications newer than the ones we analysed are still vulnerable, so once our sample data is no longer current the graph shows a sharp drop. If we fed the latest APK versions into our analysis we would most likely see it still at the 0.4 level. Device Analyser's relatively small sample makes it hard to draw broader conclusions about Android devices as a whole.
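    The cross-reference just described, as an added example: launch records joined against the list of flagged packages to get the average number of potentially vulnerable app launches per user-day. This is not Device Analyser's or Bromium's code; the log format, user ids and package names are constructed.

```python
"""Join app-launch records with a set of flagged packages and compute the
per-user-day average, as the post does with Device Analyser data.
Example code; log format, users and package names are constructed."""
from collections import defaultdict
from datetime import date

# Constructed launch records: "YYYY-MM-DD user package"
LAUNCH_LOG = """\
2014-05-01 u1 com.example.freegame
2014-05-01 u1 com.example.mail
2014-05-01 u2 com.example.freegame
2014-05-02 u1 com.example.flashlight
2014-05-02 u2 com.example.mail
2014-05-03 u2 com.example.freegame
""".splitlines()

# Constructed set of packages flagged by the static analysis step
VULNERABLE = {"com.example.freegame", "com.example.flashlight"}

def parse_launch(line: str):
    """Split one record into (day, user, package)."""
    day, user, package = line.split()
    return date.fromisoformat(day), user, package

def vulnerable_launches_per_user_day(lines, vulnerable) -> float:
    """Average number of flagged-app launches per user per observed day."""
    flagged = defaultdict(int)   # (user, day) -> launches of flagged apps
    active = set()               # every (user, day) with any launch at all
    for line in lines:
        day, user, package = parse_launch(line)
        active.add((user, day))
        if package in vulnerable:
            flagged[(user, day)] += 1
    if not active:
        return 0.0
    return sum(flagged.values()) / len(active)
```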


    We found that with a relatively simple man-in-the-middle technique, without targeting any specific application or device, we could remotely run dangerous code on Android devices, even fully patched ones. Using static analysis we found that a considerable proportion of applications are likely still vulnerable, and by testing a random sample we confirmed that more than half of them have no real defence.

    We therefore suggest not using any Android application that displays ads while connected to untrusted Wi-Fi.

    We thank Evozi for providing their APK library, and the University of Cambridge for the Device Analyser data.
