Big Brother is watching. His name is Binder. Binder is the only vehicle of inter process communication in Android, making it a prime target for attackers. We'll provide a review of this sophisticated and little known mechanism, describe the multitude of dangers in its compromise and demonstrate several Binder-based data manipulation and theft attacks. In depth (presentation outline): * The Android malware world lags behind the PC in sophistication, but rapidly catching up. We believe the next generation of mobile malware is soon to come, and the Binder is a natural target. * Binder Background (what makes it special?): - The peculiarity of Android's architecture: on the idea of a userland OS built on top of the Linux kernel, and how Binder is critical to this concept. - The inevitable security trade-off in Android: Minimizing the attack surface against the kernel, at the cost of introducing Binder as a classic single-point-of-control. - How a developer sees the Binder (spoiler: he doesn't). * In depth Binder mechanics (how does it work?): - A detailed look at the data structures, classes and functions which define the behaviour of Binder, with a special focus on security-critical areas. - Hooking Binder: How and where to control Android's IPC mechanism. - Looking at the raw data travelling through Binder, and how to sift through it to find the interesting stuff (passwords, keyboard input, SMS, sound and many more). - Why modern mobile AVs are having a hard time detecting these methods of operation. * (Demonstrations) Comparing the "naive malware" approach and Man in the Binder philosophy to: -> Logging keyboard input. -> Capturing data sent between Activities. -> Modifying sensitive information at runtime (i.e. faking a financial transaction, banking-trojan style). * Mitigation: - Why code obfuscation and app wrapping won't help you. - Encrypting your data before it leaves the process (even within the same app!). - Example: using an in-app keyboard securely. We believe that this is ground-breaking work that has not been properly researched before: Binder’s central position in the Android architecture means that it is likely to become heavily attacked in the next few years. By shining a bright light on this topic, our research is a significant contribution to the security of the Android platform as a whole. An earlier version of this research was presented at Black Hat Europe 2014 and Kaspersky SAS2015. A white paper of the results up until a few months ago can be found here: https://www.blackhat.com/docs/eu-14/materials/eu-14-Artenstein-Man-In-The-Binder-He-Who-Controls-IPC-Controls-The-Droid.pdf

1. MAN IN THE BINDER:
HE WHO CONTROLS IPC, CONTROLS THE DROID

2. A Hack in Three Acts
Act I – Know Your Droid
Act II – Attack Your Droid
Act III – Prepare Your Droid

4. Nitay Artenstein Idan Revivo Michael Shalyt

5. Name: Kitty Bank
Occupation: Bank Application
“U want KitCoins – we haz it”

6. Name: Kitty-ninja
Occupation: Script kiddy
“Mommy, can I rob this bank?”

7. Name: Paw of Death
Occupation: Black belt ninja hacker
“To rob a bank, you must first
become the bank”

8. Name: System Service
Occupation: Sitting and
waiting to serve your needs
These things run Android!

9. Name: $ echo `uname –r`
Occupation: Holding the world
on its shoulders since 1.1.1970
Feeling neglected now that
system services get all the
attention on Android

10. Name: The Binder
Occupation: All Powerful
Mystery Character
?

12. An Application’s Life On Windows
Syscalls

13. An Application’s Life On Android
Syscalls
Syscalls
Syscalls

14. Android – The Real Picture
Syscalls
Syscalls

15. /dev/binder /dev/tty0
libbinder.so
kernel
/system/libbinder.so
/system/lib*.so
DalvikVM DalvikVM
syscallparcel parcel
Bank Application Process System Service Process
application
System services
proxy
libandroid_runtime.so
libandroid_runtime.so
System Service
• Binder has a userland
component and a kernel
one
• The driver receives the
Parcel via an ioctl syscall
and sends it to the
target processes

16. What’s a Parcel?

17. A Short Recap
libbinder.so
DalvikVM
Kitty Bank Process
Parcels
Syscalls
Parcels
Audio Manager

20. Round I
Key Logging

21. A n00b Attacker’s View of The System

22. What Would The n00b Attacker Do?

23. What Would The n00b Attacker Do?

24. What Would The n00b Attacker Do?

25. A Ninja Attacker’s View of The System

26. What Would The Ninja Attacker Do?

27. Key Logger Demo

28. What Would The Ninja Attacker Do?

29. Round II
Data Manipulation

30. A n00b Attacker’s View of The System
Activity Activity Activity

31. What Would The n00b Attacker Do?
Bye Kitty Bank , Hello Shi**y Bank

32. What Would The n00b Attacker Do?
Bye Kitty Bank , Hello Shi**y Bank

33. A Ninja Attacker’s View of The System
Activity Manager

34. In-app data goes through Binder???

35. A Ninja Attacker’s View of The System
Activity Manager

36. What Would The Ninja Attacker Do?
Activity Manager

37. A trillion dollars, anyone?

38. Data Manipulation
Demo

39. What Would The Ninja Attacker Do?

40. Round III
Intercepting SMS

41. A n00b Attacker’s View of The System
Telephony Manager

42. What Would The n00b Attacker Do?

43. What Would The n00b Attacker Do?

44. A Ninja Attacker’s View of The System
Telephony Manager

45. What Would The Ninja Attacker Do?

46. SMS internals
• The Telephony Manager notifies the SMS app
whenever an SMS is received
• The app queries the TM’s database via Binder:

47. SMS internals
• But what’s a Cursor object?
• It’s a messy abstraction of a response to a query

48. SMS internals
• Surprise: Under the hood, it’s just a Unix fd
• Now we’re in business!

49. What Would The Ninja Attacker Do?

50. Summary
What Just Happened?

51. Attacking The Binder
• Hook libbinder.so at the point where it sends an
ioctl to the kernel
• Stealth: dozens of places to hook
• But don’t you need root?

52. Attacking The Binder
Vulnerable
to known
rooting
exploits

53. Consider The Possibilities

54. Summary
Features:
• Versatility: one hook – multiple functionalities.
• App agnostic: no need to RE apps.
• Stealth: the Android security model limits 3rd
party security apps just like any other app.

55. Summary
• This is NOT a vulnerability. It’s like man-in-the-
browser, but for literally everything on Android.
• Root is assumed. Rooting won’t go away any
time soon.

56. Rumors
(You didn’t hear it from me…)

57. What are you trying to tell me?
That I can get all permissions on
a device?
No.
I’m trying to tell you that when
you’re ready, you won’t have to

59. Solutions – for developers
• Take control of your own process memory
space.
• Minimize the amount of data going to IPC, and
encrypt what has to go.

60. Solutions – for security industry
• Scan files like it’s the 90’s.
• Be brave – get root yourself:
• Runtime process scanning and monitoring.
• Software firewall (like Avast).
• Binder firewall/anomaly detection.
• Etc.

61. Further Reading
[1] White paper: “Man in the Binder”, Artenstein
and Revivo
[2] “On the Reconstruction of Android Malware
Behaviors”, Fatori, Tam et al
[3] “Binderwall: Monitoring and Filtering Android
Interprocess Communication”, Hausner