SlideShare a Scribd company logo

Yet Another Android Rootkit

FFRI, Inc.
FFRI, Inc.
Technology
1 of 50
Download to read offline
Fourteenforty Research Institute, Inc. 1 Fourteenforty Research Institute, Inc. Black Hat Abu Dhabi 2011 Yet Another Android Rootkit /protecting/system/is/not/enough/ Research Engineer – Tsukasa Oi Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp
Fourteenforty Research Institute, Inc. • Gaining Administrative Privileges in Android OS – Normally, root cannot be used by Apps – Gaining root Privilege using... • Local Exploits (dangerous) • Fake Firmware Updates (relatively safe) • What for? – Customization, Overclocking – Malicious Use (e.g. DroidDream) • root in Android platform works differently – Permission Checks – Software-based UID/PID checks 2 Introduction: rooting Android
Fourteenforty Research Institute, Inc. • Vendors and Careers want to: – Protect Users – Protect Career-specific / Vendor-specific Services – Ensure Smartphones are not Altered and “Radio Legal” – Protect their Business Model  • Answer: “Protect Smartphones” – Prevent Firmware Modification – Patch Framework and Kernel in order to Secure the device 3 Introduction: Japanese smartphones
Fourteenforty Research Institute, Inc. • rooting and Android Security – Android Internals and Security Model – Bypassing Security and Gaining Privileges • Vendor-Specific Protection – Kernel-based Mechanism • Yet Another Android Rootkit – User-Mode Rootkit Bypassing Vendor-Specific Protections – Hook User Applications • So what was wrong? – Open source, Closed platform 4 Agenda
Fourteenforty Research Institute, Inc. ROOTING AND ANDROID SECURITY rooting Android is not the end of the story. 5
Fourteenforty Research Institute, Inc. • Five known root exploits affecting unmodified version of Android – CVE-2009-1185 (exploid) – [no CVE number] (rage against the cage) – CVE-2011-1149 (psneuter) – CVE-2011-1823 (GingerBreak) – CVE-2011-3874 (zergRush) • More of that: Chip/Vendor-specific Vulnerabilities 6 rooting is Sometimes Easy
Fourteenforty Research Institute, Inc. • Logic Errors in suid programs – Android Tablet [xxx]: OS command injection rooting : Vulnerabilities (1) 7 The attacker can invoke arbitrary command in root privileges. [REDACTED]
Fourteenforty Research Institute, Inc. • Improper User-supplied buffer access – Android smartphone [xxx]: Sensor Device Driver rooting : Vulnerabilities (2) 8 The attacker write [REDACTED] to arbitrary user memory, bypassing copy-on-write. Modifying setuid function (which affects all processes) can generate root-privilege processes. [REDACTED]
Fourteenforty Research Institute, Inc. • Gaining Privileges in Android system – root user in Android system is slightly different – The attacker want to take over the whole system • Vendor-Specific Protection – DroidDream won’t work properly on some Japanese Android phones – /system may be Read-Only • Is it possible to take over the system in protected smartphones? 9 rooting isn’t the end
Fourteenforty Research Institute, Inc. Android Internals: App Model • Applications are contained in the Package • Register how “classes” are invoked by Manifest – System calls application “classes” if requested – Activity, Broadcast, ... 10 Package.apk Activity Broadcast Receiver Invoke Application Callback on Event AndroidManifest.xml Android System Install
Fourteenforty Research Institute, Inc. Android Internals: Package • Package itself is only a ZIP archive • AndroidManifest.xml (Manifest) – Application information, permissions – How classes can be called (Activity, BroadcastReceiver...) 11 APK File (ZIP format) AndroidManifest.xml (Manifest) classes.dex (Program) lib/armeabi/* (Native code) ...
Fourteenforty Research Institute, Inc. Android Internals: App Model in File System 12 root file system (/) init init.rc vendor/ data/ system partition (/system) system/ bin/ app_process linker app/lib/ libdvm.so framework/ etc/ vendor/ (symlinked to /vendor) app/ lib/ data partition (/data) app/ lib/ app-private/ data/ build.prop ... default.prop ... ... ... Data Contains Dalvik Code Contains Native Code ... Dalvik host process Dalvik VM Library Trusted by App System Dynamic linker
Fourteenforty Research Institute, Inc. • Important Processes are: – init (The root of all processes) – Zygote Daemon (The root of Android Apps) – System Server (serves many System Services) 13 Android Internals: App Model in Lower Layer init Process Launches some Native Services Service 1 Service 2 ... init (PID=1) System Server App 1 App 2 App 3 ... System Server (serves Services) is directly forked from Zygote Daemon Zygote Daemon All normal Apps are forked from Zygote Daemon when requested
Fourteenforty Research Institute, Inc. Android Internals: Zygote 14 Zygote (app_process) Zygote Daemon Preloaded Libraries (including Dalvik VM itself) System Server App2 App3 fork and specialize for new process Invocation Request (UNIX Domain Socket) Shared Memory /dev/socket/zygote (POSIX permission: 0666)
Fourteenforty Research Institute, Inc. • Android Permission and Protection + Grant by Package Information (Permission Information) - Restrict by Package Location (System or User) - Restrict by Package Signature + Grant by UID/PID (Backdoor?) • Priorities of Activity (User-Interface Element) + Grant by Package Information (Intent Filters) - Restrict by Package Location (System Only) • Legacy Linux Security Model – Grant/Restrict: UID/GID/PID... 15 Android Security: Model
Fourteenforty Research Institute, Inc. • Abstract “Capability” in Android System – More than 100 (Internet connection, retrieve phone number...) • Permissions Checking – Software Checks – GID Checks (some permissions are associated with GIDs) 16 Android Security: Permission App1 App2 Permission: INTERNET The Internet
Fourteenforty Research Institute, Inc. • Permission for User App is Restricted – Some permissions are “protected” • Protection Level – Package Location (signatureOrSystem) – Package Signature (signature, signatureOrSystem) 17 Android Security: Permission Protection User App System App INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES
Fourteenforty Research Institute, Inc. • All Permissions are granted for root processes – Permission Checks are not really Performed • GingerMaster (malware) utilizes this behavior – GingerMaster calls pm command via root shell script – pm is actually a Dalvik program 18 Android Security: Permission Protection User App System App INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES
Fourteenforty Research Institute, Inc. Android Internals: Activity • Activity = Unit of “Action” with User Interface – Specifying object type (target) and action, Activity is called by the system automatically 19 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
Fourteenforty Research Institute, Inc. • Prevent Activity Hooking – High-priority Activity can hide lower Activities • Only System Packages can use Higher Priority – e.g. Android Market (Vending.apk) 20 Android Security: Activity Priorities P=0P=100P=999 User ActivitySystem ActivityUser Activity P=0P=999 0P=100 User ActivityUser ActivitySystem Activity High Priority Low
Fourteenforty Research Institute, Inc. • Simply need to write System Locations – /system/app, /vendor/app... (Normally write-protected) • DEMO 21 Bypassing Security: Activity Priorities P=0P=0P=999 User ActivitySystem ActivitySYSTEM Activity Browser Hooks Real Web Browser High Priority Low
Fourteenforty Research Institute, Inc. • Write System Partition – Overwrite Framework, Applications • Use chroot – Make fake root and make system partition virtually • Use ptrace – Inject Malicious Hooks • root can spoil Android security mechanism. – Or is it? 22 Breaking Security: root can simply...
Fourteenforty Research Institute, Inc. VENDOR-SPECIFIC PROTECTION AOSP is not the everything. 23
Fourteenforty Research Institute, Inc. • Some Android devices have Additional Security Feature – Restrict root privileges to prevent devices to be overwritten • Modification to the Kernel / Board – NAND Lock – Secure [Authenticated] Boot – Integrity Checking – Linux Security Modules (LSM) 24 Vendor-Specific Protection
Fourteenforty Research Institute, Inc. • Reject all WRITE requests to important regions – Boot Loader – System Partition – Recovery Partition • Implemented as a NAND driver / LSM feature • pros. Strong – Prohibits ALL illegal writes in kernel mode • cons. Does not Protect Memory – Does not protect mount points as well – Still can use ptrace / chroot / pivot_root 25 Vendor-Specific: NAND Lock
Fourteenforty Research Institute, Inc. • Prevent Unsigned Boot Loader / Kernel to be Executed – Hardware Implementation: • e.g. nVidia Tegra – Software (Boot Loader) Implementation: • e.g. HTC Vision (Qualcomm’s Implementation) • pros. Hard to Defeat – Haven’t defeated directly • cons. Only Protects Boot Loader / Kernel – Does not Protect On-Memory Boot Loader / Kernel – Most implementations does not Protect System Partition 26 Vendor-Specific: Secure Boot
Fourteenforty Research Institute, Inc. • Verify loaded packages / programs are legitimate – Restrict some features if untrusted packages / programs are loaded • Sharp Corp. : Sphinx (Digest Manager) – Protected Storage in Kernel Mode – Digest Verifier in User-mode (dgstmgrd) • Exports Content Provider • pros. Ability to use Digital Signatures • cons. Easy to avoid if processes can be compromised – e.g. ptrace 27 Vendor-Specific: Integrity Verification
Fourteenforty Research Institute, Inc. • Security Framework in Linux Kernel – Used by SELinux (for example) • LSM to Protect Android System • Sharp Corp. : Deckard LSM / Miyabi LSM – Protect Mount Point (/system) – Prohibit ptrace – Prohibit chroot, pivot_root... • Fujitsu Toshiba Mobile Communications : fjsec – Protect Mount Point (/system) and the FeliCa [subset of NFC] device – Prohibit pivot_root – Path-based / Policy-based Restrictions • Kyocera Corp. : KCLSM 28 Vendor-Specific: Linux Security Modules (1)
Fourteenforty Research Institute, Inc. • LSM (and NAND lock) Stops DroidDream – DroidDream tries to remount /system read-write but it is prohibited by the LSM • pros. Mandatory and Strong – Difficult to Defeat – Capable to Hook System Calls • cons. Difficult to Protect “Everything” – ...unless you know all about Android Internals – That could lead to LSM bypassing • Some holes were fixed though... 29 Vendor-Specific: Linux Security Modules (2)
Fourteenforty Research Institute, Inc. • Restrictions – No Kernel-Mode – No /proc/*/mem, /dev/*mem – No ptrace – No chroot, pivot_root – No writes to system partitions (/system) • But Assume if the attacker can gain root Privileges – Possibility to take over whole system • User-Mode Rootkit 30 Bypassing All Protections
Fourteenforty Research Institute, Inc. YET ANOTHER ANDROID ROOTKIT /protecting/system/is/not/enough/ 31
Fourteenforty Research Institute, Inc. Injecting Hooks: 0 out of 3 32 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root
Fourteenforty Research Institute, Inc. • Facts: – All normal Android Apps are forked from Zygote Daemon – Zygote Daemon forks child on request through UNIX-domain socket • Two plans: – Plan A: Hooking UNIX-domain Socket • Stealthy – Plan B: Generating two Zygote processes • Easy to implement • Flexible 33 Injecting Hooks: Taint Zygote (1)
Fourteenforty Research Institute, Inc. • Exploit race-condition during Initialization of Zygote Daemon – Time until the first process is requested – Window of Vulnerability is very wide (almost 2∼3 seconds) 34 Injecting Hooks: Taint Zygote (Plan A - 1) Zygote Daemon System Server /dev/socket/zygote bind: T0 listen: T1 connect: T2
Fourteenforty Research Institute, Inc. • Exploit race-condition during Initialization of Zygote Daemon – Time until the first process is requested – Window of Vulnerability is very wide (almost 2∼3 seconds) 35 Injecting Hooks: Taint Zygote (Plan A - 2) init (PID=1) Zygote Daemon System Server bind: T0 Pass file descriptor to new Zygote Daemon listen: T1 Start System Server (it does not use socket) connect: T2 Initialization (Preloading Classes, GC...) Window of Vulnerability
Fourteenforty Research Institute, Inc. • Perform Man-in-the-Middle Attack – System Server refers Rootkit’s Socket • Rootkit Injector can restore original Socket to make it stealth – New Apps are requested from one connection between System Server 36 Injecting Hooks: Taint Zygote (Plan A - 3) Zygote Daemon System Server Rootkit Injector Modify Request to Inject Payload written in Java /dev/socket/zygote (moved) /dev/socket/zygote (new; infected)
Fourteenforty Research Institute, Inc. • Pause original Zygote Daemon • Launch Tainted instance of Zygote – Many ways to launch tainted Zygote • Replace socket with rootkit’s one 37 Injecting Hooks: Taint Zygote (Plan B) Zygote Daemon System ServerInfected Zygote Performs like original Zygote (but can perform malicious) /dev/socket/zygote (new; infected) /dev/socket/zygote (moved or deleted)
Fourteenforty Research Institute, Inc. Injecting Hooks: 1 out of 3 38 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes
Fourteenforty Research Institute, Inc. • Assume: The attacker can execute malicious Java class • Modify Dalvik VM state to inject hooks – Read/Write arbitrary memory required – sun.misc.Unsafe class • Dalvik VM (libdvm.so) exports many symbols – Including its Global State (gDvm) – Modifying gDvm enables hook injection 39 Injecting Hooks: Modify Dalvik State libdvm.so ... ... struct DvmGlobals gDvm loadedClasses ... ... struct HashTable info: Class A info: Class B ... Dalvik VM Global State All Classes Information Modify Class Metadata to Inject Hooks
Fourteenforty Research Institute, Inc. Injecting Hooks: 2 out of 3 40 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root libdvm.so ... ... gDvm DvmGlobals ... ... loadedClasses HashTable Real Class ... ... Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly
Fourteenforty Research Institute, Inc. • Easy Implementation Plan: Swap two Classes – e.g. WebView ⇔ FakeWebView – Target = gDvm->loadedClasses – Replacing classes must have exactly same methods 41 Injecting Hooks: Class Replacement/Swapping struct HashTable K1: WebView K2: FakeWebView ... inherit Swap struct HashTable ... K1: FakeWebView K2: WebView before replacement after replacement WebView FakeWebView
Fourteenforty Research Institute, Inc. HashTable Real Class ... Injecting Hooks: Complete! 42 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root libdvm.so ... ... gDvm DvmGlobals ... ... loadedClasses Fake Class Real Class ... Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly Replace class with rootkit’s one
Fourteenforty Research Institute, Inc. • By tainting Zygote, we can hook many of activities including method calls – Rootkit Payload can be implemented in Pure Java • Most of implementation are not so difficult – Be aware of these kind of attacks 43 Conclusion
Fourteenforty Research Institute, Inc. DEMO On-memory modification gives attackers ultimate flexibility. 44
Fourteenforty Research Institute, Inc. BOTTOM LINE Protecting system is not so easy. 45
Fourteenforty Research Institute, Inc. • This Android “weakness” is not a vulnerability alone • This malware is not a really advanced rootkit – Easy to detect, Easy to defeat • But it’s not the point. 46 This is not...
Fourteenforty Research Institute, Inc. • Protection: LSM... – Need to know Android Internals • Difference: Security Requirements – Some Japanese smartphones had higher security requirements – Different than Google expects 47 So, what was wrong?
Fourteenforty Research Institute, Inc. • Low Open Governance Index(1) – Not everything is shared • Vendor have to implement its own LSM and/or protection – Compatibility Issues – e.g. Deckard / Miyabi LSM prohibits all native debugging • Can Google or associations provide additional information to implement proper LSM? – To Defeat Compatibility Issues – To Make implementing Additional Security Easier 48 Android: Open source, Closed platform (1) http://www.visionmobile.com/research.php#OGI
Fourteenforty Research Institute, Inc. • Suggestion: Make policy guidelines to protect Android devices • Suggestion: Understand what’s happening inside the Android system • If the attacker can gain root privileges, the attacker can inject rootkit hooks and monitor App activities • This is easy to protect, but it implies many of other possibilities – Advanced Android malware? • Share the knowledge to protect Android devices! 49 Suggestions / Conclusions
Fourteenforty Research Institute, Inc. 50 Thank You! Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa Oi <oi@fourteenforty.jp>

Recommended

Applied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidApplied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidNational Cheng Kung University
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Pjproject su Android: uno scontro su più livelli
Pjproject su Android: uno scontro su più livelliPjproject su Android: uno scontro su più livelli
Pjproject su Android: uno scontro su più livelliGiacomo Bergami
 
안드로이드 MediaPlayer & VideoView
안드로이드 MediaPlayer & VideoView안드로이드 MediaPlayer & VideoView
안드로이드 MediaPlayer & VideoViewEunjoo Im
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OSJimmy Software
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone National Cheng Kung University
 

Recommended

Applied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidApplied Computer Science Concepts in Android
Applied Computer Science Concepts in AndroidNational Cheng Kung University
 
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesQi -- Lightweight Boot Loader Applied in Mobile and Embedded Devices
Qi -- Lightweight Boot Loader Applied in Mobile and Embedded DevicesNational Cheng Kung University
 
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)
Learning, Analyzing and Protecting Android with TOMOYO Linux (JLS2009)Toshiharu Harada, Ph.D
 
Android Internals
Android InternalsAndroid Internals
Android InternalsOpersys inc.
 
Pjproject su Android: uno scontro su più livelli
Pjproject su Android: uno scontro su più livelliPjproject su Android: uno scontro su più livelli
Pjproject su Android: uno scontro su più livelliGiacomo Bergami
 
안드로이드 MediaPlayer & VideoView
안드로이드 MediaPlayer & VideoView안드로이드 MediaPlayer & VideoView
안드로이드 MediaPlayer & VideoViewEunjoo Im
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OSJimmy Software
 
Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone Discover System Facilities inside Your Android Phone
Discover System Facilities inside Your Android Phone National Cheng Kung University
 
Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDBNational Cheng Kung University
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debuggingAshish Agrawal
 
Dalvik Vm &amp; Jit
Dalvik Vm &amp; JitDalvik Vm &amp; Jit
Dalvik Vm &amp; JitAnkit Somani
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...ijafrc
 
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)Matthias Brugger
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debuggingUtkarsh Mankad
 
Android Custom Kernel/ROM design
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM designMuhammad Najmi Ahmad Zabidi
 
Practice of Android Reverse Engineering
Practice of Android Reverse EngineeringPractice of Android Reverse Engineering
Practice of Android Reverse EngineeringNational Cheng Kung University
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on AndroidToshiharu Harada, Ph.D
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: IntroductionJollen Chen
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverNanik Tolaram
 
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)Nanik Tolaram
 
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012Andrés Gómez
 
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007eLiberatica
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization mentoresd
 
Staying ahead of the multi-core revolution with CDT debug
Staying ahead of the multi-core revolution with CDT debugStaying ahead of the multi-core revolution with CDT debug
Staying ahead of the multi-core revolution with CDT debugmarckhouzam
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 
How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 

More Related Content

What's hot

Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesChris Simmonds
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting SequenceJayanta Ghoshal
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debuggingAshish Agrawal
 
Dalvik Vm &amp; Jit
Dalvik Vm &amp; JitDalvik Vm &amp; Jit
Dalvik Vm &amp; JitAnkit Somani
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updatesGary Bisson
 
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...ijafrc
 
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)Matthias Brugger
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debuggingUtkarsh Mankad
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: IntroductionJollen Chen
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverNanik Tolaram
 
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)Nanik Tolaram
 
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012Andrés Gómez
 
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007eLiberatica
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization mentoresd
 
Staying ahead of the multi-core revolution with CDT debug
Staying ahead of the multi-core revolution with CDT debugStaying ahead of the multi-core revolution with CDT debug
Staying ahead of the multi-core revolution with CDT debugmarckhouzam
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessNanik Tolaram
 

What's hot (20)

Learn C Programming Language by Using GDB
Learn C Programming Language by Using GDBLearn C Programming Language by Using GDB
Learn C Programming Language by Using GDB
 
Booting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot imagesBooting Android: bootloaders, fastboot and boot images
Booting Android: bootloaders, fastboot and boot images
 
Android Booting Sequence
Android Booting SequenceAndroid Booting Sequence
Android Booting Sequence
 
Android crash debugging
Android crash debuggingAndroid crash debugging
Android crash debugging
 
Dalvik Vm &amp; Jit
Dalvik Vm &amp; JitDalvik Vm &amp; Jit
Dalvik Vm &amp; Jit
 
Android OTA updates
Android OTA updatesAndroid OTA updates
Android OTA updates
 
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
 
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
A War Story: Porting Android 4.0 to a Custom Board (ELCE 2012)
 
Android booting sequece and setup and debugging
Android booting sequece and setup and debuggingAndroid booting sequece and setup and debugging
Android booting sequece and setup and debugging
 
Android Custom Kernel/ROM design
Android Custom Kernel/ROM designAndroid Custom Kernel/ROM design
Android Custom Kernel/ROM design
 
Practice of Android Reverse Engineering
Practice of Android Reverse EngineeringPractice of Android Reverse Engineering
Practice of Android Reverse Engineering
 
TOMOYO Linux on Android
TOMOYO Linux on AndroidTOMOYO Linux on Android
TOMOYO Linux on Android
 
Android OS Porting: Introduction
Android OS Porting: IntroductionAndroid OS Porting: Introduction
Android OS Porting: Introduction
 
Learning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device DriverLearning AOSP - Android Linux Device Driver
Learning AOSP - Android Linux Device Driver
 
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
"Learning AOSP" - Android Hardware Abstraction Layer (HAL)
 
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
VCOC BonFIRE presentation at FIRE Engineering Workshop 2012
 
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
"Open Source and Sun" by Vassilis Boulogiorgos @ eLiberatica 2007
 
Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization Profiling Multicore Systems to Maximize Core Utilization
Profiling Multicore Systems to Maximize Core Utilization
 
Staying ahead of the multi-core revolution with CDT debug
Staying ahead of the multi-core revolution with CDT debugStaying ahead of the multi-core revolution with CDT debug
Staying ahead of the multi-core revolution with CDT debug
 
Learning AOSP - Android Booting Process
Learning AOSP - Android Booting ProcessLearning AOSP - Android Booting Process
Learning AOSP - Android Booting Process
 

Similar to Yet Another Android Rootkit

How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesFFRI, Inc.
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_engFFRI, Inc.
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
MR201408 SE for Android Overview
MR201408 SE for Android OverviewMR201408 SE for Android Overview
MR201408 SE for Android OverviewFFRI, Inc.
 
Lab Meeting - 20140902 - Root Guard-Protecting Rooted Android Phones
Lab Meeting - 20140902 - Root Guard-Protecting Rooted Android PhonesLab Meeting - 20140902 - Root Guard-Protecting Rooted Android Phones
Lab Meeting - 20140902 - Root Guard-Protecting Rooted Android PhonesSyuan Wang
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidSam Bowne
 
Extending Android's Platform Toolsuite
Extending Android's Platform ToolsuiteExtending Android's Platform Toolsuite
Extending Android's Platform ToolsuiteOpersys inc.
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Opersys inc.
 
Dori waldman android _course_2
Dori waldman android _course_2Dori waldman android _course_2
Dori waldman android _course_2Dori Waldman
 
Dori waldman android _course
Dori waldman android _courseDori waldman android _course
Dori waldman android _courseDori Waldman
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Codemotion
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 

Similar to Yet Another Android Rootkit (20)

How security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilitiesHow security broken? - Android internals and malware infection possibilities
How security broken? - Android internals and malware infection possibilities
 
Mr201305 tizen security_eng
Mr201305 tizen security_engMr201305 tizen security_eng
Mr201305 tizen security_eng
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
MR201408 SE for Android Overview
MR201408 SE for Android OverviewMR201408 SE for Android Overview
MR201408 SE for Android Overview
 
Lab Meeting - 20140902 - Root Guard-Protecting Rooted Android Phones
Lab Meeting - 20140902 - Root Guard-Protecting Rooted Android PhonesLab Meeting - 20140902 - Root Guard-Protecting Rooted Android Phones
Lab Meeting - 20140902 - Root Guard-Protecting Rooted Android Phones
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
 
Extending Android's Platform Toolsuite
Extending Android's Platform ToolsuiteExtending Android's Platform Toolsuite
Extending Android's Platform Toolsuite
 
Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013Android Internals at Linaro Connect Asia 2013
Android Internals at Linaro Connect Asia 2013
 
128-ch4.pptx
128-ch4.pptx128-ch4.pptx
128-ch4.pptx
 
Dori waldman android _course_2
Dori waldman android _course_2Dori waldman android _course_2
Dori waldman android _course_2
 
Dori waldman android _course
Dori waldman android _courseDori waldman android _course
Dori waldman android _course
 
Android overview
Android overviewAndroid overview
Android overview
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
Init of Android
Init of AndroidInit of Android
Init of Android
 
O p
O pO p
O p
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 

More from FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShellFFRI, Inc.
 

More from FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShell
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Yet Another Android Rootkit

  • 1. Fourteenforty Research Institute, Inc. 1 Fourteenforty Research Institute, Inc. Black Hat Abu Dhabi 2011 Yet Another Android Rootkit /protecting/system/is/not/enough/ Research Engineer – Tsukasa Oi Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp
  • 2. Fourteenforty Research Institute, Inc. • Gaining Administrative Privileges in Android OS – Normally, root cannot be used by Apps – Gaining root Privilege using... • Local Exploits (dangerous) • Fake Firmware Updates (relatively safe) • What for? – Customization, Overclocking – Malicious Use (e.g. DroidDream) • root in Android platform works differently – Permission Checks – Software-based UID/PID checks 2 Introduction: rooting Android
  • 3. Fourteenforty Research Institute, Inc. • Vendors and Careers want to: – Protect Users – Protect Career-specific / Vendor-specific Services – Ensure Smartphones are not Altered and “Radio Legal” – Protect their Business Model  • Answer: “Protect Smartphones” – Prevent Firmware Modification – Patch Framework and Kernel in order to Secure the device 3 Introduction: Japanese smartphones
  • 4. Fourteenforty Research Institute, Inc. • rooting and Android Security – Android Internals and Security Model – Bypassing Security and Gaining Privileges • Vendor-Specific Protection – Kernel-based Mechanism • Yet Another Android Rootkit – User-Mode Rootkit Bypassing Vendor-Specific Protections – Hook User Applications • So what was wrong? – Open source, Closed platform 4 Agenda
  • 5. Fourteenforty Research Institute, Inc. ROOTING AND ANDROID SECURITY rooting Android is not the end of the story. 5
  • 6. Fourteenforty Research Institute, Inc. • Five known root exploits affecting unmodified version of Android – CVE-2009-1185 (exploid) – [no CVE number] (rage against the cage) – CVE-2011-1149 (psneuter) – CVE-2011-1823 (GingerBreak) – CVE-2011-3874 (zergRush) • More of that: Chip/Vendor-specific Vulnerabilities 6 rooting is Sometimes Easy
  • 7. Fourteenforty Research Institute, Inc. • Logic Errors in suid programs – Android Tablet [xxx]: OS command injection rooting : Vulnerabilities (1) 7 The attacker can invoke arbitrary command in root privileges. [REDACTED]
  • 8. Fourteenforty Research Institute, Inc. • Improper User-supplied buffer access – Android smartphone [xxx]: Sensor Device Driver rooting : Vulnerabilities (2) 8 The attacker write [REDACTED] to arbitrary user memory, bypassing copy-on-write. Modifying setuid function (which affects all processes) can generate root-privilege processes. [REDACTED]
  • 9. Fourteenforty Research Institute, Inc. • Gaining Privileges in Android system – root user in Android system is slightly different – The attacker want to take over the whole system • Vendor-Specific Protection – DroidDream won’t work properly on some Japanese Android phones – /system may be Read-Only • Is it possible to take over the system in protected smartphones? 9 rooting isn’t the end
  • 10. Fourteenforty Research Institute, Inc. Android Internals: App Model • Applications are contained in the Package • Register how “classes” are invoked by Manifest – System calls application “classes” if requested – Activity, Broadcast, ... 10 Package.apk Activity Broadcast Receiver Invoke Application Callback on Event AndroidManifest.xml Android System Install
  • 11. Fourteenforty Research Institute, Inc. Android Internals: Package • Package itself is only a ZIP archive • AndroidManifest.xml (Manifest) – Application information, permissions – How classes can be called (Activity, BroadcastReceiver...) 11 APK File (ZIP format) AndroidManifest.xml (Manifest) classes.dex (Program) lib/armeabi/* (Native code) ...
  • 12. Fourteenforty Research Institute, Inc. Android Internals: App Model in File System 12 root file system (/) init init.rc vendor/ data/ system partition (/system) system/ bin/ app_process linker app/lib/ libdvm.so framework/ etc/ vendor/ (symlinked to /vendor) app/ lib/ data partition (/data) app/ lib/ app-private/ data/ build.prop ... default.prop ... ... ... Data Contains Dalvik Code Contains Native Code ... Dalvik host process Dalvik VM Library Trusted by App System Dynamic linker
  • 13. Fourteenforty Research Institute, Inc. • Important Processes are: – init (The root of all processes) – Zygote Daemon (The root of Android Apps) – System Server (serves many System Services) 13 Android Internals: App Model in Lower Layer init Process Launches some Native Services Service 1 Service 2 ... init (PID=1) System Server App 1 App 2 App 3 ... System Server (serves Services) is directly forked from Zygote Daemon Zygote Daemon All normal Apps are forked from Zygote Daemon when requested
  • 14. Fourteenforty Research Institute, Inc. Android Internals: Zygote 14 Zygote (app_process) Zygote Daemon Preloaded Libraries (including Dalvik VM itself) System Server App2 App3 fork and specialize for new process Invocation Request (UNIX Domain Socket) Shared Memory /dev/socket/zygote (POSIX permission: 0666)
  • 15. Fourteenforty Research Institute, Inc. • Android Permission and Protection + Grant by Package Information (Permission Information) - Restrict by Package Location (System or User) - Restrict by Package Signature + Grant by UID/PID (Backdoor?) • Priorities of Activity (User-Interface Element) + Grant by Package Information (Intent Filters) - Restrict by Package Location (System Only) • Legacy Linux Security Model – Grant/Restrict: UID/GID/PID... 15 Android Security: Model
  • 16. Fourteenforty Research Institute, Inc. • Abstract “Capability” in Android System – More than 100 (Internet connection, retrieve phone number...) • Permissions Checking – Software Checks – GID Checks (some permissions are associated with GIDs) 16 Android Security: Permission App1 App2 Permission: INTERNET The Internet
  • 17. Fourteenforty Research Institute, Inc. • Permission for User App is Restricted – Some permissions are “protected” • Protection Level – Package Location (signatureOrSystem) – Package Signature (signature, signatureOrSystem) 17 Android Security: Permission Protection User App System App INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES
  • 18. Fourteenforty Research Institute, Inc. • All Permissions are granted for root processes – Permission Checks are not really Performed • GingerMaster (malware) utilizes this behavior – GingerMaster calls pm command via root shell script – pm is actually a Dalvik program 18 Android Security: Permission Protection User App System App INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES
  • 19. Fourteenforty Research Institute, Inc. Android Internals: Activity • Activity = Unit of “Action” with User Interface – Specifying object type (target) and action, Activity is called by the system automatically 19 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
  • 20. Fourteenforty Research Institute, Inc. • Prevent Activity Hooking – High-priority Activity can hide lower Activities • Only System Packages can use Higher Priority – e.g. Android Market (Vending.apk) 20 Android Security: Activity Priorities P=0P=100P=999 User ActivitySystem ActivityUser Activity P=0P=999 0P=100 User ActivityUser ActivitySystem Activity High Priority Low
  • 21. Fourteenforty Research Institute, Inc. • Simply need to write System Locations – /system/app, /vendor/app... (Normally write-protected) • DEMO 21 Bypassing Security: Activity Priorities P=0P=0P=999 User ActivitySystem ActivitySYSTEM Activity Browser Hooks Real Web Browser High Priority Low
  • 22. Fourteenforty Research Institute, Inc. • Write System Partition – Overwrite Framework, Applications • Use chroot – Make fake root and make system partition virtually • Use ptrace – Inject Malicious Hooks • root can spoil Android security mechanism. – Or is it? 22 Breaking Security: root can simply...
  • 23. Fourteenforty Research Institute, Inc. VENDOR-SPECIFIC PROTECTION AOSP is not the everything. 23
  • 24. Fourteenforty Research Institute, Inc. • Some Android devices have Additional Security Feature – Restrict root privileges to prevent devices to be overwritten • Modification to the Kernel / Board – NAND Lock – Secure [Authenticated] Boot – Integrity Checking – Linux Security Modules (LSM) 24 Vendor-Specific Protection
  • 25. Fourteenforty Research Institute, Inc. • Reject all WRITE requests to important regions – Boot Loader – System Partition – Recovery Partition • Implemented as a NAND driver / LSM feature • pros. Strong – Prohibits ALL illegal writes in kernel mode • cons. Does not Protect Memory – Does not protect mount points as well – Still can use ptrace / chroot / pivot_root 25 Vendor-Specific: NAND Lock
  • 26. Fourteenforty Research Institute, Inc. • Prevent Unsigned Boot Loader / Kernel to be Executed – Hardware Implementation: • e.g. nVidia Tegra – Software (Boot Loader) Implementation: • e.g. HTC Vision (Qualcomm’s Implementation) • pros. Hard to Defeat – Haven’t defeated directly • cons. Only Protects Boot Loader / Kernel – Does not Protect On-Memory Boot Loader / Kernel – Most implementations does not Protect System Partition 26 Vendor-Specific: Secure Boot
  • 27. Fourteenforty Research Institute, Inc. • Verify loaded packages / programs are legitimate – Restrict some features if untrusted packages / programs are loaded • Sharp Corp. : Sphinx (Digest Manager) – Protected Storage in Kernel Mode – Digest Verifier in User-mode (dgstmgrd) • Exports Content Provider • pros. Ability to use Digital Signatures • cons. Easy to avoid if processes can be compromised – e.g. ptrace 27 Vendor-Specific: Integrity Verification
  • 28. Fourteenforty Research Institute, Inc. • Security Framework in Linux Kernel – Used by SELinux (for example) • LSM to Protect Android System • Sharp Corp. : Deckard LSM / Miyabi LSM – Protect Mount Point (/system) – Prohibit ptrace – Prohibit chroot, pivot_root... • Fujitsu Toshiba Mobile Communications : fjsec – Protect Mount Point (/system) and the FeliCa [subset of NFC] device – Prohibit pivot_root – Path-based / Policy-based Restrictions • Kyocera Corp. : KCLSM 28 Vendor-Specific: Linux Security Modules (1)
  • 29. Fourteenforty Research Institute, Inc. • LSM (and NAND lock) Stops DroidDream – DroidDream tries to remount /system read-write but it is prohibited by the LSM • pros. Mandatory and Strong – Difficult to Defeat – Capable to Hook System Calls • cons. Difficult to Protect “Everything” – ...unless you know all about Android Internals – That could lead to LSM bypassing • Some holes were fixed though... 29 Vendor-Specific: Linux Security Modules (2)
  • 30. Fourteenforty Research Institute, Inc. • Restrictions – No Kernel-Mode – No /proc/*/mem, /dev/*mem – No ptrace – No chroot, pivot_root – No writes to system partitions (/system) • But Assume if the attacker can gain root Privileges – Possibility to take over whole system • User-Mode Rootkit 30 Bypassing All Protections
  • 31. Fourteenforty Research Institute, Inc. YET ANOTHER ANDROID ROOTKIT /protecting/system/is/not/enough/ 31
  • 32. Fourteenforty Research Institute, Inc. Injecting Hooks: 0 out of 3 32 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root
  • 33. Fourteenforty Research Institute, Inc. • Facts: – All normal Android Apps are forked from Zygote Daemon – Zygote Daemon forks child on request through UNIX-domain socket • Two plans: – Plan A: Hooking UNIX-domain Socket • Stealthy – Plan B: Generating two Zygote processes • Easy to implement • Flexible 33 Injecting Hooks: Taint Zygote (1)
  • 34. Fourteenforty Research Institute, Inc. • Exploit race-condition during Initialization of Zygote Daemon – Time until the first process is requested – Window of Vulnerability is very wide (almost 2∼3 seconds) 34 Injecting Hooks: Taint Zygote (Plan A - 1) Zygote Daemon System Server /dev/socket/zygote bind: T0 listen: T1 connect: T2
  • 35. Fourteenforty Research Institute, Inc. • Exploit race-condition during Initialization of Zygote Daemon – Time until the first process is requested – Window of Vulnerability is very wide (almost 2∼3 seconds) 35 Injecting Hooks: Taint Zygote (Plan A - 2) init (PID=1) Zygote Daemon System Server bind: T0 Pass file descriptor to new Zygote Daemon listen: T1 Start System Server (it does not use socket) connect: T2 Initialization (Preloading Classes, GC...) Window of Vulnerability
  • 36. Fourteenforty Research Institute, Inc. • Perform Man-in-the-Middle Attack – System Server refers Rootkit’s Socket • Rootkit Injector can restore original Socket to make it stealth – New Apps are requested from one connection between System Server 36 Injecting Hooks: Taint Zygote (Plan A - 3) Zygote Daemon System Server Rootkit Injector Modify Request to Inject Payload written in Java /dev/socket/zygote (moved) /dev/socket/zygote (new; infected)
  • 37. Fourteenforty Research Institute, Inc. • Pause original Zygote Daemon • Launch Tainted instance of Zygote – Many ways to launch tainted Zygote • Replace socket with rootkit’s one 37 Injecting Hooks: Taint Zygote (Plan B) Zygote Daemon System ServerInfected Zygote Performs like original Zygote (but can perform malicious) /dev/socket/zygote (new; infected) /dev/socket/zygote (moved or deleted)
  • 38. Fourteenforty Research Institute, Inc. Injecting Hooks: 1 out of 3 38 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes
  • 39. Fourteenforty Research Institute, Inc. • Assume: The attacker can execute malicious Java class • Modify Dalvik VM state to inject hooks – Read/Write arbitrary memory required – sun.misc.Unsafe class • Dalvik VM (libdvm.so) exports many symbols – Including its Global State (gDvm) – Modifying gDvm enables hook injection 39 Injecting Hooks: Modify Dalvik State libdvm.so ... ... struct DvmGlobals gDvm loadedClasses ... ... struct HashTable info: Class A info: Class B ... Dalvik VM Global State All Classes Information Modify Class Metadata to Inject Hooks
  • 40. Fourteenforty Research Institute, Inc. Injecting Hooks: 2 out of 3 40 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root libdvm.so ... ... gDvm DvmGlobals ... ... loadedClasses HashTable Real Class ... ... Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly
  • 41. Fourteenforty Research Institute, Inc. • Easy Implementation Plan: Swap two Classes – e.g. WebView ⇔ FakeWebView – Target = gDvm->loadedClasses – Replacing classes must have exactly same methods 41 Injecting Hooks: Class Replacement/Swapping struct HashTable K1: WebView K2: FakeWebView ... inherit Swap struct HashTable ... K1: FakeWebView K2: WebView before replacement after replacement WebView FakeWebView
  • 42. Fourteenforty Research Institute, Inc. HashTable Real Class ... Injecting Hooks: Complete! 42 Having Fun! Replace ClassModify Dalvik StateTaint Zygote Gaining root libdvm.so ... ... gDvm DvmGlobals ... ... loadedClasses Fake Class Real Class ... Tainted Process Real Program ... Rootkit Payload Tainted Zygote Taint Zygote to make tainted processes Access Dalvik VM State Directly Replace class with rootkit’s one
  • 43. Fourteenforty Research Institute, Inc. • By tainting Zygote, we can hook many of activities including method calls – Rootkit Payload can be implemented in Pure Java • Most of implementation are not so difficult – Be aware of these kind of attacks 43 Conclusion
  • 44. Fourteenforty Research Institute, Inc. DEMO On-memory modification gives attackers ultimate flexibility. 44
  • 45. Fourteenforty Research Institute, Inc. BOTTOM LINE Protecting system is not so easy. 45
  • 46. Fourteenforty Research Institute, Inc. • This Android “weakness” is not a vulnerability alone • This malware is not a really advanced rootkit – Easy to detect, Easy to defeat • But it’s not the point. 46 This is not...
  • 47. Fourteenforty Research Institute, Inc. • Protection: LSM... – Need to know Android Internals • Difference: Security Requirements – Some Japanese smartphones had higher security requirements – Different than Google expects 47 So, what was wrong?
  • 48. Fourteenforty Research Institute, Inc. • Low Open Governance Index(1) – Not everything is shared • Vendor have to implement its own LSM and/or protection – Compatibility Issues – e.g. Deckard / Miyabi LSM prohibits all native debugging • Can Google or associations provide additional information to implement proper LSM? – To Defeat Compatibility Issues – To Make implementing Additional Security Easier 48 Android: Open source, Closed platform (1) http://www.visionmobile.com/research.php#OGI
  • 49. Fourteenforty Research Institute, Inc. • Suggestion: Make policy guidelines to protect Android devices • Suggestion: Understand what’s happening inside the Android system • If the attacker can gain root privileges, the attacker can inject rootkit hooks and monitor App activities • This is easy to protect, but it implies many of other possibilities – Advanced Android malware? • Share the knowledge to protect Android devices! 49 Suggestions / Conclusions
  • 50. Fourteenforty Research Institute, Inc. 50 Thank You! Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa Oi <oi@fourteenforty.jp>