This document discusses Android application security and how a malicious attacker could intercept and manipulate application data and system services by exploiting the Android Binder inter-process communication (IPC) mechanism. It describes how even novice attackers could potentially perform keylogging or manipulate banking applications, while more advanced "ninja" attackers could intercept SMS messages by hooking into the Binder driver. The core issue is that because all application data and system service requests must pass through Binder, an attacker with root access could intercept this traffic covertly without needing to reverse engineer individual apps. Solutions proposed include app developers better securing their own processes and data, while security firms should explore more proactive monitoring techniques.

1. MAN IN THE BINDER: MONSTERS UNDER THE
HOOD
Michael Shalyt
Malware Research Team Leader @ Check Point
Idan Revivo
Mobile Malware Researcher @ Check Point

2. A
Hack
in
Three
Acts
Act
I
–
Know
Your
Droid
Act
II
–
A8ack
Your
Droid
Act
III
–
Prepare
Your
Droid

4. Nitay
Artenstein
Idan
Revivo
Michael
Shalyt

5. Name:
Ki9y
Bank
Occupa?on:
Bank
Applica?on
“U
want
KitCoins
–
we
haz
it”

6. Name:
Ki9y-­‐ninja
Occupa?on:
Script
kiddy
“Mommy,
can
I
rob
this
bank?”

7. Name:
Paw
of
Death
Occupa?on:
Black
belt
ninja
hacker
“To
rob
a
bank,
you
must
first
become
the
bank”

8. Name:
System
Service
Occupa?on:
SiQng
and
wai?ng
to
serve
your
needs
These
things
run
Android!

9. Name:
$
echo
`uname
–r`
Occupa?on:
Holding
the
world
on
its
shoulders
since
1.1.1970
Feeling
neglected
now
that
system
services
get
all
the
a9en?on
on
Android

10. Name:
The
Binder
Occupa?on:
All
Powerful
Mystery
Character
?

12. An
Applica<on’s
Life
On
Windows
Syscalls

13. An
Applica<on’s
Life
On
Android
Syscalls
Syscalls
Syscalls

14. Android
–
The
Real
Picture
Syscalls
Syscalls

15. /dev/binder
/dev/9y0
libbinder.so
kernel
/system/libbinder.so
/system/lib*.so
DalvikVM
DalvikVM
syscall
parcel
parcel
Bank
Applica?on
Process
System
Service
Process
applica?on
System
services
proxy
libandroid_run?me.so
libandroid_run?me.so
System
Service
• Binder
has
a
userland
component
and
a
kernel
one
• The
driver
receives
the
Parcel
via
an
ioctl
syscall
and
sends
it
to
the
target
processes

16. What’s
a
Parcel?

17. Playing
MP3

18. libbinder.so
DalvikVM
Ki9y
Player
App
Parcels
Syscalls
Parcels
Audio
Manager
/dev/binder
/system/
libbinder.so
kernel
A
short
recap

21. Round
I
Key
Logging

22. A
n00b
A8acker’s
View
of
The
System

23. What
Would
The
n00b
A8acker
Do?

24. What
Would
The
n00b
A8acker
Do?

25. What
Would
The
n00b
A8acker
Do?

26. A
Ninja
A8acker’s
View
of
The
System

27. What
Would
The
Ninja
A8acker
Do?

28. Key
Logger
Demo

29. What
Would
The
Ninja
A8acker
Do?

30. Round
II
Data
Manipula<on

31. A
n00b
A8acker’s
View
of
The
System
Ac?vity
Ac?vity
Ac?vity

32. In-­‐app
Ac<vity
Ini<aliza<on

33. What
Would
The
n00b
A8acker
Do?
Bye
Ki8y
Bank
,
Hello
Shi**y
Bank

34. What
Would
The
n00b
A8acker
Do?
Bye
Ki8y
Bank
,
Hello
Shi**y
Bank

35. A
Ninja
A8acker’s
View
of
The
System
Ac?vity
Manager

36. In-­‐app
data
goes
through
Binder???

37. A
Ninja
A8acker’s
View
of
The
System
Ac?vity
Manager

38. What
Would
The
Ninja
A8acker
Do?
Ac?vity
Manager

39. A
trillion
dollars,
anyone?

40. Data
Manipula<on
Demo

41. What
Would
The
Ninja
A8acker
Do?

42. Round
III
Intercep<ng
SMS

43. A
n00b
A8acker’s
View
of
The
System
Telephony
Manager

44. What
Would
The
n00b
A8acker
Do?

45. What
Would
The
n00b
A8acker
Do?

46. A
Ninja
A8acker’s
View
of
The
System

47. What
Would
The
Ninja
A8acker
Do?

48. SMS
internals
• The
Telephony
Manager
no?fies
the
SMS
app
whenever
an
SMS
is
received.
• The
app
queries
the
TM’s
database.
• Under
the
hood,
the
response
is
just
a
Unix
fd.

49. SMS
internals
• The
Telephony
Manager
no?fies
the
SMS
app
whenever
an
SMS
is
received
• The
app
queries
the
TM’s
database
via
Binder:

50. SMS
internals
• But
what’s
a
Cursor
object?
• It’s
a
messy
abstrac?on
of
a
response
to
a
query

51. SMS
internals
• Surprise:
Under
the
hood,
it’s
just
a
Unix
fd
• Now
we’re
in
business!

52. What
Would
The
Ninja
A8acker
Do?

53. Summary
What
Just
Happened?

54. A8acking
The
Binder
• Hook
libbinder.so
at
the
point
where
it
sends
an
ioctl
to
the
kernel
• Stealth:
dozens
of
places
to
hook
• But
don’t
you
need
root?

55. A8acking
The
Binder
Vulnerable
to
known
roo?ng
exploits

56. Consider
The
Possibili?es

57. Summary
Features:
• Versa?lity:
one
hook
–
mul?ple
func?onali?es.
• App
agnos?c:
no
need
to
RE
apps.
• Stealth:
the
Android
security
model
limits
3rd
party
security
apps
just
like
any
other
app.

58. Summary
• This
is
NOT
a
vulnerability.
It’s
like
man-­‐in-­‐the-­‐
browser,
but
for
literally
everything
on
Android.
• Root
is
assumed.
Roo?ng
won’t
go
away
any
?me
soon.

59. Rumors
(You
didn’t
hear
it
from
me…)

61. Solu<ons
–
for
developers
• Take
control
of
your
own
process
memory
space.
• Minimize
the
amount
of
data
going
to
IPC,
and
encrypt
what
has
to
go.

62. Solu<ons
–
for
security
industry
• Scan
files
like
it’s
the
90’s.
• Be
brave
–
get
root
yourself:
• Run?me
process
scanning
and
monitoring.
• Sofware
firewall
(like
Avast).
• Binder
firewall/anomaly
detec?on.
• Etc.

63. Further
Reading
[1]
White
paper:
“Man
in
the
Binder”,
Artenstein
and
Revivo
[2]
“On
the
Reconstruc?on
of
Android
Malware
Behaviors”,
Fatori,
Tam
et
al
[3]
“Binderwall:
Monitoring
and
Filtering
Android
Interprocess
Communica?on”,
Hausner

64. What
are
you
trying
to
tell
me?
That
I
can
get
all
permissions
on
a
device?
No.
I’m
trying
to
tell
you
that
when
you’re
ready,
you
won’t
have
to