Exploiting Media Projection Vulnerability in Android 7 and below

Prakhar Agarwal
Supervisor - Prof. Sandeep Shukla
Indian Institute of Technology, Kanpur

home.iitk.ac.in/~pkhrag/cs396a/pres.pdf · 2018-04-27

Outline

▪ Introduction
  – What is Android?
  – Android Architecture
  – Android Applications

▪ Android Security
  – Why?
  – Sandboxing
  – Permission System

▪ Media Projection Vulnerability and Exploit

▪ Countermeasures and Other attacks

▪ Demonstration

Introduction

Android

▪ Operating system for mobile devices

▪ Linux kernel based

▪ Open-source, developed by Google

▪ Dalvik Virtual Machine (DVM) for Android apps

▪ Latest Version – 8.0 (Oreo)

Android Versions

Source: https://templatebench.com/android-operating-system-history/

Android Architecture

[Diagram: layered stack, top to bottom]

▪ Default apps (Calls, SMS) and third-party apps (Paytm, Spotify)

▪ Java API Framework

▪ Native libs (C / C++) and Android Runtime (Dalvik / ART)

▪ Hardware Abstraction Layer

▪ Linux Kernel (modified)

Android Application

▪ Application Manifest

▪ Intent

▪ Activity

▪ Broadcast Receiver

▪ Service

▪ Content Provider

Source: http://rosixtechnology.com/android-mobile-application-developers-in-ahmedabad

Android Architecture (cont.)

▪ Java API Framework
  – Provides packages/classes for common tasks (managing UI)
  – Package Manager, Activity Manager, etc.

▪ Native libs
  – Libraries for hardware support
  – Core services (init, ADB, etc.)

▪ DVM
  – Optimized VMs for speed and memory

▪ Kernel
  – Derived from Linux kernel
  – Uses flash memory instead of magnetic drives

Android Security

Why Android Security

Source: https://www.idc.com/promo/smartphone-market-share/os

▪ Significant market share

▪ Open Source

▪ Large ecosystem

▪ User activity and data

▪ Billions of users

Application Sandboxing

[Diagram: App 1 (UID A), App 2 (UID B) and App 3 (UID C) are separated by process boundaries; each reaches the kernel through syscalls]

▪ Isolated Apps

▪ Only access own/allowed resources

▪ Inherited from Linux

Android Permission System

▪ Mentioned in Android Manifest

▪ Assigned to Sandbox

▪ Can be defined by Developer

[Diagram labels: Application, Permissions, System Data, System Interfaces, System Resources]

Permission Protection Level

▪ Normal
  – Access data/resource outside sandbox
  – Little risk to user’s privacy
  – Bluetooth, Vibrate, Set alarm, etc.

▪ Signature
  – Requesting and declaring app signed by same certificate
  – Clear app cache, force stop packages, etc.

▪ Dangerous
  – Requests access to user’s private information
  – Camera, send SMS, call, etc.

▪ System
  – System alert, access USB, etc.

Dynamic Permissions

▪ Dangerous permissions are requested at runtime

▪ Permissions are granted at runtime

▪ Can be revoked by the user once granted

▪ Present in Android 6.0 onwards

Source: https://inthecheesefactory.com/blog/things-you-need-to-know-about-android-m-permission-developer-edition/en

Media Projection

▪ Handles screen capture and system audio record

▪ Present in Android 5.0 Lollipop onwards

▪ Can capture media from third-party and system apps

▪ Does not require any permission or root

▪ Listed as CVE-2015-3878 in Common Vulnerabilities and Exposures

▪ Patched on Android 8.0

▪ Still exists on Android 5.0 – 7.1
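
Because Media Projection needs no permission on these versions, a review of an app's requested permissions will not reveal that it uses the API. The following is an added example, not part of the original slides: it triages an APK by scanning its dex files for the Media Projection class descriptors. The function names and the in-memory sample APKs are constructed for illustration.

```python
import io
import zipfile

# Dex type descriptors of the Media Projection API classes (API level 21+).
PROJECTION_DESCRIPTORS = (
    b"Landroid/media/projection/MediaProjectionManager;",
    b"Landroid/media/projection/MediaProjection;",
)
# Affected range from the slide: Android 5.0 - 7.1, i.e. API levels 21-25.
AFFECTED_API_LEVELS = range(21, 26)

def projection_references(apk_bytes):
    """Return {dex name: [descriptors found]} for each classes*.dex in the APK."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            data = apk.read(name)
            # ASCII descriptors are stored byte-for-byte in the dex string pool.
            found = [d.decode() for d in PROJECTION_DESCRIPTORS if d in data]
            if found:
                hits[name] = found
    return hits

def triage(apk_bytes, device_api_level):
    """Classify an APK for manual review on a device of the given API level."""
    if not projection_references(apk_bytes):
        return "no-projection-api"
    if device_api_level in AFFECTED_API_LEVELS:
        return "review: projection API on affected Android version"
    return "projection API present, device outside affected range"

def _constructed_apk(dex_payloads):
    """Build an in-memory ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in dex_payloads.items():
            z.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: a multi-dex app that references the API, and one that does not.
SAMPLE_RECORDER = _constructed_apk({
    "classes.dex": b"dex\n035\x00Lcom/example/Main;",
    "classes2.dex": b"dex\n035\x00" + PROJECTION_DESCRIPTORS[0],
})
SAMPLE_PLAIN = _constructed_apk({"classes.dex": b"dex\n035\x00Lcom/example/Main;"})
```

A hit only means the API is referenced, which legitimate screen recorders also do; an empty result does not clear an app that loads code dynamically or resolves the class by reflection with an obfuscated name.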

Media Projection Vulnerability

Source: https://latesthackingnews.com/2017/11/20/android-issue-allows-attackers-to-capture-screen-and-record-audio-on-77-of-all-devices/

Countermeasures

▪ Users update Android version if supported

▪ Patch for lower Android versions

▪ Users keep security patches up to date

▪ Take care before granting permissions

Other Attacks and Vulnerabilities

▪ Confused Deputy Attack
  – Over-privileged apps

▪ Collusion Attacks
  – Share permissions between 2 or more apps

▪ Phishing Attacks
  – Instant Apps

Demonstration of Exploit

Acknowledgement

▪ “Android Hacker’s book” - Joshua J. Drake, Pau Oliva Fora, Zach Lanier, Collin Mulliner, Stephen A. Ridley, Georg Wicherski

▪ “The State of Android Security” – SOTA presentation, Saurabh Kumar

▪ https://github.com/JakeWharton/Telecine

▪ https://www.cvedetails.com/

▪ https://developer.android.com/

Thanks