MAN IN THE BINDER: MONSTERS UNDER THE HOOD
Michael Shalyt, Malware Research Team Leader @ Check Point
Idan Revivo, Mobile Malware Researcher @ Check Point
A Hack in Three Acts
Act I – Know Your Droid
Act II – Attack Your Droid
Act III – Prepare Your Droid
Nitay Artenstein, Idan Revivo, Michael Shalyt
Name: Kitty Bank. Occupation: Bank Application. “U want KitCoins – we haz it”
Name: Kitty-ninja. Occupation: Script kiddy. “Mommy, can I rob this bank?”
Name: Paw of Death. Occupation: Black belt ninja hacker. “To rob a bank, you must first become the bank”
Name: System Service. Occupation: Sitting and waiting to serve your needs. These things run Android!
Name: $ echo `uname -r`. Occupation: Holding the world on its shoulders since 1.1.1970. Feeling neglected now that system services get all the attention on Android
Name: The Binder. Occupation: All Powerful Mystery Character ?
An Application’s Life On Windows
[Diagram: the application talks to the kernel directly through syscalls]
An Application’s Life On Android
[Diagram: the application reaches the kernel through several layers of syscalls]
Android – The Real Picture
[Diagram: Bank Application Process (application, DalvikVM, libandroid_runtime.so, proxy, /system/libbinder.so) → parcel → syscall → kernel (/dev/binder, /dev/tty0) → parcel → System Service Process (System services, DalvikVM, libandroid_runtime.so, libbinder.so, /system/lib*.so)]
• Binder has a userland component (libbinder.so) and a kernel one (the /dev/binder driver)
• The driver receives the Parcel via an ioctl syscall and delivers it to the target process
What’s a Parcel?
Playing MP3
[Diagram: Kitty Player App (DalvikVM, libbinder.so) → Parcels → syscalls → /dev/binder in the kernel → Parcels → Audio Manager system service]
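As an added example (not from the talk and not Android's own code), the following Python models the flat buffer that libbinder hands to the /dev/binder ioctl: int32 fields are four little-endian bytes, string16 fields are a code-unit count followed by UTF-16LE text, a terminator and zero padding to a 4-byte boundary. The interface name `com.kittybank.IBankService`, the account field and the leading header slot value are constructed for illustration; in real Android the header int is the strict-mode policy written by IPCThreadState, which this toy writes as 0. The point is what the Parcel-level view shows: every field of an in-app request crosses the process boundary in the clear, which is why the deck's developer advice is to minimize and encrypt what goes through IPC.

```python
import struct


def _pad4(n):
    """Round n up to the next multiple of 4; Parcel keeps every field 4-byte aligned."""
    return (n + 3) & ~3


class Parcel:
    """Toy model of the flat buffer libbinder hands to /dev/binder (constructed here to
    follow the layout of Android's Parcel::writeInt32 / writeString16; not Android code)."""

    def __init__(self, data=b""):
        self.data = bytearray(data)
        self.pos = 0

    def write_int32(self, value):
        self.data += struct.pack("<i", value)

    def write_string16(self, text):
        if text is None:
            self.write_int32(-1)            # null string marker
            return
        units = text.encode("utf-16-le")
        self.write_int32(len(units) // 2)   # length in UTF-16 code units, not bytes
        raw = units + b"\x00\x00"           # NUL terminator
        self.data += raw + b"\x00" * (_pad4(len(raw)) - len(raw))

    def read_int32(self):
        (value,) = struct.unpack_from("<i", self.data, self.pos)
        self.pos += 4
        return value

    def read_string16(self):
        n = self.read_int32()
        if n < 0:
            return None
        raw_len = (n + 1) * 2               # chars plus terminator
        units = bytes(self.data[self.pos:self.pos + n * 2])
        self.pos += _pad4(raw_len)          # skip terminator and alignment padding
        return units.decode("utf-16-le")


def build_transfer_parcel(interface, dest_account, amount_cents):
    """Encode a hypothetical 'transfer' call the way a Binder proxy would flatten it."""
    p = Parcel()
    p.write_int32(0)                 # header slot (assumption: real value is the strict-mode policy)
    p.write_string16(interface)      # interface token, e.g. the hypothetical com.kittybank.IBankService
    p.write_string16(dest_account)   # constructed in-app field
    p.write_int32(amount_cents)      # constructed in-app field
    return bytes(p.data)


def decode_transfer_parcel(buf):
    """What anything sitting at the ioctl boundary can read back without any key."""
    p = Parcel(buf)
    p.read_int32()                   # header slot
    return {
        "interface": p.read_string16(),
        "dest_account": p.read_string16(),
        "amount_cents": p.read_int32(),
    }


if __name__ == "__main__":
    buf = build_transfer_parcel("com.kittybank.IBankService", "IL-0042", 100000)
    print(len(buf), "bytes on the wire:", buf.hex())
    print(decode_transfer_parcel(buf))
```

Running the module prints the 88-byte buffer and the fully recovered fields; an application that wants the account and amount opaque to a compromised IPC path has to encrypt them itself before they reach the Parcel.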
A short recap
Round I Key Logging
A n00b Attacker’s View of The System
What Would The n00b Attacker Do?
A Ninja Attacker’s View of The System
What Would The Ninja Attacker Do?
Key Logger Demo
What Would The Ninja Attacker Do?
Round II Data Manipulation
A n00b Attacker’s View of The System
[Diagram: Activity, Activity, Activity]
In-app Activity Initialization
What Would The n00b Attacker Do? Bye Kitty Bank, Hello Shi**y Bank
A Ninja Attacker’s View of The System: Activity Manager
In-app data goes through Binder???
What Would The Ninja Attacker Do? Activity Manager
A trillion dollars, anyone?
Data Manipulation Demo
What Would The Ninja Attacker Do?
Round III Intercepting SMS
A n00b Attacker’s View of The System
Telephony Manager
What Would The n00b Attacker Do?
A Ninja Attacker’s View of The System
What Would The Ninja Attacker Do?
SMS internals
• The Telephony Manager notifies the SMS app whenever an SMS is received.
• The app queries the TM’s database via Binder.
• But what’s a Cursor object? It’s a messy abstraction of a response to a query.
• Surprise: under the hood, the response is just a Unix fd. Now we’re in business!
What Would The Ninja Attacker Do?
Summary What Just Happened?
Attacking The Binder
• Hook libbinder.so at the point where it sends an ioctl to the kernel
• Stealth: dozens of places to hook
• But don’t you need root?
Attacking The Binder
Vulnerable to known rooting exploits
Consider The Possibilities
Summary
Features:
• Versatility: one hook – multiple functionalities.
• App agnostic: no need to RE apps.
• Stealth: the Android security model limits 3rd party security apps just like any other app.
Summary
• This is NOT a vulnerability. It’s like man-in-the-browser, but for literally everything on Android.
• Root is assumed. Rooting won’t go away any time soon.
Rumors (You didn’t hear it from me…)
Solutions – for developers
• Take control of your own process memory space.
• Minimize the amount of data going to IPC, and encrypt what has to go.
Solutions – for security industry
• Scan files like it’s the 90’s.
• Be brave – get root yourself:
  • Runtime process scanning and monitoring.
  • Software firewall (like Avast).
  • Binder firewall/anomaly detection.
  • Etc.
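One concrete form of the "runtime process scanning" item, written as an added example rather than anything from the talk: a rooted monitoring component reads /proc/<pid>/maps of a process such as system_server and flags executable mappings that do not come from the system image. A hook placed in libbinder.so's ioctl path has to live somewhere, and the most common places (a shared object injected from a writable path, or an anonymous writable+executable region) stand out against a stock image. The maps text below is constructed, the file names `libhook.so` and `libnative.so` are made up, and the allow-list assumes a 2014-era layout (/system, /vendor, app-lib); newer builds need more prefixes, and Dalvik's own JIT cache is allowed because it is legitimately writable and executable.

```python
import re

# Where code is expected to execute from on a stock image (assumption: 2014-era layout).
DEFAULT_ALLOWED = ("/system/", "/vendor/", "/data/app-lib/", "/data/app/")
# Dalvik's JIT legitimately keeps a writable+executable anonymous cache.
ANON_ALLOWED = re.compile(r"dalvik-jit-code-cache")

# Constructed /proc/<pid>/maps excerpt; the two last mappings are the ones a hook would create.
SAMPLE_MAPS = """\
40008000-4002a000 r-xp 00000000 b3:0c 1025 /system/lib/libbinder.so
4002a000-4002d000 rw-p 00022000 b3:0c 1025 /system/lib/libbinder.so
40100000-40180000 r-xp 00000000 b3:0c 1090 /system/lib/libandroid_runtime.so
41000000-41100000 rwxp 00000000 00:00 0 /dev/ashmem/dalvik-jit-code-cache (deleted)
5c000000-5c010000 r-xp 00000000 b3:0c 2048 /data/app-lib/com.kittybank-1/libnative.so
5d000000-5d004000 r-xp 00000000 b3:19 777 /data/local/tmp/libhook.so
5e000000-5e002000 rwxp 00000000 00:00 0 
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
"""


def parse_maps(maps_text):
    """Yield (start, end, perms, path) for each maps line; path is '' for anonymous regions."""
    for line in maps_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 5)           # address perms offset dev inode [pathname]
        start, end = parts[0].split("-")
        perms = parts[1]
        path = parts[5].strip() if len(parts) > 5 else ""
        path = path.replace(" (deleted)", "")  # unlinked backing file, keep the name
        yield start, end, perms, path


def suspicious_exec_mappings(maps_text, allowed_prefixes=DEFAULT_ALLOWED):
    """Return descriptors of executable mappings that a stock image would not contain."""
    findings = []
    for start, end, perms, path in parse_maps(maps_text):
        if "x" not in perms:
            continue                           # data, stack, heap: not where a hook executes
        if path.startswith("["):
            continue                           # kernel-provided regions such as [vectors]
        if path.startswith(allowed_prefixes) or ANON_ALLOWED.search(path):
            continue
        if path == "":
            findings.append("<anonymous %s-%s>" % (start, end))
        else:
            findings.append(path)
    return findings


def read_process_maps(pid):
    """Read the live maps of a process; needs root for processes you do not own."""
    with open("/proc/%d/maps" % pid) as fh:
        return fh.read()


if __name__ == "__main__":
    for finding in suspicious_exec_mappings(SAMPLE_MAPS):
        print("unexpected executable mapping:", finding)
```

The same check can be run periodically over every process that holds a Binder client, or paired with a comparison of libbinder.so's in-memory code pages against the on-disk copy to catch inline patches that leave no extra mapping behind.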
Further Reading
[1] White paper: “Man in the Binder”, Artenstein and Revivo
[2] “On the Reconstruction of Android Malware Behaviors”, Fatori, Tam et al.
[3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner
What are you trying to tell me? That I can get all permissions on a device? No.
I’m trying to tell you that when you’re ready, you won’t have to.