LBE arbitrary number interception vulnerability and solution
LBE exports its blacklist, whitelist and keyword interception databases to third-party programs through a ContentProvider without verifying the caller. As a result, the interception function can be abused.
1. AndroidManifest.xml explicitly exports the "com.lbe.security.phone" provider without adding any permission restriction.
<provider android:authorities="com.lbe.security.phone" android:enabled="true" android:exported="true" android:name="com.lbe.security.service.phone.provider.TelephonyProvider" android:process=":service" />
2. The exported ContentProvider exposes the following URIs:
content://com.lbe.security.phone/blacklist (blocking blacklist management)
content://com.lbe.security.phone/whitelist (whitelist management)
content://com.lbe.security.phone/keyword (blocking keywords)
content://com.lbe.security.phone/marker (unknown number marks)
content://com.lbe.security.phone/baselist (basic data management, used to store rules)
content://com.lbe.security.phone/blocklog (blocking logs), with entries for:
    Sms
    Mms
    Call
content://com.lbe.security.phone/ipwhitelist
content://com.lbe.security.phone/yellow_page_cache
content://com.lbe.security.phone/user_permit_number
3. When the LBE interception feature is enabled, a third-party program can control the phone's calls and text messages through the URIs listed above.
Vulnerability threat
1. Blacklist management lets a third-party program intercept calls or text messages without holding any permission, and the whitelist lets any call or text message through, so the original interception function no longer serves its purpose.
2. Compared with existing malicious code: current payment Trojans have to listen for text messages to obtain the payment verification code, which requires SMS-related permissions and is therefore easily caught by active defense software. The LBE function, however, lets malicious code obtain the payment verification code without any permission.
3. SMS-controlled Trojans can likewise filter their command text messages without any permission, giving them a relatively hidden control channel.
1) Modify the blacklist database; the apply_to column is the interception type (SMS or phone).
Figure 2: blacklist inserted successfully
2) Obtain the interception record and read the intercepted content. The "lbe blacklist test" in Figure 3 is the text message sent to the intercepted number.
Figure 3: obtaining interception records
3) Clear the interception logs to erase traces.
4) The other databases can be verified in the same way as the blacklist.
5) Because the databases are stored in plaintext, the interception function is easily defeated if the phone is already rooted.
Solution:
1. If the function does not need to be provided to third-party programs, do not export the provider (android:exported="false").
2. Verify the caller before performing sensitive operations.
3. Apply fine-grained permission control to sensitive operations.
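As an added illustration of the three fixes above (this is example code written for this page, not LBE's own provider), the following ContentProvider keeps the interception database private in the manifest, verifies the calling UID on every operation, and gates any intentional export behind a signature-level permission. The package, class, authority and permission names are assumptions chosen for the example; the blacklist table and its apply_to column follow the description in the write-up.

```java
// Added example, not LBE's own code: a ContentProvider that keeps the
// interception database private and verifies every caller. Package,
// class, authority and permission names are assumptions chosen for the
// example; the table columns (number, apply_to) follow the write-up above.
package com.example.hardened;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.Context;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.net.Uri;
import android.os.Binder;
import android.os.Process;

public class TelephonyProvider extends ContentProvider {

    // Manifest counterpart (assumed names). Fix 1: do not export unless a
    // third party needs the data. Fix 3: if it must be exported, gate it
    // behind a signature-level permission so only apps signed with the same
    // key can hold it, instead of android:exported="true" with no permission.
    //
    //   <permission android:name="com.example.hardened.permission.TELEPHONY_DB"
    //               android:protectionLevel="signature" />
    //   <provider android:name="com.example.hardened.TelephonyProvider"
    //             android:authorities="com.example.hardened.phone"
    //             android:exported="false"
    //             android:permission="com.example.hardened.permission.TELEPHONY_DB" />

    private static final String PERMISSION = "com.example.hardened.permission.TELEPHONY_DB";
    private static final String TABLE = "blacklist";
    private SQLiteOpenHelper helper;

    // Fix 2: verify the caller on every operation. Binder.getCallingUid() is
    // the identity the kernel attached to the IPC, so unlike a caller-supplied
    // package name it cannot be spoofed by the calling app.
    private void enforceCaller(String op) {
        int callingUid = Binder.getCallingUid();
        if (callingUid == Process.myUid()) {
            return; // request originates from our own process
        }
        Context ctx = getContext();
        boolean sameSigner = ctx.getPackageManager()
                .checkSignatures(callingUid, Process.myUid()) == PackageManager.SIGNATURE_MATCH;
        boolean hasPermission = ctx.checkCallingPermission(PERMISSION)
                == PackageManager.PERMISSION_GRANTED;
        if (!(sameSigner && hasPermission)) {
            throw new SecurityException(op + " on " + TABLE + " denied for uid " + callingUid);
        }
    }

    @Override
    public boolean onCreate() {
        helper = new SQLiteOpenHelper(getContext(), "telephony.db", null, 1) {
            @Override
            public void onCreate(SQLiteDatabase db) {
                // apply_to holds the interception type (sms or call), as in the write-up
                db.execSQL("CREATE TABLE " + TABLE
                        + " (_id INTEGER PRIMARY KEY, number TEXT NOT NULL, apply_to TEXT NOT NULL)");
            }

            @Override
            public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) { }
        };
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        enforceCaller("query");
        return helper.getReadableDatabase()
                .query(TABLE, projection, selection, selectionArgs, null, null, sortOrder);
    }

    @Override
    public Uri insert(Uri uri, ContentValues values) {
        enforceCaller("insert");
        long id = helper.getWritableDatabase().insertOrThrow(TABLE, null, values);
        return Uri.withAppendedPath(uri, String.valueOf(id));
    }

    @Override
    public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        enforceCaller("update");
        return helper.getWritableDatabase().update(TABLE, values, selection, selectionArgs);
    }

    @Override
    public int delete(Uri uri, String selection, String[] selectionArgs) {
        enforceCaller("delete");
        return helper.getWritableDatabase().delete(TABLE, selection, selectionArgs);
    }

    @Override
    public String getType(Uri uri) {
        return "vnd.android.cursor.dir/vnd.example.hardened.blacklist";
    }
}
```

The check in enforceCaller deliberately combines two conditions: a signature match proves the caller was built by the same key, and the permission check proves the caller declared its intent to use the database, so a stray same-key app that never requested the permission is still refused. With android:exported="false" in the manifest the check is defence in depth; if a genuine third-party integration later forces the provider to be exported, the check is what stands between the interception database and any app on the device.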