Slide 1
Front Door Access to Pwning hundreds of Millions of Androids
Avi Bashan
Ohad Bobrov
CERTIFIGATE
Slide 2
AGENDA
• Mobile Threats and Research Motivation
• Mobile Remote Support Tool Overview
• Pwning Mobile Remote Support Tool
• Conclusions
• Q & A
Slide 3
ABOUT US
OHAD BOBROV
Decade of experience researching and working in the mobile security space
Former Co-Founder & CTO @Lacoon Mobile Security
Mobile Threat Prevention Area Manager @Check Point
Presented at BH SP, InfoSec, etc.
AVI BASHAN
Security researcher for over a decade in the PC and mobile areas
Technical Leader @Check Point
Former CISO & Security Researcher @Lacoon
MAJOR CONTRIBUTORS
Pavel Berengoltz
Daniel Brodie
Andrey Polkovnichenko
Denis Voznyuk
Slide 4
MOBILE REMOTE ACCESS TROJAN (mRAT)
• Used by malicious threat actors
• Provides unauthorized and stealthy access to mobile devices
• Known mRATs
Slide 5
mRAT CAPABILITY ANALYSIS
mRAT
Slide 6
mRAT CAPABILITY ANALYSIS
mRAT
Exploit Usage
App Installation
Screen Access
User Input Control
…
Slide 7
mRAT CAPABILITY ANALYSIS
mRAT
Exploit Usage
App Installation
Screen Access
User Input Control
…
… ?
Slide 8
mRAT CAPABILITY ANALYSIS
mRAT
Exploit Usage
App Installation
Screen Access
User Input Control
…
… mRST
Slide 9
MOBILE REMOTE SUPPORT TOOLS (mRST)
• IT Departments
• Used by Mobile Carriers
• Device Manufacturers
Main Players
Slide 10
MOBILE REMOTE SUPPORT Tools Overview
Slide 11
ANDROID PERMISSION MODEL 101
ANDROID IS A MODERN OS
Sandboxing features
Permission based access
Must be obtained to access a resource
User can view upon app installation
‘Take it or leave it’ approach
Slide 12
ANDROID PERMISSION MODEL 101
SOME PERMISSIONS are considered “privileged”
Permission                                  Action
INSTALL_PACKAGES                            App installation
READ_FRAME_BUFFER, ACCESS_SURFACE_FLINGER   Screen access
INJECT_EVENTS                               User input control
GRANTED ONLY TO PRIVILEGED SYSTEM APPS
ROM pre-installed apps located under /system/priv-app
Apps signed with the OEM’s certificate
Slide 13
mRST PERMISSIONS
• Access Internet
• Get device network info
• Query installed app list
• Access to device storage
• Install apps
• Capture screen
• User input control
PRIVILEGED PERMISSIONS
Slide 14
ANDROID CUSTOMIZATION CHAIN
AOSP → OEMs → Carriers
Slide 15
mRST ARCHITECTURE
MAIN APP (signed by the mRST developer)
Regular permissions
Network connection
User interface
PLUGIN (signed by the OEM)
Privileged permissions
Exported service
No user interaction
Main app and plugin communicate over Binder
Verification mechanism?
Slide 16
WHAT’S THE PROBLEM WITH A PLUGIN?
• Signed by the OEM
• Obtained from Google Play or pre-installed
• Designed to communicate with other apps
• VALIDATION CODE IS RE-INVENTED BY EACH VENDOR!
Slide 17
WHAT DID WE FIND?
Slide 18
TEAM VIEWER OVERVIEW
Slide 19
TEAM VIEWER’S PLUGIN
• App connects to plugin over Binder
• Plugin needs to verify connection to TeamViewer’s main app
• Plugin compares the connecting app’s certificate serial number to a hardcoded serial number
Slide 20
WHERE’S WALDO?
Slide 21
RFC 2459
Internet X.509 Public Key Infrastructure
4.1.2.2 Serial number
The serial number is an integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate)
Slide 22
ANDROID APPS SIGNATURE
• Who signs applications on Android?
• Where do they get the certificate?
• So..
Slide 23
Pwned!
Slide 24
Slide 25
DEMO TIME!
Slide 26
RSUPPORT OVERVIEW
Samsung & LG ship the plugin pre-installed
• LG G4, G3, G2 and G Pro 2
• Samsung Galaxy S5 and S4 (some ROMs)
• And more!
Slide 27
RSupport CODE OVERVIEW
The plugin compares the connecting app’s certificate hash code to a hardcoded hash code
Get the certificate hashCode
Slide 28
RSupport CODE OVERVIEW (Cont.)
Try to compare it to a few hash codes; if it’s equal, continue
Slide 29
HASHCODE?
• But wait, what is the Signature’s hashCode?
MD5? SHA1? SHA256? CRC32???
Android is open source, so we can just look at its implementation
Slide 30
HASHCODE!
Executes the Arrays.hashCode function on the certificate bytes
32-bit signed integer
Only 2^32 ≈ 4 billion possibilities!
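To make the two verification patterns from the TeamViewer and RSupport slides concrete, here is an added example (not code from the talk or from either vendor) that models a plugin's caller check. It ports java.util.Arrays.hashCode(byte[]) to Python so the 32-bit output space of Signature.hashCode() is visible, places it next to a serial-number comparison, and contrasts both with a pinned SHA-256 of the full certificate bytes. The certificates, serial number and digests are constructed stand-ins; the SigningCert class and the check_* functions are assumptions of this example, not Android APIs.

```python
"""Plugin caller verification: the two weak checks from the slides (certificate
serial number, Signature.hashCode()) next to a pinned full-certificate digest.
All certificates below are constructed byte strings, not real DER."""
import hashlib
import hmac
from dataclasses import dataclass


def java_int32(value: int) -> int:
    """Wrap an arbitrary Python int the way Java's signed 32-bit int overflows."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def java_arrays_hashcode(data: bytes) -> int:
    """Python port of java.util.Arrays.hashCode(byte[]):
    result = 1; for each byte b: result = 31 * result + b, with b signed."""
    result = 1
    for b in data:
        signed = b - 256 if b > 127 else b   # Java bytes are signed
        result = java_int32(31 * result + signed)
    return result


def android_signature_hashcode(signature_der: bytes) -> int:
    """android.content.pm.Signature.hashCode() is Arrays.hashCode over the
    certificate bytes, so there are only 2**32 possible results."""
    return java_arrays_hashcode(signature_der)


@dataclass(frozen=True)
class SigningCert:
    """Minimal stand-in for an APK signing certificate (constructed, hypothetical)."""
    serial: int   # X.509 serialNumber, chosen by whoever self-signs the cert
    der: bytes    # encoded certificate as PackageManager would hand it back


# Constructed sample certificates. On Android every developer is their own CA,
# so a second party generating a key can reuse the same serial number.
GENUINE = SigningCert(serial=0x4F3A1C, der=b"\x30\x82\x01\x2a" + b"genuine-vendor-cert")
LOOKALIKE = SigningCert(serial=0x4F3A1C, der=b"\x30\x82\x01\x2a" + b"other-party-cert")


def check_by_serial(caller: SigningCert, pinned_serial: int) -> bool:
    """Weak: compares only the serial number (the pattern in the TeamViewer plugin)."""
    return caller.serial == pinned_serial


def check_by_hashcode(caller: SigningCert, pinned_hashcode: int) -> bool:
    """Weak: compares a 32-bit, non-cryptographic hash (the pattern in the RSupport plugin)."""
    return android_signature_hashcode(caller.der) == pinned_hashcode


def sha256_pin(cert: SigningCert) -> str:
    """Value a plugin should hard-code instead: SHA-256 of the full certificate bytes."""
    return hashlib.sha256(cert.der).hexdigest()


def check_by_sha256_pin(caller: SigningCert, pinned_sha256_hex: str) -> bool:
    """Hardened: full-certificate digest, compared in constant time."""
    return hmac.compare_digest(sha256_pin(caller), pinned_sha256_hex)


if __name__ == "__main__":
    pin = sha256_pin(GENUINE)
    for name, cert in (("genuine", GENUINE), ("lookalike", LOOKALIKE)):
        print(f"{name:9} serial ok={check_by_serial(cert, GENUINE.serial)} "
              f"hashCode={android_signature_hashcode(cert.der)} "
              f"sha256 pin ok={check_by_sha256_pin(cert, pin)}")
```

Running it shows the lookalike certificate passing the serial check while failing the pinned-digest check; the hashCode column shows a plain 32-bit signed integer, which is the entire space that check can distinguish. In a real plugin the certificate bytes would come from PackageManager for the UID obtained via Binder.getCallingUid(), and the pin would be the digest of the main app's actual signing certificate.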
Slide 31
Slide 32
WHAT ELSE?
• We found multiple vulnerable plugins
• We didn’t check them all (left as an exercise for the reader)
• Verification flaw is not limited to mRSTs
Slide 33
mRST PLUGIN ANOTHER ANGLE
• Found a problem in one vendor’s main app
• Allowed us to manipulate the main app logic, in order to take control of the OEM signed plugin
Slide 34
COMMUNITAKE VULNERABILITY
Main app allows changing settings by SMS
One of the commands can modify the subdomain of the CnC server: <xxx>.communitake.com
The subdomain can be altered without requiring authentication
The app does not sanitize the subdomain properly
Enables the addition of the '/' character to the subdomain
Slide 35
COMMUNITAKE VULNERABILITY (CONT.)
• An attacker can send a command which changes the CnC server to a malicious CnC server
• Enabling them to take full control of the device with a single SMS message, without user intervention!
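The sanitization flaw on the previous slide comes down to where a URL library puts the host boundary once a '/' is inside the "subdomain". The following added example (not CommuniTake's code) models the unsafe string splice beside a hardened version that allowlists a single DNS label and re-checks the resulting host. The domain "example.com", the "/api" path and the sample subdomain values are constructed placeholders; the function names are this example's own.

```python
"""Model of the subdomain setting: an unsanitized '<xxx>.<vendor domain>' string
lets a '/' inside xxx move the real host boundary. Placeholders throughout."""
import re
from typing import Optional
from urllib.parse import urlparse

BASE_DOMAIN = "example.com"   # placeholder for the vendor's CnC domain

# One DNS hostname label (RFC 1035 syntax): letters, digits and hyphens,
# 1-63 characters, no leading or trailing hyphen. A '.', '/', '@', ':' or
# whitespace cannot pass this pattern.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def build_cnc_url_unsafe(subdomain: str) -> str:
    """Vulnerable pattern: the externally supplied value is spliced straight
    into the URL string without any validation."""
    return f"https://{subdomain}.{BASE_DOMAIN}/api"


def effective_host(url: str) -> str:
    """The host a URL parser (and therefore the HTTP client) will connect to."""
    return urlparse(url).hostname or ""


def is_valid_label(subdomain: str) -> bool:
    """Allowlist check: exactly one well-formed hostname label."""
    return LABEL_RE.fullmatch(subdomain) is not None


def build_cnc_url_safe(subdomain: str) -> Optional[str]:
    """Hardened pattern: validate the label first, then confirm the parsed
    host still sits under the expected domain. Returns None on rejection so
    the caller keeps its current setting instead of switching servers."""
    if not is_valid_label(subdomain):
        return None
    url = f"https://{subdomain}.{BASE_DOMAIN}/api"
    if not effective_host(url).endswith("." + BASE_DOMAIN):
        return None
    return url


if __name__ == "__main__":
    # Constructed inputs: a normal value and one carrying a '/' as on the slide.
    for value in ("support", "other-host.test/"):
        unsafe = build_cnc_url_unsafe(value)
        print(f"{value!r:22} unsafe -> connects to {effective_host(unsafe)!r}; "
              f"safe -> {build_cnc_url_safe(value)!r}")
```

The unsafe builder turns the second input into a URL whose host is the attacker-supplied name, with ".example.com/api" demoted to the path; the safe builder rejects it and keeps the previous value. Validating the host is only half of the slide's point: the setting is also changed without authentication, which is a separate control that this example does not model.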
Slide 36
DEMO TIME!
Slide 37
VULNERABILITIES DISCLOSURE TIMELINE
MID APRIL
Reported to vendors, OEMs, Google
MID APRIL – MAY
Got responses from most of the vendors, which started working on resolving the issues
MAY – JUNE
New versions of the plugins were uploaded to the Play Store
AUGUST
Still waiting for some vendors’ responses..
Slide 38
CONCLUSION
Android’s eco-system is flawed
• Google moved the responsibility to the OEMs
• No way to patch it
Hundreds of millions of Android devices are vulnerable
Slide 39
SO WHAT SHOULD I DO?
• Check if your device is on the list of vulnerable OEMs (can be found in our blog post)
• Check if you have one of the plugins installed; remove it (if you can)
Slide 40
A LAYERED MOBILE SECURITY APPROACH
VULNERABILITY ASSESSMENT
• System, OEM and 3rd party apps, and plugins
• Continuous monitoring
THREAT DETECTION
• Horizontal escalation from 3rd party apps
RISK MITIGATION
• Alert user to remove vulnerable plugins
• Track patching progress
Slide 41
CERTIFI-GATE SCANNER
Google Play
Slide 42
QUESTIONS?