Here is the first part of a two-part blog based on my paper submitted for AVAR 2013 that discusses the known vulnerabilities for Android OS with examples of Android malware exploiting them and few of the ways of mitigating the risk including the patch management.
Google’s Android, as any other mobile operating system, also contains a number of vulnerabilities. Android malware writers are now increasing the use of these exploits to evade detection. Early Android malware used simple ways to either spread or compromise the user’s device however with the increase in the Android malware count year-on-year and the advancement in detection techniques used by security software, malware writers have been forced to evolve new approaches to evade detection by mobile security products. A reminder of Darwin’s “Survival of the fittest”.
In the recent past, there have been a few Android malware instances that focus on exploiting vulnerabilities in the Android OS to attain root access or administrative privileges. For example, Android TrojanSpy Droiddream involved Exploid and RageAgainsttheCage exploits to obtain root access of the victim’s device. To complicate the scenario further, the obfuscated Backdoor.AndroidOS.Obad utilises multiple system vulnerabilities in the Android OS to have its stealthy malicious behaviour. In addition there has been some publicity about the critical vulnerability in Android’s application signature check that could allow a hacker to inject malicious code into the legitimate application without even breaking the signature.
Known vulnerabilities in Android include those related to privilege escalation, common intent and so on. The exploitation of vulnerabilities provides a powerful mechanism for malware writers to compromise a system and deploy malicious code so it is imperative that we understand the scope of these attacks.
This paper provides an account of the known vulnerabilities used in the Android threat landscape with examples of Android malware exploiting them. The paper will also focus on the ways and means of mitigating the risk, including a discussion of patch management for Android.
Severity Evolution of Android Threat
Malware authors started investing time in identifying new ways to install their applications and to trick the user into installing their packages, with the focus on improving the propagation methods. Along with the early SMS Trojans, the severity of the Android threats notably increased with the emergence of other malware like fake applications, Zitmo/Spitmo, Image modifiers and so on, that really improved the complexity of the Android threats. In addition to these categories, targeted attacks, SMS worms were also predicted.
Unfortunately, in the past, there were few occurrences of malicious applications in the Android official market itself which had the outcome of Google’s Bouncer, a behavioural scanner. Even though malware writers can upload their malware package in the third party markets for Android, with the advancement in the security measures, such as Google’s Bouncer, the detection techniques involved by the mobile security products and last but not the least because of the smartphone user’s awareness on malware propagation methods, malware writers are forced to discover a new route that serves them to evade detection techniques and successfully execute their malicious code.
In the past, many Android malware required root access (administrative power) to execute the desired malefide functions on the victim’s device. For instance, Android.Droiddream involves the exploits Exploid or RageAgainsttheCage to exploit the vulnerability in the Android OS to attain root access. Notably, in the recent past, malware authors engage exploitation of the OS vulnerability increasingly to run their piece of malware and they are seen to target other functionalities in the OS apart from the root access.
Known Vulnerabilities
The saying that popularity brings in the danger of threats holds good for Google’s Android as well. Exploiting vulnerability in any OS stands as one of the best possible ways for malware authors to achieve privilege escalation or DoS.
Figure 1 below represents the count of major Android Vulnerability year on year since 20091.
Figure 1: Android Vulnerabilities by year till November 2013
The Vulnerabilities listed above were exploited to cause any adverse effects from remote code execution to denial of service attack.
Figure 2 shows the effects of exploitation of Android vulnerabilities
Figure 2: Exploitation Effects
Data from the above chart depicts that many of the exploitations are aimed at either remote code execution or performing denial of service. Malware authors may exploit one or a combination of these known vulnerabilities to reach their goal. The same example Android.Droiddream can be quoted here again for the exploitation of privilege escalation vulnerability.
The table below describes a few of the major security vulnerabilities and their security impact on the mobile device.
| CVE ID | TYPE | COMMENT |
| CVE-2013-4787 | Code Execution | Master Key Vulnerability – flaw in cryptographic check for application’s signatures |
| CVE-2012-6301 | DoS | Browser application in android 4.0.3 allows remote attackers to cause DoS (application crash) |
| CVE-2012-4222 | DoS | KGSL kernel mode driver for Android allows remote attacker to cause Denial Of Service through Null pointer dereference |
| CVE-2012-4221 | DoS, Code Execution |
Integer overflow in DIAG kernel mode driver allows remote attacker to cause either DoS attack or remote code execution |
| CVE-2012-4220 | DoS, Code Execution |
DIAG kernel mode driver allows remote attacker to cause DoS/remote code execution by incorrect pointer dereference |
| CVE-2012-3979 | Code execution | Flaw in Mozilla before 15.0 allows remote attacker to execute arbitrary code via crafted webpage that loads a javascript dump function |
| CVE-2011-3918 | Dos | Zygote process in android accepts fork requests from arbitrary UID, that causes remote attackers to cause DoS by reboot loop |
| CVE-2011-3874 | Code Execution | Stack-based buffer overflow allows user-assisted remote attacker to execute arbitrary code. |
| CVE-2011-2357 | Bypass | Cross application script vulnerability in the browser URL loading functionality allows local applications to bypass sandbox and execute javascript |
| CVE-2011-1823 | Code Execution Memory Corruption Bypass |
The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges |
| CVE-2011-0680 | Flaw in draft cache management by data/WorkingMessage.java in the Mms application in Android before 2.2.2 and 2.3.x before 2.3.2 allows remote attackers to read SMS messages intended for other recipients in opportunistic circumstances via a standard text messaging service. | |
| CVE-2011-0419 | DoS | Stack consumption vulnerability |
| CVE-2010-1807 | DoS Code Execution |
Flaw with floating point data validation allows remote attacker to cause DoS attack or remote code execution |
| CVE-2010-2656 | DoS | Unspecified issue in the com.android.phone process allows remote attacker to cause Dos via crafted SMS message, which is possibly related to CVE-2010-3698 and CVE-2010-2999 |
| CVE-2009-2348 | Bypass | Android 1,5 CRBxx allows local users to bypass the android.permission.CAMERA and android.permission.RECORD_AUDIO configuration settings by executing an application that does not request permission before using camera or microphone |
Table 1: Android Security Vulnerabilities list till November 2013
Given below is a list of the vulnerabilities and the handset/installed app that they target:
| CVE ID | TYPE | COMMENT |
| CVE-2013-4777 | Privilege Escalation | A certain configuration of Android 2.3.7 on the Motorola Defy XT phone for Republic Wireless uses init to create a /dev/socket/init_runit socket that listens for shell commands, which allows local users to gain privileges by interacting with a LocalSocket object. |
| CVE-2011-2344 | Privilege Escalation | Android Picasa in Android 3.0 and 2.x through 2.3.4 uses a cleartext HTTP session when transmitting the authToken obtained from ClientLogin, which allows remote attackers to gain privileges and access private pictures and web albums by sniffing the token from connections with picasaweb.google.com. |
| CVE-2011-1352 | Privilege Escalation Memory Corruption | The PowerVR SGX driver in Android before 2.3.6 allows attackers to gain root privileges via an application that triggers kernel memory corruption using crafted user data to the pvrsrvkm device. |
Table 2: Specific Android Security Vulnerabilities list till November 2013
The list in Table 1 and Table 2 above are extensive and does not include the vulnerabilities seen after the mentioned time period. Exploiting one of these vulnerabilities may help the attacker in planting the malicious application on the user’s device. Once on the device, they can behave in the way that any malicious app would, like sending SMS messages without user’s knowledge, stealing personal/user information, Zitmo/Spitmo, etc.,
References:
1.http://www.cvedetails.com/vulnerability-list.php
Images courtesy of:
news.everest.edu
V.Dhanalakshmi
Senior Threat Researcher, K7TCL
If you wish to subscribe to our blog, please add the URL provided below to your blog reader:
https://labs.k7computing.com/feed/
