CNIT 128 8. Android Implementation Issues (Part 3)
0 likes162 views
This document discusses various techniques for exploiting Android devices, including injecting JavaScript code to install malware, tricking users into downloading malicious updates, abusing permissions to gain access to private data like contacts and location, and extracting user data like passwords through physical access to the device. It provides examples of exploiting vulnerabilities in apps to escalate privileges and infiltrate user accounts.
CNIT 128 8. Android Implementation Issues (Part 3)
- 1. CNIT 128 Hacking Mobile Devices 8. Identifying and Exploiting Android Implementation Issues Part 3 Updated 4-7-2021
- 2. Topics • Part 1 • Reviewing Pre-installed Applications • Exploiting Devices • Start through "Explanation of Privilege Levels" (up to p. 402)
- 3. Topics • Part 2 • Exploiting Devices • "Practical Physical Attacks" (p. 375) through • "Polaris Viewer Memory Corruption" (up to p. 401)
- 4. Topics • Part 3 • Exploiting Devices • "Injecting Exploits for JavaScript Interfaces" (p. 401) and following • Infiltrating User Data
- 6. Injecting Exploits for JavaScript Interfaces • If an app loads content over HTTP • And is running on Android SDK 16 or lower • A MitM attacker can inject JavaScript code • Which will exploit a code injection vulnerability • And use the app as an agent to mount further attacks
- 7. Injecting Exploits for JavaScript Interfaces • Attacking Sony Xperia • An app loads ads over HTTP • Drozer and Burp used to inject code
- 8. Injecting a Drozer Agent • Adds this code to the page
- 9. Custom Application Updates • Some apps manage their own update • Rather than relying on Google Play • Apps can install their own updates if they have the INSTALL_PACKAGES permission • Often downloaded via HTTP • Allowing MITM update modifications
- 11. pwn:// • To invoke the installed Drozer agent • Inject HTML code that loads a page with a URI starting with pwn://
- 12. BROWSABLE URI Injection • Samsung's UniversalMDMClient app has this intent filter • Any package can be installed by invoking this URI:
- 14. Malware • Two scenarios • Improving the drive-by download attack with social engineering • Using a zero permission app to install additional package
- 15. Drive-By Downloads • Android apps that automatically download when you visit a site • A message like this tricks the user: • Missing Plug-in • App Update Required
- 16. Unknown Sources • In Android 7 and earlier, • Must enable "Unknown Sources" in settings • To install from an APK file, not Google Play
- 17. Android 8 or Higher • Permissions configured on a per-app basis • https://www.theandroidsoul.com/how-to-allow-apps-installation- from-unknown-sources-on-android-9-pie/
- 18. Automatic Launching • RECEIVE_BOOT_COMPLETED permission in an app's manifest • Allows app to start when phone boots up • Reliable on Android versions before 3.1 • But must wait for a reboot • Loading an iframe with src="pwn://lol" is faster
- 19. Automatic Launching • Since Android 3.1 • Newly installed apps won't receive the BOOT_COMPLETED intent • Unless a component has been invoked by the user • So this method is less common
- 20. Android 4.4 • Chrome won't download an APK automatically • Attacker must trick user into downloading it • It won't launch from an iframe either • Must trick the user into clicking something to launch it (see next slide)
- 22. Requesting Zero Permissions • An app may request no permissions • Then abuse vulnerabilities to install additional packages, etc. • This is called "breaking out of the sandbox" • One way: use kernel exploits
- 23. Samsung Galaxy S3 Command Injection • App constructed a command-line including user input, and ran it as system • PoC exploit to write to SD card
- 24. ObjectInputStream • Can be used to escalate privileges in Android before 5 • Link Ch 8i
- 25. Jeff Forristal • aka Rain Forest Puppy • Discovered SQL injection in 1998 • Link Ch 8j • Presented "Fake ID" vuln at Black Hat In 2014
- 26. Fake ID Vulnerability • Android's functions to verify that a certificate was actually signed by its issuer were missing • Any App's certificate could claim to be from any issuer • Setting issuer field to Adobe Systems Incorporated allowed privilege escalation in Android 4.3 and earlier • After that the WebView plug-in code was changed
- 28. Existing Drozer Modules • Record Microphone • Read and Send SMS Messages • Read Contacts • Capture Location, from GPS or Wi-Fi hotspots • Screenshot or video record screen
- 30. Recorded Video • Can capture unlock pattern
- 31. Stealing Files from the SD Card • On Android 4.3 and earlier, every user had access to the SD card • Since Android 4.4, it requires READ_EXTERNAL_STORAGE permission
- 32. Extracting Wi-Fi Keys • Requires root or system access
- 33. User Accounts • Gmail account tokens stored in sqlite database • Not passwords for Google (link Ch 8k)
- 34. User Accounts • Third-party apps may store plaintext passwords in accounts.db files • Or files with similar names • Especially email clients using old POP3 or SMTP protocols
- 35. Cracking Patterns, PINs, and Passwords • /data/system/gesture.key • Cracker at link Ch 8l • /data/system/password.key • Crack with Python (old Proj 12x)
- 36. Reading Extended Clipboards • Any app with Context can read the clipboards • Password managers put passwords in it • Extended clipboard • Stores the last 20 items • Very useful for an attacker • Samsung saves them in /data/clipboard/ • But it's not present in Genymotion
- 37. Simulating User Interaction • input command can send keyboard presses, etc.
- 38. Forcing a Tap • adb shell dumpsys window | grep creen • shows screen dimensions
- 39. Forcing a Tap • adb shell input tap 800 975 • Launches Drozer :)
- 40. Extracting Application Data with Physical Access • adb backup -all -shared • Gets all user and app data • From apps that do not have allowBackup set to false in their manifest • And all data from the SD card