Mobile Vulnerability Analysis
Kryptowire
2019

Background
Devices are shipped with pre-installed software
▪ Not present on official app stores
▪ Most functionality cannot be disabled
▪ Privileged & system access by default

Pre-installed apps can be vulnerable and/or malicious
▪ Potential for remote and local exploitation
▪ “Backdoor” functionality & data exfiltration

Why is this happening?
▪ Vendors customize official code
▪ Hardware suppliers provide software
▪ (Un)intentionally expose sensitive capabilities
Discovery and Exploit Workflow

1 Mobile Apps & Firmware Collection: Mobile apps and firmware images are collected and processed by the app analysis system using a cloud or on-premise appliance.
2 Vulnerabilities Discovered: The automated system reports each vulnerability with its type (e.g. command execution) and all the data needed to generate a proof of concept.
3 Exploits Generated: An analyst leverages the output of the automated system to validate the finding and generate proof-of-concept exploits. The POCs can be tested and validated in live environments.
Automated Vulnerability Discovery Engine
Modeling Vulnerability Categories
○ PII leakage
○ App installation
○ Command execution
○ Sending AT commands
○ Record audio
○ Logcat leakage
○ Record screen
○ Factory reset
○ Capture screenshot
○ Dynamic code loading and execution
○ SMS sending
○ Modification of wireless settings
○ Modification of system properties
○ Others
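The background slides describe pre-installed apps that run with system privileges and expose sensitive capabilities; the first question a triage pass asks of such an app is which of its components any third-party app can reach. The following is an added example for this page, not Kryptowire's engine: it applies Android's export rule to a constructed manifest (placeholder package and component names) and flags exported components that are not guarded by a signature-level permission.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded manifest for a hypothetical vendor app that
# shares the system UID. Package and component names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.defcontainer"
    android:sharedUserId="android.uid.system">
  <application>
    <service android:name=".ShellService" android:exported="true"/>
    <receiver android:name=".ResetReceiver">
      <intent-filter><action android:name="com.example.RESET"/></intent-filter>
    </receiver>
    <service android:name=".LogService" android:exported="true"
        android:permission="android.permission.READ_LOGS"/>
    <activity android:name=".Main" android:exported="true"
        android:permission="com.example.vendor.INTERNAL_ONLY"/>
  </application>
</manifest>"""


def is_exported(comp):
    """Android's rule: an explicit android:exported wins; otherwise a component
    with an <intent-filter> is exported (the pre-API-31 default)."""
    flag = comp.get(ANDROID + "exported")
    if flag is not None:
        return flag == "true"
    return comp.find("intent-filter") is not None


def find_exposed_components(manifest_xml, signature_perms=frozenset()):
    """Return (tag, name, reason) for every component any third-party app can
    reach. signature_perms: permissions known to be signature-protected, which
    count as an adequate guard; any other permission is assumed obtainable."""
    root = ET.fromstring(manifest_xml)
    privileged = root.get(ANDROID + "sharedUserId") == "android.uid.system"
    findings = []
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if not is_exported(comp):
            continue
        perm = comp.get(ANDROID + "permission")
        if perm in signature_perms:
            continue  # only same-signer callers can reach it
        reason = "no permission" if perm is None else f"weak guard {perm}"
        if privileged:
            reason += "; app runs as android.uid.system"
        findings.append((comp.tag, comp.get(ANDROID + "name"), reason))
    return findings
```

Each finding is then mapped onto one of the categories above (e.g. a reachable service that runs shell input becomes "command execution") and handed to an analyst for validation.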
Sample Results

Popular Android Devices
Device | Carrier(s) | Vulnerability
ZTE ZMAX Pro | T-Mobile | Send, read, and modify text messages
LG G6 | AT&T, Verizon, T-Mobile, Sprint | Lock user out of their device and get logcat/kernel logs
ZTE Blade Spark | AT&T | Write modem and logcat logs to external storage
Coolpad Defiant | T-Mobile | Send, read, and modify text messages and programmatic factory reset
Coolpad Revvl Plus | T-Mobile | Send, read, and modify text messages
Asus ZenFone V Live | Verizon | Command execution as system user
LG Phoenix 2 | AT&T | Lock user out of their device
Essential Phone | Sprint | Programmatic factory reset
Example Finding
App: com.********.defcontainer and com.******.defcontainer (multiple versions)
Vulnerability: Inject commands to execute as system user, giving full control of device and data.
Firmware Affected: 5 Tecno Oreo (8.X), 2 Coolpad Oreo (8.1), & 1 Haier Oreo (8.1)
Additional Violations:
○ 1 Dynamic Code Loading
○ 1 additional Command Execution
Status: Exploitable - CVE Assigned
DISTRIBUTION R – Company Confidential - No Distribution beyond intended customer without explicit permission

Sample Results - 2019
~1,000 new vulnerabilities discovered in 2019 across 30+ OEMs
▪ Command Execution
▪ Log Leakage
▪ Network Settings Modification
▪ SMS Sending/Spoofing
▪ Screenshot Capturing
▪ System Properties Modifications
▪ Factory Reset
▪ App Installation
▪ App Uninstallation
▪ AT-Command Execution
▪ Audio Recording
▪ Video Recording
▪ Dynamic Code Loading
▪ And More...