
Towards Discovering and Understanding Task Hijacking in Android

Chuangang Ren, The Pennsylvania State University; Yulong Zhang, Hui Xue, and Tao Wei, FireEye, Inc.; Peng Liu, The Pennsylvania State University

https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/ren-chuangang

This paper is included in the Proceedings of the 24th USENIX Security Symposium, August 12–14, 2015, Washington, D.C. ISBN 978-1-939133-11-3. Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX.

Chuangang Ren (1), Yulong Zhang (2), Hui Xue (2), Tao Wei (2) and Peng Liu (1)
(1) Pennsylvania State University, State College
(2) FireEye, Inc.

Abstract

Android multitasking provides rich features to enhance user experience and offers great flexibility for app developers to promote app personalization. However, the security implication of Android multitasking remains under-investigated. With a systematic study of the complex task dynamics, we find design flaws of Android multitasking which make all recent versions of Android vulnerable to task hijacking attacks. We demonstrate proof-of-concept examples utilizing the task hijacking attack surface to implement UI spoofing, denial-of-service and user monitoring attacks. Attackers may steal login credentials, implement ransomware and spy on user’s activities. We have collected and analyzed over 6.8 million apps from various Android markets. Our analysis shows that the task hijacking risk is prevalent. Since many apps depend on the current multitasking design, defeating task hijacking is not easy. We have notified the Android team about these issues and we discuss possible mitigation techniques in this paper.

1 Introduction

In the PC world, computer multitasking means multiple processes are running at the same period of time. In Android systems, however, multitasking is a unique and very different concept, as defined in Android documentation: “A task is a collection of activities that users interact with when performing a certain job” [1]. In other words, a task contains activities [4] (UI components) that may belong to multiple apps, and each app can run in one or multiple processes. The unique design of Android multitasking helps users to organize the user sessions through tasks and provides rich features such as the handy application switching, background app state maintenance, smooth task history navigation using the “back” button, etc. By further exposing task control to app developers, Android tasks have substantially enhanced user experience of the system and promoted personalized features for app design.

Despite the merits, we find that the Android task management mechanism is plagued by severe security risks. When abused, these convenient multitasking features can backfire and trigger a wide spectrum of task hijacking attacks. For instance, whenever the user launches an app, the attacker can condition the system to display to the user a spoofed UI under attacker’s control instead of the real UI from the original app, without user’s awareness. All apps on the user’s device are vulnerable, including the privileged system apps. In another attack, the malware can be crafted as one type of ransomware, which can effectively “lock” the tasks that any apps belong to on the device (including system apps or packages like “Settings” or “Package Installer”), i.e. restricting user access to the app UIs and thus disabling the functionality of the target apps; and there is no easy way for a normal user to remove the ransomware from the system. Moreover, Android multitasking features can also be abused to create a number of other attacks, such as phishing and spyware. These attacks can lead to real harms, such as sensitive information stolen, denial-of-service of the device, and user privacy infringement, etc.

The Android multitasking mechanism and the underlying feature provider, the Activity Manager Service (AMS), haven’t been thoroughly studied before. In this paper, we take the first step to systematically investigate the security implications behind Android multitasking design and the AMS. At the heart of the problem, although the Android security model renders different apps sandboxed and isolated from one another, Android allows the UI components (i.e., activities) from different apps to co-reside in the same task. Given the complexity of task dynamics, as well as the vagaries of additional task controls available to developers, the attacker can play tricky maneuvers to let malware reside side by side with the victim apps in the same task and hijack the user sessions of the victim apps. We call this task hijacking.

Given the security threats, it becomes important to fully study Android multitasking behaviors in a systematic way. We approach this topic by projecting the task behaviors into a state transition model and systematically study the security hazards originated from the discrepancies between the design assumptions and implementations of Android tasks. We find that there is a plethora of opportunities of task hijacking exploitable to create a wide spectrum of attacks. To showcase a subset of the attack scenarios and their consequences, we implement and present a set of proof-of-concept attacks as shown in Table 1.

| Attack types | Consequences | Vulnerable system & apps |
|---|---|---|
| Spoofing | Sensitive info stolen | all; all |
| Denial-of-service | Restriction of use access to apps on device | all; all |
| Monitoring | User privacy infringement | Android 5.0.x; all |

Table 1: Types of task hijacking attacks presented in this paper (system versions considered - Android 3.x, 4.x, 5.0.x).

We do vulnerability assessment to the task hijacking threats and discover that all recent Android versions, including Android 5, can be affected by these threats, and all apps (including all privileged system apps) are vulnerable to most of our proof-of-concept attacks on a vulnerable system. By investigating the employment of task control features by app developers based on 6.8 million apps in various Android markets, we find that despite the serious security risks, the “security-sensitive” task control features are popular with developers and users. We have reported our findings to the Android security team, who responded to take a serious look into the issue. We summarize our contributions below:

• To the best of our knowledge, we are the first to systematically study the security implications of Android multitasking and the Activity Manager Service design in depth.

• We discover a wide open attack surface in Android multitasking design that poses severe threats to the security of Android system and applications.

• Based on our vulnerability analysis over 6.8 million apps, we find that this problem is prevalent and can lead to a variety of serious security consequences.

• We provide mitigation suggestions towards a more secure Android multitasking sub-system.

2 Background

Android Application Sandbox: The Android security model treats third-party apps as untrusted and isolates them from one another. The underlying Linux kernel enforces the Linux-user based protection and process isolation, building a sandbox for each app. By default, the components of one app run in the same Linux process with a unique UID. Components from different apps run in separate processes. One exception is that different apps can run in one process only if they are from the same developer (same public key certificate), and the developer explicitly specifies the same process in the manifest file. The Linux sandbox provides the foundation for app security in Android. In addition, Android provides a permission model [12, 19] to extend app privileges based on user agreement, and offers an inter-component communication scheme guarded by permissions for inter-app communication.

Activity: Activity is a type of app component. An activity instance provides a graphic UI on screen. An app typically has more than one activity for different user interactions such as dialing phone numbers and reading a contact list. All activities must be defined in an app’s manifest file.

Intent: To cross the process boundaries and enable communication between app components, Android provides an inter-component communication (ICC) scheme supported by an efficient underlying IPC mechanism called binder. To perform ICC with other components, a component uses an intent, an abstract description of the operations to be performed. An intent object is the message carrier object used to request an action from another component, e.g., starting an activity instance by calling the startActivity() function. Intents come in two flavors. Explicit intent specifies the component to start explicitly by name. Implicit intent instead encapsulates a general type of action, category or data for a component to take. The system will launch a component “capable” of handling this intent. If more than one target activity exists in the system, the user is prompted to choose a preferred one.

Activity Manager Service (AMS): AMS is an Android system service that supervises all the activity instances running in the system and controls their life cycles (creation, pause, resume, and destroy). The interaction and communication protocols between activities and the AMS are implemented by the Android framework code, which is transparent to app developers, leaving developers focusing on the app functionality. While Window Manager Service (WMS) manages all windows in the system and dispatches user inputs from the windows, AMS organizes all the activities in the system into tasks, and is responsible for managing the tasks and supporting the multitasking features as will be described in Section 3.

In addition, AMS is in charge of supervising service components, intent routing, broadcasting, content provider accesses, app process management, etc., making itself one of the most critical system services in the Android system.

[Figure: state transition diagram; states S0, S1, S2 (each marked Foreground); transitions T1, T2; edge labels “start newtask”, “start default”.]
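The explicit and implicit intent resolution described in the Intent paragraph of the Background, modelled as an added example (not code from the paper or from Android). The package names, manifests and function names are constructed; data/MIME matching and export or permission checks are left out.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
DEFAULT = "android.intent.category.DEFAULT"

# Constructed manifests for two hypothetical apps (not from the paper).
MANIFESTS = {
    "com.example.mail": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <application>
        <activity android:name=".Inbox"/>
        <activity android:name=".Compose"><intent-filter>
          <action android:name="android.intent.action.SEND"/>
          <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter></activity>
      </application></manifest>""",
    "com.example.notes": """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
      <application>
        <activity android:name=".Share"><intent-filter>
          <action android:name="android.intent.action.SEND"/>
          <category android:name="android.intent.category.DEFAULT"/>
        </intent-filter></activity>
        <activity android:name=".Widget"><intent-filter>
          <action android:name="android.intent.action.VIEW"/>
        </intent-filter></activity>
      </application></manifest>""",
}

def load_activities(manifests):
    """Return {component: [(actions, categories), ...]} for every declared activity."""
    table = {}
    for pkg, text in manifests.items():
        for act in ET.fromstring(text).iter("activity"):
            filters = [({a.get(ANDROID + "name") for a in f.iter("action")},
                        {c.get(ANDROID + "name") for c in f.iter("category")})
                       for f in act.iter("intent-filter")]
            table[pkg + "/" + act.get(ANDROID + "name")] = filters
    return table

def resolve(table, component=None, action=None, categories=()):
    """Explicit intent: the named component. Implicit: every activity whose filter matches."""
    if component is not None:
        return ("start", [component]) if component in table else ("none", [])
    # startActivity() treats an implicit intent as carrying CATEGORY_DEFAULT.
    wanted = set(categories) | {DEFAULT}
    hits = sorted(c for c, fs in table.items()
                  if any(action in acts and wanted <= cats for acts, cats in fs))
    if not hits:
        return ("none", [])
    return ("start", hits) if len(hits) == 1 else ("chooser", hits)
```

The SEND action resolves to two activities from different apps, so the model returns the chooser case; the VIEW filter matches nothing because it does not declare the DEFAULT category.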