Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware

FIRMSCOPE: Automatic Uncovering of Privilege-Escalation Vulnerabilities in Pre-Installed Apps in Android Firmware

Mohamed Elsabagh, Ryan Johnson, Angelos Stavrou (Kryptowire)
Chaoshun Zuo, Qingchuan Zhao, Zhiqiang Lin (The Ohio State University)

Abstract

Android devices ship with pre-installed privileged apps in their firmware — some of which are essential system components, others deliver a unique user experience — that users cannot disable. These pre-installed apps are assumed to be secure as they are handpicked or developed by the device vendors themselves rather than third parties. Unfortunately, we have identified an alarming number of Android firmware that contain privilege-escalation vulnerabilities in pre-installed apps, allowing attackers to perform unauthorized actions such as executing arbitrary commands, recording the device audio and screen, and accessing personal data to name a few. To uncover these vulnerabilities, we built FIRMSCOPE, a novel static analysis system that analyzes Android firmware to expose unwanted functionality in pre-installed apps using an efficient and practical context-sensitive, flow-sensitive, field-sensitive, and partially object-sensitive taint analysis. Our experimental results demonstrate that FIRMSCOPE significantly outperforms the state-of-the-art Android taint analysis solutions both in terms of detection power and runtime performance. We used FIRMSCOPE to scan 331,342 pre-installed apps in 2,017 Android firmware images from v4.0 to v9.0 from more than 100 Android vendors. Among them, FIRMSCOPE uncovered 850 unique privilege-escalation vulnerabilities, many of which are exploitable and 0-day.

1 Introduction

Ever since its acquisition by Google in 2005, we have witnessed the rapid development and prodigious adoption of the Android platform. Today, it has become the dominant OS in the mobile domain with a market share of 76% [1] as well as the most widely used OS of any platform, surpassing even Windows [2]. Some key factors for the success of Android are its open ecosystem, assortment of available models, inclusion of Google’s suite of apps, and a multitude of app marketplaces hosting millions of Android apps. Currently, anyone (including hardware vendors, device manufacturers, cellular service providers, social media companies, and mobile app developers) can develop and introduce apps into an Android mobile device, with the difference that apps introduced by app developers are typically downloaded from app stores by the users whereas the rest are directly introduced in the supply-chain and pre-installed in device firmware by manufacturers.

There are many reasons to introduce pre-installed apps in Android firmware. First, pre-installed apps often provide unique features and special services that distinguish a vendor or device from its competitors. Second, pre-installed apps come with pre-approved sensitive permissions and capabilities that are unavailable to user-level apps downloaded from app stores and often do not require user approval or consent to operate. In most cases, pre-installed apps typically run as the highly-privileged system user and cannot be uninstalled by the end user, even if a pre-installed app is found to be vulnerable, malicious, or simply unwanted. When users face these threats, their options are limited: wait for an update that hopefully fixes the vulnerable pre-installed app; or remove the app by rooting the device, potentially voiding its warranty and compromising its security.

Although intuitive from a marketing and ease of distribution perspective, software distributed via firmware can expose end users to severe security risks unbeknownst to them and in many cases even to device manufacturers. This was partly shown in the past where Android vendor customization introduced vulnerabilities [3–6]. Of course, vulnerabilities can have different causes: software that is not tested, poorly tested, or purposefully designed to be easily exploitable or malicious. Even if the enterprise or an end user is diligent and follows stringent security guidance, they may still be at risk of malicious or insecure apps that they did not install but were present on the device firmware when it was first delivered.

Therefore, there is a pressing need to address the supply-chain threats that stem from vulnerable or malicious software distributed through firmware images on mobile devices. To this end, this paper presents FIRMSCOPE, a scalable, comprehensive, and automated static taint analysis system to identify the firmware-borne vulnerabilities residing in pre-installed apps, both malicious and (un)intentionally insecure, present in Android firmware. Not all vulnerabilities are of our interest; instead we particularly focus on detecting privilege-escalation vulnerabilities in pre-installed apps where the sensitive behavior is externally invokable (e.g., by a third-party app or a remote party). For instance, an unprivileged third-party app executing a command as the system user by exploiting an insecure interface of a pre-installed app.

While static taint analysis of mobile apps has been well studied (e.g., [7–11]), there are still enormous challenges (due to the complex OOP language constructs and also sophisticated control and data flows in Android APIs and callbacks) to the precision and scalability of the analysis when applied to real-world apps without source code access. For instance, how to precisely and efficiently track data flows through different objects, class fields, the Android framework APIs, and runtime callbacks. We have thus developed several novel techniques in FIRMSCOPE to handle these challenges in an efficient and precise manner suitable for large scale real-world app analysis. FIRMSCOPE achieves unprecedented detection power and performance. It incurs only 7 FPs and 11 FNs on the latest DroidBench 2.0 [12], and is 2X to 24X faster than FlowDroid [9], Amandroid [10], and DroidSafe [11].

We have evaluated FIRMSCOPE on 331,342 pre-installed apps from 2,017 Android firmware images from v4.0 to v9.0 covering more than 100 Android vendors, including the top 20 Android vendors worldwide. FIRMSCOPE has uncovered a total of 850 unique privilege-escalation vulnerabilities (3,483 total) in 1,547 firmware (77% of the analyzed images). These vulnerabilities included code and command injection; obtaining the modem logs and Logcat logs; wiping all user data from a device (i.e., factory reset); accessing, sending, and manipulating calls and text messages; (un)installing arbitrary apps; recording the device screen and microphone; among others. Coordinated disclosure of our findings is still ongoing. Thus far, we have disclosed 370 vulnerabilities in Android 7 to 9 to impacted vendors and received 147 CVEs.

In short, we make the following contributions:

• Novel System. We present FIRMSCOPE, a scalable, comprehensive, and automated system to identify privilege-escalation vulnerabilities residing in pre-installed apps in Android firmware at a large scale.

• Efficient Techniques. We significantly improve the scalability and accuracy of existing static taint analysis with an efficient on-demand custom flow-, context-, field-sensitive, and partially object-sensitive analysis.

• Large-Scale Evaluation.

2 Background and Threat Model

Background. Android apps are composed of app components, which are functional code units that developers use to build an app. App components are implemented by extending certain framework classes containing a platform-managed lifecycle. App components serve as app entry points and can be started by the app itself, the system, and sometimes external apps, effectively permitting the sharing of code and possibly data. Components include Activities (GUI screens), Services, Broadcast Receivers, and Content Providers. Each Android app contains an AndroidManifest.xml file listing all the app’s components and various configuration data.

Android apps are sandboxed by the kernel where each app runs in its own isolated process and gets an isolated private storage space on the filesystem. By default, apps are not allowed to execute code in each other’s context or access each other’s data. There is no system-wide enclave for sensitive data. Instead, each app stores its own private information in its sandboxed storage space.

A pre-installed app is any app that comes pre-loaded with a firmware image. These apps can be non-essential apps that the device vendor decided to ship with the firmware (e.g., bloatware) or internal firmware apps implementing critical system components necessary for the proper functionality of the device (e.g., managing device settings, app installation, and carrier negotiation). Pre-installed firmware apps are typically installed under /system/app and /system/priv-app on a read-only device partition whereas apps downloaded from app stores are installed under /data.

Pre-installed apps are privileged by design; some can run in the background as the privileged system user and cannot be uninstalled by the end-user. Android has four permission protection levels: Normal (lowest), Dangerous, Privileged, and Signature (highest).¹ Pre-installed apps can access highly sensitive device functionalities protected by Privileged- and Signature-level permissions that are not accessible by third-party apps downloaded from app stores. Due to the highly-privileged status of these apps, (un)intentional design or programming mistakes can facilitate confused deputy attacks, allowing unprivileged third-party apps, and perhaps remote entities, to abuse the capabilities of pre-installed apps and cross security boundaries set by the Android OS.

Threat Model. An Android firmware archive typically contains several modules, including a bootloader, the Android Linux kernel, the Android runtime framework, an embedded radio firmware, and pre-installed apps. We exclusively focus on discovering vulnerabilities in pre-installed firmware apps. Our objective is to use static analysis to uncover high-impact weaknesses (often posing as backdoors) in pre-installed apps
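The Background section above describes components as app entry points listed in AndroidManifest.xml, some of which external apps can start. The following added example (not FIRMSCOPE's code) shows the first step such an analysis needs: reading a manifest and listing the components that outside apps can invoke, together with the permission guarding each one, so a reviewer knows which entry points to trace for privileged behaviour. The manifest, package name and component names are constructed for illustration.

```python
"""Enumerate externally invokable components from an AndroidManifest.xml
(added example, not FIRMSCOPE's code; the manifest below is constructed)."""
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest of a hypothetical pre-installed app that runs as system.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{NS}" package="com.example.vendor.tools"
    android:sharedUserId="android.uid.system">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".LogDumpService" android:exported="true"/>
    <service android:name=".InternalService"/>
    <receiver android:name=".CommandReceiver"
        android:permission="android.permission.SHUTDOWN">
      <intent-filter><action android:name="com.example.vendor.RUN"/></intent-filter>
    </receiver>
    <provider android:name=".DataProvider" android:authorities="com.example.vendor.data"
        android:exported="false"/>
  </application>
</manifest>"""

def attr(elem, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return elem.get(f"{{{NS}}}{name}")

def is_exported(elem):
    """Explicit android:exported wins; otherwise a component with an intent-filter
    is reachable by other apps (pre-API-31 default, assumed here; providers
    without the attribute are treated as not exported, the API 17+ default)."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.tag != "provider" and elem.find("intent-filter") is not None

def externally_invokable(manifest_xml):
    """Map each component reachable from outside the app to the permission
    guarding it; None means any third-party app can invoke it."""
    found = {}
    for elem in ET.fromstring(manifest_xml).find("application"):
        if elem.tag in COMPONENT_TAGS and is_exported(elem):
            found[attr(elem, "name")] = attr(elem, "permission")
    return found

def runs_as_system(manifest_xml):
    """True when the app requests the shared system UID (platform-signed apps only)."""
    return attr(ET.fromstring(manifest_xml), "sharedUserId") == "android.uid.system"
```

Components mapped to None that run in a system-UID app are the confused-deputy candidates the paper targets; the next step is tracing what each one does with the data it receives.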
