
Mobile Vulnerability Analysis
Kryptowire 2019

Background

Devices are shipped with pre-installed software
▪ Not present on Official App Stores
▪ Most functionality cannot be disabled
▪ Privileged & System Access by default

Pre-installed apps can be vulnerable and/or malicious
▪ Potential for Remote and Local exploitation
▪ “Backdoor” functionality & data exfiltration

Why is this happening?
▪ Vendors customize official code
▪ Hardware suppliers provide software
▪ (Un)intentionally expose sensitive capabilities

Discovery and Exploit Workflow

1. Mobile Apps & Firmware Collection
Mobile Apps and Firmware images are collected and processed by the App analysis system using a cloud or on-premise appliance.

2. Vulnerabilities Discovered
The automated system reports vulnerabilities with the type (e.g. command execution) and all necessary data to generate a proof of concept.

3. Exploits Generated
An analyst leverages the output of the automated system to validate and generate Proof of Concept exploits. The POCs can be tested and validated in live environments.

Automated Vulnerability Discovery Engine

Modeling Vulnerability Categories
○ PII leakage
○ App installation
○ Command execution
○ Sending AT commands
○ Record audio
○ Logcat leakage
○ Record screen
○ Factory reset
○ Capture screenshot
○ Dynamic code loading and execution
○ SMS sending
○ Modification of wireless settings
○ Modification of system properties
○ Others

Sample Results

Popular Android Devices
▪ ZTE ZMAX Pro (T-Mobile): Send, read, and modify text messages
▪ LG G6 (AT&T, Verizon, T-Mobile, Sprint): Lock user out of their device and get logcat/kernel logs
▪ ZTE Blade Spark (AT&T): Write modem and logcat logs to external storage
▪ Coolpad Defiant (T-Mobile): Send, read, and modify text messages and programmatic factory reset
▪ Coolpad Revvl Plus (T-Mobile): Send, read, and modify text messages
▪ Asus ZenFone V Live (Verizon): Command execution as system user
▪ LG Phoenix 2 (AT&T): Lock user out of their device
▪ Essential Phone (Sprint): Programmatic factory reset

Example Finding

App: com.********.defcontainer and com.******.defcontainer (multiple versions)
Vulnerability: Inject commands to execute as system user, giving full control of device and data.
Firmware Affected: 5 Tecno Oreo (8.X), 2 Coolpad Oreo (8.1), & 1 Haier Oreo (8.1)
Additional Violations:
○ 1 Dynamic Code Loading
○ 1 additional Command Execution
Status: Exploitable - CVE Assigned

DISTRIBUTION R – Company Confidential - No Distribution beyond intended customer without explicit permission

Sample Results - 2019

~1,000 New Vulnerabilities Discovered in 2019
30+ OEMs

▪ Command Execution
▪ Log Leakage
▪ Network Settings Modification
▪ SMS Sending/Spoofing
▪ Screenshot Capturing
▪ System Properties Modifications
▪ Factory Reset
▪ App Installation
▪ App Uninstallation
▪ AT-Command Execution
▪ Audio Recording
▪ Video Recording
▪ Dynamic Code Loading
▪ And More...