Owned over OTA [Part 1]
As far as I know, the most common way of infiltrating Android is by repackaging an application (preferably a popular one) with an exploit of your choice. There are plenty of papers and tutorials on how to do it, for example this tutorial on how to do it manually. There are also plenty of ready-made scripts out there to automate the whole process. A good one is backdoor-apk. Basically, the only concerns of an attacker are to find a popular application which hasn’t already been repackaged a million times and to find the right distribution channel. (Un)Fortunately, there aren’t that many options to choose from. The attacker can, for example, upload the malicious application to a forum under the guise that it’s a cracked version or something along those lines, but this gives relatively small reach. Another option is to publish the application on an unofficial market (Chinese markets for the win!) or make it available on those apk downloader sites (which act as a web interface to the Google Play market, well, maybe some of them do). The last two options certainly give the attacker the highest possible reach of potential victims. The biggest disadvantage seems to be the fact that the attacker has absolutely no control over who the target is (ok, maybe a little bit, by considering the type of application). Surely this is okay with the ransomware guys, but what about the rest of us? I’m sure we can do better.
OTA Update As a Door
I propose a way of getting root access and complete control over the Android OS using OTA updates and exploiting a few issues in custom ROMs. I also present some modifications of the attack which are usable with official Google distributions.
The attack I’m going to describe here is not suitable for all cases. Most notably, this attack can’t be used for infiltrating huge masses (well, theoretically, with great effort it could be conducted). Instead, it works well for targeted attacks on individuals or smaller groups of people, where the attacker wants to be sure that the attack is executed, i.e. not relying on whether the user wants to play (use) a game (application) containing the evil payload or not.
Well, it’s real simple. Every security guideline for Android mobile phone users tells them to only use the official Play store for installing applications. It also states that you should never install applications from unknown/untrusted sources (which is, by the way, disabled by default). On the other hand, a golden rule of every security guideline is to always keep your software and OS up to date, so you should install available updates asap. So if people think that (OTA) updates are cool and that they are the “only” way of keeping your system secure, why not use these OTA updates against the user?

I won’t go into much technical detail about how OTA updates work on Android. I assume the reader has a general understanding of how OTA updates work and of the inner workings of the Android OS as well. For all OTA related information, I recommend OTA Updates.

With OTA updates it is possible to update the boot (this also includes the ramdisk), system, and/or vendor partition. In other words, we gain write access and, on top of that, we can execute code! Yay! Now how cool is that? You really don’t need more than this to own a system. Of course, there is SELinux and signature verification, but fortunately these aren’t showstoppers, as I’ll show later on. Now all we have to do is to create an OTA update image which will contain an installation script for a rootkit and a backdoor/loader. Here are the steps required to own a custom ROM (for example CyanogenMod) in a high-level overview:
- Create an OTA update image with all the nasty stuff (rootkit, backdoor etc.)
- Install & run an OTA Update Server (to serve malicious OTA images)
- Use DNS spoofing and/or other well-known techniques to trick devices into checking for OTA updates on the evil OTA Update Server
- The OTA updater application will download the malicious OTA image and, either automatically or on user request, it will reboot the device into recovery to install the update.
- The Recovery will eventually start the malicious installation script, which will place the rootkit in ramdisk
- Additional evilness can be hidden on the system partition as well
- After the reboot from recovery, besides the usual stuff, our evil payload is loaded as well. The rootkit hides all the activities of the attacker.
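To make the “signature verification” control concrete from the defender’s side, here is an added example of what an OTA client should check before handing a package to recovery: that the package was fetched over TLS (so a spoofed DNS answer alone is not enough), that its bytes match the advertised digest, and that the digest was signed by a key pinned in the client rather than by whoever answered the update request. This is my own illustration, not code from this post and not any ROM’s actual OTA client; the manifest layout, the URL, the sample package bytes and the use of ed25519 are all assumptions. Real Android recovery verifies a signature embedded in the OTA zip against certificates built into the recovery image, which is the same idea with a different container format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is what our hypothetical OTA client receives from its update
// server: where to fetch the package, the expected digest, and a signature
// over that digest made by the ROM maintainer's offline signing key.
// (Assumed layout for this example; not a real ROM's manifest format.)
type Manifest struct {
	URL       string
	SHA256Hex string
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("ota: update URL is not https")
	ErrDigestMismatch    = errors.New("ota: package digest does not match manifest")
	ErrBadSignature      = errors.New("ota: manifest signature invalid for pinned key")
)

// VerifyUpdate applies the three checks a defender wants before rebooting
// into recovery. The checks are ordered cheapest first; any failure aborts
// the update and nothing is written to any partition.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	// 1. Transport: a plain-http update URL is rejected outright, so DNS
	//    spoofing alone cannot redirect the client to a rogue server.
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return ErrInsecureTransport
	}
	// 2. Integrity: the downloaded bytes must match the advertised digest.
	sum := sha256.Sum256(pkg)
	want, err := hex.DecodeString(m.SHA256Hex)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrDigestMismatch
	}
	// 3. Authenticity: the digest must carry a signature from the pinned
	//    maintainer key; a manifest signed by any other key is refused.
	if !ed25519.Verify(pinned, sum[:], m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// SignManifest is the maintainer-side counterpart, included only so the
// example is self-contained; the private key never lives on the update server.
func SignManifest(priv ed25519.PrivateKey, rawURL string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	return Manifest{
		URL:       rawURL,
		SHA256Hex: hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	// Constructed stand-in for an OTA zip; any byte string works here.
	pkg := []byte("constructed stand-in for an OTA zip")
	const updateURL = "https://ota.example.invalid/update.zip" // assumed URL

	good := SignManifest(priv, updateURL, pkg)
	fmt.Println("genuine:  ", VerifyUpdate(pub, good, pkg))

	// Bytes altered in transit: digest no longer matches the manifest.
	tampered := append(append([]byte{}, pkg...), '!')
	fmt.Println("tampered: ", VerifyUpdate(pub, good, tampered))

	// Manifest signed with some other key: the pinned key rejects it.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	resigned := SignManifest(otherPriv, updateURL, pkg)
	fmt.Println("resigned: ", VerifyUpdate(pub, resigned, pkg))

	// Plain http: refused before digest or signature are even looked at.
	plain := SignManifest(priv, "http://ota.example.invalid/update.zip", pkg)
	fmt.Println("plaintext:", VerifyUpdate(pub, plain, pkg))
}
```

The point of the ordering is that each of the listed attack steps has one check that breaks it: the spoofed server fails the transport check, a swapped package fails the digest check, and a package that is both served and signed by the wrong party fails the pinned-key check. A client that skips any one of them, or pins nothing and trusts whatever key the manifest names, is the kind of issue a custom ROM can have.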
All the steps will be described in detail, where we will discuss why and how those things are possible.