The Android operating system and the mobile devices that run it dominate the market in comparison to other mobile platforms. Along with that market share, the Android ecosystem is heavily fragmented; that is to say, many users are still running older versions of the operating system. This makes Android a prime target for attackers, as older versions lack many of the security hardening measures found in current releases.
We will briefly look at what the attack surface of an Android mobile device looks like. First, we will describe the local attack surface followed by the remote attack surface.
One of the main goals of an attacker working against the local attack surface is to elevate privileges in order to achieve code execution as the root or system user.
Sockets can be used by non-privileged applications to communicate with higher privileged applications. Android often uses Unix domain sockets as a form of Inter-Process Communication (IPC), including sockets in the abstract namespace, which are not subject to filesystem permissions. IPC allows applications and services to communicate with each other and to synchronize their data and actions. Many applications and system services on Android expose different forms of IPC to non-privileged applications, and these interfaces make up part of its local attack surface.
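As an added example (not code from the original post), the following Python script parses the contents of `/proc/net/unix`, which is what you would pull from a device with `adb shell cat /proc/net/unix`, and lists the named sockets that are accepting connections. Abstract-namespace sockets (shown with a leading `@`) are sorted first because no filesystem permission bits protect them; only SELinux policy stands between an unprivileged app and the service listening on them. The sample table is constructed for this example, and the `@com.example.vendor.debugd` entry is a hypothetical vendor socket, not a real one.

```python
import re

# Bit set in the Flags column when a socket is listening (__SO_ACCEPTCON).
SO_ACCEPTCON = 0x10000
SOCK_TYPES = {1: "STREAM", 2: "DGRAM", 5: "SEQPACKET"}

# Constructed sample in the format of `cat /proc/net/unix`; the rows are
# illustrative, not captured from a real device.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 10234 @jdwp-control
0000000000000000: 00000002 00000000 00010000 0001 01 10235 /dev/socket/adbd
0000000000000000: 00000003 00000000 00000000 0001 03 10236 /dev/socket/property_service
0000000000000000: 00000002 00000000 00010000 0005 01 10237 @com.example.vendor.debugd
0000000000000000: 00000002 00000000 00000000 0002 01 10238
"""

# Kernel format: "%pK: %08X %08X %08X %04X %02X %5lu" followed by an optional path.
LINE_RE = re.compile(
    r"^(?P<num>[0-9a-fA-F]+):\s+(?P<refs>[0-9a-fA-F]{8})\s+(?P<proto>[0-9a-fA-F]{8})\s+"
    r"(?P<flags>[0-9a-fA-F]{8})\s+(?P<type>[0-9a-fA-F]{4})\s+(?P<state>[0-9a-fA-F]{2})\s+"
    r"(?P<inode>\d+)(?:\s+(?P<path>\S+))?$"
)


def parse_proc_net_unix(text):
    """Return one dict per socket row; the header line and unparseable rows are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path") or ""
        socks.append({
            "inode": int(m.group("inode")),
            "type": SOCK_TYPES.get(int(m.group("type"), 16), "?"),
            "listening": bool(int(m.group("flags"), 16) & SO_ACCEPTCON),
            "path": path,
            # A leading '@' is how the kernel prints an abstract-namespace name.
            "abstract": path.startswith("@"),
        })
    return socks


def reachable_listeners(text):
    """Named sockets accepting connections, abstract-namespace ones first:
    those have no filesystem permission bits, so only SELinux policy limits
    which app may connect to the service behind them."""
    socks = [s for s in parse_proc_net_unix(text) if s["listening"] and s["path"]]
    return sorted(socks, key=lambda s: (not s["abstract"], s["path"]))


if __name__ == "__main__":
    for s in reachable_listeners(SAMPLE_PROC_NET_UNIX):
        print("%-9s %-8s %s" % ("abstract" if s["abstract"] else "file", s["type"], s["path"]))
```

On a real device, pair each listening socket with its owning process (for example via the inode in `/proc/<pid>/fd`) and check the SELinux label of both ends; a socket that an `untrusted_app` domain may `connectto` is the one worth fuzzing.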
In addition to sockets, Android also uses shared memory and its Binder driver to implement IPC mechanisms. Android implements its own form of shared memory via a mechanism called Anonymous Shared Memory (ashmem). The Binder driver carries the calls between applications and system services, and Intents, the messages exchanged between application components (activities, services, broadcast receivers and content providers), are delivered over it.
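Which components an unprivileged app can reach through Intents is declared in the target app's `AndroidManifest.xml`. As an added example (not code from the original post), the Python script below applies the platform's export rules to a manifest: an explicit `android:exported` wins; otherwise a component with an `<intent-filter>` is implicitly exported, and a content provider is implicitly exported when `targetSdkVersion` is below 17. The manifest is constructed for this example, and the package `com.example.target` and its component names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest (not from a real app) mixing explicit, implicit and
# permission-protected components.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.target">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="target"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.target.SYNC"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
    <provider android:name=".DataProvider"
              android:authorities="com.example.target.data"/>
  </application>
</manifest>
"""


def _android(elem, attr):
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def _full_name(package, name):
    """Expand the manifest's short class names (".Foo" or "Foo") to fully qualified ones."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def _target_sdk(root):
    # Without <uses-sdk>, the platform treats min and target SDK as 1.
    uses_sdk = root.find("uses-sdk")
    if uses_sdk is None:
        return 1
    return int(_android(uses_sdk, "targetSdkVersion") or _android(uses_sdk, "minSdkVersion") or 1)


def audit_components(manifest_xml):
    """Return every component with the export decision and the rule that produced it."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    target_sdk = _target_sdk(root)
    app = root.find("application")
    results = []
    for elem in ([] if app is None else list(app)):
        if elem.tag not in COMPONENT_TAGS:
            continue
        explicit = _android(elem, "exported")
        if explicit is not None:
            exported = explicit.lower() == "true"
            reason = 'android:exported="%s"' % explicit
        elif elem.find("intent-filter") is not None:
            exported = True
            reason = "implicit: intent-filter present"
        elif elem.tag == "provider" and target_sdk < 17:
            exported = True
            reason = "implicit: provider with targetSdkVersion %d < 17" % target_sdk
        else:
            exported = False
            reason = "implicit: no intent-filter"
        results.append({
            "kind": elem.tag,
            "name": _full_name(package, _android(elem, "name") or ""),
            "exported": exported,
            "reason": reason,
            "permission": _android(elem, "permission"),
        })
    return results


def unprotected_exports(manifest_xml):
    """Exported components that any app can hit without holding a permission."""
    return [c for c in audit_components(manifest_xml) if c["exported"] and not c["permission"]]


if __name__ == "__main__":
    for c in audit_components(SAMPLE_MANIFEST):
        print("%-9s %-38s exported=%-5s perm=%-24s %s"
              % (c["kind"], c["name"], c["exported"], c["permission"], c["reason"]))
```

Two caveats a reviewer would add: providers can also be gated by `android:readPermission`, `android:writePermission` and `<path-permission>`, which this script does not inspect, and apps targeting Android 12 (API 31) or later must declare `android:exported` explicitly on any component with an intent filter, so the implicit rule only matters for older targets.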
All of these IPC mechanisms can potentially be leveraged to attack higher privileged processes from an unprivileged context, precisely because they allow communication across privilege boundaries.
The goals of the attacker remain largely the same when dealing with the remote attack surface, but here the attacker may be content with first gaining remote code execution and then pivoting to the local attack surface in order to exploit a privilege escalation vulnerability.
Android shares some of the same remote attack surface as PCs. Technologies such as web browsers can be targeted remotely and have a large attack surface of their own, as they must execute application logic, render images, and handle a range of underlying protocols.
What makes the remote attack surface of a mobile device different are technologies such as Bluetooth, Near Field Communication (NFC), and the baseband. While these technologies do allow for remote communication, they are more limited in range than technologies that communicate over the Internet.
The technology with the longest range is the baseband, which facilitates cellular communications for the mobile device. Attackers can set up a rogue base station to send malicious traffic to any device that connects to it. This works because the baseband system-on-chip (SoC) will attach to the closest cell tower, or the tower with the strongest signal, which is not necessarily a legitimate one.
The technology with the next longest range is Bluetooth. The range depends on the version of Bluetooth being used. Bluetooth 2.1 has a range of up to 100 meters for class 1 devices, whereas newer protocols such as Bluetooth 5.0 Low Energy, using the long-range coded PHY, can transmit and receive data at up to roughly 1000 meters under ideal line-of-sight conditions. VerSprite has previously published research that uses Bluetooth Low Energy to exploit an aftermarket remote start for an automobile. This exploit relied on reverse engineering the Android application to reveal the logic needed to perform the attack.
The last of the technologies that represent the remote attack surface is Near Field Communication (NFC). NFC is often used for contactless payment and its range is usually only a few centimeters, well under 1 foot. NFC often carries the NFC Data Exchange Format (NDEF), whose messages can contain any type of data, including URLs and images. Android parses this data when a tag is scanned and dispatches it to applications via Intents, which can lead to other applications being launched, often with no user interaction.
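As an added example (not code from the original post), here is a Python parser for the NDEF record format described above, written to reject truncated or malformed messages instead of reading past the end of the buffer. It decodes the two record types Android acts on at dispatch time: a well-known URI record (type `U`, whose first payload byte is an abbreviation code for a common prefix) and an Android Application Record (external type `android.com:pkg`), which names a package to launch when the tag is read. The tag bytes are constructed for this example, the package name `com.example.target` is hypothetical, and only the first entries of the NFC Forum URI prefix table are included; codes outside the table are treated as "no prefix".

```python
import struct

# URI identifier codes from the NFC Forum URI Record Type Definition (first
# entries only; unknown or reserved codes fall back to no prefix).
URI_PREFIXES = {
    0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
    0x04: "https://", 0x05: "tel:", 0x06: "mailto:",
}
TNF_WELL_KNOWN = 0x01   # NFC Forum well-known type, e.g. "U" (URI), "T" (text)
TNF_EXTERNAL = 0x04     # external type, e.g. "android.com:pkg" (Android Application Record)

# Constructed tag contents (not read from a real tag): a short-record URI
# followed by an Android Application Record naming a package to launch.
SAMPLE_TAG = (
    bytes([0x91, 0x01, 0x0C]) + b"U" + bytes([0x02]) + b"example.com"
    + bytes([0x54, 0x0F, 0x12]) + b"android.com:pkg" + b"com.example.target"
)


def _decode_payload(tnf, rtype, payload):
    """Decode the record types an Android NFC dispatch acts on."""
    if tnf == TNF_WELL_KNOWN and rtype == b"U":
        if not payload:
            raise ValueError("empty URI record")
        return {"uri": URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8")}
    if tnf == TNF_EXTERNAL and rtype.lower() == b"android.com:pkg":
        return {"package": payload.decode("utf-8")}
    return {}


def parse_ndef(message: bytes):
    """Parse an NDEF message into records; every length field is bounds-checked."""
    records, pos, n = [], 0, len(message)

    def take(count):
        nonlocal pos
        if pos + count > n:
            raise ValueError("truncated NDEF message at offset %d" % pos)
        chunk = message[pos:pos + count]
        pos += count
        return chunk

    while pos < n:
        hdr = take(1)[0]
        mb, me, cf = hdr & 0x80, hdr & 0x40, hdr & 0x20   # message begin/end, chunk flag
        sr, il, tnf = hdr & 0x10, hdr & 0x08, hdr & 0x07  # short record, ID present, type name format
        if not records and not mb:
            raise ValueError("first record lacks MB flag")
        if records and mb:
            raise ValueError("MB flag set on a non-first record")
        if cf:
            raise ValueError("chunked records are not supported")
        type_len = take(1)[0]
        payload_len = take(1)[0] if sr else struct.unpack(">I", take(4))[0]
        id_len = take(1)[0] if il else 0
        rtype, rid, payload = take(type_len), take(id_len), take(payload_len)
        rec = {"tnf": tnf, "type": rtype, "id": rid, "payload": payload}
        rec.update(_decode_payload(tnf, rtype, payload))
        records.append(rec)
        if me:
            break
    else:
        raise ValueError("message ended without an ME record")
    if pos != n:
        raise ValueError("trailing bytes after ME record")
    return records


def dispatch_targets(message: bytes):
    """What the platform would act on: URIs (matched against ACTION_NDEF_DISCOVERED
    intent filters) and AAR package names (launched directly)."""
    out = {"uris": [], "packages": []}
    for rec in parse_ndef(message):
        if "uri" in rec:
            out["uris"].append(rec["uri"])
        if "package" in rec:
            out["packages"].append(rec["package"])
    return out


if __name__ == "__main__":
    print(dispatch_targets(SAMPLE_TAG))
```

The URI in the sample would be matched against any installed app's `ACTION_NDEF_DISCOVERED` intent filters, so an app that registers a custom scheme on an exported activity can be started by a tag with no more interaction than bringing the phone near it; the AAR names a package outright. Both are worth enumerating when assessing what a crafted tag can reach on a given device.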
We have only briefly discussed a few mechanisms that could be leveraged by attackers; this is by no means a complete technical analysis of the attack surface. If you are interested in more detailed technical write-ups examining specific parts of the Android attack surface, see VerSprite's published research.
The foundation of VerSprite’s penetration testing methodology is based on emulating realistic attacks by a malicious actor through the use of PASTA (Process for Attack Simulation and Threat Analysis).
VerSprite's Research and Development division (a.k.a. VS-Labs) is comprised of individuals who are passionate about diving into the internals of various technologies. Our clients rely on VerSprite's unique offerings of zero-day vulnerability research and exploit development to protect their assets from various threat actors. From advanced technical security training to our research-for-hire B.O.S.S offering, we help organizations solve their most complex technical challenges.