SlideShare a Scribd company logo

Man in the Binder

N
nitayart

This document summarizes a presentation about exploiting Android's Binder inter-process communication (IPC) mechanism to conduct malware attacks. It describes how Binder works and how malware authors have increasingly targeted it. Three demonstration attacks are shown: a keylogger that intercepts keyboard inputs via Binder, grabbing sensitive form data that transits between app activities via Binder, and intercepting SMS messages by intercepting Binder calls made by the SMS app to retrieve messages from the telephony manager. The document advocates encrypting sensitive data moving between apps via Binder to help prevent these kinds of attacks.

Mobile
1 of 42
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Nitay Artenstein - nitaya@checkpoint.com Idan Revivo - idanr@checkpoint.com
Who Are We? Nitay Artenstein Idan Revivo • Researcher at Check Point • Used to do pentesting in Africa (with a machete) • Now does more risky stuff, such as kernel exploits • Researcher at Check Point • When he’s not breaking Android,he breaks his trainees at the gym • Contributorto Cuckoo Project
Overview
ev·o·lu·tion n. A gradual process in which something changes into a different and usually more complex or better form
Malware on Windows
Malware on Android
Why the Big Difference? • The sandbox • Android is a complicatedenvironment • Do we work in Java? JNI? C? Native ARM?
How to Write Malware in this Mess?
Welcome to Binder
• Android Malware Today • Developer Point-of-View • What is Binder? • Man In The Binder Attacks • Possible Solutions Agenda
Android Malware Attacks
What Do Mobile Malware Authors Want? • Sending SMS to premium numbers • Location tracking • Secondary APK installation • Link clicking • Bank fraud • Stealing personal information • Etc..
Android Malware Evolution Android Was Born •9/2008 Fake Player •8/2010 •First SMS Trojan •Just asks for SEND_SMS permission DroidDream •3/2011 •Uses root exploits •Installs secondary APK •50 variants in app store Spitmo– Zeus goesmobile •3/2011 •Banking malware Obad – The most sophisticated Android trojan •6/2013 •3 exploits •1 backdoor •SMS Trojan Dendroid – Android RAT •5/2014
Keylogging – Swapping the Keyboard
Intercepting SMS – Just Ask Politely
Location Tracking – Again Just Ask Politely
Developer Point-of-View
• Android is built on top of the Linux kernel • An application doesn’t talk to hardware • Talking to the system – only via IPC Android Architecture Basics
• Each app runs with its own uid • Privileges are given upon app installation • Each privilege translates into a gid The Sandbox
Man in the Binder
What is Binder?
Return of the Microkernel • Minimalist kernel, less attack surface • Monolithic kernels won the war • How to get the benefits of a microkernel anyway? Andrew S. Tanenbaum Dianne Hackborn Darth Vader
IPC is the Key • Isolate the kernel from user apps • Implement system servers in userland • Control all communication via Binder
Man in the Binder
Man in the Binder
Why Target Binder? • Stealthy, difficult to detect • Portable data interception • Integration with the system architecture
Ready for Some Fun?
First Attack: Keylogger
Keyloggers, the Binder Way • A thread in an app sets up a listener • It is contacted by the InputContext interface when the user hits a key • All communicationis done via Binder
Man in the Binder
Keylogging Demo
Second Attack: Data Grabbing
The Secret About Activities • Most secure applicationsprotect their data • However, developers don’t bother to encrypt data moving between in-app Activities • Surprise: This data goes through Binder
Yes, in-app data goes through Binder
…and we got the hex dump to prove it
Form Grabbing Demo
Third Attack: Intercepting SMS
What Happens When You Get An SMS? • The Telephony Manager notifies the SMS app • The app queries the TM’s database • The response is sent back as a Cursor object • …but that’s just a file descriptor!
Let’s Grab It!
SMS Interception Demo
• Do as much as you can in-app • Audit your app to see what goes to IPC • If it goes through Binder, encrypt it How Do I Protect Myself?
Questions?

More Related Content

PDF
Behavior-Based Defense in ICS
Dragos, Inc.
 
PDF
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
PDF
How to Respond to Industrial Intrusions
Dragos, Inc.
 
PDF
The IoT Attack Surface
Daniel Miessler
 
PDF
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 
PDF
What happened on October 21
San Diego Continuing Education
 
PDF
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Codiax
 
PDF
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon
 
Behavior-Based Defense in ICS
Dragos, Inc.
 
IoT Attack Surfaces -- DEFCON 2015
Daniel Miessler
 
How to Respond to Industrial Intrusions
Dragos, Inc.
 
The IoT Attack Surface
Daniel Miessler
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 
What happened on October 21
San Diego Continuing Education
 
Jakub Bartoszek (Samsung Electronics) - Hardware Security in Connected World
Codiax
 
DevSecCon Asia 2017 Ante Gulam: Integrating crowdsourced security into agile ...
DevSecCon
 

What's hot (20)

PPTX
The Four Types of Threat Detection and Use Cases in Industrial Security
Dragos, Inc.
 
PPT
Emerging Threats and Strategies of Defense
Alert Logic
 
PDF
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
APNIC
 
PPTX
Advanced Security Testing in the Age of Cyber War
Sailaja Tennati
 
PDF
RSA2015: Securing the Internet of Things
Daniel Miessler
 
PPTX
Secure application deployment in the age of continuous delivery
Tim Mackey
 
PPTX
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
PDF
The Changing Landscape of Information Security
DevSecOpsSg
 
PPTX
Security in the Age of Open Source
Black Duck by Synopsys
 
PPTX
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Trend Micro
 
PPTX
Internet Accessible ICS in Japan (English)
Digital Bond
 
PDF
To see things others can't - APTs, Incident Response, DDoS
Marco Gioanola
 
PPTX
Secure application deployment in Apache CloudStack
Tim Mackey
 
PPTX
Cyber security and its defence (updated)
Parshu Ram
 
PPTX
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
FRSecure
 
PDF
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
PDF
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
Priyanka Aash
 
PDF
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
PPTX
September 2012 Security Vulnerability Session
Kaseya
 
PPTX
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
The Four Types of Threat Detection and Use Cases in Industrial Security
Dragos, Inc.
 
Emerging Threats and Strategies of Defense
Alert Logic
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
APNIC
 
Advanced Security Testing in the Age of Cyber War
Sailaja Tennati
 
RSA2015: Securing the Internet of Things
Daniel Miessler
 
Secure application deployment in the age of continuous delivery
Tim Mackey
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
The Changing Landscape of Information Security
DevSecOpsSg
 
Security in the Age of Open Source
Black Duck by Synopsys
 
Encryption in the Public Cloud: 16 Bits of Advice for Security Techniques
Trend Micro
 
Internet Accessible ICS in Japan (English)
Digital Bond
 
To see things others can't - APTs, Incident Response, DDoS
Marco Gioanola
 
Secure application deployment in Apache CloudStack
Tim Mackey
 
Cyber security and its defence (updated)
Parshu Ram
 
Slide Deck – Session 6 – FRSecure CISSP Mentor Program 2017
FRSecure
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
Priyanka Aash
 
Akila srinivasan microsoft-bug_bounty-(publish)
PacSecJP
 
September 2012 Security Vulnerability Session
Kaseya
 
The road goes ever on and on by Ciaran Conliffe
DevSecCon
 
Ad

Viewers also liked (9)

PPTX
Next Gen Innovation
Kegan Quimby
 
PDF
7 factors determining deeper impact of ar based mobile application on user ex...
Ashish Agrawal
 
PPTX
Histórico da EJA
Camila Silva
 
PPTX
Lync integration with metro app
Ashish Agrawal
 
PPTX
Biografia - Paulo Freire
Camila Silva
 
PPT
Android overview
Ashish Agrawal
 
PDF
Binderのはじめの一歩とAndroid
l_b__
 
PDF
Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint
DroidConTLV
 
ODP
Android crash debugging
Ashish Agrawal
 
Next Gen Innovation
Kegan Quimby
 
7 factors determining deeper impact of ar based mobile application on user ex...
Ashish Agrawal
 
Histórico da EJA
Camila Silva
 
Lync integration with metro app
Ashish Agrawal
 
Biografia - Paulo Freire
Camila Silva
 
Android overview
Ashish Agrawal
 
Binderのはじめの一歩とAndroid
l_b__
 
Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint
DroidConTLV
 
Android crash debugging
Ashish Agrawal
 
Ad

Similar to Man in the Binder (10)

PPTX
Man in the Binder
Michael Shalyt
 
PDF
Binding android piece by piece
Bucharest Java User Group
 
PDF
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
PDF
7. Attacking Android Applications (Part 2)
Sam Bowne
 
PDF
Android_Malware_IOAsis_2014_Analysis.pdf
jjb117343
 
PPT
Outsmarting SmartPhones
saurabhharit
 
PDF
Amir goldstein mobmodcon-nov2015-binder under the hood
Ron Munitz
 
PPTX
IPC: AIDL is not a curse
Yonatan Levin
 
ODP
Android security in depth
Sander Alberink
 
PPTX
Mobile security
priyanka pandey
 
Man in the Binder
Michael Shalyt
 
Binding android piece by piece
Bucharest Java User Group
 
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
 
7. Attacking Android Applications (Part 2)
Sam Bowne
 
Android_Malware_IOAsis_2014_Analysis.pdf
jjb117343
 
Outsmarting SmartPhones
saurabhharit
 
Amir goldstein mobmodcon-nov2015-binder under the hood
Ron Munitz
 
IPC: AIDL is not a curse
Yonatan Levin
 
Android security in depth
Sander Alberink
 
Mobile security
priyanka pandey
 

Man in the Binder

  • 1. MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID Nitay Artenstein - nitaya@checkpoint.com Idan Revivo - idanr@checkpoint.com
  • 2. Who Are We? Nitay Artenstein Idan Revivo • Researcher at Check Point • Used to do pentesting in Africa (with a machete) • Now does more risky stuff, such as kernel exploits • Researcher at Check Point • When he’s not breaking Android,he breaks his trainees at the gym • Contributorto Cuckoo Project
  • 4. ev·o·lu·tion n. A gradual process in which something changes into a different and usually more complex or better form
  • 7. Why the Big Difference? • The sandbox • Android is a complicatedenvironment • Do we work in Java? JNI? C? Native ARM?
  • 8. How to Write Malware in this Mess?
  • 10. • Android Malware Today • Developer Point-of-View • What is Binder? • Man In The Binder Attacks • Possible Solutions Agenda
  • 12. What Do Mobile Malware Authors Want? • Sending SMS to premium numbers • Location tracking • Secondary APK installation • Link clicking • Bank fraud • Stealing personal information • Etc..
  • 13. Android Malware Evolution Android Was Born •9/2008 Fake Player •8/2010 •First SMS Trojan •Just asks for SEND_SMS permission DroidDream •3/2011 •Uses root exploits •Installs secondary APK •50 variants in app store Spitmo– Zeus goesmobile •3/2011 •Banking malware Obad – The most sophisticated Android trojan •6/2013 •3 exploits •1 backdoor •SMS Trojan Dendroid – Android RAT •5/2014
  • 14. Keylogging – Swapping the Keyboard
  • 15. Intercepting SMS – Just Ask Politely
  • 16. Location Tracking – Again Just Ask Politely
  • 18. • Android is built on top of the Linux kernel • An application doesn’t talk to hardware • Talking to the system – only via IPC Android Architecture Basics
  • 19. • Each app runs with its own uid • Privileges are given upon app installation • Each privilege translates into a gid The Sandbox
  • 22. Return of the Microkernel • Minimalist kernel, less attack surface • Monolithic kernels won the war • How to get the benefits of a microkernel anyway? Andrew S. Tanenbaum Dianne Hackborn Darth Vader
  • 23. IPC is the Key • Isolate the kernel from user apps • Implement system servers in userland • Control all communication via Binder
  • 26. Why Target Binder? • Stealthy, difficult to detect • Portable data interception • Integration with the system architecture
  • 29. Keyloggers, the Binder Way • A thread in an app sets up a listener • It is contacted by the InputContext interface when the user hits a key • All communicationis done via Binder
  • 33. The Secret About Activities • Most secure applicationsprotect their data • However, developers don’t bother to encrypt data moving between in-app Activities • Surprise: This data goes through Binder
  • 34. Yes, in-app data goes through Binder
  • 35. …and we got the hex dump to prove it
  • 38. What Happens When You Get An SMS? • The Telephony Manager notifies the SMS app • The app queries the TM’s database • The response is sent back as a Cursor object • …but that’s just a file descriptor!
  • 41. • Do as much as you can in-app • Audit your app to see what goes to IPC • If it goes through Binder, encrypt it How Do I Protect Myself?