Man in the Binder - Michael Shalyt & Idan Revivo, CheckPoint
1. MAN IN THE BINDER: MONSTERS UNDER THE HOOD
Michael Shalyt
Malware Research Team Leader @ Check Point
Idan Revivo
Mobile Malware Researcher @ Check Point
2. A Hack in Three Acts
Act I – Know Your Droid
Act II – Attack Your Droid
Act III – Prepare Your Droid
7. Name: Paw of Death
Occupation: Black belt ninja hacker
“To rob a bank, you must first become the bank”
8. Name: System Service
Occupation: Sitting and waiting to serve your needs
These things run Android!
9. Name: $ echo `uname -r`
Occupation: Holding the world on its shoulders since 1.1.1970
Feeling neglected now that system services get all the attention on Android
15. [Diagram: Binder data path. Labels: Bank Application Process (DalvikVM, application, System services proxy, libandroid_runtime.so, /system/libbinder.so, /system/lib*.so); System Service Process (DalvikVM, System Service, libandroid_runtime.so, libbinder.so); parcel; syscall; kernel; /dev/binder; /dev/tty0]
• Binder has a userland component and a kernel one
• The driver receives the Parcel via an ioctl syscall and sends it to the target processes
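To make the "Parcel via ioctl" step concrete, here is an added Python example (not code from the talk or from Check Point) that encodes and decodes Parcel primitives using the wire layout of Parcel.writeInt32 (little-endian int32) and Parcel.writeString16 (int32 length in UTF-16 code units, UTF-16LE data plus a 2-byte NUL, zero-padded to 4 bytes; a null string is length -1). The interface descriptor com.example.IBankService, the strict-mode word of 0 and the field values are constructed assumptions, not a captured transaction. The point it demonstrates is that the buffer the proxy hands to the driver is a flat, unencrypted serialization: every field is readable by whatever sits at that boundary.

```python
"""Encode and decode Android Parcel primitives (added example, not from the talk).

Parcel.writeInt32 is a little-endian 32-bit int; Parcel.writeString16 is an int32
length in UTF-16 code units, then UTF-16LE data plus a 2-byte NUL, zero-padded to
a 4-byte boundary (a null string is length -1 with no data). The descriptor and
field values used below are constructed sample data.
"""
import struct


def write_int32(buf: bytearray, value: int) -> None:
    buf += struct.pack("<i", value)


def write_string16(buf: bytearray, text) -> None:
    if text is None:
        write_int32(buf, -1)          # null string: length -1, no payload
        return
    data = text.encode("utf-16-le")
    write_int32(buf, len(data) // 2)  # length in UTF-16 code units, NUL excluded
    buf += data + b"\x00\x00"         # NUL terminator
    while len(buf) % 4:               # pad the whole buffer to 4-byte alignment
        buf += b"\x00"


class ParcelReader:
    def __init__(self, raw: bytes) -> None:
        self.raw, self.pos = raw, 0

    def read_int32(self) -> int:
        (value,) = struct.unpack_from("<i", self.raw, self.pos)
        self.pos += 4
        return value

    def read_string16(self):
        units = self.read_int32()
        if units < 0:
            return None
        nbytes = units * 2
        text = self.raw[self.pos:self.pos + nbytes].decode("utf-16-le")
        self.pos += nbytes + 2            # skip the data and the NUL
        self.pos = (self.pos + 3) & ~3    # realign to the next 4-byte boundary
        return text


def build_transaction(descriptor: str, fields) -> bytes:
    """Serialize an interface token followed by (kind, value) fields, as a proxy would."""
    buf = bytearray()
    write_int32(buf, 0)               # strict-mode policy word (constructed value: 0)
    write_string16(buf, descriptor)   # interface descriptor
    for kind, value in fields:
        if kind == "int":
            write_int32(buf, value)
        elif kind == "str":
            write_string16(buf, value)
        else:
            raise ValueError(f"unknown field kind {kind!r}")
    return bytes(buf)


def parse_transaction(raw: bytes, schema) -> dict:
    """Read a transaction back given its (name, kind) schema; this is all an observer at the ioctl needs."""
    reader = ParcelReader(raw)
    reader.read_int32()               # strict-mode policy word
    out = {"descriptor": reader.read_string16()}
    for name, kind in schema:
        out[name] = reader.read_int32() if kind == "int" else reader.read_string16()
    return out


if __name__ == "__main__":
    raw = build_transaction("com.example.IBankService",
                            [("int", 1), ("str", "transfer"), ("str", "ACCT-0001"), ("int", 5000)])
    print(raw.hex())
    print(parse_transaction(raw, [("code", "int"), ("op", "str"), ("account", "str"), ("amount", "int")]))
```

The parser needs only the schema of the call it is looking at, which is why the talk describes the approach as app agnostic: the framework's own interface descriptor is the first string in every transaction.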
48. SMS internals
• The Telephony Manager notifies the SMS app whenever an SMS is received.
• The app queries the TM’s database.
• Under the hood, the response is just a Unix fd.
49. SMS internals
• The Telephony Manager notifies the SMS app whenever an SMS is received
• The app queries the TM’s database via Binder:
50. SMS internals
• But what’s a Cursor object?
• It’s a messy abstraction of a response to a query
51. SMS internals
• Surprise: Under the hood, it’s just a Unix fd
• Now we’re in business!
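Slides 48 to 51 describe the query result as a Cursor that is really a file descriptor. The following added Python example (not code from the talk) reproduces that hand-off with a constructed stand-in: a service writes rows into a shared window, returns only the fd, and a client maps the fd and reads every row. Android's real CursorWindow lives in ashmem and its layout is not reproduced here; the temporary file, the length-prefixed row format and the sample SMS rows are all assumptions made for the demonstration. What it shows is why the abstraction leaks: the full result set belongs to whoever holds the descriptor, not to the Cursor object that wraps it.

```python
"""A query result that crosses Binder as a file descriptor (added example, not
from the talk). The real CursorWindow/ashmem layout is not reproduced; this
constructed stand-in uses an anonymous temporary file and a simple
length-prefixed row format to show the same hand-off."""
import mmap
import os
import struct
import tempfile


def publish_rows(rows) -> int:
    """Service side: write the result set into a window and hand back only its fd."""
    payload = bytearray(struct.pack("<i", len(rows)))          # row count header
    for row in rows:
        cell = "\t".join(row).encode("utf-8")
        payload += struct.pack("<i", len(cell)) + cell         # length-prefixed row
    window = tempfile.TemporaryFile()                          # unlinked, lives while an fd is open
    window.write(payload)
    window.flush()
    fd = os.dup(window.fileno())   # the duplicate is what the reply would carry
    window.close()
    return fd


def read_window(fd: int):
    """Client side: map the window and read every row.

    Anything that sees this fd in the reply Parcel can do exactly the same."""
    size = os.fstat(fd).st_size
    rows = []
    with mmap.mmap(fd, size, access=mmap.ACCESS_READ) as win:
        count = struct.unpack_from("<i", win, 0)[0]
        pos = 4
        for _ in range(count):
            n = struct.unpack_from("<i", win, pos)[0]
            pos += 4
            rows.append(win[pos:pos + n].decode("utf-8").split("\t"))
            pos += n
    return rows


SAMPLE_SMS_ROWS = [  # constructed sample data, not from a device
    ["1", "+15550100", "constructed test message"],
    ["2", "+15550199", "meeting moved to 10am"],
]


def simulate_sms_query():
    """Round trip: the service publishes rows, the client gets nothing but the fd."""
    fd = publish_rows(SAMPLE_SMS_ROWS)
    try:
        return read_window(fd)
    finally:
        os.close(fd)


if __name__ == "__main__":
    for row in simulate_sms_query():
        print(row)
```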
54. Attacking The Binder
• Hook libbinder.so at the point where it sends an ioctl to the kernel
• Stealth: dozens of places to hook
• But don’t you need root?
57. Summary
Features:
• Versatility: one hook – multiple functionalities.
• App agnostic: no need to RE apps.
• Stealth: the Android security model limits 3rd party security apps just like any other app.
58. Summary
• This is NOT a vulnerability. It’s like man-in-the-browser, but for literally everything on Android.
• Root is assumed. Rooting won’t go away any time soon.
61. Solutions – for developers
• Take control of your own process memory space.
• Minimize the amount of data going to IPC, and encrypt what has to go.
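An added Python example (not the authors' code) of the second developer-side point: reduce a record to the fields the remote side actually needs, then seal it so that only a nonce, ciphertext and authentication tag reach the Parcel. To stay runnable with the standard library alone, the construction is encrypt-then-MAC with an HMAC-SHA256 counter-mode keystream and an HMAC-SHA256 tag; a real Android app would use a vetted AEAD such as AES-GCM with a key held in the Android KeyStore, which this script does not have. The key, the record and the descriptor string used as associated data are constructed sample values.

```python
"""Keep Binder payloads minimal and opaque (added example, not the talk's code).

Standard-library encrypt-then-MAC: keystream = HMAC-SHA256(enc_key, nonce||counter)
blocks, tag = HMAC-SHA256(mac_key, aad||nonce||ciphertext). An Android app should
use a vetted AEAD (AES-GCM) with a KeyStore-held key instead; the key below is a
constructed sample."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _derive(key: bytes, label: bytes) -> bytes:
    """Split one session key into independent encryption and MAC keys."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("<Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag. `aad` binds the blob to its call (e.g. interface/method)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before touching the ciphertext; raise ValueError on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload was modified in transit or bound to a different call")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def ipc_payload(record: dict, needed: tuple, key: bytes, aad: bytes) -> bytes:
    """Send only the fields the remote side needs, sealed under the session key."""
    reduced = "\n".join(f"{name}={record[name]}" for name in needed).encode("utf-8")
    return seal(key, reduced, aad)


if __name__ == "__main__":
    key = bytes(range(32))                                  # constructed sample key
    aad = b"com.example.IBankService/transfer"              # constructed call identifier
    record = {"account": "ACCT-0001", "amount": "5000", "pin": "1234", "balance": "99999"}
    blob = ipc_payload(record, ("account", "amount"), key, aad)
    print(blob.hex())                                       # what the Parcel (and the driver) sees
    print(open_sealed(key, blob, aad))                      # what only the key holder recovers
```

Binding the interface and method name into the associated data means a sealed blob lifted from one transaction fails verification if it is replayed into a different call, which is a cheap property to add and easy to forget.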
62. Solutions – for security industry
• Scan files like it’s the 90’s.
• Be brave – get root yourself:
  • Runtime process scanning and monitoring.
  • Software firewall (like Avast).
  • Binder firewall/anomaly detection.
  • Etc.
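The "runtime process scanning and monitoring" item is the one a root-level security app can act on directly. The following added Python example (not the talk's or Check Point's tool) shows two checks such a scanner can make on an app process: flag executable mappings in /proc/<pid>/maps that are anonymous, writable-and-executable, or loaded from outside trusted code locations, and compare the mapped text of a library such as libbinder.so against its on-disk image, which is the residue an in-place hook leaves. The maps listing, the trusted-prefix list and the library bytes are constructed sample data; the pathnames and offsets are not from a real device.

```python
"""Runtime process scan for an app process (added example; not the talk's or
Check Point's tool). Two checks a root-level scanner can make:
 1. executable mappings that do not come from a trusted code location, and
 2. the in-memory text of a library diverging from its on-disk image, which is
    what an in-place hook leaves behind.
All input below is constructed sample data, not captured from a device."""
import re

# /proc/<pid>/maps: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")

# Constructed assumption: where legitimate executable code comes from on this build.
TRUSTED_CODE_PREFIXES = ("/system/", "/vendor/", "/data/dalvik-cache/", "/data/app/")
KERNEL_EXEC_REGIONS = {"[vdso]", "[vectors]"}

SAMPLE_MAPS = """\
40000000-40020000 r-xp 00000000 b3:19 1234 /system/lib/libbinder.so
40020000-40024000 r--p 00020000 b3:19 1234 /system/lib/libbinder.so
40024000-40028000 rw-p 00024000 b3:19 1234 /system/lib/libbinder.so
40100000-40140000 r-xp 00000000 b3:19 1300 /system/lib/libandroid_runtime.so
41000000-41004000 r-xp 00000000 b3:1b 9999 /data/local/tmp/libhook.so
41004000-41008000 rwxp 00000000 00:00 0
beb00000-beb21000 rw-p 00000000 00:00 0 [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0 [vectors]
"""  # constructed sample listing


def parse_maps(text: str):
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, offset, path = m.groups()
        mappings.append({"start": int(start, 16), "end": int(end, 16), "perms": perms,
                         "offset": int(offset, 16), "path": path.strip()})
    return mappings


def suspicious_exec_mappings(mappings):
    """Return (mapping, reason) for executable regions that should not be in a normal app process."""
    findings = []
    for m in mappings:
        if "x" not in m["perms"]:
            continue
        path = m["path"]
        if not path or path.startswith("["):
            if path in KERNEL_EXEC_REGIONS:
                continue
            findings.append((m, "anonymous executable mapping"))
        elif "w" in m["perms"]:
            findings.append((m, "writable and executable"))
        elif not path.startswith(TRUSTED_CODE_PREFIXES):
            findings.append((m, "executable code outside trusted locations"))
    return findings


def text_segment_diff(mem_text: bytes, disk_image: bytes, file_offset: int):
    """Offsets (relative to the mapping) where the mapped text differs from the file.

    Compare only the r-x segment: read-only data and the GOT legitimately change
    after relocation, the text of a PIC library does not."""
    expected = disk_image[file_offset:file_offset + len(mem_text)]
    return [i for i, (a, b) in enumerate(zip(mem_text, expected)) if a != b]


if __name__ == "__main__":
    for m, why in suspicious_exec_mappings(parse_maps(SAMPLE_MAPS)):
        print(f"{m['start']:08x}-{m['end']:08x} {m['perms']} {m['path'] or '(anon)'}: {why}")
```

On a live device the scanner reads /proc/<pid>/maps and /proc/<pid>/mem for the target process and the library file from /system/lib; both need root, which is exactly the talk's "be brave, get root yourself" point.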
63. Further Reading
[1] White paper: “Man in the Binder”, Artenstein and Revivo
[2] “On the Reconstruction of Android Malware Behaviors”, Fattori, Tam et al.
[3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner
64. What are you trying to tell me? That I can get all permissions on a device?
No. I’m trying to tell you that when you’re ready, you won’t have to