Attacking Android smartphone systems without permissions

Su Mon Kywe, Yingjiu Li, Kunal Petal, Michael Grace
2016 2016 14th Annual Conference on Privacy, Security and Trust (PST)  
Android requires third-party applications to request permissions when they access critical mobile resources, such as users' personal information and system operations. In this paper, we present the attacks that can be launched without permissions. We first perform call graph analysis, component analysis and data-flow analysis on various parts of the Android framework to retrieve unprotected APIs. Unprotected APIs provide a way of accessing resources without any permissions. We then exploit ... ted unprotected APIs and launch a number of attacks on Android phones. We discover that without requesting any permissions, an attacker can access the device ID, phone service state, SIM card state, Wi-Fi and network information, as well as user setting information, such as airplane, location, NFC, USB and power modes of mobile devices. An attacker can also disturb Bluetooth discovery services, and block the incoming emails, calendar events, and Google documents. Moreover, an attacker can set volumes of devices and trigger alarm tones and ringtones that users personally set for their devices. An attacker can also launch camera, mail, music and phone applications even when the devices are locked. We compare our research on two Android versions, and discover that as platform providers incorporate more APIs, the number of unprotected APIs increases and new attacks become possible. We thus suggest that platform providers inspect Android frameworks systematically before releasing new versions.

    //Invoke ServiceManager.getService("power") method and obtain IBinder object of PowerManagerService
    Class serviceManagerClass = Class.forName("android.os.ServiceManager");
    Method getServiceMethod = serviceManagerClass.getDeclaredMethod("getService", String.class);
    IBinder iBinder = (IBinder) getServiceMethod.invoke(null, "power");

    //Get Stub object of IPowerManager by passing IBinder object to asInterface() method
    Class stubClass = Class.forName("android.os.IPowerManager$Stub");
    Method asInterfaceMethod = stubClass.getMethod("asInterface", new Class[]{IBinder.class});
doi:10.1109/pst.2016.7906949 dblp:conf/pst/KyweLPG16 fatcat:5o3wh3rwojhwlmhcbsdfgtt5te