Elsevier

Computers & Security

Volume 76, July 2018, Pages 71-91
A survey of Android exploits in the wild

https://doi.org/10.1016/j.cose.2018.02.019

Abstract

The Android operating system has dominated the mobile device market in recent years. Although Android has actively strengthened its security mechanisms and fixed a great number of vulnerabilities as its versions evolve, new vulnerabilities keep emerging. Vulnerability exploitation is a common way to achieve privilege escalation on Android systems. To provide a holistic and comprehensive understanding of these exploits, we survey 63 publicly available exploits for Android devices in this paper. Based on an analysis of the collected real-world exploits, we construct a taxonomy of Android exploitation and present the similarities/differences and strengths/weaknesses of the different types of exploits. In addition, we evaluate a group of selected exploits on our test devices. Based on both the theoretical analysis and the experimental results of the evaluation, we present our insight into Android exploitation. The growth of exploit categories along the timeline reflects three trends: (1) individual exploits are increasingly device specific and operating system version specific; (2) exploits targeting vendors' customizations grow steadily while the increase of other types of exploits slows down; and (3) memory corruption gradually becomes the primary approach to initiating exploitation.

Introduction

Smart mobile devices are indispensable in people's lives nowadays. Along with the development of mobile technology and the prevalence of Internet services, smart mobile devices have become the principal digital assistant that people use for acquiring information, instant messaging, online socializing, Internet finance and other Internet services. The market share of devices running the Android operating system has kept growing since its release in 2008, and Android has dominated the mobile system market for a long time. According to the latest market statistics from IDC, Android captured 85.0% of the worldwide smartphone market share in the 1st quarter of 2017 (IDC, 2017). In the meantime, global shipments of new Android devices have grown by an average of 10% each year since 2015 (Linda, 2016). Due to people's heavy reliance on mobile devices and the popularity of Android, privacy concerns and security issues on Android systems attract great attention from mobile users, industry players and academic researchers. At the same time, this popularity also makes Android a prominent target for attackers. Unfortunately, Android vulnerabilities keep emerging and have successfully been turned into exploits, even though Android has strengthened its security mechanisms and fixed a great number of vulnerabilities as its versions evolve.

Vulnerability exploitation is a common way to gain higher privileges on Android systems. Exploiting Android devices has been a popular topic since Android was first introduced in 2008, and numerous exploits have been implemented over Android's history. From the user's perspective, an exploit program can help them bypass the security mechanisms of their Android devices and gain better control of them by obtaining a higher privilege, e.g., rooting their devices. On the other hand, exploitation can also be misused to gain control of victims' devices, where the attacker can profit financially from selling users' private data (e.g., account information). We intend to provide a holistic and comprehensive understanding of the exploits that can be used to attain higher privileges on Android systems. This is helpful for understanding how individual exploits work and where the trend of Android exploits is heading.

In this paper, we present a survey of all the publicly available Android exploits gathered from the Internet. We provide a taxonomy of the Android exploits and analyze their similarities/differences and strengths/weaknesses. We demonstrate the trend of Android exploits by analyzing the development of each exploit category. Furthermore, we evaluate a group of exploits on our test devices. In summary, our contributions are threefold:

  • 1) To the best of our knowledge, this is the first complete and exhaustive survey of publicly available Android exploits. By analyzing each exploit, we filter out those exploits that work the same way but carry different nicknames, and finally distill 63 distinct exploits. By referring to our survey, a reader can easily find the affected device models and Android versions of a publicly released exploit, as well as the vulnerabilities behind it.

  • 2) This paper conducts a comparative and in-depth analysis of existing real-world Android exploits for the first time. We propose a taxonomy and classify these exploits accordingly. We also compare the different types of exploits. By analyzing the similarities/differences and strengths/weaknesses of each type of exploit, we point out the evolution of exploitation throughout the history of Android and forecast future trends of exploitation on Android devices.

  • 3) With a large volume of information on these exploits collected, we select a group of exploits by matching their target devices and Android versions to our test devices. We then conduct an experiment to validate the selected exploits. From the experimental results, we present our evaluation and discuss our findings.

In the following section, we first introduce the background of Android security mechanisms and typical Android privilege escalation. We then propose a taxonomy of Android exploitation from various perspectives in Section 3. In Section 4, we present the list of exploits gathered from multiple online sources, followed by an analysis based on our classification results. As an important part of this survey, we also use a number of devices to evaluate the applicable exploits. Section 5 shows the evaluation outcome and presents a discussion based on our findings. Finally, the paper is concluded in Section 6.

The architecture of Android

Android is a mobile operating system built upon a Linux kernel. Fig. 1 shows the layered architecture of Android. Concisely, the Android architecture can be depicted as 4 layers: the kernel layer, middleware layer, framework layer, and application layer. The Linux kernel is the bottom layer of the Android platform and provides the basic functionality of an operating system such as kernel drivers, power management and the file system. The layer above the kernel is called the Android middleware layer,

Exploitation taxonomy

We propose a taxonomy for this survey to facilitate a holistic and comprehensive understanding of Android exploits. With this taxonomy, depicted in Fig. 3, we describe an exploit from 3 different perspectives – the societal perspective, practical perspective, and technical perspective. From the societal aspect, we discuss who the potential attacker is, what his or her motive for conducting the exploitation is, and the possible consequence (risk) if such exploitation has been carried out. From the

Survey and classification

We conduct a survey of publicly released Android exploits from multiple sources and find 63 exploits covering all Android versions up to 7.0. By reading their descriptions, searching for available source code and studying the corresponding vulnerabilities, we collect rich details on these 63 exploits. In this paper, we summarize all the key details that are useful for the upcoming analysis and organize them into a table. Table 1 shows the complete collection of all 63 exploits including their

Evaluation and discussion

We perform an evaluation to observe the execution of exploits and validate their functionality on Android devices. The testing has been conducted on the 18 different Android devices that we have. These 18 devices cover a wide range of manufacturers and system versions, including not only early and classic models in Android's history like the HTC Hero, but also later devices still sold in the smartphone market such as the Samsung Galaxy S7. We filter out those exploits which are not

Conclusion

In this paper, we did a survey of publicly released Android exploits and proposed a taxonomy of Android exploits from multiple perspectives by analyzing the collected real-world exploits and conducting an evaluation of these exploits on a set of devices. We analyzed the characteristics of each category and presented the trend view of the Android exploits along the timeline from the technical perspective based on the exploit data. We also shared our discussion and outlook gained from the

References (44)

  • M. Xu et al. Toward engineering a secure android ecosystem: a survey of existing techniques. ACM Comput Surv (CSUR) (2016)
  • Alephzain. XDA Forums - [ROOT] Framaroot, a one-click apk to root some devices
  • W. Ben. Researchers expose Android WebKit browser exploit
  • M. Bishop. UNIX security: threats and solutions (1996)
  • H. Chris. The case against root: why Android devices don't come rooted
  • L. Davi et al. Privilege escalation attacks on Android (2010)
  • J.J. Drake et al. Rooting your device
  • G. Faden. RBAC in UNIX administration (1999)
  • P. Faruki et al. Android security: a survey of issues, malware penetration, and defenses. IEEE Commun Surv Tutorials (2015)
  • A.P. Felt et al. A survey of mobile malware in the wild (2011)
  • A.B. Georgiev et al. Open source mobile virtual machines: an energy assessment of Dalvik vs. ART
  • Google. Google android security 2014 report
  • Google. Architecture – Android Open Source Project
  • Google. ART and Dalvik – Android Open Source Project
  • Google. System and Kernel Security – Android Open Source Project
  • Google. SELinux concepts – Android Open Source Project
  • Google. Security Enhancements in Android 4.2 — Android Open Source Project
  • Google. ABI Management – Android Developers
  • Google. Android Developers
  • R. Hay et al. Android keystore stack buffer overflow (2014)
  • S. Höbarth et al. A framework for on-device privilege escalation exploit execution on Android (2011)
  • IDC. IDC: Smartphone OS Market Share

Cited by (31)

  • Taxonomy of security weaknesses in Java and Kotlin Android apps. Journal of Systems and Software, 2022.

    Citation excerpt: "Android devices and the operating system have been also investigated. Meng et al. (2018) presented a taxonomy of 63 device exploits (i.e., vulnerabilities leading to privilege escalation) grouped in 3 main categories that are related to perspectives: societal, practical, and technical. It is shown that the diffusion of exploits is decreasing due to Android systems and Linux kernels strengthening their security mechanisms."

  • ANDRODET: An adaptive Android obfuscation detector. Future Generation Computer Systems, 2019.

    Citation excerpt: "The Dalvik Virtual Machine (DVM) is a register-based machine which executes Dalvik bytecode instructions (through a shared library, called libdvm.so) and provides a Java-level abstraction for the Java components of applications [16], while Java Native Interface (JNI) supports the use of native components. DVM is based on Just-in-Time (JIT) compilation and is replaced by Android RunTime (ART) after Android version 4.4, which works based on Ahead-Of-Time (AOT) compilation and has led to significant improvements in performance and memory consumption [17]. Analyzing Dalvik bytecode is simpler than machine code, it has a better readability for human analysts, and it provides better semantic information."

    Huasong Meng received his Master of Computing degree in Infocomm Security at National University of Singapore in 2016 and B.Eng. (Hon.) degree in Computer Science at Nanyang Technological University in 2014. He is currently serving as a research engineer at Institute for Infocomm Research, A*STAR, Singapore. His working experience covers mobile security implementation for government, banking and financial industry. His research areas include mobile system security, vulnerability analysis and blockchain.

    Dr. Vrizlynn Thing is the Head of the Cyber Security & Intelligence Department at the Institute for Infocomm Research, A*STAR. She is also an Adjunct Associate Professor at the National University of Singapore, and holds the appointment of Honorary Assistant Superintendent of Police (Specialist V) at the Singapore Police Force, Ministry of Home Affairs. During her career, she has taken on various roles to lead and conduct cyber security R&D that benefits our economy and society. She participates actively as the Lead Scientist of collaborative projects with industry partners and government agencies, and takes on advisory roles at the national and international level.

    Yao Cheng received her Ph.D. degree in Computer Science and Technology from University of Chinese Academy of Sciences in 2015. She is currently a scientist at Institute for Infocomm Research, A*STAR, Singapore. Her research interests are in the information security area, focusing on vulnerability analysis, privacy leakage and protection, malicious application detection, and usable security solutions.

    Zhongmin Dai leads the System Security Group of Cyber Security and Intelligence Department at the Institute for Infocomm Research (I2R), A*STAR, Singapore. He received his Bachelor of Computing and Master of Computing from National University of Singapore, in 2014 and 2017 respectively. His research interests include digital forensics, vulnerability analysis, cyber-security issues for autonomous vehicles and IoT.

    Li Zhang received the B.Eng. (Hons.) and Ph.D. degrees from Nanyang Technological University (NTU), Singapore, in 2010 and 2015, respectively. He served as a security evaluator for smart cards in UL before joining the Cyber Security and Intelligence Department at the Institute for Infocomm Research (I2R), Agency for Science, Technology and Research (A*STAR) as a research scientist. His research interests include vulnerability detection, malware analysis and classification, and hardware security and trust.