Resurrecting the READ_LOGS Permission on Samsung Devices

Presented at Black Hat Asia 2015.

We have discovered an attack that allows a non-privileged application to continually force the generation and logging of sensitive process information in a readable log file using the /system/bin/dumpstate binary on Samsung devices. The log output of the dumpstate binary includes the Android logs, kernel log, and other process-dependent log data. However, starting with Android 4.1, reading the Android logs is no longer permitted to user applications because the READ_LOGS permission was removed, but we were able to circumvent this limitation. To achieve this, we crafted an exploit that requires an application with the seemingly innocuous android.permission.RECEIVE_BOOT_COMPLETED permission. Reading the Android logs empowers a non-privileged user application to obtain private data circumventing all permission checks. The approach to obtain the Android log data has worked on all Samsung devices we have examined ranging from the Samsung Galaxy S1 up to and including the Samsung Galaxy S5 and the Samsung Note 4. The Android log generally contains private data written by the Android Operating System (OS), Google applications, and user applications. Moreover, we have identified 12 Samsung builds for Android where the Android OS writes the text of notifications by default to the Android log. Using our attacks on these 12 builds, we are able to get access to Facebook Messenger messages, text messages (including password resets), Google Chat messages, WhatsApp messages, missed calls, turn-by-turn directions from Google Maps, the sender and subject of emails, and any other notification. Our proof-of-concept application can obtain the text from all notifications that the Android OS receives for these builds. This enables a user application to obtain immensely private data from the user of these vulnerable Samsung devices. These builds are for the previous generation of Samsung devices that are still currently being sold in retail stores (e.g., Samsung Galaxy S4, Samsung Note 3, Samsung Note Pro 12.2, etc.).


Presenters:

  • Ryan Johnson - Kryptowire / George Mason University
    Ryan Johnson is a PhD student at George Mason University in Fairfax, VA. His research interests are dynamic analysis, Android app analysis, and reverse engineering. He is a co-founder of Kryptowire LLC and currently works there as a research engineer.
  • Angelos Stavrou - Kryptowire LLC
    Dr. Angelos Stavrou founded Kryptowire LLC and is an Associate Professor at George Mason University and the Director of the Center for Assurance Research and Engineering (CARE) at GMU.
