Man in the Binder: He Who Controls IPC, Controls the Droid

Presented at Black Hat Europe 2014, Oct. 16, 2014, 11:45 a.m. (60 minutes).

Big Brother is watching your droid. His name is Binder.

As the vehicle for practically all IPC in Android, Binder is the system component that makes the operating system tick. A process running on a conventional OS holds dozens of handles to the system's hardware: hard disk, display adapter, network card and many more. Android's architecture, by contrast, lets a process accomplish the same tasks by holding a single file descriptor to the Binder device, which greatly shrinks the attack surface the kernel exposes to applications. As the god of IPC in Android, Binder mediates an application's interaction with just about everything.

From that perspective it is immediately apparent that this component is a prime target for Android malware. By controlling any single link in the long chain that leads down from the Java framework APIs, through the native Binder library, to the kernel driver, an attacker could stealthily implement a keylogger, set up VNC-like remote control, modify sensitive data in transit, and do many other evil deeds.

In this presentation we will showcase a POC rootkit that provides a basis for all of the above, and more. We will also give a comprehensive overview of Binder at the lowest level: how the data transport buffers are actually constructed, what gets sent down to the kernel, and what comes back up. We believe this is an important contribution to the security community, because Binder has simply not been researched enough.
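As an added illustration of what "gets sent down to the kernel" (this is example code written for this page, not code from the talk or from Check Point): the C below lays out one BC_TRANSACTION the way libbinder's IPCThreadState places it in the write buffer of a BINDER_WRITE_READ ioctl, then walks that buffer again from the position a hook between libbinder and the driver would occupy, recovering the target handle, transaction code and the interface token the Java layer wrote into the Parcel. The struct layouts are copied from the 64-bit Linux uapi binder.h of that era and reproduced inline so the file builds without Android headers. The target handle 3, the interface name com.example.IDemo, the argument 0x1234 and the helper names (parcel_write_*, build_bc_transaction, decode_write_buffer, run_demo) are assumptions made for the example; no /dev/binder is opened, the ioctl call appears only in a comment, so the program runs on any Linux host.

```c
/* Layouts mirror the 64-bit Linux uapi binder.h (2014 era); sample values are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/types.h>

typedef uint64_t binder_size_t, binder_uintptr_t;

struct binder_write_read {               /* argument of ioctl(BINDER_WRITE_READ) */
    binder_size_t write_size, write_consumed; binder_uintptr_t write_buffer; /* BC_* in  */
    binder_size_t read_size, read_consumed;   binder_uintptr_t read_buffer;  /* BR_* out */
};

struct binder_transaction_data {         /* payload of BC_TRANSACTION / BR_TRANSACTION */
    union { uint32_t handle; binder_uintptr_t ptr; } target;
    binder_uintptr_t cookie;
    uint32_t code, flags;
    pid_t sender_pid;
    uid_t sender_euid;
    binder_size_t data_size, offsets_size;
    union { struct { binder_uintptr_t buffer, offsets; } ptr; uint8_t buf[8]; } data;
};

#define BINDER_WRITE_READ      _IOWR('b', 1, struct binder_write_read)
#define BC_TRANSACTION         _IOW('c', 0, struct binder_transaction_data)
#define FIRST_CALL_TRANSACTION 0x00000001u

/* Minimal Parcel: little-endian 32-bit words; a String16 is a char count,
 * UTF-16 code units, a 16-bit NUL, then padding to a 4-byte boundary. */
struct parcel { uint8_t data[256]; size_t len; };

static void parcel_write_u32(struct parcel *p, uint32_t v) {
    memcpy(p->data + p->len, &v, sizeof v); p->len += sizeof v;
}
static void parcel_write_string16(struct parcel *p, const char *ascii) {
    uint32_t n = (uint32_t)strlen(ascii);
    parcel_write_u32(p, n);
    for (uint32_t i = 0; i < n; i++) { p->data[p->len++] = (uint8_t)ascii[i]; p->data[p->len++] = 0; }
    p->data[p->len++] = 0; p->data[p->len++] = 0;
    while (p->len % 4) p->data[p->len++] = 0;
}

/* One transact() as it lands in the write buffer: the 32-bit command word, then a
 * binder_transaction_data whose data.ptr.buffer points at the Parcel bytes. */
static size_t build_bc_transaction(uint8_t *out, uint32_t handle, uint32_t code,
                                   uint32_t flags, const struct parcel *p) {
    uint32_t cmd = BC_TRANSACTION;
    struct binder_transaction_data tr; memset(&tr, 0, sizeof tr);
    tr.target.handle = handle;           /* per-process handle to the remote object */
    tr.code = code; tr.flags = flags;
    tr.data_size = p->len; tr.offsets_size = 0;   /* no flat_binder_object / fd entries */
    tr.data.ptr.buffer = (binder_uintptr_t)(uintptr_t)p->data;
    memcpy(out, &cmd, sizeof cmd); memcpy(out + sizeof cmd, &tr, sizeof tr);
    return sizeof cmd + sizeof tr;
}

/* What a hook sitting between libbinder and the kernel recovers from the buffer. */
struct seen_txn { uint32_t handle, code, flags; binder_size_t data_size; char iface[64]; };
static struct seen_txn g_last;

/* Walk write_buffer as the driver's binder_thread_write does: a 32-bit command, then that
 * command's argument, repeated. Records the last BC_TRANSACTION in g_last; returns the count. */
static int decode_write_buffer(const struct binder_write_read *bwr) {
    const uint8_t *p = (const uint8_t *)(uintptr_t)bwr->write_buffer, *end = p + bwr->write_size;
    struct binder_transaction_data tr;
    uint32_t cmd, nchars; int n = 0;
    while ((size_t)(end - p) >= sizeof cmd) {
        memcpy(&cmd, p, sizeof cmd); p += sizeof cmd;
        if (cmd != BC_TRANSACTION || (size_t)(end - p) < sizeof tr)
            return -1;                   /* only the command this example emits */
        memcpy(&tr, p, sizeof tr); p += sizeof tr;   /* a hook could rewrite tr or the parcel here */
        g_last = (struct seen_txn){ .handle = tr.target.handle, .code = tr.code,
                                    .flags = tr.flags, .data_size = tr.data_size };
        const uint8_t *d = (const uint8_t *)(uintptr_t)tr.data.ptr.buffer;
        /* skip the strict-mode word, then read the interface name out of the String16 */
        if (tr.data_size >= 8) memcpy(&nchars, d + 4, sizeof nchars); else nchars = 0;
        for (uint32_t i = 0; i < nchars && i < sizeof g_last.iface - 1 && 9 + 2 * i < tr.data_size; i++)
            g_last.iface[i] = (char)d[8 + 2 * i];
        n++;
    }
    return n;
}

/* Build a call with code FIRST_CALL_TRANSACTION on handle 3 (sample values), wrap it in the
 * binder_write_read the ioctl would carry, and decode it again. */
static int run_demo(void) {
    static struct parcel parcel; static uint8_t wbuf[128];
    struct binder_write_read bwr;
    parcel.len = 0;
    parcel_write_u32(&parcel, 0);        /* interface token: strict-mode word (policy 0 here) ... */
    parcel_write_string16(&parcel, "com.example.IDemo");   /* ... then the interface name */
    parcel_write_u32(&parcel, 0x1234);   /* one int32 argument */
    memset(&bwr, 0, sizeof bwr);         /* read_size 0: a write-only BINDER_WRITE_READ */
    bwr.write_size = build_bc_transaction(wbuf, 3, FIRST_CALL_TRANSACTION, 0, &parcel);
    bwr.write_buffer = (binder_uintptr_t)(uintptr_t)wbuf;
    /* On a device: ioctl(open("/dev/binder", O_RDWR), BINDER_WRITE_READ, &bwr). */
    return decode_write_buffer(&bwr);
}

int main(void) {
    int n = run_demo();
    printf("found=%d handle=%u code=%u data_size=%llu iface=%s\n", n, g_last.handle,
           g_last.code, (unsigned long long)g_last.data_size, g_last.iface);
    return 0;
}
```

Everything the decoder reads back (the target handle, the transaction code, the flags, and every byte of the Parcel including the interface token) sits in plain process memory until the ioctl fires, so a hook at this link can rewrite any of it before the kernel copies it; that is the "single link in the chain" the abstract refers to, and the reverse direction (BR_TRANSACTION and BR_REPLY in read_buffer) uses the same binder_transaction_data layout.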


Presenters:

  • Nitay Artenstein - Check Point
    Nitay Artenstein is a Security Researcher in the fields of reverse engineering, malware analysis, and vulnerability research. He morphed into a hardcore security geek when he was six and learned how to use a hex editor to cheat his way around his favorite adventure games (his friends never could figure out how he managed to complete King's Quest in half an hour). After a sojourn in the world of media and journalism, he turned his passion into a career, beginning in 2007 as a pentester in the wild savannas of Africa. These days he works for Check Point, and his idea of a good time generally involves messing with bleeding-edge Android malware, reverse engineering Windows device drivers, and discovering bugs in Windows kernel-mode code.
  • Idan Revivo - Check Point
    Idan is a Mobile Malware Researcher at Check Point specializing in Android internals and sandboxing techniques, including automated static and dynamic malware analysis. His diverse background in a variety of security positions, including vulnerability analysis and electronic warfare, gives him a broad and unique perspective on the cyber arena. Although he mainly works with Android, Idan is an Apple enthusiast. In his spare time you'd find him lifting weights at the gym. Idan holds a bachelor's degree in Software Engineering, specializing in Mobile Systems.
