Android ION Attack

We demonstrate attacks on Android ION for our CCS'16 submission,
"Android ION hazard: the Curse of Customizable Memory Management System".

Android ION attacks can affect almost every Android device, including the Nexus 6P running the latest Android N (preview). We classify the attacks into two main categories: DoS and Information Leakage.
  • For DoS, we provide three attack videos that crash the system, disable audio functionality, and disable fingerprint functionality.
  • For Information Leakage, we provide two attack videos to steal user email content from Gmail and user bank account information from Chase. 

We have reported these vulnerabilities to the Google Security Team, which officially confirmed them as AndroidID-28746299. The information leakage attack is rated as high severity and the three DoS attacks are rated as low severity.

Paper Abstract:
In this paper, we systematically analyze the ION-related vulnerabilities from the conceptual root cause to the detailed implementation decisions. Since ION is often customized heavily for different Android devices, the specific vulnerabilities often manifest themselves differently. By conducting a range of runtime testing as well as static analysis, we are able to uncover a large number of serious vulnerabilities on the latest Android devices (e.g., Nexus 6P running Android 6.0 and 7.0 preview) such as denial-of-service and dumping memory from the system and arbitrary applications (e.g., email content, passwords). Finally, we offer suggestions on how to redesign the ION subsystem to eliminate these flaws. We believe that the lessons learned can help guide the future design of similar memory management subsystems.