Demos

(We obscured some screens for anonymity.)
  • Exploiting the Messaging Services
1. Bind the victim's registration ID to the attacker's device and use it to steal the victim's Facebook messages
In this demo, we show how an attacker can bind the victim's registration ID to the attacker's own device and thereby steal the victim's Facebook messages.

First, a malicious app on the victim's device steals the android-id and sends it to the attacker's server. The attacker then sends a fake registration request to the GCM server using the victim's android-id and obtains the registration ID before the Facebook app registers from the victim's device (it does not matter whether the Facebook app has been installed yet). Since that registration ID is already tied to the attacker's device, when the Facebook app on the victim's device registers, it receives a registration ID that is bound to the attacker's device. Therefore, the messages the Facebook server sends to the victim through GCM are delivered to the attacker's device.

[Demo video: Facebook]


2. Steal the victim's registration ID and use it to control the victim's Android Device Manager
In this demo, we show how an attacker can use the GCM cloud-device link vulnerability to steal the victim's registration ID and take control of the victim's Android Device Manager (a system package).

First, a malicious app on the victim's device steals the android-id and the Google account name and sends them to the attacker's server. To obtain a registration ID identical to the one held by Android Device Manager (“com.google.android.gms”) on the victim's device, the attacker sends a fake registration request carrying the victim's android-id; the attacker uses scripts to construct this HTTPS registration request. Once the attacker has the victim's registration ID, he can use the victim's Google account to construct fake commands and use his own malicious third-party app server to ring, lock and wipe the victim's device.

We noticed that a registration ID is supposed to be usable only by an app server whose sender ID is authorized for it when pushing messages to an app. However, we found that for GCM this policy was not in place until very recently; the response from Google also supports our finding. By exploiting the vulnerability, we were able to carry out this attack successfully.
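To make the two cloud-side conditions behind demos 1 and 2 concrete, here is a small constructed model of a GCM-like push broker. It is an added example, not GCM's code and not the registration scripts used in the demos: it assumes (a) that a registration ID is derived from the android-id plus the sender ID, so a second registration of the same pair from another device gets the same ID but does not rebind the delivery channel, and (b) that the broker may or may not enforce the sender-ID policy described above. All android-ids, API keys, sender IDs and channel names are made up; the status string "MismatchSenderId" only borrows the name of GCM's HTTP error code.

```python
"""Toy model of the GCM cloud-device binding exploited in demos 1 and 2.

Added, constructed example: this is not GCM's code and not the authors'
registration scripts. It mimics two behaviours the demos depend on:
  1. a registration ID is a function of the android-id and the sender ID, and
     the delivery channel is bound to whoever registers that pair first;
  2. the broker may or may not check that the app server pushing to a
     registration ID is authorized for that registration's sender ID.
All IDs, keys and channel names below are made up.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Registration:
    android_id: str
    sender_id: str
    channel: str  # the device connection the registration ID is bound to


@dataclass
class PushBroker:
    check_sender: bool  # enforce the sender-ID policy described in demo 2
    api_keys: dict = field(default_factory=dict)  # API key -> authorized sender ID
    registrations: dict = field(default_factory=dict)  # reg ID -> Registration
    inbox: dict = field(default_factory=dict)  # channel -> delivered payloads

    def register(self, android_id: str, sender_id: str, channel: str) -> str:
        """Return the registration ID for (android_id, sender_id).

        The ID is derived deterministically from the pair, so a second
        registration with the same pair (even from another device) gets the
        same ID but does NOT rebind the channel: first registration wins.
        """
        reg_id = hashlib.sha256(f"{android_id}:{sender_id}".encode()).hexdigest()[:16]
        if reg_id not in self.registrations:
            self.registrations[reg_id] = Registration(android_id, sender_id, channel)
        return reg_id

    def push(self, api_key: str, reg_id: str, payload: str) -> str:
        """Deliver payload to the channel bound to reg_id; returns a status string."""
        reg = self.registrations.get(reg_id)
        if reg is None:
            return "NotRegistered"
        if self.check_sender and self.api_keys.get(api_key) != reg.sender_id:
            return "MismatchSenderId"  # name borrowed from GCM's HTTP error code
        self.inbox.setdefault(reg.channel, []).append(payload)
        return "ok"


VICTIM_ANDROID_ID = "a1b2c3d4e5f60718"  # constructed value the malicious app exfiltrated


def demo1_facebook_misbinding(check_sender: bool = False) -> dict:
    """Demo 1: attacker registers the stolen android-id before the Facebook app does."""
    broker = PushBroker(check_sender, api_keys={"fb-server-key": "fb-sender"})
    attacker_reg = broker.register(VICTIM_ANDROID_ID, "fb-sender", "attacker-device")
    # Later the Facebook app on the victim's device registers and gets the same ID,
    # but the channel is already bound to the attacker's device.
    victim_reg = broker.register(VICTIM_ANDROID_ID, "fb-sender", "victim-device")
    assert attacker_reg == victim_reg
    # Facebook's legitimate server pushes with its own authorized key...
    broker.push("fb-server-key", victim_reg, "message from Alice")
    return broker.inbox  # ...and the message lands on the attacker's device


def demo2_adm_push(check_sender: bool) -> tuple:
    """Demo 2: attacker learns ADM's registration ID and pushes from his own server."""
    broker = PushBroker(check_sender, api_keys={"google-key": "adm-sender",
                                                "evil-key": "evil-sender"})
    broker.register(VICTIM_ANDROID_ID, "adm-sender", "victim-device")
    # A fake registration with the stolen android-id yields the victim's ADM reg ID.
    stolen_reg = broker.register(VICTIM_ANDROID_ID, "adm-sender", "attacker-device")
    status = broker.push("evil-key", stolen_reg, "cmd=wipe")
    return status, broker.inbox.get("victim-device", [])


if __name__ == "__main__":
    print(demo1_facebook_misbinding())
    print(demo2_adm_push(check_sender=False))
    print(demo2_adm_push(check_sender=True))
```

Running the model shows the asymmetry between the two demos: the sender-ID check refuses the attacker's third-party server in demo 2 ("MismatchSenderId"), but it does nothing against demo 1, because there the push comes from Facebook's own authorized server and the problem is the channel binding itself, which an unauthenticated registration carrying a stolen android-id was allowed to claim first.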

 

[Demo video: Android Device Manager]



  • Vulnerable On-device Communications
1. Intercept the GCM upstream message and use it to install/uninstall apps silently
In this demo, we show how an attacker can intercept the upstream messages of GMS (com.google.android.gms), obtain its registration ID, and install or uninstall apps silently.

When an Android device adds a Google account for the first time, com.google.android.gms sends a GCM upstream message. The malicious app on the victim's device can intercept the upstream messages and obtain the PendingIntent of GMS. The malicious app then impersonates GMS to send a registration request and obtains GMS's registration ID. Also, because GMS shares the same signature (signing key) with Google Play, the malicious app can inject GCM messages into Google Play and make Google Play install and remove apps without user confirmation.

[Demo video: Install/remove apps silently]


2. Intercept the GCM upstream message and use it to control the victim's Android Device Manager
In this demo, we show how an attacker can intercept the upstream messages of GMS and take control of the victim's Android Device Manager.

When an Android device adds a Google account for the first time, com.google.android.gms sends a GCM upstream message. The malicious app on the victim's device can intercept the upstream messages and obtain the PendingIntent of GMS. Because Android Device Manager runs inside the GMS process, the attacker can use that PendingIntent to send fake GCM messages to Android Device Manager. Exploiting this vulnerability, the malicious app sends fake messages that lock and wipe the device.

[Demo video: upstream message and Android Device Manager]


3. Intercept the GCM registration request from Facebook Messenger and use it to steal the victim's Facebook messages
In this demo, we show how an attacker can intercept the GCM registration request sent by Facebook Messenger and inject a fake registration ID that is bound to the attacker's device, so that the attacker can steal the victim's Facebook messages.

We assume that a malicious app without any permissions is installed on the victim's phone. When the user logs in to Facebook Messenger, Messenger sends a GCM registration request. The malicious app intercepts the request and obtains the PendingIntent. It then injects a fake registration ID that is bound to the attacker's device. As a result, the Facebook server binds the user's account to the fake registration ID injected by the malicious app. When Facebook messages are sent to the user, the Facebook server uses the fake registration ID, so the messages are delivered to the attacker's device.

Note that both Facebook Messenger and the attacker receive the messages: Facebook Messenger can still fetch messages directly over the web even when GCM delivery does not work.

[Demo video: Device misbinding]



