Overview

This site provides detailed analysis of the vulnerabilities we discovered using Kratos, a tool we built to automatically detect inconsistent security policy enforcement in the Android framework: cases where the same privileged operation is reachable through more than one framework entry point, and the entry points do not enforce the same security checks.
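What an enforcement inconsistency looks like, and how it can be found mechanically, as an added illustration. This is not Kratos's code and it analyses no vulnerability from this site: the framework model below (every service, method, sink and permission name in it) is constructed for the example. It walks a call graph from each public entry point to the privileged "native" sinks it reaches, records the security checks encountered on the way, and flags an entry point whose checks are a strict subset of another entry point's checks for the same sink.

```python
"""
Added illustration of inconsistent-security-enforcement detection.
Not Kratos's code; the framework model is hypothetical and constructed here.
"""
from itertools import combinations

# Constructed framework model: each method lists the security checks it
# performs (permission or caller-UID checks) and the methods it then calls.
# Names starting with "native:" are sinks, the privileged operations the
# checks are meant to guard. All names below are hypothetical.
FRAMEWORK = {
    # Two public entry points reach the same sink; only one of them checks.
    "FooService.enableFeature":  {"checks": {"PERM_CONNECTIVITY_INTERNAL"},
                                  "calls": ["FooService.applyFeature"]},
    "FooService.toggleFeature":  {"checks": set(),
                                  "calls": ["FooService.applyFeature"]},
    "FooService.applyFeature":   {"checks": set(),
                                  "calls": ["native:setFeature"]},
    # Consistent pair: both entry points enforce the same UID check.
    "BarService.closeDialogs":   {"checks": {"UID_SYSTEM"},
                                  "calls": ["BarService.dismiss"]},
    "BarService.dismissAll":     {"checks": {"UID_SYSTEM"},
                                  "calls": ["BarService.dismiss"]},
    "BarService.dismiss":        {"checks": set(),
                                  "calls": ["native:dismissDialogs"]},
    # Entry point with two paths to the sink; the unchecked path is the one
    # an attacker will take, so it is the one that counts.
    "BazService.setTimeout":     {"checks": {"UID_ADMIN"},
                                  "calls": ["BazService.writeTimeout"]},
    "BazService.setTimeoutFast": {"checks": set(),
                                  "calls": ["BazService.fastPath",
                                            "BazService.setTimeout"]},
    "BazService.fastPath":       {"checks": set(),
                                  "calls": ["native:writeTimeout"]},
    "BazService.writeTimeout":   {"checks": set(),
                                  "calls": ["native:writeTimeout"]},
}

# Binder-exposed entry points an unprivileged app could invoke (hypothetical).
ENTRY_POINTS = ["FooService.enableFeature", "FooService.toggleFeature",
                "BarService.closeDialogs", "BarService.dismissAll",
                "BazService.setTimeout", "BazService.setTimeoutFast"]


def is_sink(name):
    return name.startswith("native:")


def path_checks(framework, method, seen=frozenset(), acc=frozenset()):
    """Yield (sink, checks) for every acyclic path from method to a sink,
    where checks is the set of security checks performed along that path."""
    if is_sink(method):
        yield method, acc
        return
    if method in seen:          # cycle guard
        return
    node = framework[method]
    acc = acc | frozenset(node["checks"])
    for callee in node["calls"]:
        yield from path_checks(framework, callee, seen | {method}, acc)


def weakest_enforcement(framework, entry):
    """Map each sink reachable from entry to the inclusion-minimal check sets
    among its paths: the weakest enforcement the caller can obtain."""
    by_sink = {}
    for sink, checks in path_checks(framework, entry):
        by_sink.setdefault(sink, set()).add(checks)
    return {sink: {s for s in sets if not any(t < s for t in sets)}
            for sink, sets in by_sink.items()}


def find_inconsistencies(framework, entries):
    """Report pairs of entry points reaching the same sink where one enforces
    a strict subset of the checks the other enforces."""
    enforcement = {e: weakest_enforcement(framework, e) for e in entries}
    findings = []
    for a, b in combinations(entries, 2):
        for sink in enforcement[a].keys() & enforcement[b].keys():
            for ca in enforcement[a][sink]:
                for cb in enforcement[b][sink]:
                    if cb < ca:
                        findings.append({"sink": sink, "weak": b, "strong": a,
                                         "missing": set(ca - cb)})
                    elif ca < cb:
                        findings.append({"sink": sink, "weak": a, "strong": b,
                                         "missing": set(cb - ca)})
    return findings


if __name__ == "__main__":
    for f in find_inconsistencies(FRAMEWORK, ENTRY_POINTS):
        print(f"{f['weak']} reaches {f['sink']} without {sorted(f['missing'])} "
              f"(enforced by {f['strong']})")
```

Only strict-subset pairs are reported; two entry points that reach a sink under incomparable checks (say, one permission check versus a different one) need a human to decide which is the intended policy, and a finding is only a candidate until the reachable path is confirmed callable by an unprivileged app. The BazService rows show why the minimal check set per entry point matters: an entry point that has one checked and one unchecked path to a sink is, for an attacker, unchecked.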

We applied Kratos to 6 different Android framework codebases: 4 AOSP versions (4.4, 5.0, 5.1 and 6.0) and 2 vendor-customized frameworks (AT&T HTC One and T-Mobile Samsung Galaxy Note 3), both based on Android 4.4.2.

Some vulnerabilities exist in multiple framework versions; we present the code-level analysis of each vulnerability on this site only once. For vulnerabilities that Google has not yet patched, we cannot reveal details publicly at this point. Please contact us for full access.

Summary of vulnerabilities we've found using Kratos

The six "Affected Framework" columns are the AT&T HTC One and T-Mobile Samsung Galaxy Note 3 frameworks (both Android 4.4.2) followed by AOSP 4.4, 5.0, 5.1 and 6.0. Y = the framework is affected, X = not affected, - = not applicable.

| Service | AT&T HTC | T-Mobile Samsung | 4.4 | 5.0 | 5.1 | 6.0 | Description | Security Implication | Bypassed Security Enforcement |
|---|---|---|---|---|---|---|---|---|---|
| SMS | Y | Y | Y | Y | Y | X | Clear all SMS notifications showing in the status bar | Privilege escalation | Package Name (SMS) |
| WiFi | Y | Y | Y | X | X | X | Set up an HTTP proxy that works in PAC mode | Privilege escalation | CONNECTIVITY_INTERNAL* |
| NSD | Y | Y | Y | Y | Y | Y | Enable/Disable mDNS daemon with only INTERNET permission | Privilege escalation, DoS | CONNECTIVITY_INTERNAL* |
| RTT | X | X | X | Y | Y | Y | Crash the Android runtime | Soft reboot | ACCESS_WIFI_STATE |
| WiFi Scanning | X | X | X | Y | Y | X | Crash the Android runtime | Soft reboot | ACCESS_WIFI_STATE |
| GPS | Y | Y | Y | Y | Y | X | (1) Send raw data to GPS's native interface; (2) Crash the Android runtime | Privilege escalation, Soft reboot | ACCESS_FINE_LOCATION |
| GPS | Y | Y | Y | Y | Y | Y | Get GPS providers that meet given criteria | Privilege escalation | ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION |
| Input Method Manager | Y | Y | Y | Y | Y | Y | Dismiss input method selection dialog | DoS | UID (SYSTEM) |
| Telephony/Telecom | X | X | X | Y | Y | Y | End phone calls without any permissions | Privilege escalation | MODIFY_PHONE_STATE*, CALL_PHONE |
| Telecom | X | X | X | Y | Y | Y | Get phone state without any permissions | Privilege escalation | READ_PHONE_STATE |
| Activity Manager/Window Manager | Y | Y | Y | Y | Y | X | Close system dialogs | DoS | UID (SYSTEM) |
| Power Manager/Persona Manager | Y | Y | Y | Y | Y | X | Set maximum screen timeout | Draining battery | UID (ADMIN, SYSTEM) |
| Device Info | - | Y | - | - | - | - | Save MMS to audit database | Privilege escalation | UID (PHONE) |
| Phone Interface Manager Ext | - | Y | - | - | - | - | Send raw request to radio interface layer (RIL) | Privilege escalation | MODIFY_PHONE_STATE* |


Reporting status and severity

An arrow in the Severity Level column records a change in the assigned severity after the report; "?" marks a severity not yet assigned at the time of writing.

| Service | Status | Severity Level | Track ID |
|---|---|---|---|
| SMS | Reported | Low | ANDROID-21669196 |
| NSD | Reported | High -> Low | AndroidID-22541289 |
| RTT | Reported | Low | AndroidId-22806457 |
| GPS | Reported | Low | AndroidID-24776299 |
| Input Method Manager | Reported | Low | ANDROID-13887522 |
| Telecom | Reported | Moderate -> ? | AndroidID-23782371 |
| Telephony/Telecom | Reported | ? | AndroidID-23782371 |
| Activity Manager/Window Manager | Reported | Low | ANDROID-13887522 |
| Telephony | Reported | Low | AndroidID-25113145 |