Bad news, fandroids: He who controls the IPC tool, controls the DROID

Researchers discover Binder blinder

android tongue

A security flaw in a core message-passing mechanism leaves every Android device potentially vulnerable to attack, security researchers warned on Thursday.

The newly discovered flaw enables hackers to override in-app security features, leaving critical apps such as mobile banking susceptible to tampering. The same vulnerability also creates a mechanism for hackers to override device security — leaving passwords vulnerable and personal data at risk in the process.

The flaw relates to Binder, Android’s inter-process communication (IPC) tool. The message passing mechanism for Android devices acts as a communications hub on smartphones and tablets running the Google-developed mobile OS, making it a prime target for Android malware developers.

Researchers at the data protection firm Check Point discovered that by controlling any single link in the long chain which leads down from the Java APIs to the native Binder code, an attacker could surreptitiously implement a key-logger, modify sensitive data in transit, or carry out many other types of attack.

Data potentially open to interception and theft through Binder attacks include device keyboard input, in-application activities such as banking transactions, and SMS messages.

Exploitation might include information sent and received through all applications on a vulnerable device, including those apps secured through two-factor authentication or other security measures.

Check Point advocates multi-layered security as a defence against Binder-based exploits. The same defence-in-depth approach can also safeguard against Android malware attacks more generally.

"Binder’s greatest value for attackers is the lack of widespread awareness on the data being sent across the IPC," explained Nitay Artenstein, a security researcher at Check Point. "Without the proper multi-layer security in place, cyber criminals can exploit communications over the Android 'Binder', voiding all security measures in place by individual applications on the device."

Binder is both a "weak link" in Android security and the "new frontier of mobile malware attacks", according to Artenstein.

Artenstein and Idan Revivo, a mobile malware researcher at Check Point, unveiled their research during a presentation at the Black Hat Europe conference in Amsterdam, the Netherlands, on Thursday. The presentation, Man in the Binder: He Who Controls IPC, Controls The Droid featured a proof of concept rootkit for the Binder component in Android apps.

Slides from the talk, which also looked at Check Point’s latest mobile research findings, can be found here (PDF). A 23 page white paper based on Check Point's research is here. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019