Next-gen Android vulnerability unearthed

Read time 3min 00sec
It will not be easy to defend devices against the Binder attacks on Android OS, says Check Point Software Technologies.
It will not be easy to defend devices against the Binder attacks on Android OS, says Check Point Software Technologies.

Security solutions vendor, Check Point Software Technologies, has discovered a new vulnerability in the Android operating system (OS).

In Check Point research entitled "Man in the Binder: He Who Controls the IPC, Controls the Droid", the Android OS architecture showed the potential capture of data and information being stored and communicated on Android devices through the Binder - the message-passing mechanism in Inter-process Communication (IPC).

According to market research firm IDC, Android continues to dominate the global smartphone market, with over 255 million units shipped and nearly 85% of the market share in the second quarter of 2014.

Researchers in Check Point's Malware and Vulnerability Research Group uncovered, as the single point of communication, the Binder is a natural target for Android malware. In a typical OS, a process will hold dozens of handles for the system's hardware - hard disk, display adapter, network card etc, says Check Point.

It adds that, due to Android's OS architecture, a process can achieve the same tasks, controlling all of an application's interactions through the Binder. Data communicated over the Binder can be captured, and Check Point's research demonstrated the ability to intercept sensitive details such as keyboard, in-app and SMS data.

"Through our 'Man in the Binder research', we noted several architectural concepts in Android's unique OS architecture," says Nitay Artenstein, security researcher at Check Point Software Technologies.

"Specifically, we discuss the data communication capabilities the IPC provides in Android devices. The Binder can become the new frontier of mobile malware attacks; its greatest value for attackers is the lack of widespread awareness on its role in the Android OS."

Unfortunately, Artenstein says it will not be easy to defend devices against this attack, given the centrality of Binder within Android's architecture.

"Given the Binder attacks will often be directed at a specific application, it is up to that application to implement specific defensive techniques. For example, it should scan its own memory space and look for any possible code injections against Binder," he says.

Man in the Binder attacks can be used to implement virtually undetectable keyloggers, he notes, adding the only defence against this vector of attack is for an application to implement its own keyboard in-house - as part of the application - rather than relying on the normal Android keyboard.

"Any data sent or received from a system service in Android is vulnerable to a Man in the Binder attack. This includes all Intents, all calls to Activity Manager and all calls to the Network Manager. If you're using a system service and passing it some sensitive data, you need to encrypt that data first."

Nonetheless, he says these attacks have not been seen in the wild yet. He urges, though, it's important to understand there is no reliable way to estimate the prevalence of root-based malware on Android because once a malicious application takes root, it will completely evade the detection of Android anti-malware software, which normally runs as a normal user.

"Given the centrality of Binder in Android's architecture, and the ease of implementing these attacks, we believe we will be seeing these kinds of attack soon - if they're not happening right now."

See also