December 2019

Simple Spyware
Androids Invisible Foreground Services and How to (Ab)use Them

Who am I
Thomas Sutter
→ ZHAW: Research Assistant in Information Security @ Zurich University of Applied Sciences
→ Student: Master of Science in Engineering
→ Contact: suth@zhaw.ch or via Twitter @Me7e0r232
http://zhaw.ch

Let’s start with the latest privacy changes
[Timeline figure, 2017 to 2020: Android Oreo, Android Pie, Android10; Background Limitations, Background Sensor Access, Background Location Access, …]

LIVE DEMO

But that’s nothing new! So what’s new?

How to run stuff in Background?

First step
Schedulers
→ Alarm Manager
→ Job Scheduler
Started by an app, but lives outside the app lifecycle.

Code – Job Scheduler

    public void scheduleJob() {
        long interval = 1000 * 60L; // one minute, in milliseconds
        // The component has to name the app's own JobService subclass.
        ComponentName serviceComponent = new ComponentName(this, JobScheduler.class);
        JobInfo.Builder builder = new JobInfo.Builder(JOB_ID, serviceComponent);
        // build() throws if setPeriodic() is combined with setMinimumLatency() or
        // setOverrideDeadline(): use either the periodic call or the two latency calls.
        builder.setPeriodic(interval); // Minimum is 15 minutes
        builder.setOverrideDeadline(interval * 2); // Sets the maximum scheduling latency
        builder.setMinimumLatency(interval); // Run after delay
        JobScheduler jobScheduler = this.getSystemService(JobScheduler.class);
        jobScheduler.schedule(builder.build()); // Schedule the job
    }

JobInfo.Builder
→ setPersisted(true);
→ setRequiredNetwork(NetworkRequest networkRequest)
→ setRequiredNetworkType(int networkType)
→ setRequiresBatteryNotLow(boolean batteryNotLow)
→ setRequiresCharging(boolean requiresCharging)

How to access the data?
Foreground Service

Second step
Foreground Services
→ Needs to show a sticky notification
→ Notification design is set by the app
→ Can be started from background job
→ Do not have sensor limitations
→ Has to be started within 5 seconds

[Screenshot: notification shade with the “Simple Spyware” notification “Tracking your position!”]

How to get rid of the notification?
We just don’t…

Code – Foreground Service:

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // ~4.9999.. seconds to call startForeground(...)
        Notification notification = createCustomNotification();
        this.startForeground(1, notification); // Sensor access not restricted anymore.
        accessCamera();
        accessMicrophone();
        // … some malicious code
        stopForeground(true); // Stop the service before notification is loaded
        return START_STICKY;
    }

Long Running Tasks
→ MediaPlayer API
→ Apps do not run recording in their own lifecycle context.

Does this work on Android10 (Q)?
New permission level: “Allow only while using the app”
Let’s track from “background*”
*sorry, I meant foreground

[Screenshot: Simple Spyware app with the tabs SPY, IMAGES and AUDIO. Select Data: Spy Camera, Spy Microphone, Spy Location. Select Persistence: Use Job Scheduler or Use Alarm Manager. Select interval (120 seconds recommended). Job Scheduler Status: Stopped. Buttons: START SPY, STOP SPY.]

It’s a bug… no, it’s a feature!
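How the pattern above could look to a monitoring tool, as an added example that is not part of the original slides or the SimpleSpyware project: it flags packages whose foreground services repeatedly start, touch a sensor and stop again within a few seconds. The event format, the package names and both thresholds are constructed assumptions, not a real Android log format.

```python
from collections import defaultdict

# Constructed telemetry, NOT a real Android log format:
# (seconds, package, event, detail); event is FGS_START, FGS_STOP or SENSOR.
EVENTS = [
    (0.0, "com.example.nav", "FGS_START", ""),
    (2.0, "com.example.nav", "SENSOR", "location"),
    (900.0, "com.example.nav", "FGS_STOP", ""),
]
for t0 in (60.0, 180.0, 300.0):  # short bursts every 120 s
    EVENTS += [
        (t0, "com.example.torch", "FGS_START", ""),
        (t0 + 0.4, "com.example.torch", "SENSOR", "camera"),
        (t0 + 0.5, "com.example.torch", "SENSOR", "microphone"),
        (t0 + 1.2, "com.example.torch", "FGS_STOP", ""),
    ]


def sessions(events):
    """Pair each FGS_START with its FGS_STOP.

    Yields (package, start, duration, sensors); unmatched events are ignored.
    """
    open_sessions = {}  # package -> [start time, sensors touched so far]
    for ts, pkg, event, detail in sorted(events):
        if event == "FGS_START":
            open_sessions[pkg] = [ts, set()]
        elif event == "SENSOR" and pkg in open_sessions:
            open_sessions[pkg][1].add(detail)
        elif event == "FGS_STOP" and pkg in open_sessions:
            start, sensors = open_sessions.pop(pkg)
            yield pkg, start, ts - start, sensors


def flag_packages(events, max_duration=5.0, min_repeats=3):
    """Flag packages with repeated, sensor-touching foreground sessions that
    end within max_duration seconds (both thresholds are assumptions)."""
    hits = defaultdict(lambda: {"count": 0, "sensors": set()})
    for pkg, _start, duration, sensors in sessions(events):
        if sensors and duration <= max_duration:
            hits[pkg]["count"] += 1
            hits[pkg]["sensors"] |= sensors
    return {p: h for p, h in hits.items() if h["count"] >= min_repeats}


if __name__ == "__main__":
    for pkg, hit in flag_packages(EVENTS).items():
        print(pkg, hit["count"], sorted(hit["sensors"]))
```

The long-running navigation session is not flagged, because its foreground service stays up long enough for the user to see the notification.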
Conclusion
Limitations, Access, Visibility, Timing, Permissions

Mitigation
→ CVE-2019-2219 – Patch is coming soon
→ Probably hard to patch, since, as you have seen, it’s kind of a design problem as well.
→ Security by visibility might not be a good idea?
→ Some vendors have permission monitors

No Silver Bullet
Monitoring, Revocation, Permission Transparency, Secure Design & Traffic Analysis, Anti-Virus, Statistics & Heuristics, Execution Graphs, Fuzzers, ML, Honey Pots

Takeaways
Stop Apps, Revoke Access

Demo
→ Test: Test yourself! Don’t worry, it’s safe :-D
→ Code: https://github.com/7homasSutter/SimpleSpyware
→ APK: https://github.com/7homasSutter/SimpleSpyware/releases

I hope you enjoyed this short talk… Thank you!
There is some more info in the appendix and the whitepaper.