Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References

Android is characterized by the complicated relations among its components and apps, through which one party interacts with the other (e.g., starting its activity) by referring to its attributes like package, activity, service, action names, authorities and permissions. Such relations can be easily compromised during a customization: e.g., when an app is removed to fit an Android version to a new device model, while references to the app remain inside that OS. This conflict between the decentralized, unregulated Android customization process and the interdependency among different Android components and apps leads to the pervasiveness of hanging attribute references (Hares), a type of vulnerabilities never investigated before. In our research, we show that popular Android devices are riddled with such flaws, which often have serious security implications: when an attribute (e.g., a package/authority/action name) is used on a device but the party defining it has been removed, a malicious app can fill the gap to acquire critical system capabilities, by simply disguising as the owner of the attribute. More specifically, we discovered in our research that on various Android devices, the malware can exploit their Hares to steal the user's voice notes, control the screen unlock process, replace Google Email's account settings activity and collect or even modify the user's contact without proper permissions. We further designed and implemented Harehunter, a new tool for automatic detection of Hares by comparing attributes defined with those used, and analyzing the references to undefined attributes to determine whether they have been protected (e.g., by signature checking). On the factory images for 97 most popular Android devices, Harehunter discovered 21557 likely Hare flaws, demonstrating the significant impacts of the problem. To mitigate the hazards, we further developed an app for detecting the attempts to exploit Hares on different devices and provide the guidance for avoiding this pitfall when building future systems.