SIDEWINDER TARGETED ATTACK AGAINST ANDROID IN THE GOLDEN AGE OF AD LIBS

While Google Play hosts little outright malware, many vulnerabilities exist both in the apps themselves and in the Android system, and aggressive ad libs (advertising libraries) leak a great deal of private user information. Combined, these weaknesses enable far more powerful targeted attacks.

We will present one practical case of such an attack, which we call the "Sidewinder Targeted Attack." It selects victims by intercepting the location information that ad libs report, which can be used to pinpoint targeted areas such as a CEO's office or specific conference rooms. Once the target is identified, the "Sidewinder Targeted Attack" exploits popular vulnerabilities in ad libs, such as JavaScript binding over HTTP or dynamic loading over HTTP.
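To make the "JavaScript binding over HTTP" weakness named above concrete, here is an added illustration (not code from the talk or from any real ad SDK) of the weak WebView setup beside a hardened one; `AdWebViewSetup`, `AdBridge` and the `ads.example.invalid` host are hypothetical names chosen for this example.

```java
import android.annotation.SuppressLint;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Constructed illustration of the "JavaScript binding over HTTP" weakness.
// AdWebViewSetup and AdBridge are hypothetical names, not from any real SDK.
public final class AdWebViewSetup {

    // The object the page can reach as window.AdBridge. With targetSdk >= 17
    // only @JavascriptInterface-annotated methods are exposed; on older
    // targets every public method of the object is callable from page JS.
    public static final class AdBridge {
        @JavascriptInterface
        public String sdkVersion() { return "1.0-example"; }
    }

    // Weak pattern: JavaScript enabled, a Java object bound into the page, and
    // the ad content fetched over cleartext HTTP. Whoever can alter that HTTP
    // response decides which JavaScript runs against the bridge.
    @SuppressLint("SetJavaScriptEnabled")
    public static void weakConfig(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new AdBridge(), "AdBridge");
        view.loadUrl("http://ads.example.invalid/banner");   // placeholder host
    }

    // Hardened pattern: load ad content only over HTTPS, refuse in-page
    // navigation to any cleartext URL, and keep the bridge surface to the
    // annotated methods above.
    @SuppressLint("SetJavaScriptEnabled")
    public static void hardenedConfig(WebView view) {
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new AdBridge(), "AdBridge");
        view.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, String url) {
                // Returning true cancels the load; only https:// is allowed.
                return !url.startsWith("https://");
            }
        });
        view.loadUrl("https://ads.example.invalid/banner");  // placeholder host
    }
}
```

`shouldOverrideUrlLoading` only governs navigations started inside the page, so the initial URL must already be HTTPS; on newer Android releases the same policy can also be enforced app-wide by disallowing cleartext traffic in the network security configuration.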

During exploitation, it is a well-known challenge to call Android services from injected native code because the code lacks an Android application context. We will therefore also demonstrate how attackers can invoke Android services such as taking photos, calling phone numbers, sending SMS, and reading and writing the clipboard.

Once inside the target, the attackers can exploit several Android vulnerabilities to obtain valuable private information or launch more advanced attacks. We will reveal how to exploit new vulnerabilities we discovered in this phase.

In this talk, we will show demos using real-world apps downloaded from Google Play.

Although we notified Google, ad vendors and app developers about the related issues half a year ago, millions of users remain exposed to "Sidewinder Targeted Attacks" because of the slow patching and upgrading, and the fragmentation, of the Android ecosystem.
