Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps

The Android security community has been predominantly focused on user-space applications for many years. However, there is a distribution mechanism for security issues that affects more unknowing users, generally allows more privileges, and is tougher to remediate once launched: problems in pre-installed applications. With thousands of OEMs and even more firmware images, the Android pre-installed ecosystem is a big space to both audit and secure.

This talk will detail the differences in reversing and analyzing pre-installed Android applications compared to the user-space applications that most security research has focused on. This includes identifying when a pre-installed application is unlikely to run in an emulator without modification, detecting signals that the pre-installed app may be colluding with other components and is only one piece of the puzzle, and understanding how bad behaviors change when they run in the more privileged context of a pre-installed application.

We will then dive into case studies of Android pre-installed security issues we discovered in 2018 and 2019: malware, security misconfigurations, and a remote code execution backdoor. We will walk through the code and the reverse engineering process. In addition, we'll cover detection and remediation for each and how it differs from a user-space application. This talk will be a detailed tour through the Android pre-installed ecosystem: the analysis challenges, how to get around them, and the interesting security issues one might uncover.