
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/323635885

A survey of Android exploits in the wild

Article in Computers & Security · July 2018
DOI: 10.1016/j.cose.2018.02.019


All content following this page was uploaded by Huasong Meng on 22 June 2018.



A SURVEY OF ANDROID EXPLOITS IN THE WILD 1

A Survey of Android Exploits in the Wild

Huasong Meng, Vrizlynn L. L. Thing, Yao Cheng, Zhongmin Dai, and Li Zhang

(The authors are with the Institute for Infocomm Research, Agency for Science, Technology and Research, Singapore 138632.)

Abstract—The Android operating system has been dominating the mobile device market in recent years. Although Android has actively strengthened its security mechanisms and fixed a great number of vulnerabilities as its versions evolve, new vulnerabilities still keep emerging. Vulnerability exploitation is a common way to achieve privilege escalation on Android systems. In order to provide a holistic and comprehensive understanding of the exploits, we conduct a survey of 63 publicly available exploits for Android devices in this paper. Based on the analysis of the collected real-world exploits, we construct a taxonomy of Android exploitation and present the similarities/differences and strengths/weaknesses of different types of exploits. In addition, we conduct an evaluation of a group of selected exploits on our test devices. Based on both the theoretical analysis and the experimental results of the evaluation, we present our insight into Android exploitation. The growth of exploit categories along the timeline reflects three trends: (1) individual exploits are becoming more device specific and operating system version specific; (2) exploits targeting vendors’ customizations grow steadily while the increase of other types of exploits slows down; and (3) memory corruption gradually becomes the primary approach to initiate exploitation.

Index Terms—Android, mobile security, privilege escalation, exploit.

I. INTRODUCTION

Smart mobile devices are indispensable in people’s lives nowadays. Along with the development of mobile technology and the prevalence of Internet services, smart mobile devices have become the principal digital assistant that people use for information acquisition, instant messaging, online socialization, Internet financing and other Internet services. The market share of devices with the Android operating system has kept growing since its release in 2008 and has been dominating the mobile system market for a long time. According to the latest market statistics by IDC, Android managed to capture 85.0% of the worldwide smartphone market share by the 1st quarter of 2017 [1]. In the meantime, global shipments of new Android devices have been experiencing average 10% growth each year since 2015 [2]. Due to people’s heavy reliance on mobile devices and the popularity of Android mobile systems, privacy concerns and security issues on Android systems attract great attention from mobile users, industry players and academic researchers. At the same time, this also makes Android the prominent target of attackers. Unfortunately, Android vulnerabilities keep emerging and have successfully been turned into exploits even though Android has strengthened its security mechanisms and fixed a great number of vulnerabilities as its versions evolve.

Vulnerability exploitation is a common way to achieve higher privilege on Android systems. Exploiting Android devices has been a popular topic since Android was first introduced in 2008. Numerous exploits have been implemented in Android’s history. From the user’s perspective, an exploit program can help them bypass the security mechanisms of their Android devices to achieve better control of their devices by obtaining a higher privilege, e.g., rooting their devices. On the other hand, exploitation could also be misused to gain control of victims’ devices, where the attacker can obtain financial profit from the user’s Internet financing or by selling acquired user privacy (e.g., account information). We intend to provide a holistic and comprehensive understanding of the exploits that can be used to attain higher privileges in the Android system. It would be helpful in terms of understanding how individual exploits work and what the trend of exploits on Android would be.

In this paper, we present a survey of all the publicly available Android exploits gathered on the Internet. We provide a taxonomy of the Android exploits and analyze their similarities/differences and strengths/weaknesses. We demonstrate the trend of Android exploits by analyzing the development of each exploit category. Furthermore, we evaluate a group of exploits on our test devices. In summary, our contribution can be summarized in three points:

1) To the best of our knowledge, this is the first complete and exhaustive survey of publicly available Android exploits. By analyzing each exploit, we filter out those exploits with the same way of working but different nicknames and finally distill 63 different exploits. By referring to our survey, a reader can easily find out the affected device models and Android versions of a publicly released exploit as well as the vulnerabilities behind it.

2) This paper conducts a comparative and in-depth analysis of existing real-world Android exploits for the first time. We propose a taxonomy and accordingly initiate a classification of these exploits. We also carry out a comparison among different types of exploits. By analyzing the similarities/differences and strengths/weaknesses of each type of exploit, we point out the evolution of exploitation throughout the history of Android and forecast the future trends of exploitation on Android devices.

3) With a large volume of information on these exploits collected, we select a group of exploits by matching their target devices and Android versions to our test devices. Then we conduct an experiment to validate those selected exploits. By observing the experimental results, we present our evaluation result and discuss our findings correspondingly.

In the following section, we will first introduce the background of Android security mechanisms and typical Android
privilege escalation. We then propose a taxonomy of Android exploitation considering various perspectives in Section III. In Section IV, we present the list of exploits gathered from multiple online sources, followed by an analysis based on our classification results. As an important part of this survey, we also use a number of devices to evaluate applicable exploits. Section V shows the evaluation outcome and presents a discussion based on our findings. After that, the paper is concluded in Section VI.

II. BACKGROUND

A. The Architecture of Android

Android is a mobile operating system built upon a Linux kernel. Figure 1 shows the layered architecture of Android. The concise architecture of Android can be depicted in 4 layers: the kernel layer, middleware layer, framework layer, and application layer. The Linux kernel is the bottom layer of the Android platform, which provides the basic functionalities of an operating system such as kernel drivers, power management and the file system. The layer above the kernel is called the Android middleware layer, which contains essential elements of Android as a mobile platform [3]. There are two parts in the Android middleware layer, i.e., the native components and the Android runtime system. Within the native components, the Hardware Abstraction Layer (HAL) defines a standard interface to bridge the gap between hardware and software. Compared with the drivers located in the kernel layer, the Android HAL holds most of the hardware vendor specific implementation, for example, the APIs of audio devices and cameras [4], [5]. The other two key components in the native components part are the native libraries and daemons, which are written in C/C++. The native daemons handle all interaction with the system at the native level. The native libraries, like SQLite, WebKit, SSL, and OpenGL, greatly enrich the functionality and compatibility of the Android platform for development purposes. The Android runtime system contains the core libraries and the runtime environment. A Java process virtual machine named Dalvik was used as the only runtime environment until Android version 4.4. Thereafter, Android introduced a new runtime scheme called Android Runtime (ART) to replace the Dalvik virtual machine in later versions [6]. Compared with the Just-In-Time (JIT) compilation used by the Dalvik virtual machine, the Ahead-Of-Time (AOT) compilation provided by ART has been proven to bring significant improvements in performance as well as energy consumption [7], [8]. On top of the Android runtime system is the application framework, which is used most often by app developers as it handles many elementary functionalities of Android applications. For instance, the view system provides a rich and extensible collection of UI components; content providers enable an app to access or share data with other apps. All previously mentioned components build the foundation for application execution on the Android platform.

B. Security Mechanism of Android

There are two main security mechanisms on Android. One is the Android permission-based mechanism, which is performed in the Android application framework layer. The other one is the Linux user-based privilege mechanism, which is enforced in the kernel layer. An app must be granted the corresponding permissions by the operating system prior to its access to the resources of other parties [9].

The permission-based security mechanism is implemented at the Inter-Component Communication (ICC) level. As Android plays the role of reference monitor to mediate all ICC establishment, it regulates all ICC by assigning each application or component a pre-defined permission label. In this way, the Android operating system will deny any ICC operation which asks for permission beyond the pre-defined permission scope. Android introduces four permission levels for its access control mechanism. The lowest permission level is called normal. The permissions at this level are granted as long as the developer declared them in the manifest file of an app, such as Internet access, vibration, and NFC usage. A higher permission level is named dangerous, and the permissions at this level can only be granted after obtaining the user’s consent during execution, for example accessing the user’s photos. The other two levels are signature and “signature and system”, which are designed for risky permissions. The former is only granted to those apps signed by a trusted party and the latter is granted to apps signed by Google and phone vendors [10].

Regarding the user-based security mechanism, each application on Android runs with a unique user identity, so that the underlying Linux system can provide system-level isolation to contain damage caused by programming flaws [11]. However, there are some exceptions for system-defined privileged users, for example root, system and radio [12]. A privileged user can initiate more than one process on the Android system without the need to switch identity, and all of those processes are granted exactly the same privilege as the privileged user, which constitutes a potential security loophole in the Android system. Starting from Android version 4.3, a Security-Enhanced Linux (SELinux) model has been enforced to upgrade Discretionary Access Control (DAC) to Mandatory Access Control (MAC). Access capability on Android has ceased to be solely determined by file system ownership. Under the governance of SELinux, every process has to run at the minimum privilege level, which is strictly regulated by a number of SELinux security policies [12], [13].

C. Privilege Escalation

Privileged access gives users the freedom to maximize the utilization of their Android devices. In Android, besides the “system” user, there is another pre-defined user called “root”, which follows the “superuser” concept of Linux operating systems. The root user is provided with full control of the system and, furthermore, can access the user’s data without any restriction [11], [14]. In consideration of user privacy and system reliability, Google has neither produced any Android version with root permission enabled nor encouraged people to root their devices since Android was publicly released [15]. Users will have to find a way to escalate their privileges if they want to achieve any functionality or customization which
is not essentially granted by the Android system. Once users obtain root user privilege, they are able to back up apps and data in their preferred ways, recover files which were deleted by mistake, disable advertisements or uninstall apps preloaded into the system image [16]. According to a survey in 2014, over 27.44% of Android users rooted their devices to uninstall useless and redundant built-in apps [17]. From many users’ point of view, rooting is a good resolution to their pain points during the use of the device. That may explain why rooting is in extremely high demand and is a popular topic in Android’s world.

Fig. 1: A Layered Architecture of Android Operating System (application layer: core applications, third party applications; framework layer: content providers, view system, managers; middleware layer: the Android runtime system with core libraries and Dalvik VM / ART, and the native components with native libraries, native daemons and the Hardware Abstraction Layer (HAL); kernel layer: drivers, file system, power management)

The process of rooting an Android device varies with the version of the operating system and the hardware configuration. Rooting can be classified into two types depending on whether flashing the device is required or not [18]. Traditional rooting, the so-called “hard root”, attains root privilege by directly flashing a superuser binary into the device. The hard root process comes with 3 steps: (1) unlocking the bootloader; (2) flashing a customized recovery image with the superuser binary embedded; (3) installing a superuser permission management tool such as SuperSU [19], [20]. The hard root method is simple but may lead to erasing all the data on the internal storage. The other type of rooting is called “soft root” or “indirect root”. Soft root mostly refers to the scenario in which the root privilege is obtained by running software or a process that exploits Android vulnerabilities. Soft root usually comes with a temporary privilege escalation of an active process. Nonetheless, it is also possible to make the rooted status permanent by making use of the currently privileged process to copy the superuser binary to the system directory. Compared with hard root, soft root has wider support across different Android devices as it doesn’t require a flash image for a specific device model and Android version. More importantly, soft root can root a device without any data loss.

Android rooting is a double-edged sword: the superior privilege obtained from rooting could not only provide users with more permission to use their devices or assist the government in forensic investigation, but also possibly expose all of the user’s privacy and confidential information to an attacker [18]. Hence rooting could be a big threat to users’ privacy and information security if it is conducted for evil purposes.

D. Vulnerabilities Exploitation

The history of vulnerability exploitation on Android devices can be traced back to 2009, the second year after the Android system was released. In that year, Christopher Lais implemented a utility called Volez to generate a crafted system recovery package. By making use of a code defect in over-the-air (OTA) recovery package verification on the Android system, Volez could add anything to the official package while it still passed as valid. That exploit was proved feasible on the Motorola Droid when the first OTA update was published [21], [22].

In 2010, Lucas Davi et al. presented an in-depth explanation of the exploitation with a component-based attack model [23]. Suppose there is a non-privileged application (A1) and a privileged application (A3) running on a device simultaneously. A1 does not have the permission to access the components of A3. However, by making use of a conceptual weakness of the permission mechanism of the Android system, a non-privileged caller in A1 could still have the chance to access A3 if there is an application in the middle (A2) which allows access from the unprivileged application A1 and meanwhile has been granted access to the privileged application A3. Therefore the unprivileged application A1 may always be able to attain higher permission from another privileged application if the intermediary A2 fails to implement the necessary permission checks. In a real-world application, any privileged software or service running on the Android system can hold the role of A2 in the model depicted by Lucas Davi et al. If a vulnerability is found in this privileged software or service, an exploit program, which plays the role of A1, can be utilized by the adversary to corrupt the normal execution of A2 and thereby obtain the superior privilege.
Fig. 2: Component-based Permission Attack Model (three sandboxed applications within the Android middleware: A1 with no granted permission, A2 with granted permission P3, and the protected A3 with no granted permission; A2 can be accessed by A1 without permissions, A3 grants permission P3 to A2 to allow its access, and without permissions granted A1 is not allowed to access A3 directly)

In 2011, Höbarth and Mayrhofer discussed more possibilities to achieve privilege escalation by executing exploit programs [24]. They focused on the Android exploits that evolved from system-level vulnerabilities and are initiated through native executable programs, and they categorized Android exploits into 4 typical attack methods: missing input sanitization, remapping shared memory, restriction of Anonymous Shared Memory (ashmem) access and overflow of the process number.

Vulnerabilities may not only come from the privileged software made by Google but may also be caused by defects in the Linux kernel, System on Chip (SoC) design, the manufacturer’s Read-Only Memory (ROM), carrier additions and privileged third-party applications. Once any vulnerability is found on the target device, it may give an opportunity to exploit it and thereby gain root permission [25]–[27].

Concern about exploitation based on these vulnerabilities was already raised in the early years of Android’s history [28]. Starting from 2011, researchers started actively looking for security vulnerabilities on the Android platform [29]–[31]. Almost at the same time, various classifications and surveys of Android Common Vulnerabilities and Exposures (CVEs) were also conducted by researchers [18], [22], [32]. However, not all of the vulnerabilities can be exploited to escalate privilege, and not all Android vulnerabilities come with exploits that are ready to use. It costs plenty of time and effort to understand a vulnerability and come up with an exploit algorithm. As Android has greatly strengthened its security mechanisms in recent years, the number of newly found exploitable vulnerabilities has significantly reduced. However, new vulnerabilities keep emerging and are successfully turned into exploits, such as the use-after-free issue in the Linux kernel, the Android keystore stack buffer issue and the security weakness in Android TrustZone [33]–[35].

III. EXPLOITATION TAXONOMY

We propose a taxonomy for this survey to facilitate a holistic and comprehensive understanding of Android exploits. With this taxonomy, depicted in Figure 3, we describe an exploit from 3 different perspectives: the societal perspective, the practical perspective, and the technical perspective. From the societal aspect, we discuss who the potential attacker is, what his or her motive in conducting the exploitation is, and the possible consequence (risk) if such exploitation has been exercised. From the practical perspective, we discuss the pre-requisites for the exploitation, the steps to conduct the exploitation, and the expected outcome (output) of the execution of the exploit. Finally, from the technical perspective, we discuss all the key elements of an exploit in an attack analysis model, including attack surfaces, attack vectors, and vulnerable targets.

A. Societal Perspectives

(S1) Attacker & (S2) Motive

We use the term attacker to represent the role of the entity who initiates the exploitation, regardless of whether he or she is the owner of the device or has malicious intentions. In consideration of moral and legal qualms, most of the exploits are introduced to the public as tools to enable devices’ owners to gain superior privilege in their daily usage. However, this does not guarantee that the exploit will never be used by people with malicious intent. Hacktivists and cyber-spies could profit from making use of exploit programs to gain control of a victim’s device stealthily without the user’s consent or awareness. Thieves could continue using stolen devices by obtaining superior privilege even if those devices have been locked by their owners. Terrorists can use exploits to control and interrupt the normal operation of people’s smartphones. Moreover, exploits may also be used by law enforcement agencies or investigators to obtain evidence for forensic purposes.

(S3) Possible Consequence

Many exploits gain privilege with some side effects such as process crashes or memory tampering, which may turn the target device into an unstable state or, even worse, leave it bricked and result in loss of warranty. However, the risk of exploitation with malicious intention is much greater than that of personal usage by the device owner. Attackers may inject a virus or ransomware into the exploit program and install it on the target device once the exploit program has acquired the superior privilege. The virus or ransomware could then reproduce itself to harm other target devices. Through the theft of sensitive information stored on the target device, the victim may suffer financial loss and leakage of commercial secrets. Society may fall into chaos and panic if an exploit is utilized by terrorists to spread horror and sabotage the communication functions of users’ mobile devices. On the other hand, using exploits legitimately can give law enforcement agencies or investigators a greater possibility of finding key evidence on the devices of the people involved.

B. Practical Perspectives

(P1) Execution Channel & (P2) Condition

The execution channel describes the approach that an attacker takes to the exploit program to conduct the exploitation. The condition defines the pre-requisite that must be satisfied before the
attack is exercised. An exploit may require more than one condition to ensure a successful execution. The condition set of an exploit usually varies with the execution channel. With the knowledge of the execution channel and all the necessary conditions of an exploit, we can construct a scenario to present the exploitation process on a real device. Here we define 4 different execution channels, and we will discuss the conditions for each execution channel in the following paragraphs.

Fig. 3: Android Exploit Attack Taxonomy. (A) Societal perspective: Attacker (S1): owner; law enforcement agencies / forensic investigators; hacktivists; thieves; criminals / terrorists; cyber spies. Motive (S2): superior privilege; information / evidence collection; deception; extortion; intimidation; commercial profit. Consequence (S3): poor stability; bricking device; loss of warranty; information loss / disclosure; virus infection; chaos of spam, spyware and ransomware; financial loss. (B) Practical perspective: Execution channel (P1): app execution; shell execution; remote execution; others. Condition (P2): trusted USB connection; physical access; remote access under same domain of network; USB debugging enabled; unknown source installation allowed; others. Privilege obtained (P3): root; system; shell; others. (C) Technical perspective: Possible attack surface (T1): physical attack surface (USB connection); remote (client-side) attack surface (browser, web-powered app, email); local attack surface (file system, daemon, system calls, standard drivers, Android specified drivers, vendor drivers). Attack vector (T2): daemon abusing; file permission and symbolic link attack; shared memory remapping; memory corruption; remote shell control; others. Vulnerable target (T3): file system; system component; Linux kernel; vendor drivers; trusted execution environment; others.

App Execution: App execution describes the scenario in which an attacker embeds the exploit code together with super-user binary files into an APK file and installs it on the target device to exercise the exploitation. The app containing the exploit payload could be installed through on-device download or a USB connection. Once the APK file has been installed on the target device, the privilege escalation can be triggered by any user interaction within the app’s interface, or even automatically while the app is running in the background. If the malicious code has been successfully executed, the privilege of the running process will be temporarily escalated, and then a persistent root could be obtained if the process with superior privilege copies the super-user binaries to the system executable directory within the Android system [36]. As the crafted APK containing the exploit payload has almost zero chance of being published on the Google Play market due to the pre-publish security check, the attacker must make sure the target device has enabled the “unknown source installation” option to allow the APK installation, followed by execution on the target device. Moreover, if the attacker wants to manually transfer the APK file to the target device through a USB connection, the attacker also needs to ensure that the target device has USB debugging enabled and has trusted the USB connection with the computer where the attack originates.

Shell Execution: Running executable scripts or binaries on the target device could be regarded as the most direct and effective way to conduct exploitation. To exploit, the attacker needs to connect the target device to a PC through a USB connection, upload the script or executable binary along with all relevant files to a temporary directory on the target device by calling the Android Debug Bridge (ADB for short) “push” command, and then execute the scripts or binaries in an ADB shell. Compared with app execution, shell execution comes with a lower implementation cost and higher flexibility to apply to different operating system versions or device models. In addition, a successful shell execution usually results in a shell window with superior privilege, which brings convenience and freedom to the attacker to manipulate the target device.
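A defender's check of the conditions named for the app and shell execution channels above, as an added example that is not part of the paper: it reads the relevant device settings over `adb shell` (real commands) and maps them onto the taxonomy's (P2) conditions. The condition tags, the assessment rules and the Android 8+ caveat are this example's own; it assumes `adb` is on the PATH when `collect()` is used.

```python
"""Audit a device against the (P2) conditions of the app and shell
execution channels.

Added example, not code from the paper: the adb commands are real, but the
mapping of their output onto condition tags, and the tag names, are this
example's own.  Collection is separated from assessment so the assessment
can run on captured values without a device attached.
"""
import subprocess
from typing import Dict, List, Optional

# Each probe is a command run via `adb shell`; all exist on stock Android.
PROBES: Dict[str, List[str]] = {
    "adb_enabled": ["settings", "get", "global", "adb_enabled"],
    "unknown_sources": ["settings", "get", "secure", "install_non_market_apps"],
    "selinux": ["getenforce"],
    "debuggable": ["getprop", "ro.debuggable"],
    "release": ["getprop", "ro.build.version.release"],
}

# Condition tags (this example's naming) and what each means for the device.
CONDITIONS: Dict[str, str] = {
    "usb_debugging_enabled": "USB debugging on: shell execution channel open to any trusted host",
    "unknown_sources_allowed": "unknown-source installation on: app execution channel open",
    "unknown_sources_per_app": "Android 8+: sideloading is granted per app (REQUEST_INSTALL_PACKAGES); check installers individually",
    "selinux_not_enforcing": "SELinux not enforcing: no MAC confinement of a compromised process",
    "debuggable_build": "ro.debuggable=1: adbd can be restarted as root (adb root)",
}


def collect(serial: Optional[str] = None) -> Dict[str, str]:
    """Run every probe over adb and return the trimmed outputs."""
    base = ["adb"] + (["-s", serial] if serial else []) + ["shell"]
    values: Dict[str, str] = {}
    for key, cmd in PROBES.items():
        proc = subprocess.run(base + cmd, capture_output=True, text=True, check=False)
        values[key] = proc.stdout.strip()
    return values


def major_version(release: str) -> int:
    """'8.1.0' -> 8; anything unparseable counts as 0."""
    head = release.split(".")[0]
    return int(head) if head.isdigit() else 0


def assess(values: Dict[str, str]) -> List[str]:
    """Return the condition tags satisfied by the captured values."""
    hits: List[str] = []
    if values.get("adb_enabled") == "1":
        hits.append("usb_debugging_enabled")
    # install_non_market_apps is a global toggle only up to Android 7; from 8
    # onward the grant is per app, so a "null"/"0" reading proves nothing.
    if values.get("unknown_sources") == "1":
        hits.append("unknown_sources_allowed")
    elif major_version(values.get("release", "")) >= 8:
        hits.append("unknown_sources_per_app")
    if values.get("selinux", "").strip().lower() != "enforcing":
        hits.append("selinux_not_enforcing")
    if values.get("debuggable") == "1":
        hits.append("debuggable_build")
    return hits


def report(values: Dict[str, str]) -> str:
    """Human-readable summary of assess()."""
    hits = assess(values)
    if not hits:
        return "no exploitation conditions from the taxonomy are satisfied"
    return "\n".join(f"- {tag}: {CONDITIONS[tag]}" for tag in hits)


if __name__ == "__main__":
    # Constructed sample, shaped like collect() output from a permissively
    # configured Android 7 device (not a real capture).
    sample = {"adb_enabled": "1", "unknown_sources": "1",
              "selinux": "Permissive", "debuggable": "0", "release": "7.1.2"}
    print(report(sample))
```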
Despite the strengths that shell execution exploits have, there are still some restrictions that we should not ignore while conducting binary exploitation. Before the exploitation takes place, what the attacker needs includes (1) a PC with drivers for both the target device and ADB installed; (2) physical possession of the target device to connect the device to the PC through USB at the moment of exploitation; (3) the password to unlock the screen of the target device, if any, to grant authorization and enable USB debugging and a trusted connection.

Remote Execution: Remote execution is another optional execution channel to conduct exploitation on Android devices. It does not require a physical connection or APK installation. Instead, remote execution usually targets some native components of the Android system, such as WebKit or the media playback library, to attain privilege escalation at a distance [37], [38]. In practice, the attack source may be a piece of malicious code pre-loaded into a web page or a crafted media file. The exploitation will be triggered at the moment the target device user starts viewing or previewing the crafted web page or media file. During the execution, the attack source code could achieve privilege escalation and then initiate a remote connection between the target device and the attacker’s machine, and in the end, pass full control of the target device to the attacker.

Remote execution stands out from the other exploitation channels that require a physical connection, and it is one of the trends of future exploitation on Android devices owing to the many advantages it has [39]. Firstly, remote execution has excellent camouflage and anonymity because it is possible to attain high privilege on Android devices without a physical connection or the victim’s awareness. Moreover, as the attack originates from the network rather than local files or applications, it will be difficult for the security mechanisms in the Android system or third-party anti-virus applications to detect the exploitation by local scanning or static analysis. Nevertheless, remote exploits still have some restrictions when applying the exploitation in the wild rather than in the laboratory. Even though such exploitation is free of physical connection, the attacker still needs to ensure his or her attacking device is connected to the same network as the target device, and the IP address of the attacking device must be filled in the malicious payload code prior to the exploitation.

Others: Besides those 3 types of common execution channels, there is an exception in the history of Android exploitation called Volez. Volez is the first ever publicly released exploit that takes advantage of one or more vulnerabilities of the target device to obtain root privilege. The Volez program can modify

where we mentioned above, we classify it and any similar future exploits as “others”.

(P3) Expected Privilege

Root privilege is the ultimate goal of privilege escalation on the Android platform; however, sometimes it does not need to be mandatory, as some functions like the camera and screenshots do not require root privilege to invoke. Gaining code execution in the Android System Server or Media Server could also be considered a successful exploitation under certain circumstances [23]. Many exploits can help an attacker gain root privilege directly. Nevertheless, there are some exploits targeting high privileges other than root, for example, the system user privilege, the shell privilege, privileges within sub-systems of the target device like the baseband or trusted execution environment (TEE), etc.

C. Technical Perspectives

(T1) Attack Surface

The attack surface represents a set of interactions and components where an exploit takes advantage and initiates the attack routine. By observing various exploits, we summarize the attack surfaces used by these exploits, and furthermore we categorize those attack surfaces into 3 groups: remote attack surfaces, local attack surfaces, and physical attack surfaces. The remote attack surfaces and local attack surfaces represent different approaches that the attacker uses to interact with the target device. On the other hand, the local attack surfaces contain the components within the Android operating system where the exploit takes advantage to escalate privilege. It is worth mentioning that an exploit may have multiple attack surfaces from different categories to constitute a successful attack.

(T1.1) Physical Attack Surface: Establishing a USB connection between the attack machine and the target device is the first step for many exploitations. USB is the primary wired interface for Android devices to interact with other devices. In an active Android operating system, there is a service named the ADB daemon (adbd) standing by all the time to facilitate command operation and data transmission through the ADB channel. Once a trusted ADB connection has been set up, the attacker can deploy an exploit by either executing the corresponding commands to install a crafted application, or starting a shell session to run an executable file with the attack payload. For that reason, USB is treated as the most ubiquitous physical attack surface exposed to diverse exploits on the Android platform. In addition to USB, there are some other physical connection methods applicable to some Android devices and theoretically feasible to be the attack surface of exploitation,
the factory OTA recovery image and insert su binary into the for example, the SD Card and the HDMI connection. However,
image. After that, the attacker copies the crafted image to the until the date of this paper being drafted, there is no publicly
device storage and triggers the device recovery. The device released exploit found to use any physical connection method
operating system will be reset to factory status but has su other than USB.
binary located in system executable directory, which means the
user of the device could easily gain root privilege by installing (T1.2) Remote (Client-side) Attack Surface: The remote at-
a superuser management app or calling “su” command in the tack is always a very popular and attractive topic because
ADB shell. As the Volez does not follow any attack channel it gets rid of physical restriction. Rather than a physical
A SURVEY OF ANDROID EXPLOITS IN THE WILD 7

connection, the attacker can execute the exploit program over a computer network.

The web browser application is one of the major attack surfaces in remote attacks. One possible attack is exercised by Document Object Model (DOM) manipulation through JavaScript: the malicious script injected by the attacker can dynamically modify the structure and content of the current web page once it has been loaded by the browser. In fact, due to the rich functionality of the browser application, there are many opportunities for the attacker to reach local attack surfaces from it. Among the existing Android exploits we surveyed, WebKit Use-After-Free is a typical browser attack, which inserts a script into the space that has just been freed and thereby achieves privilege escalation. It then creates a remote shell window that allows the attacker to control the target device remotely.

Besides the browser, the great number of web-powered applications on the Android platform also have a very high probability of being chosen as the attack surface in remote attacks. Most applications that work on the basis of an Internet service are implemented using standardized web service APIs and libraries, for example SSL/TLS authentication and the embedded browser engine called WebView. Components using the standard WebView libraries and APIs will very probably expose potential attack surfaces. For example, in 2015, an exploit called StageFright was found to take advantage of the media previewing library on some Android devices. It can gain control of the victim's device through a reverse shell by sending a crafted media file that contains the malicious payload and is then previewed on the victim's device. A web-powered mobile application is selected as the attack surface in the demonstration of the StageFright exploitation.

The electronic mail (E-mail) client application is another potential attack surface for remote attacks. As most of the mainstream E-mail service providers allow users to attach any type of file to their messages, the attacker can insert a malicious script into a document or media file, send it to the victim in an E-mail message, and then deliver the attack to the browser or other vulnerable applications on the victim's device.

(T1.3) Local Attack Surface: Local attack surfaces represent the attack points used by a program or script that is already executing on the victim's device. For most exploit programs, the local attack surface is the first step and a necessity of the actual vulnerability exploitation. Here we summarize 6 different common attack surfaces in this category.

(T1.3.1) File System: Due to the Unix lineage of the Android system, the file system is one of the most frequently mentioned attack surfaces for conducting a local attack. The file system defines ownership and permissions for each file entry. Attackers have a chance to exercise an exploitation if insufficient restrictions are enforced on the file permission assignment. One typical file system attack takes advantage of an inadequate security implementation in the init.rc file to exercise a symbolic link attack [22]. By changing the permission of the /data/local folder to make it writeable by the user and shell group, the user can reboot the device and then set the ro.kernel.qemu value to 1 in the local.prop file. As a result, the user of the device obtains root privilege. We will discuss the real application of exploitation targeting the Android file system in technical perspective T3.

(T1.3.2) Daemons: ADB and Zygote are the two daemons most prevalently exploited by attackers. When we initiate an ADB session on an Android device, the ADB daemon (the adbd process) starts running as the root user and then drops its privilege to the shell user before it is ready to be used. However, in old versions of Android up to 2.2, the ADB daemon does not adequately check the return value of the setuid call at the moment it drops privilege from root to the shell user. Similarly, the Zygote daemon also gives root privilege to all processes forked from it, and then drops privilege once the user who forks the process from it has been confirmed. Since both daemons originate from the root user, they have become popular attack surfaces for exercising an exploitation for root access. We explain this process further under the daemon abusing attack vector.

(T1.3.3) System Calls: System calls constitute an important type of attack surface in the Android system. An attack can be exercised by making use of vulnerabilities in the Linux kernel of the Android system: invoking system calls with malicious data or arguments and thereby tampering with the system kernel to attain higher privilege. For example, the TowelRoot / futex exploit is one of the best-known exploits against early versions of the Android operating system. It takes advantage of code defects in the relock and requeue functions defined in futex.c in the Linux kernel source code. When an attacker runs the exploit program, those vulnerable functions are called with malicious arguments and in an inappropriate manner. As a result, the addr_limit value of the current thread is modified and the user privilege of the current thread is escalated correspondingly. Another exploit, libperf_event, targets the perf_swevent_init function in the Linux kernel. It passes a negative integer as an argument of the perf_swevent_init function to crash the current thread and then achieves arbitrary code execution to attain privilege for the attacker.

(T1.3.4) Drivers: On the Android platform, drivers usually represent a bundle of libraries or modules that bridge the gap between user applications and a hardware or native system service. In fact, there are many drivers in the operating system of an actual Android device. We group these drivers into 3 types on the basis of their functionality.

The first type of driver is the standard drivers (more on the Linux side), which are ported from the Linux kernel. This type of driver usually serves as the enabler of basic hardware such as Bluetooth and audio. An attacker can migrate a driver vulnerability or issue residing in the Linux system to the Android platform. For example, there is an exploit called dirtyCow which was originally found on the Linux platform but was later proved to work on the Android operating system too. It makes use of a race condition vulnerability in the tty (controlling terminal) driver, turns the read-only mapping of a file into a writable one and finally gains privilege.
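The symbolic link attack of T1.3.1 works because a privileged boot-time routine follows a link that an unprivileged user planted in a writable directory. The C program below is an added example (it is not code from the paper or from Android) of the check-before-use discipline that defeats it: open the path with O_NOFOLLOW so a planted link fails with ELOOP, then confirm with fstat that what was opened is a regular file owned by the expected uid. The scratch directory under /tmp, the file names and the owner check are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` without following a final-component symlink and confirm the
 * opened object is a regular file owned by `expected_owner`.
 * Returns an open fd, or -1 with errno set (ELOOP when `path` is a symlink). */
int open_trusted_file(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                /* ELOOP: a link was planted at this name */

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;            /* opened something, but not the file we meant */
        return -1;
    }
    return fd;
}

/* Demonstration on a constructed layout: a scratch directory holding a real
 * file and a symlink that points at it. Returns 1 when the guard behaves as
 * intended (the real file opens, the link is refused with ELOOP), else 0. */
int demo_symlink_guard(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char real[PATH_MAX], link[PATH_MAX];
    snprintf(real, sizeof real, "%s/local.prop", dir);  /* stands in for the protected file */
    snprintf(link, sizeof link, "%s/planted", dir);     /* stands in for the planted link */

    int ok = 0;
    int wfd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (wfd >= 0) {
        close(wfd);
        if (symlink(real, link) == 0) {
            int fd = open_trusted_file(real, getuid());
            int direct_ok = fd >= 0;
            if (fd >= 0)
                close(fd);

            int lfd = open_trusted_file(link, getuid());
            int link_refused = (lfd < 0 && errno == ELOOP);
            if (lfd >= 0)
                close(lfd);

            ok = direct_ok && link_refused;
            unlink(link);
        }
        unlink(real);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("symlink guard works: %s\n", demo_symlink_guard() ? "yes" : "no");
    return 0;
}
```

The fstat on the already-open descriptor is what closes the remaining race: checking the path with lstat first and opening afterwards would leave a window in which the name can be swapped for a link.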
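The adbd defect described in T1.3.2 (and revisited under the daemon abusing attack vector) is an unchecked return value: setuid() can fail, for example when the target uid is already at its process limit, and a daemon that ignores the failure simply carries on as root. The C code below is an added example, not code from the paper or from Android. It runs the two startup patterns against a mock credential store so the failing case can be exercised without real privileges, and then shows the hardened drop against the real kernel, which checks the return value and re-reads the credentials before serving anyone. The AID_SHELL value and the mock process counts are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define AID_ROOT  0
#define AID_SHELL 2000   /* constructed: stands in for the Android shell uid */

/* Mock credential state: the current uid, and how many processes the target
 * uid already has against its limit (all values constructed for the demo). */
struct mock_creds {
    uid_t uid;
    int   target_nproc;
    int   target_nproc_limit;
};

/* Mock setuid(): fails with EAGAIN once the target uid is at its process
 * limit, which is the condition under which the real call can fail. */
static int mock_setuid(struct mock_creds *c, uid_t target)
{
    if (c->target_nproc >= c->target_nproc_limit) {
        errno = EAGAIN;
        return -1;
    }
    c->uid = target;
    return 0;
}

/* Vulnerable startup pattern: the return value is ignored, so on failure
 * the daemon keeps serving with whatever uid it still has.
 * Returns the uid the daemon ends up serving as. */
uid_t daemon_startup_unchecked(struct mock_creds *c)
{
    mock_setuid(c, AID_SHELL);      /* result silently discarded */
    return c->uid;
}

/* Hardened pattern: check the return value, then confirm the drop by reading
 * the credentials back. Returns the serving uid, or -1 if the daemon must abort. */
int daemon_startup_checked(struct mock_creds *c)
{
    if (mock_setuid(c, AID_SHELL) != 0)
        return -1;                  /* refuse to run rather than run as root */
    if (c->uid != AID_SHELL)
        return -1;
    return (int)c->uid;
}

/* The same discipline against the real kernel: drop to `target` and verify that
 * both the real and the effective uid actually changed. 0 on success, -1 otherwise.
 * Dropping "to root" is never a drop, so target 0 is rejected outright. */
int drop_privileges_checked(uid_t target)
{
    if (target == AID_ROOT)
        return -1;
    if (setuid(target) != 0)
        return -1;
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed scenario: the shell uid is already at its process limit. */
    struct mock_creds at_limit = { AID_ROOT, 10, 10 };
    printf("unchecked daemon serves as uid %u\n",
           (unsigned)daemon_startup_unchecked(&at_limit));

    struct mock_creds at_limit_again = { AID_ROOT, 10, 10 };
    printf("checked daemon result: %d (-1 means it aborted)\n",
           daemon_startup_checked(&at_limit_again));
    return 0;
}
```

A daemon that aborts when the drop fails is a denial of service against itself, but that is the correct trade: the alternative is exactly the root-owned shell the page describes.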
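The libperf_event case in T1.3.3 (a negative integer handed to a kernel function) belongs to a class of defect that is easy to show in isolation: a signed value from user space used as an array index with only an upper-bound check. The C code below is an added example and not the perf_swevent_init code itself; the event table and the probe values are constructed, and the vulnerable variant only reports whether it would accept the index rather than actually reading out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A small table standing in for a kernel-side array indexed by a value that
 * arrives from user space (constructed for this example). */
#define EVENT_MAX 4
static const char *const event_names[EVENT_MAX] = {
    "cpu-clock", "task-clock", "page-faults", "context-switches"
};

/* Vulnerable pattern: signed index, upper bound only. A negative id passes the
 * check and would index before the start of the table. Returns 1 when the id
 * would be accepted, 0 when rejected; it deliberately touches no memory. */
int accept_event_id_vulnerable(int event_id)
{
    if (event_id >= EVENT_MAX)
        return 0;
    return 1;   /* -1, INT32_MIN and every other negative value slip through */
}

/* Hardened pattern: compare as unsigned so that negatives become huge and fail
 * the single bound check; index only after the check has passed. */
int accept_event_id_hardened(int event_id)
{
    if ((unsigned int)event_id >= EVENT_MAX)
        return 0;
    return 1;
}

/* Lookup built on the hardened check: NULL instead of an out-of-bounds read. */
const char *event_name(int event_id)
{
    if (!accept_event_id_hardened(event_id))
        return NULL;
    return event_names[event_id];
}

int main(void)
{
    int probes[] = { 0, 3, 4, -1, INT32_MIN };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *name = event_name(probes[i]);
        printf("id %11d: vulnerable=%d hardened=%d name=%s\n", probes[i],
               accept_event_id_vulnerable(probes[i]),
               accept_event_id_hardened(probes[i]),
               name ? name : "(rejected)");
    }
    return 0;
}
```

The unsigned comparison is the idiom kernel code uses for exactly this reason: one check covers both directions, and there is no second check to forget.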
Another type of driver is the Android-specific drivers, which are implemented to support the exclusive functionalities of the Android system on the basis of the Linux kernel. Many features of the Android system, such as Anonymous Shared Memory (ashmem), binder, logger, and power management, are all enabled by Android-specific drivers. Drivers belonging to this category can be treated as attack surfaces for conducting exploitation. For instance, a famous exploit from the early stage of Android history called KillingInTheNameOf and its variant, the psneuter exploit, both use the ashmem driver as the local attack surface.

Last but not least, the vendor drivers also play a key role in the local attack surface family. Due to the uneven quality of the drivers implemented by diverse hardware vendors, the APIs offered by vendor drivers often bring defects and are therefore used by attackers to conduct exploitation. Based on our findings, the first exploit that uses a vendor driver as the attack surface is named levitator and was released in 2011 [22]. It takes advantage of a defect in the APIs offered by the PowerVR SGX chipset driver to corrupt kernel memory and gain privilege. From then on, exploits using vendor drivers as the primary local attack surface emerged quickly and have held a significant proportion among all exploits since 2013.

(T2) Attack Vector

The attack vector represents the concrete attack method used by an exploit program to gain privilege. The pair of attack vector and attack surface depicts the attack model of an exploitation. For some complex exploits, there may be more than one attack vector in use during the different phases of an attack. We summarize the attack vectors of the different exploits according to the taxonomy of attack surfaces we made.

(T2.1) Daemon Abusing: As we mentioned previously, the ADB daemon (adbd) in the Android system is designed to drop its privilege from root to shell before it is presented for user interaction. Unfortunately, the ADB daemon does not properly check the return value of the setuid function in Android versions prior to 2.3, which leaves attackers a chance of gaining root privilege by interrupting the privilege dropping process. In 2010, Sebastian Krahmer found that there is a threshold value specifying the maximum number of co-existing ADB processes for which the Android system can normally accomplish the privilege dropping action. Once the threshold value is reached, newly initiated ADB processes are presented to the user with root privilege. This kind of attack was later used in Sebastian's exploit named RageAgainstTheCage. Thereafter, abusing ADB was mentioned again in 2012 in the Z2 exploit. By making use of security issues in the ADB backup function on some Sony Xperia devices, the exploit program creates a race condition and injects a privileged symbolic link into the system; by doing so, the read-only system properties can be tampered with and eventually ADB runs as the root user.

Abusing the Zygote process is another example of daemon abusing on Android devices. Zygote serves as the father process in the Android system, and all Android applications are started by being forked from the Zygote process. However, this forking procedure has a privilege assigning routine similar to that of the ADB daemon. When a new process is forked by Zygote, Zygote by default gives the newly generated process root privilege and then drops its privilege if the new process was initiated by the local user. Some exploits, such as Zimperlich / zygote jailbreak and Zysploit, make use of the similar defect in Zygote whereby the privilege lowering stage can be bypassed once the number of processes under one specific application user ID (UID) has reached its maximum value. As a result, the upcoming processes forked by Zygote under the same application UID run as the root user.

(T2.2) File Permission and Symbolic Link Attack: File permission and symbolic link (symlink) attacks have been used in many exploits for Android versions up to 4.1. During Android boot-up, an init function is called to execute the commands listed in the init.rc script. The initialization commands contain a number of folder creation (mkdir) actions, permission changing (chmod) actions and owner changing (chown) actions. Attackers usually look for security issues in this initialization procedure, and then create a symlink within the space that is about to be set with higher privilege. By doing this, attackers are able to make protected directories user-writable, and then they can overwrite the local.prop file and set the ADB user to root.

As most of these exploits make use of security issues in third-party customized system images rather than stock Android, the file permission and symlink attack exploits are overall brand specific or device model specific, for example, TacoRoot for HTC models, TwerkMyMoto for Motorola models and NachoRoot for Asus models. This type of attack vector has been mitigated since Android version 4.2, as Android added extra security semantics to the execution of the init script to prevent the permissions and file system from being exploited.

(T2.3) Shared Memory Remapping: As mentioned earlier, Android has its own shared memory subsystem called ashmem. Android offers a number of richer and simpler APIs to programmers for performance improvement, enabling developers to utilize shared memory wisely. The Android system allows any user to create and map a region in shared memory and then execute read and write actions in a very efficient manner. Unfortunately, ashmem may also be used by an attacker to map and tamper with protected contents. Taking the exploit KillingInTheNameOf as an example: because the system did not properly restrict local users' access to the system properties space in early versions of the Android operating system such as 2.x, the attacker could re-map the space where local.prop is located, and thereby change the ro.secure property to make the ADB process bypass the privilege dropping operation on future boots.

(T2.4) Memory Corruption: Memory corruption is the attack vector commonly adopted for exploiting kernel and driver vulnerabilities. It occupies a larger and larger proportion among all available attack vectors for exploitation on the Android platform, especially since Google carried out large-scale bug fixing and greatly strengthened the Android security mechanisms over the past few years. Memory corruption is a broad concept that describes all the approaches that alter the normal execution of the target device by memory manipulation.
Many typical memory corruption methods, such as stack overflow, integer overflow, null pointer dereference and format string errors, can be found in the available Android exploits.

To conduct an attack, the attacker usually chooses a privileged process as the target and then carries out a memory attack by any means to crash the target process. Once the memory manipulation has been achieved successfully, the attacker may have a chance to execute arbitrary code on behalf of the privileged process and thereby gain soft root on the target device. For example, the Use-After-Free Remote Code Execution on Webkit uses a null pointer dereference as its attack vector; GingerBreak crashes the vold daemon by feeding it a negative integer to cause an integer overflow; and zergRush invokes a libsysutils.so function with the wrong number of arguments passed in, leading to a Return Oriented Programming (ROP) chain to obtain soft root.

As memory corruption can occur at the moment of every function invocation during the execution of an Android native program, there is no lack of memory corruption in our exploit survey results. It is hard to prevent memory corruption completely when compared with the other types of attack vectors.

(T2.5) Remote Shell Control: All the attack vectors we listed in the previous paragraphs correspond to local attacks. In addition to the local attack, the attacker also has to own an extra pair of attack vector and surface to conduct a remote attack. Setting up remote shell control is the most commonly used attack vector for conducting a remote attack. A remote shell control is not initiated by the attacker but triggered by the user of the target device, usually without the user being aware of it. To prepare a remote attack, the attacker needs to implement payload code that is able to start an ADB shell through a reverse TCP or HTTP connection to the attacker's machine, and then embed the code into the exploit program. Thereafter the attacker just needs to wait until the payload is triggered, followed by a reverse shell launched by the target device.

Gaining remote shell control does not by itself bring the attacker root privilege. However, it links a remote circumstance up with local attack methods and thereby makes exploitation without a physical connection possible. In our survey, we find the presence of remote shell control in all remote exploits, for example, the Use-After-Free Remote Code Execution on Webkit and StageFright.

(T2.6) Others: Among the exploits we found during this survey, there are some outdated, unrepresentative or undisclosed attack vectors. For example, an exploit named StumpRoot does not provide any disclosure of technical details or source code to the public. The attack vector used by the exploit Volez is outdated and unrepresentative when compared with the other ones. In this paper, we classify those uncommon and unknown attack vectors as "others".

(T3) Vulnerable Target

The vulnerable target describes the source of the vulnerability that the attacker targets. An exploit can only be designed and implemented once the vulnerable target is confirmed. The mitigations of Android exploits are tailored to the vulnerable target correspondingly. In this paper, we present 5 different types of vulnerable targets to cover the existing cases of Android exploitation.

(T3.1) File System: The file system, as a type of vulnerable target, is the most common focus of the file permission and symbolic link attack (refer to Section III-C, technical perspective T2.2). All Android exploits targeting the file system are achieved by conducting a file permission and symbolic link attack. The ultimate goal of an exploit targeting the Android file system is to change the ownership of a file for either content tampering or illegal execution, for example, changing the value of ro.kernel.qemu to 1 in the local.prop file. Most of the vulnerabilities related to this type of Android exploit are caused by the vendors' customization of Android; therefore, exploits attacking the Android file system usually vary with the device manufacturer and hardware configuration. File system exploits used to be a common type of exploit on the Android platform until Android version 4.2, when the O_NOFOLLOW semantics was introduced to prevent the symbolic link attack [40]. Since version 4.3, Android enforces the SELinux model to regulate all permission-involving activities within the Android system.

(T3.2) System Component: We group all the Google-implemented components located in the middleware layer, framework layer and application layer of the Android architecture (refer to Figure 1) as "system components". We use the term "system exploits" for exploits targeting vulnerabilities in system components. The Android components that provide either an interface for native-level development or user-space access are often exploited by attackers, for example, the system services, native libraries, daemons, and Android shared memory (ashmem). The first ever publicly released exploit program on the Android platform is a system exploit called "Volez", which manipulates the system recovery service to place the superuser binary into the system executable directory on the victim's device. Some other milestone exploits are categorized as system exploits, such as KillingInTheNameOf, which takes advantage of an ashmem access issue to gain root access; RageAgainstTheCage, which targets vulnerabilities in the Android adbd daemon to achieve privilege escalation; and StageFright, which exploits the library of the same name in the Android system to obtain high privilege in silence.

Compared with the other 4 groups of vulnerable targets, the system components' vulnerabilities are relatively easier for Android to fix. The mitigation of system exploits usually comes with a timely Android security patch or an operating system update.

(T3.3) Linux Kernel: We use Linux kernel to represent those vulnerable targets located in the kernel layer components other than the file system, which include the Linux kernel drivers, process manager, and network controller. Unlike the Android system vulnerabilities, Linux kernel vulnerabilities are mostly found in the source code of the Linux kernel rather than in Google's implementation in Android. Therefore, many vulnerable targets exploited in other operating systems of the Linux family can also be migrated to the Android platform. Exploitation targeting the Linux kernel on the Android platform has
TABLE I: Survey Result of Android Exploits

Vulnerable
Execution
Channel 1

Versions
Affected

Verified
Vector 2

Target 3

Devices
Attack

Target
Year Exploit Author Vulnablitiy (CVE) Vulnablity Type (CWE)

2009 1 volez Christopher Lais (Zinx) O O SYS N.A. N.A. Motorola Droid 2.0 and 2.0.1 –
2010 2 exploid Sebastian Krahmer S M KRN CVE-2009-1185 Input Validation (CWE-20) All Up to 2.3.4
3 RageAgainstTheCage Sebastian Krahmer S D SYS N.A. N.A. All Up to 2.2
4 Use-After-Free Remote Code Itzhak Avraham R R,M SYS CVE-2010-1807 Input Validation (CWE-20) Unspecified 4 2.0 to 2.1 –
Execution on Webkit
5 Zimperlich / Sebastian Krahmer S D SYS N.A. N.A. All Up to 2.2
zygote jailbreak
2011 6 KillingInTheNameOf Sebastian Krahmer S A SYS CVE-2011-1149 Permissions, Privileges and All 2.1 to 2.2.2
Access Control (CWE-264)
7 psneuter ashmem exploit Scott Walker (scotty2) S A SYS CVE-2011-1149 Permissions, Privileges and All Unspecified
Access Control (CWE-264)
8 levitator Jon Larimer and Jon S M VND CVE-2011-1350 Information Leak / Devices with the 1.0 to 2.3.5 –
Oberheide CVE-2011-1352 Disclosure (CWE-200) PowerVR SGX chipset
Buffer Errors (CWE-119)
9 WebKit use-after-free MJ Keith R R,M SYS CVE-2010-1119 Resource Management Unspecified 2.0 to 2.1.1 –
Errors (CWE-399)
10 Zysploit Joshua Wise (jwise) S D SYS N.A. N.A. All Up to 2.2
11 GingerBreak Sebastian Krahmer A M SYS CVE-2011-1823 Numeric Errors (CWE-189) All 2.1 to 2.3.3, 3.0 –
12 sock sendpage local root / Christopher Lais (Zinx) S M KRN CVE-2009-2692 Buffer Errors (CWE-119) All Up to 3.2.6 –
asroot / Wunderbar
13 zergRush Revolutionary S M SYS CVE-2011-3874 Buffer Errors (CWE-119) All 2.2.x till 2.2.2, 2.3.x –
till 2.3.6
14 TacoRoot Justin Case (jcase) S P FLS N.A. N.A. EVO 4G and some 2.x –
other HTC models
2012 15 NachoRoot Justin Case (jcase) S P FLS N.A. Permissions, Privileges and ASUS Transformer 4.0 to 4.0.4 –
Access Control (CWE-264) Prime
16 TPSparkyRoot sparkym3 S P FLS N.A. Permissions, Privileges and ASUS Transformer 4.0 to 4.0.4 –
Access Control (CWE-264) Prime
17 mempodroid / mempodipper / Jay Freeman (saurik) S P KRN CVE-2012-0056 Permissions, Privileges and Acer A200 Tablet, 4.0.1 to 4.0.3 –
mem exploit Access Control (CWE-264) Galaxy Nexus,
Motorola RAZR,
Nexus S, Asus
Transformer Prime
18 Z2 Root Exploit Sacha (xsacha), S D SYS N.A. N.A. Many Sony Xperia Unspecified –
cubundcube and models, 3.x and 4.x
Andreas Makris before 4.1.1
(bin4ry)
Continued on next page

10
A SURVEY OF ANDROID EXPLOITS IN THE WILD
TABLE I – continued from previous page

Versions
Channel

Affected

Verified
Devices
Attack
Vector

Target

Target
Exe.

Vul.
Year Exploit Author Vulnablitiy (CVE) Vulnablity Type (CWE)

19 LG lit giantpune A M VND CVE-2012-4220 N.A. LG (with LM3530 Unspecified –


backlight driver)
20 Exynos Abuse / Sam (exynos- alephzain S M VND CVE-2012-6422 Permissions, Privileges and Samsung (Exynos 4 Unspecified
mem) Exploit Access Control (CWE-264) based)
21 diaggetroot goroh kun A M VND CVE-2012-4220 HTC J Butterfly Unspecified –
2013 22 Qualcomm Gandalf camera alephzain S M VND CVE-2013-2595 Permissions, Privileges and Many models made by Unspecified
driver exploit Access Control (CWE-264) Asus, Huawei, LG etc.
23 Motochopper / Dan Rosenberg S M KRN CVE-2013-2596 Numeric Errors (CWE-189) Motorola (Atrix HD, Up to 4.2
fb mem exploit (djrbliss) Razr HD, Razr M) and
other devices with
Snapdragon S4 series
24 libperf event Hiroyuki Ikezoe S M KRN CVE-2013-2094 Numeric Errors (CWE-189) Nexus 4 and Some 4.0 to 4.3.1 (Linux
Japanese models made Kernel version before
by HTC, Fujitsu, 3.8.9)
Sharp, Sony and LG
25 LG Sprite software backup / Justin Case (jcase) A P FLS CVE-2013-3685 (R) 5 Race conditions 43 LG Optimus models Unspecified –
LGPwn exploit
26 libfj hdcp fi01 S M VND N.A. N.A. F05D, ISW11F and Unspecified –
some other Docomo
Fujitsu models
27 Defy republic init runit Justin Case (jcase) S M VND CVE-2013-4777 Configuration (CWE-16) Motorola Defy XT 2.3.7 –
CVE-2013-5933 Buffer Errors (CWE-119)
28 libdiag Exploit Hiroyuki Ikezoe S M VND N.A. Input Validation (CWE-20) Many models made by Unspecified –
Numeric Errors (CWE-189) NEC, Fujitsu, etc
29 Boromir (camera-isp) alephzain A M VND N.A. N.A. Many models (MTK Unspecified –
exploit* based)
30 Gemli (dev/DspBridge) alephzain A M VND N.A. N.A. Many models (TI Unspecified –
exploit* OMAP 36XX based)
31 Frodo (exynos-mem) exploit* alephzain A M VND N.A. N.A. Many models (Exynos Unspecified –
based)
32 Legolas (graphics/fb) exploit* alephzain A M VND N.A. N.A. Many models (Exynos Unspecified –
based)
33 Aragorn (video1) exploit* alephzain A M VND N.A. N.A. Many models (Exynos Unspecified
based)
34 Merry (s5p-smem) exploit* alephzain A M VND N.A. N.A. Many models (Exynos Unspecified –
based)
35 Android put user / get user fi01, cubeundcube and R R,M KRN CVE-2013-6282 Input Validation (CWE-20) Unspecified Linux kernel before
exploit (Metasploit module) timwr 3.5.5 on the v6k and
v7 ARM platforms,
fixed in Jul 2013
Continued on next page

11
A SURVEY OF ANDROID EXPLOITS IN THE WILD
TABLE I – continued from previous page

Versions
Channel

Affected

Verified
Devices
Attack
Vector

Target

Target
Exe.

Vul.
Year Exploit Author Vulnablitiy (CVE) Vulnablity Type (CWE)

36 TwerkMyMoto Justin Case (jcase) S P FLS N.A. N.A. Motorola Razr I 4.1.2 –
37 Pippin (memalloc) exploit* alephzain A M VND N.A. N.A. Many K3V2 based Unspecified –
models made by
Huawei
38 Gollum (amjpegdec) exploit* alephzain A M VND N.A. N.A. Unspecified (AMLogic Unspecified –
based)
39 Faramir (camera-sysr) alephzain A M VND N.A. N.A. Many models (MTK Unspecified –
exploit* based)
2014 40 Barahir (Vcodec) exploit* alephzain A M VND N.A. N.A. Many models (MTK Unspecified –
based)
41 WeakSauce Justin Case (jcase) and A P FLS CVE-2014-3847 (R) N.A. HTC One m7, m7 on 4.1 to 4.4.4 –
Sean Beaupre (beaups) Verizon, m8 and Droid
DNA
42 Qualcomm buffer overflow in fi01 S M VND CVE-2013-2597 Buffer Errors (CWE-119) Unspecified Linux kernel 2.6.x - –
acdb audio driver 3.x before Jun 2013
(msm acdb exploit)
43 Pie / vold asec Justin Case (jcase) S P SYS N.A. N.A. Moto X on locked 2.2.1 to 4.4.2 –
carrier
44 TowelRoot / futex exploit George Hotz (geohot) A M KRN CVE-2014-3153 Permissions, Privileges and All Up to 4.4 ROMs
Access Control (CWE-264) built before Jun 2014
45 StumpRoot IOMonster, Justin Case A O VND N.A. N.A. Many models made by Unspecified –
(jcase), autoprime and LG
PlayfulGod
46 Android Browser exploit Hacking Team R R,M SYS CVE-2011-1202 Input Validation (CWE-20) Unspecified 4.0 to 4.3 –
(ht webkit Android4) CVE-2012-2825
CVE-2012-2871
2015 47 ObjectInputStream local root Di Shen (retme7) A M VND CVE-2014-4322 N.A. Nexus 5 4.4.4
CVE-2014-7911
48 libmsm memory corruption in Hiroyuki Ikezoe S M VND CVE-2014-4321 (R) Input Validation (CWE-20) Unspecified Unspecified –
camera driver CVE-2014-4324 (R)
(libmsm vfe read exploit) CVE-2014-0975 (R)
CVE-2014-0976 (R)
CVE-2014-9409 (R)
49 PingPongRoot Keen Team A M KRN CVE-2015-3636 Other (NVD-CWE-Other) Samsung Galaxy S6, 5.0 to 5.1.0 –
Uninitialized data structure Samsung Galaxy S6
Edge, HTC One (M9)
50 Mate7 TrustZone Exploit Di Shen (retme7) S M TEE CVE-2015-4421 (R) N.A. Huawei Mate7 Unspecified –
CVE-2015-4422 (R)
51 | Mtkfb Exploit | nforest@KeenTeam | S | M | VND | N.A. | N.A. | Unspecified (MTK MT658X and MT6592 based) | Unspecified | –

TABLE I – continued from previous page
(Year is printed only on the first exploit of each year, as in the original table; the Verified column shows “–” where the original shows it and is left blank where no mark was recovered.)

Year | ID | Exploit | Author | Exe. Channel | Attack Vector | Vul. Target | Vulnerability (CVE) | Vulnerability Type (CWE) | Target Devices | Affected Versions | Verified
 | 52 | Full TrustZone exploit for MSM8974 | laginimaineb | S | M | TEE | N.A. | N.A. | Nexus 5 | A crafted ROM built based on 4.4.4 | –
 | 53 | QSEECOM driver memory corruption | laginimaineb | S | M | TEE | CVE-2014-4322 | Buffer Errors (CWE-119) | Unspecified | Unspecified | –
 | 54 | Stagefright Remote Code Execution (Metasploit module) | Joshua Drake (jduck) and NorthBit | R | R,M | SYS | CVE-2015-1538, CVE-2015-1539, CVE-2015-3824, CVE-2015-3826, CVE-2015-3827, CVE-2015-3828, CVE-2015-3829 | Buffer Errors (CWE-119), Numeric Errors (CWE-189) | Nexus 5, Nexus 6, Nexus 7 and Samsung Galaxy S5 (SM-G900V) | 5.0 to 5.1.1 | 
2016 | 55 | mediaserver code-exec | laginimaineb | S | M | SYS | CVE-2014-7920 (R), CVE-2014-7921 (R) | Permissions, Privileges and Access Control (CWE-264) | Unspecified | 4.3 to 5.1 | –
 | 56 | sensord local root | s0m3b0dy | S | M | VND | N.A. | N.A. | LG L7 and other devices that have the sensord daemon | Unspecified | –
 | 57 | Metaphor | Hanan Beer@NorthBit | R | R,M | SYS | CVE-2015-3864 | Numeric Errors (CWE-189) | Nexus 5 | 5.0 to 5.1.1 | –
 | 58 | iovyroot / pipe inatomic | idl3r | S | M | KRN | CVE-2015-1805 | Code (CWE-17) | LG G Flex 2, many models made by Sony, Huawei and other brands | 4.4.3 to 6.0 | 
 | 59 | Use-After-Free camera driver exploit | betalphafai (Edward Hung) | S | M | VND | CVE-2015-0568 | Use After Free (CWE-416) | Unspecified (Qualcomm MSM 7x30) | Unspecified (Linux kernel 3.0.x) | –
 | 60 | QSEE TrustZone | laginimaineb | S | M | TEE | CVE-2015-6639 | Permissions, Privileges and Access Control (CWE-264) | Nexus 6 | Unspecified | –
 | 61 | prctl vma exploit | betalphafai (Edward Hung) | S | M | KRN | CVE-2015-6640 | Permissions, Privileges and Access Control (CWE-264) | Unspecified | 5.1.1 and 6.0 | 
 | 62 | Qualcomm TrustZone | laginimaineb | S | M | TEE | CVE-2016-2431 | Permissions, Privileges and Access Control (CWE-264) | Unspecified | Unspecified | –
 | 63 | Dirty Cow (dirtyc0w) | timwr | S | M | KRN | CVE-2016-5195 | Race Condition (CWE-362) | Unspecified | Up to 7.0 | –

Notes to Table I:
¹ Legend for execution channels: (A) App Execution Channel; (S) Shell Execution Channel; (R) Remote Execution Channel; (O) Other Channels.
² Legend for attack vectors: (A) Shared Memory (ashmem) Remapping; (D) Daemon Abusing; (P) File Permission & Symbolic Link Attack; (M) Memory Corruption; (R) Remote Shell Control; (O) Others.
³ Legend for vulnerable targets: (FLS) File System; (KRN) Linux Kernel; (SYS) System; (TEE) Trusted Execution Environment; (VND) Vendor Drivers.
⁴ The term “Unspecified” means that the information has neither been disclosed by the author nor mentioned by any trusted source on the Internet.
⁵ The annotation “(R)” after a CVE identifier stands for “RESERVED”: the identifier has been reserved for use by a CVE Numbering Authority (CNA) or researcher without all details being publicly disclosed.
* Discrete exploits integrated in the framaroot root application. Those exploits can be initiated either by running a shell command or by app execution.
End of table

been first introduced in an exploit program named “exploid” in 2010. exploid selects the init daemon of the Linux kernel as its target, exploits a vulnerability by initiating memory corruption and gains root privilege from the daemon. Because the root user is designed as part of the privilege architecture of the Linux kernel, it is difficult for the components running on the Android platform to prevent privilege escalation initiated by kernel exploits. Furthermore, because the Linux kernel evolves more slowly than Android, it is harder for Android to identify and fix kernel vulnerabilities within a short period. As a consequence, a Linux kernel exploit usually works on multiple consecutive versions of the Android system.

(T3.4) Vendor Driver: The exploits in this category target the hardware abstraction layer (HAL) implementation. The history of vendor driver exploits dates back to 2010: levitator is the first Android exploit that attacks devices with a specific hardware configuration, namely those containing a PowerVR SGX chipset. As Android experienced rapid growth in the following years, the great flexibility and diversity of hardware configurations on the Android platform made vendor driver exploits one of the major types of exploitation. Vendor driver exploits have two distinctive advantages. Firstly, compared with TEE exploits, vendor driver exploits can escalate privilege to the “system” or “root” level and return control to the user directly. Secondly, unlike kernel exploits or system exploits, vendor driver exploits make use of vulnerabilities introduced by the add-ons of various vendors rather than by the Android implementation, which means Android cannot exhaustively and effectively fix all such issues through its version updates and hence may not be able to prevent the induced exploitation in a short time. Therefore, for the foreseeable future, we believe that vendor driver exploits will remain the majority of new exploits.

(T3.5) Trusted Execution Environment: Attacking the trusted execution environment (TEE) is a novel attempt at privilege escalation. In 2015, a researcher called “laginimaineb” published a series of blog articles and the proof-of-concept source code explaining his approach to gaining TEE-level privilege from Qualcomm TrustZone, which marks the first time that a TEE has been exploited [41].

Compared with exploits targeting other types of vulnerable targets, TEE exploits have very strict requirements but low practicability. Sometimes TEE exploits require a device flashed with a customized ROM or with Address Space Layout Randomization (ASLR) disabled. Moreover, the outcome of a successful exploitation is only the privilege of the TEE OS module rather than that of the root user. The attacker may not be able to attain full control of the victim device; instead, the attacker could gain access to credential data such as fingerprint or iris images, which is very sensitive as well. Currently TEE exploits are still at the theoretical stage; however, they are an inspiration for future exploitation once the security mechanisms of the Android system become too strong to obtain root directly.

IV. SURVEY & CLASSIFICATION

We conduct a survey of publicly released Android exploits from multiple sources and find 63 exploits covering all Android versions up to 7.0. By reading their descriptions, searching for available source code and studying the corresponding vulnerabilities, we collect rich details of these 63 exploits. In this paper, we summarize all the key details that are useful for the upcoming analysis and organize them into a table. Table I shows the complete collection of all 63 exploits, including their names, authors, release years, attack details, details of the corresponding recorded vulnerabilities, affected devices and Android versions, and our evaluation outcome. In order to distinguish an exploit from the others and facilitate our analysis, we focus on the practical and technical perspectives of Android exploitation and select 3 classification criteria from the taxonomy we proposed in the previous section. In the remainder of this section, we present our classification based on these 3 selected criteria and then discuss our observations on each of them¹. The classification is also included in Table I.

A. Execution Channel

We find all three kinds of execution channels among the 62 exploits other than Volez. For convenience, we call those exploits using the app execution channel “app exploits”, those triggered by shell scripts through a physical connection “shell exploits”, and those executed by embedded payload code via a remote environment “remote exploits”. Figure 4 shows the distribution of exploits by execution channel.

App Exploit. There are 19 exploits that come with a standalone APK file, making up 30.6% of all exploits in our collection. All of those exploits, except GingerBreak and TowelRoot, only work on devices with a specific hardware configuration or on certain exact models. GingerBreak takes advantage of vulnerabilities in the vold daemon and was fixed in the updates to Android versions 2.3.4 and 3.0 in 2011, which are considered a pretty early stage of Android history. Another exploit named TowelRoot used to be popular due to its long list of supported devices; however, its ability to successfully gain root privilege stops at Android version 4.4.4, which is another outdated system from today’s perspective [42]. Therefore, we can optimistically conclude that most of the Android devices on the market are safe against existing APK exploits.

Shell Exploit. Shell exploits make up the majority of our collection according to Figure 4. In total we collect 37 shell exploits in this survey, which comprise over 59% of the entire collection. Among these 37 shell exploits, three exploits (Defy republic init runit, TwerkMyMoto and Pie / vold asec) come with Java source code that the attacker has to compile and package into an executable JAR file to conduct the exploitation; three exploits targeting the file system (TacoRoot,

¹ As we mentioned in our taxonomy, we define those exploits with outdated, unrepresentative or undisclosed attack vectors as “others”. We do not consider exploits from this category in the upcoming discussion due to their uncommonness.

NachoRoot and TPSparklyRoot) are provided as ADB shell scripts rather than as executable binaries; and the remaining 31 exploits are all C code, which the attacker needs to configure for the specified hardware architecture (e.g. arm64 or x86) [43] and build with the Android Native Development Kit (NDK) to generate executable binaries. According to the information listed in Table I, those 37 exploits cover all Android system versions up to 6.0 and most of the mainstream device models. Therefore, if all three pre-requisites of shell execution (refer to Section III-B, practical perspective P2) have been compromised by the attacker, an Android device has a great probability of being successfully exploited once those shell exploits are put into a proper combination and executed.

Fig. 4: Type Distribution of Exploits by Execution Channel (pie chart: App Exploits 30.6%, Shell Exploits 59.7%, Remote Exploits 9.7%)

Remote Exploit. Other than the local USB connection, ADB also provides developers with unprivileged interaction through a remote shell. In our collection, 9.7% of exploits are classified as remote exploits. There are two exploits targeting Android Stagefright library vulnerabilities, three exploits targeting Android Webkit library vulnerabilities, and one exploit attaining root privilege by taking advantage of a Linux kernel vulnerability. Taking Stagefright Remote Code Execution (hereafter referred to as StageFright for short) as an example, it is a typical remote exploit: the attacker gains root privilege on the target device by hosting a crafted web page containing the media payload. The exploit is triggered and executed automatically once the user starts browsing the crafted web page, and in the end the exploit initiates a remote shell process to the attack machine to pass control of the target device to the attacker.

B. Attack Vector

Classification by attack vector provides an intuitive perception of the methodology of Android exploitation. Based on the taxonomy proposed in Section III, we summarize attack vectors into 6 different categories. We show the growth of exploits in the different attack modes throughout the history of the Android system in Figure 5.

Daemon Abusing Exploit. In this survey, we find four exploits that gain privilege by abusing daemons running on the Android system. Among the four daemon abusing exploits, RageAgainstTheCage and Z2 Root exhaust the ADB daemon (adbd) to interrupt the privilege dropping procedure of all future ADB sessions; the other two exploits, Zimperlich / zygote jailbreak and Zysploit, impose a similar routine on the Zygote daemon, as Zygote also has a privilege lowering mechanism when generating a new process. The issues of these two daemons have been progressively fixed since Android version 2.3 was released at the end of 2010. According to our observation, this kind of attack has not appeared anymore since 2012.

File Permission & Symbolic Link Exploit. File permission and symbolic link attacks are also known elsewhere as permission attacks or symlink attacks. There are 8 exploits gaining root privilege by initiating a permission attack. Except for the mempodroid / mempodipper exploit, which makes use of a loophole in the Android file permissions to directly modify the process memory file, all the remaining 6 exploits take advantage of poor security mechanisms in critical directories or files: they create a symbolic link to either local.prop or uevent_helper and then tamper with the privilege assignment of the ADB shell service. As a result, a successful exploit returns the user an ADB session running as the root user. The permission mechanism of the Android file system is mature, safe and well organized. However, an attacker could still find a flaw to exercise an attack due to negligence or defects within the device manufacturer’s implementation. Owing to the improvement of the Android security mechanism and the enhancement of security awareness among device vendors, it is rare to see new file permission and symbolic link attacks in recent years.

Shared Memory Exploit. Similar to daemon abusing, shared memory remapping is another common approach to gaining privilege in early versions of the Android system. We find two exploits that gain privilege by attacking the Android shared memory (ashmem): KillingInTheNameOf and psneuter ashmem exploit. Both of them achieve privilege escalation by remapping the shared memory region and tampering with the value of the user ID assigned to the ADB console. The ashmem vulnerability could be fixed by adding a number of authentication checks at the moment the shared memory is accessed by any app or process from user space. In fact, the relevant ashmem vulnerability was fixed in a very short time. As Figure 5 depicts, the number of shared memory attacks ceased to grow after 2011.

Memory Corruption Exploit. Memory corruption is the major attack vector throughout the history of Android exploitation. Memory corruption exploits account for over half of all available exploits since the very beginning of Android exploitation. Moreover, memory corruption even became the only feasible local attack vector for gaining privilege in 2015 and 2016. It is also worth noting that besides the quantitative growth, the diversity of memory corruption methods has been greatly enriched as well. During the early years, the memory corruption techniques only covered format errors (e.g. exploid) and null pointer dereferences (e.g. Use-After-Free Webkit). Now, memory corruption exploitation on the Android platform covers almost all the memory manipulation techniques seen on conventional platforms, such as return-oriented programming. As it is impossible to completely prevent memory corruption in native-level development for the Android platform, we believe that memory corruption exploits will continue to play the primary role within the Android exploit family in the future.

Fig. 5: Growth of Android Exploits with Different Categories of Attack Vectors from 2009 to 2016 (legend: (M) Memory Corruption; (P) File Permission & Symbolic Link Attack; (R) Remote Shell Control; (A) Shared Memory (ashmem) Remapping; (D) Daemon Abusing; (O) Others)

Remote Shell Control Exploit. Compared with other attack modes, remote shell control usually requires the user of the target device, on purpose or unknowingly, to trigger the attack process. Conducting a remote shell control attack could indirectly create an interface for the attacker and convert a remote attack into a local attack for further privilege escalation. For that reason, remote shell control is usually executed together with a certain local attack vector to complete the privilege escalation for an attacker at a distance. Remote shell control attacks have a great advantage in camouflage and anonymity, which are two important features of a good exploitation. In this survey, we find 6 exploits that make use of this attack vector to achieve a remote attack throughout the history of Android exploits. As mentioned earlier in Section III-B (practical perspective P2), a successful remote shell control exploit requires the attacker to be on the same network as the victim’s device and, moreover, to know the IP address of the victim’s device prior to generating the exploitation payload. For those reasons, even though the growth of remote shell control exploits has never ceased since they were first introduced in 2010, the complicated execution procedure and strict conditions still keep remote shell control from being a mainstream attack vector when compared with memory corruption.

C. Vulnerable Target

Classification by vulnerable target tells us where the exploitation originates. Moreover, we can gain insight into Android exploits from the defense perspective by grouping the exploits by their vulnerable targets and analyzing the quantitative trend throughout the history of the Android system. According to the taxonomy in the previous section, we differentiate the vulnerable targets of all exploits into five groups of components within the software part of the Android device. The classification result is also in Table I, and we depict the quantitative trends of exploits with different vulnerable targets in Figure 6.

File System Exploit. We find six cases of file system exploitation among the 63 Android exploits, and all six file system exploits use a file permission & symbolic link attack to gain privilege. By analyzing each of those 6 exploits, we notice that the device manufacturers’ implementation is the root cause of the exploitation. We find that all of them are applicable to a small range of device models under the same brand, and the places where exploitation takes place are either the initialization scripts or the privileged factory software (e.g. the backup & restore app). The history of file system exploits starts in 2011, when an exploit for some specific HTC models named “TacoRoot” was released. In early 2012, the author of TacoRoot, Justin Case, released a variant called NachoRoot, which uses a similar attack but is designed for a different set of device models. Shortly after that, another similar exploit, TPSparkyRoot, was also published on the same forum, targeting the same devices as NachoRoot. The other three exploits, LG Sprite software backup / LGPwn exploit, TwerkMyMoto and WeakSauce, were subsequently released between 2013 and 2014 by Justin Case. At the same time, both Google and device manufacturers have greatly improved the security mechanisms of Android devices. As a result, new file system exploits have ceased to appear since 2015.

System Component Exploit. The system implementation is the second largest exploit target. There are a total of 16 system exploits released in Android history, accounting for over 25% of all surveyed Android exploits. Except for Volez, which targets the system recovery service and is counted as a special case for the early Android versions, all the remaining 15 system exploits target native libraries, daemons or ashmem. Two exploits, KillingInTheNameOf and psneuter, take advantage of an ashmem access issue and were published in 2011. Six exploits use daemons as their targets. The daemons which have been abused for exploitation include vold, zygote and adbd. Furthermore, there are seven exploits conducting attacks by invoking system calls to specific libraries. The targeted vulnerable libraries include Webkit, libsysutils, StageFright and media server libraries. It is worth mentioning that the ashmem exploits only appear in the list of new exploits of 2011 due to the quick fix. Considering the limited number of daemons that are accessible by user space processes, the growth of exploits caused by daemon abusing had stopped by 2014. Starting from 2015, all newly released system exploits are achieved by memory corruption against native libraries. There are a large number of libraries in the Android system implementation, and each of them provides unique functionality and interfaces. Compared with ashmem exploits and daemon exploits, which target only one or a few vulnerabilities, protecting the libraries from memory corruption attacks is more challenging work for Android.

Fig. 6: Growth of Android Exploits with Different Categories of Vulnerable Targets from 2009 to 2016 (legend: (SYS) System; (KRN) Linux Kernel; (VND) Vendor Drivers; (FLS) File System; (TEE) Trusted Execution Environment)

Linux Kernel Exploit. Starting from the first Linux kernel exploit, “exploid”, which was released in 2010, the number of Linux kernel exploits (hereafter referred to as kernel exploits for short) keeps growing every year. In this survey, we collect 11 kernel exploits with release dates spanning from 2010 to 2016. From the static analysis made on those 11 exploits, we find that there is only one kernel exploit, called prctl vma exploit (2016), that is exclusive to the Android platform. All the other 10 kernel exploits are created as variants and share the same vulnerabilities and attack routines with the corresponding exploits for the Linux operating system. Moreover, our analysis shows that kernel libraries and driver interfaces are the vulnerable targets most frequently chosen by Linux kernel exploits. Attackers often make use of flaws in input validation to create memory corruption while invoking kernel services. We also find that many Android exploits with a long life cycle and wide support for different devices are kernel exploits. For example, TowelRoot declares itself able to root all devices installed with Android versions up to 4.4, and PingPongRoot could easily root over 100 of the latest device models at that time, such as the Samsung S6 / S6 Edge and HTC One.

Vendor Driver Exploit. There are 25 vendor driver exploits included in our survey. We find that all vendor driver exploits are achieved by memory corruption, except for the StumpRoot exploit (2013), which does not have enough details disclosed. In addition, we also find that vendor driver exploits usually come in a group to achieve the maximum effect and compatibility. For example, in 2012, an exploit making use of a Samsung driver was published by “alephzain”. It was originally named Exynos Abuse but later changed to Sam exploit when it was merged with some other vendor driver exploits written by the same author in 2013. The new bundle of various vendor driver exploits was published as a one-click app on the XDA forum with the name “framaroot”. According to the author’s statement, framaroot had integrated 12 different vendor driver exploits by 2014, covering over 450 device models from multiple brands [44].

Trusted Execution Environment Exploit. We find five TEE exploits during this survey. There are four “laginimaineb” Qualcomm TrustZone exploits and 1 Huawei TEE exploit named Mate7 TrustZone exploit in our survey collection. By reading the authors’ instructions for those exploits and analyzing their source code, we find that all of them can only achieve limited code execution with a specific TEE-level privilege, rather than flashing a superuser binary or returning a root shell to the attacker. Therefore, at the current stage, TEE exploits still have an obvious disadvantage in practicability and convenience when compared with the others.

V. EVALUATION & DISCUSSION

We perform an evaluation to observe the execution of exploits and validate their functionalities on Android devices.
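The file permission & symbolic link vector of Section IV-B (a link planted in a shell-writable location so that a privileged writer overwrites local.prop or uevent_helper) is mitigated on the writer side by refusing to follow links; the following added Python example, which is not code from the paper or from any of the surveyed exploits, contrasts a link-following writer with one that refuses links. The file layout is a constructed stand-in in a temporary directory on a POSIX host and does not touch a real device.

```python
"""Symlink-following vs. symlink-refusing privileged writers, in a temp dir."""
import errno
import os
import stat
import tempfile

# Constructed stand-ins: the protected properties file and the content an
# attacker wants to land in it.  Nothing here touches a real Android device.
ORIGINAL_PROP = "ro.secure=1\nro.debuggable=0\n"
PLANTED_PAYLOAD = "ro.kernel.qemu=1\n"


def build_scenario(root):
    """Lay out what the attack relies on: a protected file and a shell-writable
    directory in which an unprivileged user has planted a symlink carrying the
    name the privileged writer expects (here a dump file)."""
    protected = os.path.join(root, "data", "local.prop")
    os.makedirs(os.path.dirname(protected))
    with open(protected, "w") as f:
        f.write(ORIGINAL_PROP)
    writable_dir = os.path.join(root, "data", "local", "tmp")
    os.makedirs(writable_dir)
    link = os.path.join(writable_dir, "dump.log")
    os.symlink(protected, link)          # the planted link
    return protected, link


def naive_write(path, data):
    """A privileged writer using plain open(): follows the link and clobbers
    whatever the unprivileged user pointed it at."""
    with open(path, "w") as f:
        f.write(data)
    return True


def hardened_write(path, data, mode=0o600):
    """Refuse to follow a symlink in the final path component (O_NOFOLLOW)
    and refuse anything that is not a regular file.  Returns False when the
    write is refused, True when it went ahead."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, mode)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # Linux / BSD spellings
            return False
        raise
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False
        os.ftruncate(fd, 0)
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return True


def run_demo():
    """Run both writers against the planted link and report what happened
    to the protected file."""
    with tempfile.TemporaryDirectory() as root:
        protected, link = build_scenario(root)
        naive_write(link, PLANTED_PAYLOAD)
        with open(protected) as f:
            naive_result = f.read()
        with open(protected, "w") as f:   # restore before the second run
            f.write(ORIGINAL_PROP)
        accepted = hardened_write(link, PLANTED_PAYLOAD)
        with open(protected) as f:
            hardened_result = f.read()
        return {
            "naive_clobbered": naive_result == PLANTED_PAYLOAD,
            "hardened_refused": not accepted,
            "target_intact": hardened_result == ORIGINAL_PROP,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```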
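The evaluation that follows first verifies that each test device has not been rooted and has a locked bootloader, and it filters out exploits that are not compatible with the device; the added Python example below (not code from the paper) performs that pre-evaluation check from `getprop` output and the presence of an su binary, and filters the exploits tabulated on this page (Table I, rows 54 to 63) by the device's Android version. The property names are standard AOSP ones but are an assumption here, since they vary by vendor and release; `adb` itself is not invoked and the getprop excerpts are constructed.

```python
"""Pre-evaluation device baseline check and version-based exploit filtering."""
import re

# Affected-version ranges transcribed from the Table I rows on this page
# (exploits 54-63).  Each tuple is (exploit name, lowest affected version,
# highest affected version); None means unbounded.  "prctl vma exploit"
# lists two discrete versions, so it appears twice.
TABLE_I_RANGES = [
    ("Stagefright Remote Code Execution", "5.0", "5.1.1"),
    ("mediaserver code-exec", "4.3", "5.1"),
    ("Metaphor", "5.0", "5.1.1"),
    ("iovyroot / pipe inatomic", "4.4.3", "6.0"),
    ("prctl vma exploit", "5.1.1", "5.1.1"),
    ("prctl vma exploit", "6.0", "6.0"),
    ("Dirty Cow (dirtyc0w)", None, "7.0"),
]


def parse_version(text):
    """'5.1.1' -> (5, 1, 1).  Only the numeric components are kept."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def in_range(version, low, high):
    """Prefix-aware comparison: a bound written as '6.0' covers 6.0.x, a bound
    written as '5.1.1' covers only 5.1.1.  This is our reading of the table's
    notation, not something the paper states."""
    v = parse_version(version)
    if not v:
        return False
    if low is not None:
        lo = parse_version(low)
        if v[:len(lo)] < lo:
            return False
    if high is not None:
        hi = parse_version(high)
        if v[:len(hi)] > hi:
            return False
    return True


def parse_getprop(text):
    """Parse `adb shell getprop` output, whose lines look like [key]: [value]."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]", text, re.M))


def assess_device(getprop_text, su_paths=()):
    """Return the Android version, the indicators that would invalidate the
    clean baseline the evaluation requires (no root, locked bootloader), and
    the exploits from TABLE_I_RANGES whose version range covers the device."""
    props = parse_getprop(getprop_text)
    version = props.get("ro.build.version.release", "")
    findings = []
    if su_paths:
        findings.append("su binary present: " + ", ".join(su_paths))
    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0 (adbd may run as root)")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1 (debuggable build)")
    if props.get("ro.boot.flash.locked") == "0":
        findings.append("bootloader unlocked (ro.boot.flash.locked=0)")
    state = props.get("ro.boot.verifiedbootstate")
    if state is not None and state != "green":
        findings.append("verified boot state is %s" % state)
    candidates = sorted({name for name, lo, hi in TABLE_I_RANGES
                         if in_range(version, lo, hi)})
    return {"version": version, "baseline_clean": not findings,
            "findings": findings, "candidate_exploits": candidates}


# Constructed getprop excerpts (not captured from real devices).  The first
# resembles the evaluation's Nexus 5 on 5.0.1 (NX5-5); the second is a 6.0.1
# device that has already been rooted and unlocked.
NX5_5_PROPS = """\
[ro.build.version.release]: [5.0.1]
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.boot.flash.locked]: [1]
"""
ROOTED_601_PROPS = """\
[ro.build.version.release]: [6.0.1]
[ro.secure]: [1]
[ro.debuggable]: [0]
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
"""

if __name__ == "__main__":
    for label, props, su in (("NX5-5", NX5_5_PROPS, ()),
                             ("rooted 6.0.1", ROOTED_601_PROPS,
                              ("/system/xbin/su",))):
        r = assess_device(props, su)
        print(label, r["version"], "baseline clean:", r["baseline_clean"])
        for finding in r["findings"]:
            print("  !", finding)
        for name in r["candidate_exploits"]:
            print("  candidate:", name)
```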

The testing has been conducted based on 18 different Android TABLE II: List of Devices
devices we have. These 18 devices cover a wide range of Device Model & Code Name SoC Model OS
manufacturers and system versions, including not only early 1 HTC Magic (HMA) Qualcomm MSM7200A 1.6
and classical models in the Android history like HTC Hero, but 2 HTC Hero (HHE) Qualcomm MSM7200A 1.6
also those later devices which are sold in smartphone market 3 HTC One X Nvidia Tegra 3 (AP33) 4.0.3
such as Samsung Galaxy S7. We filter out those exploits which PJ46100 (H1X)
are not compatible with our testing devices. Furthermore, we 4 HTC One E9+ MediaTek Helio 5.0.2
also remove an old exploit called sock sendpage that we 0PJX100 (HE9) X10 M (MT6795M)
cannot manage to compile. As the result, there are 17 exploits 5 HTC 10 Qualcomm Snapdragon 6.0.1
being selected and formally tested in our evaluation. Those 17 2PS6200 (H10) 820 (MSM8996)
6a LG Nexus 4 Qualcomm Snapdragon 4.2.2
exploits can be found in Table I where the check-marks are LG-E960 (NX4-4) S4 Pro (APQ8064)
inserted within the column titled “verified”. 6b – – (NX4-5) – 5.1.1
7a LG Nexus 5 Qualcomm Snapdragon 4.4.4
A. Preparation LG-D821 (NX5-4) 800 (8974-AA)
Before conducting the evaluation, we make sure every test 7b – – (NX5-5) – 5.0.1
device has Internet access as well as both “USB debugging” 8 LG Nexus 7 (2013) Qualcomm Snapdragon 4.3
LG-K008 (ME571K) (NX7) S4 Pro (APQ8064)
and “unknown sources” options are enabled. Moreover, for
9 Samsung Nexus 10 Exynos 5 Dual 5250 4.2.2
the purpose of authenticity and accuracy, we also verify both GT-P8110 (NX10)
root status and bootloader status of the target device to be 10 Samsung Galaxy S2 Exynos 4 Dual 4210 4.0.3
negative before testing each exploit. We depict the 18 Android GT-I9100 (GS2)
devices including their device models, hardware architectures 11 Samsung Galaxy Note Exynos 4 Dual 4210 4.0.4
and system versions in Table II. GT-N7000 (GN1)
12 Samsung Galaxy S4 Qualcomm Snapdragon 4.2.2
GT-I9505 (GS4) 600 (APQ8064AB)
B. Methodology & Criteria
13 Samsung Galaxy Note 3 Qualcomm Snapdragon 4.4.2
There are two ways to gain root privilege among the 17 SM-N9005 (GN3) 800 (8974-AA)
exploits chosen; the exploitation through physical access, and 14 Samsung Galaxy S5 Qualcomm Snapdragon 5.0
the exploitation through remote access. In this subsection, SM-G900F (GS5) 801 (8974-AC)
we describe the procedure of the exploitation imposed to our 15 Samsung Galaxy S6 Exynos 7 Octa 7420 5.1.1
testing devices with respect to the two methods we mentioned. SM-G920I (GS6)
1) Exploitation through Physical Access: According to 16 Samsung Galaxy Note 5 Exynos 7 Octa 7420 5.1.1
SM-N920I (GN5)
the classification of exploits introduced in section IV, both
17 Samsung Galaxy A8 Duos Exynos 5 Octa 5430 6.0.1
APK exploits and shell exploits are executed through USB SM-A800F (GA8)
connection between the attacker PC and the target device. All 18 Samsung Galaxy S7 Exynos 8 Octa 8890 6.0.1
selected exploits except StageFright and put user / get user SM-G930FD (GS7)
are imposed to the target device through the ADB channel.
TowelRoot is a typical APK exploits. In our evaluation, we
install the APK by running “install” command through ADB corresponding to the target device’s hardware configuration,
and manually approve the installation on the target device. As such as ARMv7 and ARMv8; then we push the executable
TowelRoot is known as “one-click root solution”, it is supposed binary to a temporary location in the target device system di-
to root any compatible device by just clicking the “root” rectory (generally /data/local/tmp) through ADB, open
button shown by the exploit app on screen. Besides TowelRoot, an ADB shell service, change the user mode of recently
there is another APK called Framaroot, which is released by uploaded executable binary to make it executable by the shell
“alephzain”, integrating a number of his exploits into one app. user, and finally execute that exploit binary. In most cases, a
The installation of Framaroot is the same as TowelRoot. The successful shell exploitation will invoke the setuid call to
only difference between TowelRoot and Framaroot is the latter escalate the current user to the “root” and in the end return to
one offers a list of check-boxes to allow users to select which the same ADB terminal.
standalone exploit to execute. As the APK exploitation could
2) Exploitation through Remote Access: Compared with the
not directly pass the gained privilege to the attacker, it usually
prior solution, the remote exploitation could gain privilege of
copies a pre-loaded “su” binary to the system executable
the target device in more casual and easier manner. There are
directory while the app has successfully obtained the privilege.
two remote exploits being tested in our evaluation, StageFright
To validate the outcome of exploitation, we can install super
and put user / get user. The evaluation of both exploits
user management apps such as Root Checker2 or SuperSU 3 to
is conducted through Metasploit4 which is a well-known
check if the target device has been rooted or not.
penetration testing software. By making use of a designated
For those shell exploits, we build the source code and
Metasploit module, an app containing payload is generated,
export the executable binary in platform specified version that
then the attacker, by all means, installs the app on the target
2 Root Checker is identified as com.joeykrim.rootcheck.
3 SuperSU is identified as eu.chainfire.supersu. 4 Metasploit is available on https://www.metasploit.com/
A SURVEY OF ANDROID EXPLOITS IN THE WILD 19

TABLE III: Evaluation Outcome our devices with system version below 4.4. By observing the
Exploit ID & Name Result Explanatory Note runtime logs, we find that besides the “succeed” and “fail”, all
(2) exploid Devices: HHE devices which are not compatible with TowelRoot will print
(3) RageAginstTheCage Devices: HMA “try default” and followed by exit without any output regarding
(6) KillingInTheNameOf Devices: HHE the exploitation outcome.
(7) psneuter ashmem exploit Devices: HHE Finally, we note down the device models successfully ex-
(10) Zysploit 5 No observation ploited by the selected exploits as shown in Table III.
(20) Exynos Abuse / Sam Devices: GS2, GN1 After testing all 17 exploits on their designated devices, we
(22) Qualcomm Gandalf camera Devices: NX4-4 have reproduced 15 out of 17 exploits on the actual devices.
(23) Motochopper / fb mem Devices: NX4-4 For the evaluation of the other 2 exploits, namely Zysploit and
(24) libperf event Devices: NX4-4, NX7 prctl vma exploit – we have not observed any positive result
(33) Aragorn Devices: GS2, GN1 from executing them on all our devices that are supposed to
(35) Android put user / Devices: NX4-4, NX7, be compatible. According to the result of the evaluation, there
get user NX10 are 12 devices being successfully exploited for at least once
(44) TowelRoot / futex exploit Devices: NX4-4, NX7, GS4 in our experiment. The LG Nexus 4 (4.2.2) compromises to 5
(47) ObjectInputStream root Devices: NX5-4 exploits, which marks the highest number among 18 devices.
(54) Stagefright Devices: NX5-5 The runner-up in the ranking of successful exploitation is LG
(58) iovyroot / pipe inatomic Devices: NX5-5 Nexus 5 (5.0.1), which has been exploited for 3 times. In
(61) prctl vma exploit 5 No observation contrast, some latest device models including Samsung Galaxy
(63) DirtyCow Devices: HE9, H10, NX5-5 A8 Duos, S7 and Note 5, are found to be immune from all the
tested exploits.

device. After that, the attacker only needs to open the receiving D. Discussion
port on the attack PC and keep listening in the Metasploit terminal. Once the app is launched on the target device, the payload code executes automatically and initiates a reverse connection to the attacker. As a result, a shell process with elevated privilege can be observed through the reverse TCP channel opened in the Metasploit interface on the attacker PC.

C. Measurement & Result

The target devices presented in Table I are a theoretical prediction based on the author's instructions, the exploit's source code, and its runtime behavior. We then conduct the evaluation in accordance with the target devices we summarized.

Taking RageAgainstTheCage as an example, the author's instructions state that the exploit takes advantage of a vulnerability in Android versions up to 2.3.4 and that it does not vary with the manufacturer or any third-party configuration. Therefore we assume that every Android device running a system version below 2.3.4 will be vulnerable to that exploit, and we select devices that satisfy this requirement for evaluation.

However, there is another scenario in which the author does not provide a detailed list of target devices for his/her exploit, as with libperf hdcp and TowelRoot. In that case, we first perform static analysis on the source code, followed by runtime analysis if the static analysis does not reveal any clue about the target devices. In the source code of libperf hdcp, we find a list of 25 constant strings that look like device model names. By searching for each of them on the Internet, we confirm the list of target devices, which includes the LG Nexus 4 and a number of Japanese brand devices. Sometimes static analysis is difficult, for example with TowelRoot, as its source code is not provided. Based on the knowledge that the vulnerability used in that exploit only exists in Android systems prior to version 4.4, we conduct exhaustive testing on all

By doing this evaluation, we find that most of the exploits gain privilege effectively on actual devices if all of their requirements have been satisfied. At the same time, we also perceive that real-world Android exploitation is not as simple and easy as media articles describe.

Firstly, it is almost impossible to implement a new exploit that universally applies to all Android devices. The Android system has greatly improved its security mechanisms during the past few years. Meanwhile, Google has also been actively upgrading the Linux kernel along with the evolution of the Android system. As a result, universal exploits like RageAgainstTheCage (up to Android version 2.2) and KillingInTheNameOf (up to Android version 2.2.2) have become history, and we seldom see new universal exploits released nowadays.

Secondly, the high degree of hardware and software fragmentation in the Android ecosystem makes exploitation a challenging task. As more and more exploits use memory corruption techniques to achieve privilege escalation, any slight difference in either Android version or hardware configuration may change the address of a specific library in memory space, and thereby restrict the effect of the exploit. Not to mention the diversity across manufacturers, the diversity within one device model family (e.g. Samsung Galaxy S6) already makes exploitation difficult. Taking Ping Pong Root as an example, it is known as a powerful root solution for the Samsung Galaxy S6 family and is claimed to support hundreds of different ROMs. However, we did not manage to find any ROM version compatible with the Galaxy S6 model in our lab. In the evaluation, we find that any incompatibility caused by inconsistency of Android versions and device models is very likely to make an exploit not work as claimed; this may explain the two negative results that occurred during our evaluation.

Lastly, the periodic security update mechanism, which has been adopted by more and more manufacturers, is transforming
the traditional mitigation of exploitation. Nowadays, protecting an Android device from being exploited can be done in a more effective and agile way than waiting for a major version update of Android. Some manufacturers, like Google and Samsung, actively push regular security updates or patches on a monthly basis to maximize protection against the latest security threats. Compared with major version updates of Android, security updates may not be as easily traced and analyzed. Therefore, from the perspective of exploitation, an attacker's exploit is very likely to be no longer effective if it exploits a publicly disclosed vulnerability. From the user's perspective, the risk of an Android device being exploited can be significantly reduced by enabling periodic security patch updates on the device.

Overall, our survey and experimental results unveil three trends in the evolution of Android exploits: (1) Compared with the Android exploits released in the early stages of Android's history, new Android exploits are more device specific and Android version specific: one exploit may only be compatible with one or a few device models with a specific range of Android versions; (2) As the security mechanisms of both the Android system and the Linux kernel have been significantly strengthened, exploits targeting the Linux kernel and Android system components are in decline, and vendor customization has become the prominent attack target in newly released exploits; (3) Due to the diversity of approaches and the difficulty of absolute prevention, memory corruption is gradually becoming the primary attack vector to gain privilege on the Android platform.
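As an added example that is not part of the paper, the following Python script applies the release bounds the paper states for RageAgainstTheCage (up to 2.3.4), KillingInTheNameOf (up to 2.2.2) and TowelRoot (prior to 4.4) to a device's `getprop` output, so an administrator can estimate which of these surveyed exploits a fleet device is still theoretically exposed to and how old its security patch level is. The property names are the standard Android build properties; the sample `getprop` output and the dates are constructed.

```python
import re
from datetime import date

# Release bounds as stated in the paper; "up to X" is modelled as <= X and
# "prior to X" as < X.
EXPLOIT_BOUNDS = {
    "RageAgainstTheCage": ("<=", "2.3.4"),
    "KillingInTheNameOf": ("<=", "2.2.2"),
    "TowelRoot": ("<", "4.4"),
}

def parse_version(text):
    """Turn '4.4.2' into a comparable tuple (4, 4, 2); missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_getprop(output):
    """Parse `adb shell getprop` lines of the form '[key]: [value]' into a dict."""
    props = {}
    for line in output.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def exposed_exploits(props):
    """Names of surveyed exploits whose release bound still covers this device."""
    release = parse_version(props.get("ro.build.version.release", "0"))
    hits = []
    for name, (op, bound) in EXPLOIT_BOUNDS.items():
        b = parse_version(bound)
        if (op == "<=" and release <= b) or (op == "<" and release < b):
            hits.append(name)
    return sorted(hits)

def patch_age_days(props, today_iso):
    """Days between ro.build.version.security_patch and today_iso (YYYY-MM-DD).
    Returns None when the property is absent, as on builds before Android 6."""
    value = props.get("ro.build.version.security_patch")
    if not value:
        return None
    return (date.fromisoformat(today_iso) - date.fromisoformat(value)).days

# Constructed sample output: an old unpatched device and a recently patched one.
OLD_DEVICE = "[ro.build.version.release]: [4.3]\n[ro.product.model]: [Nexus 4]\n"
NEW_DEVICE = ("[ro.build.version.release]: [8.1.0]\n"
              "[ro.build.version.security_patch]: [2018-06-05]\n")
```

Feed it real output with `adb shell getprop` piped into `parse_getprop`; a device that lists any exploit, or whose patch age exceeds the organisation's update window, should be prioritised for an update.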
VI. CONCLUSION

In this paper, we surveyed publicly released Android exploits and proposed a taxonomy of Android exploits from multiple perspectives by analyzing the collected real-world exploits and evaluating them on a set of devices. We analyzed the characteristics of each category and presented a trend view of Android exploits along the timeline from a technical perspective based on the exploit data. We also shared the discussion and outlook gained from observing the evaluation.