Asia 24 WeiMinCheng Systemui As Evilpip The Hijacking Attacks On Modern Mobile Devices

The document discusses activity hijack attacks on Android devices. It describes how the attacks work, restrictions put in place by Google to prevent them, and techniques attackers use to bypass the restrictions. It focuses on exploiting picture-in-picture mode to launch activities in the background without permissions.

SystemUI As EvilPiP

The Hijacking Attacks on Modern Mobile Devices


WeiMin Cheng([email protected])

#BHASIA @BlackHatEvents
Who Are We

WeiMin Cheng (QI-ANXIN)
Github: MG1937
Twitter: MGAldys4

Yue Liu (QI-ANXIN)
Github: lieanu

Binary Researcher
Mobile & AOSP
# BHASIA @BlackHatEvents
Agenda
• What is Activity Hijack Attack (AHA)
• Restrictions and Policies released by Google
• Bypass Security Policies
  • BAL Restriction
  • Runtime State Leak
  • Strictly LMKD
• Video Demo for Full Chain

What is AHA
• Activity Hijack Attack (AHA): almost zero cost and easy to exploit
• Hijacks the target app to steal sensitive data or runtime privileges
• Adware, BankBot, Ransomware, RAT…

How AHA Works
• Take Android 4.0 as an example
• Case of Simplocker, malware for Android 4.0
• The essence: abuse the NEW_TASK flag to seize the foreground (FG) task

Code snippet of Simplocker

How AHA Works
• The malicious Activity enters the FG task
• The previous task is pushed to the background (BG)
• Now the malware can impersonate the trusted app: a StrandHogg-like hijack scheme

Why must the FG task be seized for a hijack?

Task And Back-Stack
• A task stack is a collection of activities
• The user can only interact with ONE front task (in most cases)

Classic Attack Scheme

Low cost, high return

Affects almost all apps on old devices

Key Factors of AHA
• Background Activity Launch (BAL)
• Target Running State Detection
• Background Persistent Process

Google will not allow this to happen

Restriction 0x1: No Leak State
• getRunningTasks || getRunningAppProcesses require no permission
• Leaked the runtime state of other apps through these interfaces before API 22
• Only return the caller's own data in API >= 22

Get all running Tasks and Processes

Restriction 0x1: No Leak State
• A side channel still bypasses this in API < 26
• cat /proc/{target_pid}/oom_score_adj
• Works for a non-privileged user!

Restriction 0x1: No Leak State
• Google updated the SELinux policy in 2017
• hidepid=2-like protections
• Restricts app access to files outside the app domain

hidepid in man7 Doc

Compromise Scheme
• Case of MysteryBot
• Turn to UsageStatsManager to leak runtime state indirectly
• Dangerous runtime permission required
• Complex user interaction
• Some ROMs force a warning when granting it!

Restriction 0x2: No BAL
API 29+: an app without privilege can't start an Activity from the background
No BAL == can't inject into the target from the background
Most Adware && Hijackware disappeared due to this

https://developer.android.com/guide/components/activities/background-starts

Compromise Scheme
• Turn to AccessibilityService || SystemServices || the SAW permission
• Complex user interaction && dangerous runtime permission
• Or satisfy the BAL restriction exemptions in the documentation:
  • Requires a system bind…
  • Requires a visible-app bind…
  • Requires holding system privilege…
  • Almost impossible…

Restriction 0x3: BEL && LMKD
• Background services in API 26+ get high OOM_ADJ && low priority!
• BG process == idle process; LMKD kills idle processes first
• System broadcast trick BANNED in API 24+!

https://developer.android.com/about/versions/oreo/background

Compromise Scheme
Compromise scheme provided by Google:
Start a foreground service for a low OOM_ADJ
• Must notify the user; no silent process
• Third-party ROMs don't even allow a FG service to run for long

But Does the Compromise Scheme Really Work?
• Grant dangerous permission → complex user interaction
• No silent running → noticed by the user
• Case of Xiaomi OS: not even a persistent process
• High attack cost, highly detectable by the user → attack fails

On #removeTask, AOSP calls #isProcStateBackground;
MIUI directly calls forceStop on all processes.

framework.jar smali code of MIUI OS

So, Any Way To Bypass?

• No permission required
• Undetectable
• Precise hijack
• Attacks high-version devices

1st High Wall: BAL Restriction

Analyse BAL Restriction
Activity#startActivity is handled by ActivityManagerService (AMS)
→ ActivityStarter#executeRequest (API 33)

Analyse BAL Restriction
The system tries to start the target component.
ActivityStarter#setInitialState determines restrictedBgActivity,
which decides whether to move the task to the front (moveToFront) in ActivityStarter#startActivityInner.
The check function is still what we need to focus on and bypass.

Analyse BAL Restriction
The developer doc gives some exemptions for the check function
shouldAbortBackgroundActivityStart (shouldABAS)

How is a 'visible window' defined? → hasActiveVisibleWindow

Analyse BAL Restriction
WindowState#onSurfaceShownChanged updates mNumNonAppVisibleWindowMap,
which is read inside hasNonAppVisibleWindow

Window Type && Z-Axis
• WindowState#<init> derives mBaseLayer from the window type (getWindowLayerFromTypeLw)
• WindowToken#addWindow orders windows with a WindowComparator on the BaseLayer value
• The window type decides mBaseLayer, which decides the Z-axis indirectly
• Higher BaseLayer, higher Z-axis

Visible Window
hasNonAppVisibleWindow
• Window Type > FIRST_SYSTEM_WINDOW && != TYPE_TOAST
• A non-privileged app usually gets a BASE_APPLICATION window, which is invisible (to this check) most of the time
• TYPE_APPLICATION_OVERLAY = FIRST_SYSTEM_WINDOW + 38;
• The only "system" window a non-privileged app can get is TYPE_APPLICATION_OVERLAY
• But that requires the SYSTEM_ALERT_WINDOW permission, which needs complex user interaction!

What is Picture-in-Picture
• A float-window compromise scheme for developers that needs no SAW permission
• Pins an Activity in a PiP window on top of the screen
• Handled by the SystemUI component
• Window Type > FIRST_SYSTEM_WINDOW and permission-less

What is Picture-in-Picture
Unable to abuse PiP directly
• The PiP window can't be hidden from the screen
• The pinned Activity can be detected by the user (even with a transparent theme)
• The user can remove the PiP window at any time
• PiP is a highly detectable feature!

CVE-2021-0485 By valsamaras
Invalid input yields an abnormal PiP window:
visible to the system, but invisible to the user
An abnormal 1-pixel PiP window is almost invisible

Sets an abnormal height and width

CVE-2021-0485 By valsamaras

PipBoundsAlgorithm patch: commit aad7fdc4f82ad56e332d3c23c5d07719e069b099

New Attack Surface
A nice bug that expands the attack surface:
• No need to bypass the visible-window check (abuse PiP)
• Create a legitimate system window that the user can't detect
• Abuse the PiP API with abnormal input

How PiP Works
ATMS#enterPictureInPictureMode
→ RootWindowContainer#moveActivityToPinnedRootTask

How PiP Works
Task#sendTaskAppear → (IPC) → ShellTaskOrganizer#onTaskAppeared
→ com.android.systemui PipTaskOrganizer#onTaskAppeared

PiP rendered here

Analyse Attack Vector
Scheme 0x1: prevent the IPC!
Attack the PiP chain so the app task is in a 'visible' state
but SystemUI never handles the PiP window

Analyse Attack Vector
Scheme 0x1: unfortunately, no trick could be exploited
User space has no way to affect the code executing in system_server
Can't prevent the IPC

Analyse Attack Vector
Scheme 0x2:
Attack the SystemUI side; create a CVE-2021-0485-like vuln

Attack SourceRectHint
setSourceRectHint auto-scales and crops the Activity window by the passed-in Rect

Abnormal Rect → abnormal PiP window??

Developer Doc of the setSourceRectHint API

Attack SourceRectHint
Enter PiP mode with a 1-pixel Rect; run the POC on an Android 13.0.0_r7 branch AVD
We do get a 1-pixel window, but it recovers to its normal size within around 0.5s

Any trick to extend the duration?

Trace Rect
PipTaskOrganizer#onTaskAppeared
This transition resizes the PiP window via animateResizePip
into the Rect-defined size (1px)
But what happens after the resize???

Trace Rect
PipTransitionAnimator sets a callback handler;
the onPipAnimationEnd interface is called after PiP is entered,
and within it finishResize is called

Trace Rect
finishResize creates a WindowContainerTransaction (WCT) instance
and passes it to prepareFinishResizeTransaction with the normal-size Rect defined by the system
Inside that function a SurfaceControl.Transaction and the Rect are set on the WCT

Trace Rect
applyFinishBoundsResize carries the WCT over IPC to system_server

Trace Rect
* Before the IPC
applyFinishBoundsResize extracts the SurfaceControl.Transaction (SCT) and sends it over IPC to the system
The SCT is passed into setMainWindowSizeChangeTransaction

Task#setMainWindowSizeChangeTransaction
system_server directly calls merge to render the SCT on screen,
which resizes the PiP window back to normal after the merge.
Any way to prevent the merge???

Trace Rect

Block the IPC to prevent the merge?

Almost no way to prevent the merge

Diff Analysis
Comparing different branches, a code change is found in API 32
From the commit detail it is a functional patch rather than a security patch
Still valuable to analyse API 32

API 32 DOES NOT CALL merge!

API 32 (12.1.0_r27)
Task#setMainWindowSizeChangeTransaction sets the SCT
WindowStateAnimator#setSurfaceBoundariesLocked gets the SCT

HOOK FUNC!

Analyse CALL STACK
• ActivityRecord#prepareSurface is in the call stack
• Related to Activity launch/rendering (entering PiP mode relaunches the Activity)
• User space can affect it indirectly!

Attack API32
• In both API 33 and API 32, SystemUI finally calls setMainWindowSizeChangeTransaction (setMWSCT)
• API 33
  1. setMWSCT calls merge; no way to prevent the PiP size going back to normal
  2. The whole chain is handled by SystemUI
• API 32
  1. setMWSCT stores the SCT in a global member and waits for it to be accessed
  2. The Activity redraw accesses the SCT and calls merge == if the redraw is frozen, merge is never called

CVE-2023-40116

BAL bypass on API 32

We want an API 33+ bypass

ActivityOptions
API diff list → makeLaunchIntoPip
Returns an ActivityOptions object

Activity#startActivity(Intent, Bundle)
Additional options for the Activity launch
https://developer.android.com/sdk/api_diff/33/changes

ActivityOptions
Saves the received PiP params into the ActivityOptions (AO) Bundle under the LAUNCH_INTO_PIP_PARAMS key
The Bundle is used to set options for the Activity start

ActivityOptions#toBundle

Trace Bundle

startActivityInner calls moveToFront if the app passes the BAL check

What does the Bundle do inside the chain?

CVE-2023-21269
The Bundle is checked by isLaunchIntoPip()
• Where is the BAL restriction check?????
  moveActivityToPinnedRootTask is called directly without any check???
• The app can be set to the pinned state from the background at any time on API 33+

2nd High Wall: State Leaking

Bug OR Trick?
A bug I met while developing an app…
• After merging the code → an exception thrown by startServiceCommon
• Before the merge, at the bug position: bindService
• After the merge, at the bug position: startService

Side Channel Detector
Background Execution Limitation
• Throws an exception when starting a background service
• A background process detector!
• Bypass the limitation? Exploit the limitation!

A-254674510
ActiveServices#startServiceLocked
The system returns an abnormal ComponentName
An exception is thrown in user space

POC for side-channel detection

Other Tricks?

Due to time constraints, more side-channel tricks for other ROMs are in the white paper.

3rd High Wall: Breaking LMKD

LMKD & OOM_ADJ Score
• Lower oom_adj → higher priority
• Higher oom_adj → lower priority
• LMKD kills the process with the highest oom score first
• BG processes always get a high oom score
• A FG service usually gets a score of 250
• No silent process

Low-memory Killer Daemon

OOM_ADJ Calc Trick
A service bound by a third-party client whose oom score is lower than the bound process's oom score
• The bound process may get the oom score VISIBLE_APP_ADJ

OomAdjuster#computeOomAdjLSP

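To make this binding rule concrete from the defender's side, here is an added Python model (not code from the talk or from AOSP) of how a client binding pulls down the bound process's oom_adj. It uses the values quoted on these slides (system_server -900, VISIBLE_APP_ADJ 100, FG service 250) plus the AOSP cached-process floor of 900, and reduces OomAdjuster#computeOomAdjLSP to the single rule the slide describes; the three-app scenario is constructed.

```python
# Added example, not code from the talk or from AOSP: a simplified model of the
# OomAdjuster binding rule described on the slide. Adj values are as quoted on the
# slides; CACHED_APP_MIN_ADJ is the AOSP floor for idle background processes.
from dataclasses import dataclass, field

PERSISTENT_PROC_ADJ = -900   # system_server, as quoted on the slide
VISIBLE_APP_ADJ = 100        # the best adj an ordinary binding can pull a host down to
FG_SERVICE_ADJ = 250         # "Fg Service usually gets score of 250"
CACHED_APP_MIN_ADJ = 900     # idle background process: first candidate for LMKD


@dataclass
class Proc:
    name: str
    own_adj: int                                   # adj from the process's own state
    clients: list = field(default_factory=list)    # processes bound to a service hosted here


def effective_adj(proc: Proc, visiting: frozenset = frozenset()) -> int:
    """Simplified computeOomAdj: a host inherits a better (lower) adj from any
    client bound to it, but an ordinary binding never pulls it below
    VISIBLE_APP_ADJ. Binding cycles are cut to avoid infinite recursion."""
    if proc.name in visiting:
        return proc.own_adj
    adj = proc.own_adj
    for client in proc.clients:
        client_adj = effective_adj(client, visiting | {proc.name})
        if client_adj < adj:
            adj = max(client_adj, VISIBLE_APP_ADJ)
    return adj


def lmkd_kill_order(procs: list) -> list:
    """LMKD reclaims the highest oom_adj first; returns process names in that order."""
    return [p.name for p in sorted(procs, key=effective_adj, reverse=True)]


def build_scenario() -> list:
    """Constructed scenario: three idle background apps, one bound by system_server
    (the slide's system-bound case), one bound by an app running a FG service."""
    system_server = Proc("system_server", PERSISTENT_PROC_ADJ)
    fgs_app = Proc("fgs_app", FG_SERVICE_ADJ)
    bound_by_system = Proc("bound_by_system", CACHED_APP_MIN_ADJ, [system_server])
    bound_by_fgs = Proc("bound_by_fgs", CACHED_APP_MIN_ADJ, [fgs_app])
    plain_bg = Proc("plain_bg", CACHED_APP_MIN_ADJ)
    return [system_server, fgs_app, bound_by_system, bound_by_fgs, plain_bg]


if __name__ == "__main__":
    for p in build_scenario():
        print(f"{p.name:16} own={p.own_adj:5} effective={effective_adj(p):5}")
    print("LMKD kill order:", lmkd_kill_order(build_scenario()))
```

The model shows why a service host bound from system_server sits at 100 rather than 900: it is reclaimed after every plain background process and after FG-service apps, which is the persistence property the later slides build on.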
Attack Surface
Bound by a system persistent process?
A non-privileged app operates the Managers (AMS, WMS…) through the corresponding IBinder objects.

The Managers run as system (UID=1000)

Can the Managers be abused???

AccessibilityService
• The accessibility function is handled by AccessibilityManagerService
• A non-privileged app needs to declare a specific Intent-Filter
• The Intent-Filter points at a specific Service

AccessibilityManagerService
• AccessibilityManagerService finds all Services with the specific Intent-Filter
• Creates an AccessibilityServiceConnection for that Intent-Filter
• Calls bindLocked

AccessibilityManagerService#updateServiceLocked

Bound by System!
AccessibilityManagerService runs in system_server (UID=1000)
system_server gets an oom score of -900
The non-privileged app gets an oom score of 100!
But Accessibility requires a dangerous runtime permission!

AccountManager
The AccountManager API was added in API 5 (2009)
Handled by the privileged AccountManagerService
For developers:
• Declare a Service with the abstract component "AccountAuthenticator"!
• Declare an Intent-Filter with the specific Action!
• No dangerous runtime permission needed!
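From the defender's side, the declarations these slides describe are all visible in an app's manifest. The following is an added Python triage script, not code from the talk: it scans an AndroidManifest.xml for authenticator services (the permission-less, system-bound route), PiP-capable activities, and the accessibility/SAW routes mentioned earlier, using the standard Android identifiers for those declarations; the sample manifest is constructed.

```python
# Added triage heuristic (not code from the talk): scan an AndroidManifest.xml for the
# capability mix the talk chains together. Sync adapters and video players legitimately
# declare these, so hits are leads for review, not verdicts.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
AUTHENTICATOR_ACTION = "android.accounts.AccountAuthenticator"            # bound by system_server, no runtime permission
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"  # needs user-granted access
SAW_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"                 # overlay route, needs user interaction


def _filter_actions(component) -> set:
    """All intent-filter action names declared on a manifest component."""
    return {act.get(ANDROID_NS + "name")
            for filt in component.findall("intent-filter")
            for act in filt.findall("action")}


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    findings = {"authenticator_services": [], "accessibility_services": [],
                "pip_activities": [], "requests_saw": False}
    findings["requests_saw"] = any(p.get(ANDROID_NS + "name") == SAW_PERMISSION
                                   for p in root.findall("uses-permission"))
    app = root.find("application")
    if app is not None:
        for svc in app.findall("service"):
            actions = _filter_actions(svc)
            if AUTHENTICATOR_ACTION in actions:
                findings["authenticator_services"].append(svc.get(ANDROID_NS + "name"))
            if ACCESSIBILITY_ACTION in actions:
                findings["accessibility_services"].append(svc.get(ANDROID_NS + "name"))
        for act in app.findall("activity"):
            if act.get(ANDROID_NS + "supportsPictureInPicture") == "true":
                findings["pip_activities"].append(act.get(ANDROID_NS + "name"))
    # The pairing the talk relies on: permission-less persistence plus a PiP-capable activity.
    findings["persistence_plus_pip"] = bool(findings["authenticator_services"]
                                            and findings["pip_activities"])
    return findings


# Constructed sample manifest (not a real app) exercising the authenticator and PiP branches.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:label="Sample">
    <activity android:name=".PlayerActivity" android:supportsPictureInPicture="true"/>
    <activity android:name=".MainActivity"/>
    <service android:name=".AuthService" android:exported="true">
      <intent-filter><action android:name="android.accounts.AccountAuthenticator"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Run it over a decoded manifest (for example from apktool output) and review any app where `persistence_plus_pip` is true alongside its declared purpose.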

AddAccount
Get the AccountManager via getSystemService
Call addAccount
→ new Session().bind()
Binds the specific component as system_server!

A-263918277
A high-priority process is elevated to a persistent process!
Make system_server keep binding the target!

AccountManager$AmsTask$Response#onResult POC

DEMO OF PERSISTENT POC

Full Chain Of Hijack Exp

THANKS!
