by Seven Shen, Ecular Xu and Wish Wu

Mobile threats are trending upward, with vulnerability exploits gaining traction. The silver lining? More of these vulnerabilities are also disclosed, analyzed and detected. This helps better mitigate Android devices from zero-days and malware, enabling OEMs/vendors to more proactively respond to these threats. This is echoed by our continuous initiatives on Android vulnerability research: from June to August 2016, for instance, we’ve discovered and disclosed 13 vulnerabilities to Google. Their real-world impact ranges from battery drainage and unauthorized capture of photos, videos, and audio recordings, to system data leakage and remote control. This is on top of 16 other security flaws we’ve uncovered that were cited in Android/Google’s security bulletins from January to September this year.

The 13 vulnerabilities were not rated as critical, but they provide more attack vectors for the bad guys. A root exploit can be developed by chaining some of them, for instance. A malicious app can target a vulnerability in the camera server to compromise its driver to ultimately gain root privilege to the device.

They also provide more reasons why your Android device needs an update, as they can:

Make fast work of the device’s battery life

Culprit: CVE-2016-3920

Affected Component: libstagefright, Android’s media playback service

Details: CVE-2016-3920, similar to CVE-2015-3823, is an easy-to-exploit denial of service vulnerability in Android’s mediaserver component that can ensnare the device in a continuous hang and reboot cycle. Attackers can lure victims to browse a malicious website, or download and install a specially-crafted media file or app. A tailored MP3 file, for instance, can lead to a denial-of-service attack to the device’s mediaserver process.

Mitigation: Remove the affected file from the device, and stop accessing the malicious site.

Capture/record photos and videos without permission (also: root the phone)

Culprits: CVE-2016-3915, CVE-2016-3916, CVE-2016-3903

Affected Components: Camera server process and driver

Details: CVE-2016-3915 and CVE-2016-3916 are vulnerabilities in the device’s camera server process; CVE-2016-3903 is specific to Qualcomm’s camera driver. These can allow attackers to execute arbitrary code via an elevated privilege. CVE-2016-3903 takes advantage of a memory corruption (Use After Free) bug in Qualcomm’s camera driver. A system-level process can leverage this to compromise the kernel and eventually get root privilege. CVE-2016-3915 and CVE-2016-3916 can be set off by malicious apps and attacks triggered from Android’s interprocess communication mechanism (Binder call). CVE-2016-3903 needs to be triggered in camera group via the input/output control (IOCTL) call as a system user.

Silver lining: These flaws can be easily triggered but hard to exploit, thanks to various system mitigations especially those on Android Marshmallow / 6.0.

Leak system information to bypass the device’s security features

Culprits: CVE-2016-6683, CVE-2016-6685, CVE-2016-6679, CVE-2016-6680, CVE-2016-3924

Affected Components: Sound, Wi-Fi, and kernel components/drivers

Details: CVE-2016-6683 is a vulnerability in the communication mechanism for Android processes (Binder), that exposes the kernel object address in Binder’s driver when exploited. CVE-2016-6685 is a flaw in a kernel component of Qualcomm’s Advanced Linux Sound Architecture (ALSA) System on a Chip (SoC) driver. Both can be used as part of a root exploit chain to bypass kptr_restrict, a configurable safety feature that protects virtual addresses (used by the kernel) from leaking. CVE-2016-6679 and CVE-2016-6680 are out-of-bounds read bugs in Qualcomm’s Wi-Fi driver that can result in the inadvertent disclosure of the device’s kernel information. These can be leveraged to bypass Kernel Address Space Layout Randomization (KASLR), a mechanism that mitigates buffer overflow and use-after-free vulnerabilities. CVE-2016-3924 is a flaw in libaudioflinger, a part of Android’s mediaserver that manages the device’s native sound system. Abusing this leads to an unauthorized disclosure of the audio server, which can be leveraged to get around the device’s address space layout randomization (ASLR), an anti-buffer overflow process.

Takeaway: Although not rated as critical, these vulnerabilities can be chained to conduct more potent attacks, and ultimately get root access to the device.

Covertly record your calls (or: take over the device)

Culprit: CVE-2016-3910

Affected Component: libsoundtriggerservice, which is part of mediaserver

Details: CVE-2016-3910 is a privilege escalation vulnerability in mediaserver’s libsoundtriggerservice, responsible for processing audio and voice functions. A malicious app can trigger a Binder call and leverage this flaw to give unauthorized privileges to attackers who can then execute arbitrary code within the audio server.

Caveat: Mitigation systems implemented in Android Marshmallow (6.0) and Nougat (7.0) make exploiting this vulnerability difficult. Devices running earlier versions are fair game, however.

Give bad guys more ways to attack the device

Culprits: CVE-2016-6693, CVE-2016-6694, CVE-2016-6695

Affected Component: A sound driver

Details: The vulnerabilities are found in different parts in Qualcomm’s sound SoC driver. CVE-2016-6693 is related to how input is not properly validated, while CVE-2016-6694 affects how the component can read data past the buffer’s boundary. Both can lead to unauthorized disclosure of and access to heap memory—the structure where dynamically allocated memory are held—in the device’s kernel space. CVE-2016-6995 is triggered when less memory is allocated than what was initially computed by the component, leading to a buffer overflow.

The bright side: The flaws need to be triggered via a privileged process through the system IOCTL call. The level of difficulty for successfully exploiting these depends on which other vulnerabilities are chained with them to root the device.

Mitigation

Android device patching is fragmented, so end users are advised to practice security-conscious habits, such as updating the OS as soon as one is available—and contacting the OEM for their availability. Installing apps only from the official Play Store or trusted source, as well as taking caution when opening files from unknown or suspicious senders are also recommended.

More than just scrutinizing mobile devices that go through the company network, a solid patch management process can help IT administrators better manage and secure them, especially if they are used to access sensitive corporate data.

End users and businesses can also benefit from mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play) and Trend Micro’s mobile security solutions for enterprises, which provide additional layers of security by protecting devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.