Monday, October 24, 2011

[Android] About Android Security

This is a presentation I shared at my company:




In fact, it's just my limited understanding of Android security. I have actually done some research on Android in recent years. A small project, Spydroid, has been announced on OpenFoundry. This project is also supported by the NSC, Taiwan. I haven't finished it yet. I have a long way to go (especially after TaintDroid was released).

Page 9:
I demonstrated a small piece of spyware that uses only a Broadcast Receiver. The spyware simply sends each received SMS to the Internet.

Page 10:
This page introduces two bugs in the Android kernel. In fact, CVE-2009-1185 is a bug in the Linux kernel: udev doesn't verify where NETLINK messages come from. CVE-2010-EASY, also called "rageagainstthecage", is caused by a setuid bug. First, the exploit creates many processes to reach the limit and kills the adb daemon. The system then re-creates the adb daemon with root privileges, and the setuid system call is executed so that the adb daemon runs with shell privileges. But setuid fails when the number of processes reaches RLIMIT_NPROC, so adb keeps running with root privileges.
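
The privilege-drop mistake described for rageagainstthecage, next to a drop that fails closed. This is an added example, not code from the slides or from adb; the function names, the `setuid_fn` hook and the simulated EAGAIN failure are assumptions made so it runs without root.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical hook (not from the slides) so a failing setuid() can be
 * simulated without root or a real process-limit condition. */
typedef int (*setuid_fn)(uid_t);

/* Constructed stand-in: setuid() failing with EAGAIN, as it did on older
 * Linux kernels when the target UID was already at RLIMIT_NPROC. */
static int setuid_at_nproc_limit(uid_t uid) {
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Weak pattern: the result is ignored, so a failed drop goes unnoticed
 * and the caller carries on with its original (possibly root) UID. */
static int drop_unchecked(uid_t target, setuid_fn do_setuid) {
    do_setuid(target);
    return 0; /* always reports success */
}

/* Hardened pattern: report failure unless the drop provably happened.
 * A real daemon should exit immediately when this returns -1. */
static int drop_checked(uid_t target, setuid_fn do_setuid) {
    if (do_setuid(target) != 0) {
        perror("setuid");
        return -1;
    }
    /* Verify the result as well as the return code. */
    if (getuid() != target || geteuid() != target)
        return -1;
    return 0;
}

int main(void) {
    uid_t me = getuid(); /* dropping to our own UID needs no privilege */
    printf("unchecked, failing setuid: %d\n",
           drop_unchecked(me, setuid_at_nproc_limit));
    printf("checked, failing setuid:   %d\n",
           drop_checked(me, setuid_at_nproc_limit));
    printf("checked, real setuid:      %d\n", drop_checked(me, setuid));
    return 0;
}
```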


Page 11:
The fakecall.apk is a free-version application, but the free version and the paid version are the same apk, with just a small difference in is_paid_version(). After using smali ...

Page 12:
DroidDream is a famous piece of Android malware.


It's really clear, isn't it?
[Highlight]
In adbRoot.smali and udevRoot.smali: runExploid() .....

If I'm wrong, please tell me! Thanks!
