Android SOS: The Urgent Need to Secure OS Settings

Anurag Shandilya & V.Dhanalakshmi, K7 Computing

It is perilous, irrespective of platform or OS, to allow a third-party application to modify a smart device’s security settings such as device PIN, especially without explicit user consent. Unfortunately third-party modification of device PIN is, in fact, possible on Android, and cybercriminals have spotted this ripe opportunity for exploitation.

Apart from the standard use of device PIN to prevent unauthorized device access, from Lollipop (Android 5.0) and above, device PIN also plays a major role in decrypting user data during the boot process. The Doublelocker ransomware locks out a victim from accessing the infected Android device by resetting the device PIN, and causes further damage by carrying out file-based encryption on the victim’s user data. The damage is irreparable since removing the ransomware ultimately requires a factory reset, resulting in data loss and, potentially, financial loss. If we were to consider a nightmare scenario in the age of the Internet of Things (IoT), where smartphones can be used to remotely control smart room temperature and smart door locks, an infection by such ransomware could even prove fatal.

Resetting a device’s PIN and then demanding a ransom is not actually a new phenomenon. In the past ransomware families like Android LockerPIN and Lockscreen/Jisut have performed device PIN reset by calling Android DevicePolicyManager APIs such as ‘resetPassword’ and ‘LockNow’ with DeviceAdmin privileges, which in turn invoke the method ‘com.android.settings/.ChooseLockPassword’. Doublelocker too employs the aforementioned set of APIs to reset device PIN, and all 3 ransomware families adapt this technique to achieve the desired effect on the latest versions of the Android OS.

From Oreo (Android 8.0) and above, it has been possible to employ Android Debug Bridge (ADB), a powerful tool to interact with the Android device at system level, to set or modify device PIN/pattern. This presents yet another opportunity for exploitation. For example, a malware APK running with root privileges could leverage the same system-level APIs used by ADB to change device PIN/pattern. Alternatively an attacker could potentially use ADB on an infected PC to modify device PIN/pattern on an USB-connected Android device.

This presentation will describe in detail strategies used by the Lockscreen/Jisut, LockerPIN and Doublelocker malware families to modify device security settings, the methods to identify these malicious techniques, and the security measures which would help platform developers, security vendors and device users to prevent such attacks. The presentation also explores new Android security holes and how they can be leveraged by an attacker, exemplified by a live demo of the exploitation of one such security issue that renders a device inaccessible by modifying its device security settings.

Anurag Shandilya

Anurag Shandilya is the Vulnerability Research Lead at K7Computing’s Threat Control Lab. He has 4+ years of experience in Vulnerability Assessment and Penetration Testing (VAPT). He started his career as a Project Engineer at Wipro Technologies (India) where he was working on VAPT projects. Thereafter he joined Deloitte (India) as Risk Advisory Consultant and progressed to Assistant Manager position managing cyber security projects. He has a Master’s degree in Cyber Law and Information Security from Indian Institute of Information Technology, Allahabad (India), and Bachelor’s degree in Information Technology from Thakral College of Technology, Bhopal (India). His areas of interest include malware research, bug bounty and playing table tennis.

V.Dhanalakshmi

V.Dhanalakshmi, Senior Threat Researcher, has been with K7Computing, Chennai, India for more than 9 years in K7’s Threat Control Lab. Dhana graduated from Bharathiyar University, India with a Bachelor’s degree in Electrical and Electronics Engineering. She started her career as Technical Support Executive – Virus Removal Team with Sutherland Global Services, Chennai. Later, she joined Technosoft Global Services, Chennai, and served as Threat Research Analyst. She has presented papers at AVAR 2011 and AVAR 2013 conferences, at the National Cyber Safety Summit 2013 conference organised by the Government of India. Her interests include listening to music and gardening.

The Dynamic Security Ecosystem
Other Topics