Persistence and Privilege Escalation
Links to all parts:
Part 1. Initial access to a mobile device (Initial Access)
Part 2. Persistence and Privilege Escalation
Part 3. Obtaining Credential Access

Persistence techniques describe ways of obtaining access rights, changing the configuration of a mobile device and other actions by which an adversary ensures that their presence on the device is maintained. The adversary often has to keep access to the mobile device despite interruptions such as a reboot or a reset of the device to factory settings.
Having gained a foothold, the adversary is able to "log in" to the mobile device, but probably with very limited rights. However, by taking advantage of weaknesses in the defences, the adversary may obtain the higher privileges needed to achieve the goal of the attack.
The author is not responsible for the possible consequences of applying the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of the content of the ATT&CK Mobile Matrices: Device Access.
Platform: Android
Description: A malicious application may ask the user to grant it device administrator access and, if the privileges are granted, perform actions that make the application difficult to remove.
Protection recommendations: Preliminary application verification. As a rule, applications rarely need device administrator access. In a corporate environment, pre-installation testing of applications should identify such programs for further thorough study. Maggi and Zanero described an approach based on static analysis of applications in order to identify ransomware that abuses device administrator access. In a nutshell, identifying ransomware consists of detecting the following indicators in the APK file: threatening text, code associated with blocking use of the device (non-cancellable dialogs, disabling the navigation buttons, filling the screen with a window, etc.), data encryption, or Device Admin API abuse.
Caution when granting device administrator access. Mobile device users should be warned not to accept requests from applications for device administrator privileges. In addition, applications should be checked for requested administrative rights prior to installation, and applications that genuinely request device administrator access should be carefully studied and allowed only if there is a good reason. Android users can view the list of applications with administrative rights in the device settings.
Using current OS versions. The latest OS versions, as a rule, contain not only fixes but also an improved security architecture that provides resistance to previously undetected vulnerabilities. For example, Android 7 introduced changes that prevent abuse of device administrator rights.
Platform: Android
Description: An Android application can listen for the BOOT_COMPLETED broadcast, which guarantees its activation every time the device is started without waiting for the user to launch it manually. BOOT_COMPLETED is a broadcast event in Android that notifies applications that the OS boot process has finished. Any application that registers a BroadcastReceiver can receive broadcast messages and take arbitrary actions based on them.
An analysis of 1260 malicious Android apps published in 2012 showed that 83.3% of the malware listened for BOOT_COMPLETED.
Protection recommendations: In a corporate environment, application testing can be organized to identify programs that declare a BroadcastReceiver with an intent filter for BOOT_COMPLETED. However, given the huge number of legitimate applications with such behaviour, this method is not very practical on its own.
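The two manifest checks described above (device-administrator receivers and BOOT_COMPLETED receivers) can be combined into one static scan. The following is an added example, not code from the original article or from ATT&CK; it assumes the manifest has already been decoded to text (for example with apktool), since the manifest inside an APK is binary XML, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def scan_manifest(manifest_xml: str) -> dict:
    """Return receivers that auto-start at boot or act as device-admin receivers."""
    root = ET.fromstring(manifest_xml)
    findings = {"boot_receivers": [], "admin_receivers": [], "boot_permission": False}
    for perm in root.iter("uses-permission"):
        if perm.get(NAME_ATTR) == BOOT_PERMISSION:
            findings["boot_permission"] = True
    for receiver in root.iter("receiver"):
        name = receiver.get(NAME_ATTR, "?")
        # Collect every action declared in the receiver's intent filters
        actions = {a.get(NAME_ATTR) for f in receiver.iter("intent-filter") for a in f.iter("action")}
        if BOOT_ACTION in actions:
            findings["boot_receivers"].append(name)
        # A device-admin receiver handles DEVICE_ADMIN_ENABLED and is protected by BIND_DEVICE_ADMIN
        if ADMIN_ACTION in actions or receiver.get(PERM_ATTR) == ADMIN_PERMISSION:
            findings["admin_receivers"].append(name)
    return findings


# Constructed sample manifest (not from any real application)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".Harmless"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST))
```

A hit in either list is a reason to review the application further, not proof of malice: many legitimate apps (MDM agents, alarm clocks, messengers) declare exactly these receivers.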
Platform: Android, iOS
Description: With the ability to escalate privileges, an adversary may try to place malicious code in the OS kernel or in components of the boot partition, where the code cannot be detected, survives a device reboot and cannot be removed by the user. In some cases (for example, on devices using Samsung Knox) the attack may be detected, but it will result in the device being put into a reduced-functionality mode.
Many Android devices allow the OS bootloader to be unlocked for development purposes, but this same functionality makes it possible to maliciously update the kernel or modify the boot partition code. If the bootloader is not unlocked, there remains the possibility of using vulnerabilities to modify the kernel code.
Security Tips: Install security updates, implement remote attestation systems (Android SafetyNet, Samsung KNOX TIMA) and deny devices that have not passed attestation access to corporate resources. Check the bootloader lock status on devices that allow the bootloader to be unlocked (and hence allow any OS code to be written to the device).
The Android SafetyNet Attestation API can be used to remotely identify and respond to compromised devices. Samsung KNOX provides remote attestation of Samsung Android devices. Samsung KNOX devices include a "non-reversible Knox warranty bit fuse", which is triggered if a non-KNOX kernel is loaded on the device. Once triggered, enterprise KNOX container services will no longer be available on the device. As described in the iOS Security Guide, iOS devices will not boot or allow device activation if unauthorized changes are detected. Many enterprise applications perform their own checks to detect and respond to compromised devices. Such checks are not a reliable defence on their own, but they can detect basic signs of compromise.
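The bootloader lock check recommended above can be expressed as a small policy over the device's boot properties. This is an added example, not code from the original article; it assumes the properties are collected with `adb shell getprop` (the `ro.boot.verifiedbootstate`, `ro.boot.flash.locked` and `ro.boot.vbmeta.device_state` properties are real Android boot properties), and the two device outputs below are constructed.

```python
import re

# Constructed `adb shell getprop` excerpts for two hypothetical devices (not real captures)
LOCKED_DEVICE = """[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]
[ro.build.version.release]: [13]"""

UNLOCKED_DEVICE = """[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.version.release]: [13]"""

# getprop prints each property as "[key]: [value]"
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(output: str) -> dict:
    """Parse getprop output into a key -> value dictionary, ignoring malformed lines."""
    props = {}
    for line in output.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess_boot_state(props: dict) -> list:
    """Return reasons to deny the device access to corporate resources; empty means it passed."""
    reasons = []
    state = props.get("ro.boot.verifiedbootstate")
    # green = locked bootloader with OEM-signed image; yellow = custom key,
    # orange = unlocked bootloader, red = verification failed, None = not reported
    if state != "green":
        reasons.append(f"verified boot state is {state!r}, expected 'green'")
    if props.get("ro.boot.flash.locked") == "0" or props.get("ro.boot.vbmeta.device_state") == "unlocked":
        reasons.append("bootloader is unlocked")
    if "ro.boot.flash.locked" not in props and "ro.boot.vbmeta.device_state" not in props:
        reasons.append("bootloader lock state not reported; fail closed")
    return reasons


if __name__ == "__main__":
    for label, output in (("locked", LOCKED_DEVICE), ("unlocked", UNLOCKED_DEVICE)):
        print(label, assess_boot_state(parse_getprop(output)) or "OK")
```

These properties are reported by the device itself, so a device that has already been compromised with root privileges can spoof them; that is why the article pairs this check with remote attestation (SafetyNet, KNOX), whose verdict is signed off-device.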
Platform: Android, iOS
Description: If an adversary can elevate privileges, they can use them to place malicious code in the system partition of the device, where it will persist across OS reboots and will not be readily removable by the user. Many Android devices allow the bootloader to be unlocked for development purposes. This feature can also be used by the adversary to modify the system partition.
Security Tips: Android devices with Verified Boot support perform a cryptographic integrity check of the system partition. The Android SafetyNet API can be used to identify compromised devices. Samsung KNOX also provides remote monitoring of supported devices. iOS devices will not boot, or will not allow activation, if unauthorized changes are detected.
Platform: Android
Description: With appropriate privileges, an attacker can attempt to place malicious code in the device's trusted execution environment (TEE) or a similar isolated execution environment, where the code cannot be detected, persists across device reboots and cannot be removed by the user. Executing code in the TEE gives the adversary the ability to control or falsify the operation of the device.
Security Tips: Devices should verify the integrity of the code that runs in the TEE at boot time. iOS will not boot if code running in the Secure Enclave fails digital signature verification.
Platform: Android
Description: To improve performance, the Android Runtime (ART) compiles application bytecode (classes.dex) into machine code at installation time. An attacker who has elevated privileges can modify this cached compiled code. Since the code was compiled on the device itself, it is not covered by integrity checks, unlike code in the system partition.
Security Tips: Use the latest mobile OS versions and enforce installation of security patches.
Platform: Android, iOS
Description: Malicious applications can exploit unpatched mobile OS vulnerabilities to gain elevated privileges.
Protection recommendations: Check applications for known vulnerabilities. Install security updates. Use the latest OS versions.
Platform: Android
Description: Malicious applications or other attack vectors can be used to exploit vulnerabilities in code executing in the Trusted Execution Environment (TEE). The adversary can then obtain the privileges the TEE has, including the ability to access cryptographic keys or other sensitive data. To attack the TEE, the adversary may first need elevated privileges in the OS; if not, TEE privileges can in turn be used to exploit OS vulnerabilities.
Protection recommendations: Check applications for known vulnerabilities. Install security updates. Use the latest OS versions.