We study MITRE ATT&CK. Mobile Matrices: Device Access. Part 2


Persistence and Privilege Escalation


Links to all parts:
Part 1. Initial access to a mobile device (Initial Access)
Part 2. Persistence and Escalation of privileges
Part 3. Obtaining credentials (Credential Access)
Part 4. Protection bypass (Defense Evasion)
Part 5. Discovery and Lateral Movement

Persistence techniques describe how an adversary obtains access rights, changes the configuration of a mobile device, or takes other actions that ensure his continued presence on the system. An adversary often has to keep access to the device despite interruptions such as a reboot or a reset to factory settings.

Having gained a foothold on the system, the adversary is able to "log in" to the mobile device, but probably with very limited rights. By taking advantage of weaknesses in the device's defenses, however, the adversary can obtain the higher privileges needed to achieve the goal of the attack.

The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies made in some formulations and terms. The information published is a free retelling of the contents of ATT&CK Mobile Matrices: Device Access.

Persistence


Abuse Device Administrator Access to Prevent Removal


Platform: Android
Description: A malicious application may ask the user for device administrator privileges and, once they are granted, perform manipulations that make it difficult to uninstall.

Security Tips:
Pre-Validating Applications
Applications rarely need device administrator access. In a corporate environment, pre-screening of applications should flag such programs for closer study. Maggi and Zanero describe a static analysis approach for identifying ransomware applications that abuse device administrator access. In short, a ransomware application is detected by finding the following indicators early in the apk file: threatening text, code associated with locking the device (non-dismissable dialogs, disabled navigation buttons, a window that fills the whole screen, etc.), data encryption, or abuse of the device admin API.

Caution when using device administrator access
Mobile device users should be warned not to grant administrator privileges to applications. In addition, applications should be checked for use of administrator rights before installation, and any application that does request device administrator access should be carefully examined and allowed only if there is a good reason. Android users can view the list of applications with administrator rights in the device settings.

Using the latest OS versions
As a rule, the latest OS versions contain not only patches but also an improved security architecture that resists vulnerabilities not yet discovered. For example, Android 7 introduced changes to prevent abuse of device administrator rights.

App Auto-Start at Device Boot


Platform: Android
Description: An Android application can listen for the BOOT_COMPLETED broadcast, which guarantees that it is activated every time the device starts, without waiting for the user to launch it manually. BOOT_COMPLETED is a broadcast event in Android that notifies applications that the OS boot process has finished. Any application with an appropriate BroadcastReceiver can receive broadcast messages and act on them. An analysis of 1,260 malicious Android applications, published in 2012, showed that 83.3% of the malware listened for BOOT_COMPLETED.

Protection recommendations: In a corporate environment, application screening can be organised to identify programs that declare a BroadcastReceiver with an intent filter for BOOT_COMPLETED. However, given the huge increase in the number of applications with this behaviour, this method is extremely impractical.
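The manifest screening described in the pre-validation advice for device administrator access and in the recommendation above can be automated against a decoded AndroidManifest.xml (for example, the output of apktool). The following is an added example, not code from the article or from MITRE; the sample manifest is constructed, and its package and receiver names are invented.

```python
"""Static manifest check for two persistence indicators described above: a
receiver bound to the device-admin API and a receiver listening for
BOOT_COMPLETED. Example code added here, not from the article or MITRE."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample of a decoded AndroidManifest.xml: a boot receiver,
# a device-admin receiver and one harmless receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspicious">
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>"""

def android_attr(attr):
    """Namespaced key ElementTree uses for an android:<attr> attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)

def scan_manifest(xml_text):
    """Return (indicator, receiver_name) findings in manifest order."""
    root = ET.fromstring(xml_text)
    findings = []
    for receiver in root.iter("receiver"):
        name = receiver.get(android_attr("name"), "<unnamed>")
        actions = {a.get(android_attr("name")) for a in receiver.iter("action")}
        if BOOT_ACTION in actions:
            findings.append(("boot_autostart", name))
        # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and usually
        # also filters DEVICE_ADMIN_ENABLED; either sign is enough to flag it.
        if receiver.get(android_attr("permission")) == ADMIN_PERMISSION or ADMIN_ACTION in actions:
            findings.append(("device_admin", name))
    return findings
```

Run `scan_manifest(SAMPLE_MANIFEST)` to get the two flagged receivers; the harmless `.SmsReceiver` produces no finding.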

Modify OS Kernel or Boot Partition


Platform: Android, iOS
Description: With the ability to escalate privileges, an adversary may try to place malicious code in the OS kernel or in components of the boot partition, where the code cannot be detected, survives a device reboot and cannot be removed by the user. In some cases (for example, with Samsung Knox) the attack may be detected, but it will still put the device into a limited-functionality mode.

Many Android devices allow the bootloader to be unlocked for development purposes, but this functionality also makes it possible to maliciously update the kernel or modify boot partition code. If the bootloader is not unlocked, the possibility remains of exploiting vulnerabilities to update kernel code.

Protection recommendations: Install security updates, deploy remote attestation systems (Android SafetyNet, Samsung KNOX TIMA) and block access to corporate resources for devices that fail attestation. Organise a check of the bootloader lock status on devices that allow the bootloader to be unlocked (and hence allow arbitrary OS code to be written to the device).

The Android SafetyNet Attestation API can be used to remotely identify and respond to compromised devices. Samsung KNOX provides the ability to remotely validate Samsung Android devices. Samsung KNOX devices include a non-reversible Knox warranty bit fuse that is triggered if a non-KNOX kernel is loaded on the device; once it has been triggered, enterprise KNOX container services are no longer available on the device. As described in the iOS Security Guide, iOS devices will not boot or allow device activation if unauthorized changes are detected. Many enterprise applications perform their own checks to detect and respond to compromised devices. Such checks are not a reliable means,
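The bootloader lock check recommended above can be scripted over the output of `adb shell getprop`. This is an added example, not code from the article; the property dumps are constructed, and the pass/fail policy (only a locked device whose boot image verifies against the OEM key passes) is an assumption that a real MDM policy may loosen or tighten.

```python
"""Evaluate a device's bootloader/verified-boot state from `adb shell getprop`
output. Example code added here, not from the article; the property dumps
are constructed and the policy (only a locked, OEM-verified boot passes) is
an assumption."""
import re

# Constructed excerpts of `adb shell getprop` output.
UNLOCKED_DEVICE = """[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.version.release]: [10]"""

LOCKED_DEVICE = """[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.vbmeta.device_state]: [locked]"""
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Turn getprop's "[key]: [value]" lines into a dict, skipping junk lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def boot_state_verdict(props):
    """Return ("ok" | "fail" | "unknown", reason).

    ro.boot.verifiedbootstate: green  = locked, verified with the OEM key
                               yellow = locked, verified with a user-set key
                               orange = bootloader unlocked, nothing enforced
                               red    = verification failed
    Missing properties are reported as unknown rather than assumed safe."""
    state = props.get("ro.boot.verifiedbootstate")
    locked = props.get("ro.boot.flash.locked")
    vbmeta = props.get("ro.boot.vbmeta.device_state")
    if state is None and locked is None and vbmeta is None:
        return "unknown", "device reports no verified-boot properties"
    if state in ("orange", "red") or locked == "0" or vbmeta == "unlocked":
        return "fail", "bootloader unlocked or boot image unverified: state=%s flash.locked=%s vbmeta=%s" % (state, locked, vbmeta)
    if state == "yellow":
        return "fail", "boot image signed with a non-OEM key"
    if state == "green":
        return "ok", "bootloader locked, boot image verified with the OEM key"
    return "unknown", "unrecognised verifiedbootstate %r" % state

if __name__ == "__main__":
    for label, dump in (("unlocked", UNLOCKED_DEVICE), ("locked", LOCKED_DEVICE)):
        print(label, *boot_state_verdict(parse_getprop(dump)))
```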

Modify System Partition


Platform: Android, iOS
Description: If an adversary is able to escalate privileges, he can use them to place malicious code in the device's system partition, where it will survive an OS reboot and will not be easily removable by the user. Many Android devices allow the bootloader to be unlocked for development purposes; an adversary can also use this feature to modify the system partition.

Protection recommendations: Android devices that support Verified Boot cryptographically verify the integrity of the system partition. The Android SafetyNet API can be used to identify compromised devices. Samsung KNOX also provides remote control of supported devices. iOS devices will not boot or allow activation if unauthorized changes are detected.

Modify Trusted Execution Environment (TEE)


Platform: Android
Description: With the appropriate privileges, an attacker can try to place malicious code in the device's Trusted Execution Environment (TEE) or a similar isolated execution environment, where the code will not be detectable, survives a device reboot and cannot be removed by the user. Executing code in the TEE gives an adversary the ability to control or falsify device operation.

Security tips: Devices should perform integrity checks at boot time on the code that runs in the TEE. iOS will not boot if the code running in the Secure Enclave fails digital signature verification.

Modify cached executable code


Platform: Android
Description: To improve performance, the Android Runtime (ART) compiles application bytecode (classes.dex) to machine code at installation time. An attacker who has escalated privileges can modify this cached code. Because the code was compiled on the device itself, it is not subject to the integrity checks applied to code from the system partition.

Protection recommendations: Use the latest mobile OS versions and make installation of security patches mandatory.

Privilege Escalation


Exploit OS Vulnerability


Platform: Android, iOS
Description: Malicious applications may exploit unpatched vulnerabilities in the mobile OS to gain elevated privileges.

Protection recommendations: Check applications for known vulnerabilities. Install security updates. Use the latest OS versions.

Exploit TEE Vulnerability


Platform: Android
Description: Malicious applications or other attack vectors can be used to exploit vulnerabilities in code executing in the Trusted Execution Environment (TEE). The adversary can then gain the privileges the TEE has, including access to cryptographic keys or other sensitive data. To attack the TEE, an adversary may first need elevated OS privileges; otherwise, the TEE privileges can be used to exploit OS vulnerabilities.

Protection recommendations: Check applications for known vulnerabilities. Install security updates. Use the latest OS versions.
