Check Your Privilege: The Risks of Privilege Escalation Exploits

By Special Guest
Michael Shaulov, Head of Mobility, Check Point

What’s the most dangerous tool a cybercriminal can use to target mobile devices?  A strong contender for the title is malware that enables privilege escalation – an exploit that gives an attacker elevated access to the device.  Once this access has been granted, attackers have free rein to do almost anything they want on the phone or tablet:  activate a keylogger, install applications without the user’s agreement, or even break into other protected applications running on the device, including corporate apps.

We are now seeing new privilege escalation vulnerabilities reach the headlines, and new techniques being used by malware in the wild, with increasing regularity.  Businesses need to be aware of this fast-growing threat to their mobile estates–especially as a recent survey estimated that 95% of enterprises have no protection against mobile malware.**

To understand how privilege escalation attacks succeed in infecting devices, let’s first look at how Google’s Android (News - Alert) operating system works (these attacks target Android devices almost exclusively).  The Android OS has three layers:  the Linux Kernel, which has complete control and access to all parts of the mobile device and operates its drivers.  The kernel has ‘root’ privileges, like ‘Administrator’ privileges in Windows.

On top of the kernel are the Android System Services (OS), which have high privileges; and above this, the user applications.  Each application is encapsulated in an individual ‘sandbox’ environment – a limited perimeter in which the app is allowed to operate.  This protects the user and the OS.  Each app is prevented from interfering with other apps except through dedicated interfaces supplied by the system service–which allows a user app to trust the environment it is running.

Smashing the sandbox

An application seeking to gain additional resources or information therefore needs to break out of its sandbox environment – which means the app needs to elevate its privileges.  And in order to gain total control of the device, it needs to ‘root’ the device and gain root privileges – enabling the app and the person using it to do whatever they want.

Most methods for rooting the device exploit vulnerabilities either in the OS, the hardware, or individual applications.  These vulnerabilities are found quite frequently:  over the past 6 months, over half of Android patches released by Google (News - Alert) are for securing devices against privilege escalation exploits.  Two recent high-profile attacks using this vector were BrainTest and HummingBad.

BrainTest malware was found in Google Play in summer 2015.  Bundled in a game that was published to Play twice, with between 100,000 and 500,000 downloads each time, it bypassed Google’s security scanning and used a range of privilege escalation exploits to install a rootkit on the device, which meant it persisted even after users uninstalled the app.

HummingBad is a particularly sophisticated form of mobile chain attack which roots users’ devices to download fraudulent apps that generate revenue for the attackers.  In March 2016, HummingBad was the 6^th most commonly-used malware detected globally, across all devices – showing how serious hackers are in targeting mobile devices, and the explosive growth in attacks. 

Improving patchy mobile protection

How, then, can you protect mobile devices against privilege escalation attacks?  Applying the Android patches regularly released by Google is strongly recommended:  there’s no reason to fall for mistakes that can be easily fixed.  Unfortunately, the patch cycle can be slow, often taking up to five months after vulnerabilities have been disclosed.  Even then, users may not install and apply those patches immediately, creating a large window of opportunity for attacks.

Some Mobile Device Management (MDM) solutions are able to identify when a device has been deliberately rooted by a user, but in some cases are unable to identify when the device has been rooted by malware.  More advanced mobile malware is also able to conceal its rooting activity, to avoid detection – making MDM largely ineffective against malware.

The best approach to stopping privilege escalation exploits is to deploy security measures on mobile devices that are capable of detecting malicious applications that even try to raise their privilege.  As the primary vector for these exploits is apps embedding themselves on devices, the solution should be able to inspect and quarantine suspicious apps in the cloud, before they are downloaded on the device.  Privilege escalations are detected using cloud based dynamic analysis that detects exploration attempts against the OS.

By monitoring and analyzing all the possible threat vectors – on the device, in the applications and in the network – it’s possible to determine if a vulnerability is being exploited, and to nullify the threat before it can take hold.  That’s the right way to keep your organization’s privileges in check. 

About the Author

Michael Shaulov is Head of Mobility Product Management at Check Point.  He leads product strategy for Check Point’s mobile security solutions including Check Point Mobile Threat Prevention. He is a recognized industry speaker, delivering talks at RSA (News - Alert) Conference, BlackHat and Infosec. Prior to his role at Check Point, Michael was the CEO and co-founder of Lacoon Mobile Security, which was acquired by Check Point in April 2015. 

** https://www.mobileiron.com/en/quarterly-security-reports/q4-2015-mobile-security-and-risk-review