Stopping Mobile Apps from Taking Over on Android



In Android security, privilege escalation extends far beyond classic exploit techniques. A significant but often overlooked threat comes from applications that acquire excessive privileges through seemingly legitimate channels. While security teams focus on detecting malicious exploits, applications can gain dangerous levels of system access through legitimate mechanisms such as sideloading and OEM (Original Equipment Manufacturer) permissions. This is yet another technique employed by attackers as part of their move to a mobile-first attack strategy.

These applications frequently obtain permissions that exceed their functional requirements, creating security weaknesses without triggering standard detection systems. For instance, a simple utility app might request permissions for system settings modification, network access, and storage management: each legitimate in isolation, but dangerous in combination. This scenario is particularly common with sideloaded applications that bypass Google Play store security checks, and with applications pre-installed by device manufacturers with elevated privileges.

To counter this security challenge, organizations must implement comprehensive app vetting processes. These processes should systematically analyze permission requests and validate application behavior. This systematic approach helps prevent applications from accumulating excessive privileges that could compromise system security.

This issue has been extensively researched in the academic literature too, and with the proliferation of third-party stores, the practice of sideloading has become even more problematic.

This post revisits some examples of Android Accessibility API abuse by OEM apps and sideloaded apps. We first give an overview of such vulnerabilities and then look at specific real-world cases.

Key Points:

1. Understanding Privilege Escalation in Android via OEM permissions

Privilege escalation through OEM permissions is a significant security concern on Android. Device manufacturers often include proprietary permissions that grant applications extensive system access outside Android's standard security model. These permissions, while designed for legitimate system functionality, can be misused by malicious applications.

Consider these real-world examples:

  1. OEM 1 platform permissions:
    • .permission._SECURITY allows applications to modify security policies
    • .permission._HW_CONTROL enables hardware-level access
  2. OEM 2 system permissions:
    • .permission.USE_INTERNAL_GENERAL_API grants access to system-level APIs
    • android.permission.INTERACT_ACROSS_USERS_FULL allows cross-user data access (a signature-level AOSP permission, so only platform-signed apps can normally hold it)

It is difficult to attribute the above permissions accurately and to state exactly what they are capable of, as their descriptions are vague and hide potential avenues for privilege escalation and misuse.

These permissions can be exploited when:

  • A malicious app impersonates a system application
  • A legitimate app is compromised and uses its inherited OEM permissions
  • Third-party apps request and combine multiple OEM permissions for unintended purposes

For instance, an application holding the OEM 1 permissions could potentially:

  • Modify system security settings
  • Access secure hardware features
  • Override user privacy preferences
  • Bypass standard Android permission restrictions

2. App Vetting: A Critical Defense Against Privilege Escalation

App vetting is a crucial security measure for identifying applications that attempt to gain excessive privileges through both legitimate and malicious means. This systematic evaluation process examines an application's permission requests, behaviors, and potential security implications before it is deployed in an enterprise environment.

A well-rounded vetting solution should look at both static and dynamic permissions: those declared in the manifest and those requested at runtime while the app executes.

Manifest declaration:

Code check and request:

For instance, the above set of permissions is capable of the following:

  1. SYSTEM_ALERT_WINDOW – allows drawing overlays over other apps (can be used for clickjacking or to steal information, including credentials)
  2. ACCESSIBILITY_SERVICE (an accessibility service declared with android.permission.BIND_ACCESSIBILITY_SERVICE) – can monitor user actions and automate interactions (often used by malware to grant itself further permissions)
  3. WRITE_SECURE_SETTINGS – can modify secure system settings; this is a signature/privileged permission, so an ordinary third-party app only holds it if it is pre-installed or a user grants it over adb

Together, these permissions could allow the app to:

  • Monitor user input using accessibility
  • Display fake UI elements with overlays
  • Modify system settings without the user's awareness
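The combination above is easy to check for mechanically. The following Python script is an added vetting example written for this post (it is not Zimperium's tooling or code from the original article): it parses a decoded AndroidManifest.xml, such as the one produced by apktool, collects the requested permissions, detects a declared accessibility service, and reports the combinations that matter. The two manifests embedded in it are constructed for the demo; the package names are placeholders, not real apps.

```python
"""Added example: flag risky permission combinations in a decoded manifest.

Input is a decoded (text) AndroidManifest.xml, e.g. from `apktool d`.
SAMPLE_MANIFEST and BENIGN_MANIFEST are constructed for this demo.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SECURE_SETTINGS = "android.permission.WRITE_SECURE_SETTINGS"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# signature|privileged permissions: an ordinary third-party APK cannot hold
# them, so a request signals either an OEM-signed/pre-installed app or an app
# expecting an out-of-band grant (for example `adb shell pm grant`).
PRIVILEGED_ONLY = {
    SECURE_SETTINGS,
    "android.permission.INTERACT_ACROSS_USERS_FULL",
}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
  <application android:label="Cleaner">
    <service android:name=".BoostService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""


def requested_permissions(root):
    """Every <uses-permission android:name=...> in the manifest."""
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def declares_accessibility_service(root):
    """True if a <service> is bound with BIND_ACCESSIBILITY_SERVICE and
    advertises the AccessibilityService action, i.e. once enabled the app can
    read the screen and inject input on the user's behalf."""
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") != BIND_A11Y:
            continue
        for action in svc.iter("action"):
            if action.get(ANDROID + "name") == A11Y_ACTION:
                return True
    return False


def vet_manifest(manifest_xml):
    """Return the permission set plus findings for combinations where each
    permission is plausible alone but dangerous together."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    a11y = declares_accessibility_service(root)
    findings = []
    if a11y and OVERLAY in perms:
        findings.append("accessibility+overlay: read other apps' screens and "
                        "draw fake UI over them (credential phishing, clickjacking)")
    if a11y and SECURE_SETTINGS in perms:
        findings.append("accessibility+secure-settings: change secure settings "
                        "and click through confirmation dialogs unattended")
    for p in sorted(perms & PRIVILEGED_ONLY):
        findings.append(f"{p}: signature/privileged permission requested by a "
                        "non-platform APK")
    return {"permissions": sorted(perms),
            "accessibility_service": a11y,
            "findings": findings}


if __name__ == "__main__":
    for line in vet_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", line)
```

The check deliberately keys on the service declaration rather than a permission string, because accessibility is not a uses-permission: it is a service bound with BIND_ACCESSIBILITY_SERVICE that the user (or a dropper) later enables in Settings.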

Accessibility Services and Restricted Settings

The Accessibility Service is one of the features most frequently exploited by mobile malware to carry out malicious actions.

Android's Accessibility API is an extremely powerful tool intended for developers building apps for users with disabilities. The API lets apps read the contents of the screen and perform input on behalf of the user, which are essential functions for screen readers and alternative input systems, and lets them respond to voice commands by converting them into taps on UI controls.

For those with visual impairments the Accessibility API is essential. Unfortunately, the same functions are also highly useful for malicious apps (Zimperium has blogged extensively about applications abusing accessibility services) that want to:

  • Read sensitive information from other apps' screens
  • Intercept and modify user input
  • Automate clicks and interactions without user awareness
  • Capture passwords and authentication tokens
  • Inject fake UI elements
  • Perform unauthorized actions in privileged apps or system settings
  • Automate the installation of payloads, completing the install procedure without user interaction

As a result, Google restricted which apps on the Google Play store may use the Accessibility API, and in Android 13 it went one step further by heavily limiting API access for apps that the user has sideloaded from outside an official app store. For apps available on Google Play, their use of the API is subject to careful scrutiny by reviewers. Google calls this feature “Restricted Settings”.

Determine: Restricted Setting

How Android apps can bypass Restricted Settings

App stores generally use the so-called session-based install method (the PackageInstaller session API).

Apps installed through this method are treated by the system as store installs and are not subject to Restricted Settings. The non-session method, in which an app hands an APK file to the system installer, is how texting apps, mail clients, and browsers handle APK installation, and apps installed that way are treated as sideloaded.

For a sideloaded app, installed without the session-based method because the user manually downloaded an APK and installed it, access to the Accessibility API is restricted. A sideloaded app can nevertheless bypass Restricted Settings by itself using the session-based method to install a second malicious app, which the system then treats as a store install. Android 14 tightened this further: the installer is expected to declare a package source on the session, and sessions that declare the APK came from a local or downloaded file are restricted as well.

Even on the Google Play store, malware-infected apps have been observed abusing accessibility services through dropper apps, which facilitate the installation of the malware by circumventing security measures to obtain sensitive permissions. Two techniques are common: versioning, which refers to uploading a clean version of the app to the Play store to build trust among users and then adding malicious code at a later stage via app updates, and dynamically loading a DEX file payload at runtime.

Cleaning with high privilege

Cleaner applications are a good example of apps whose permissions allow them to perform powerful actions. Most of the time these permissions are required to fulfil the declared functionality of the app, but in other cases they can be abused.

The Zimperium application vetting process, which includes static code inspection, runtime analysis and network communication analysis, identifies these apps as security and privacy risks.

Understanding legitimacy of privileges

Bookkeeping and cleaner apps are often borderline from a privilege perspective, meaning that they may legitimately require extra permissions to do their job; it is nevertheless important to verify that those privileges are not abused. It is also possible that such apps request other permissions that are not essential to their main purpose, such as getting and managing accounts, reading calendars, requesting package installation and more.

In our analysis, we found more than a dozen cleaner apps (together accounting for several million downloads) that display malicious behaviour by abusing permissions that are expected in a cleaner app. Most of these apps are not available in official stores because they fail to comply with the stores' terms of service. Some of these apps' logos are shown in the next image:

Let's perform a deeper analysis of one of these apps. This cleaner app offers the following functionality:

  • File manager
  • Uninstall apps
  • Manage phone notifications
  • Stop unused apps (automatically hibernate them)

Further analysis reveals that this app is a type of dropper that facilitates the installation of malware by circumventing security measures to obtain sensitive permissions. After installation the app appears to perform standard, yet privileged, cleaner activity: pressing buttons on top of system dialogs and force-stopping foreground app services that drain the device's battery and memory.

After a while, the app dynamically loaded code and configuration from a command-and-control (C2) server. The code and configuration arrived as a DEX file, loaded in memory through dalvik.system.InMemoryDexClassLoader.

This update altered the accessibility service's functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the C2 server. Actions the app can perform afterwards include overlaying banking apps to steal user credentials, intercepting SMS messages that may contain MFA codes, stealing contacts and performing unauthorized transactions. Moreover, this application was found to be part of a known malware campaign that has had three iterations: Anatsa, TeaBot and Toddler.
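Both tricks described above, the session-based install of a second APK and the in-memory DEX loading, leave fingerprints in the APK before it ever runs. The Python script below is an added example for this post (not Zimperium's tooling and not code from the original article): it opens an APK as a zip, searches each classes*.dex for the class descriptors of InMemoryDexClassLoader, DexClassLoader and PackageInstaller.Session (DEX string tables store descriptors as plain MUTF-8, so a byte search suffices), and looks for DEX or nested ZIP payloads hidden under innocent names in assets/. The sample APK it builds is constructed for the demo and is not a real malware sample.

```python
"""Added example: static dropper indicators in an APK, no execution needed.

build_sample_apk() constructs a fake APK for the demo; it is not real malware.
"""
import io
import zipfile

DEX_MAGIC = b"dex\n"        # "dex\n035\0", "dex\n039\0", ...
ZIP_MAGIC = b"PK\x03\x04"   # nested APK or JAR

# Class descriptors exactly as they appear in a DEX string table.
DEX_INDICATORS = {
    b"Ldalvik/system/InMemoryDexClassLoader;":
        "loads DEX from memory: code fetched from a C2 never touches disk",
    b"Ldalvik/system/DexClassLoader;":
        "loads DEX from a file path written at runtime",
    b"Landroid/content/pm/PackageInstaller$Session;":
        "session-based install of another APK: the installed app is treated "
        "as a store install and escapes Restricted Settings",
    b"Landroid/accessibilityservice/AccessibilityService;":
        "implements an accessibility service",
}


def dex_indicators(dex_bytes):
    """Indicator descriptions present in one DEX file's string data."""
    return [desc for needle, desc in DEX_INDICATORS.items() if needle in dex_bytes]


def hidden_payloads(zf):
    """Zip entries outside classes*.dex whose content is DEX or ZIP, whatever
    their extension claims (cfg.bin, *.png, ...)."""
    found = []
    for info in zf.infolist():
        name = info.filename
        if name.startswith("classes") and name.endswith(".dex"):
            continue
        head = zf.open(info).read(4)
        if head == DEX_MAGIC:
            found.append((name, "dex"))
        elif head == ZIP_MAGIC:
            found.append((name, "zip"))
    return found


def scan_apk(apk_bytes):
    """Summarise dropper indicators for an APK given as bytes."""
    report = {"dex": {}, "payloads": [], "score": 0, "dropper_like": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                hits = dex_indicators(zf.read(name))
                if hits:
                    report["dex"][name] = hits
        report["payloads"] = hidden_payloads(zf)
    # Any single indicator can be benign (plugin frameworks load DEX too);
    # runtime loading/installing *plus* an embedded payload is the dropper shape.
    loads_or_installs = any(report["dex"].values())
    report["score"] = int(loads_or_installs) + len(report["payloads"])
    report["dropper_like"] = loads_or_installs and bool(report["payloads"])
    return report


def build_sample_apk():
    """Constructed sample: a classes.dex with tell-tale descriptors, a DEX
    payload renamed to look like config, and a PNG header for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16
                    + b"Ldalvik/system/InMemoryDexClassLoader;\x00"
                    + b"Landroid/content/pm/PackageInstaller$Session;\x00")
        zf.writestr("assets/cfg.bin", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/background.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    r = scan_apk(build_sample_apk())
    print("dropper-like:", r["dropper_like"])
    for name, hits in r["dex"].items():
        for h in hits:
            print(f"{name}: {h}")
    for name, kind in r["payloads"]:
        print(f"hidden {kind} payload: {name}")
```

A payload that is fetched from the C2 at runtime, as in the case above, will not be in the APK at all; the DEX-loader descriptors are then the only static signal, which is why the score still counts them on their own and why dynamic analysis remains necessary.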

Pre-installed apps

Pre-installed applications are installed on a device before it is sold and cannot be uninstalled by the user; they can only be disabled or hidden.

These apps are included for several reasons: to provide essential user experience features (such as phone and messaging), as part of promotional agreements, for user convenience by removing the need to search and download, to save users time and data, and to increase app visibility.

Attack through a pre-installed “privileged” application

By design, pre-installed apps possess elevated privileges, enabling them to perform a wider range of actions and access more sensitive device resources than third-party apps. This makes them significant targets for privilege escalation attacks.

Pre-installed apps are also susceptible to common security vulnerabilities such as insecure API usage, poorly defined custom permissions, improper authentication and authorization, general software bugs, and insecure handling of sensitive data. Typically, an Android device ships with tens of pre-installed applications.

App Vetting of pre-installed applications

As OEMs and other technology leaders update their many pre-installed applications, vulnerabilities are discovered and patched as part of the endless build-and-fix cycle of the mobile security space.

In this section we show an example of a security vulnerability in a pre-installed application that our application vetting system and static code inspection identified as a high security and privacy risk.

OEM’s Personal Folder App

A popular OEM developed an app for the work profile that secures applications and data as part of a proprietary security and management framework pre-installed on most mobile devices from this OEM. Since its release, this application has been installed on hundreds of millions of devices, and it is still pre-installed on most of the OEM's flagship devices today.

However, this application was affected by a CVE discovered three years after its release. The vulnerability is an intent redirection, enabling attackers to execute unauthorized privileged actions. Attackers could exploit it locally without requiring privileges or user interaction, impacting the confidentiality of affected devices.

Our static code analysis of this APK detects security risks due to a vulnerable intent redirection in a public activity that uses the setResult function, together with an exposed Content Provider that could allow a malicious application to access private data, including contacts, photos, call logs, text messages, and more.

Figure: vulnerable content provider, reachable through an intent redirection and a URI permission grant

Figure: an intent redirection in an exposed activity
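The manifest side of this finding can be triaged automatically. The Python script below is an added example for this post (not Zimperium's scanner and not code from the original article): it audits a decoded AndroidManifest.xml for components that are exported, resolving the pre-API-31 defaults where a component with an intent filter was exported unless it said otherwise, and flags providers with android:grantUriPermissions="true", because an exported activity that returns a caller-supplied Intent through setResult() with FLAG_GRANT_READ_URI_PERMISSION hands that provider's data to the caller even when the provider itself is not exported. The redirect itself lives in code, so this narrows where to look rather than proving the bug. The manifest embedded below is constructed; the package and class names are placeholders.

```python
"""Added example: exported-component audit of a decoded AndroidManifest.xml.

SAMPLE_MANIFEST is constructed for this demo; names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vault">
  <uses-sdk android:targetSdkVersion="30"/>
  <application android:label="Vault">
    <activity android:name=".PickerActivity">
      <intent-filter>
        <action android:name="android.intent.action.PICK"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <provider android:name=".VaultProvider"
        android:authorities="com.example.vault.provider"
        android:exported="false"
        android:grantUriPermissions="true"/>
  </application>
</manifest>
"""


def target_sdk(root):
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    return int(sdk.get(ANDROID + "targetSdkVersion", "1"))


def is_exported(component, sdk):
    """Resolve android:exported including the historical defaults: before
    targetSdk 31 an activity/service/receiver with an <intent-filter> was
    exported unless it said otherwise; a provider was exported when
    targetSdk < 17. From targetSdk 31 the attribute must be explicit."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    if component.tag == "provider":
        return sdk < 17
    return sdk < 31 and component.find("intent-filter") is not None


def audit_components(manifest_xml):
    """Return (kind, name, reason) tuples for exposed components."""
    root = ET.fromstring(manifest_xml)
    sdk = target_sdk(root)
    app = root.find("application")
    findings = []
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.iter(tag):
            if is_exported(comp, sdk) and not comp.get(ANDROID + "permission"):
                findings.append((tag, comp.get(ANDROID + "name"),
                                 "exported without a permission: any app can "
                                 "start it and control the Intent it handles"))
    for prov in app.iter("provider"):
        name = prov.get(ANDROID + "name")
        guarded = any(prov.get(ANDROID + a)
                      for a in ("permission", "readPermission", "writePermission"))
        if is_exported(prov, sdk) and not guarded:
            findings.append(("provider", name, "exported without a permission"))
        if prov.get(ANDROID + "grantUriPermissions") == "true":
            findings.append(("provider", name,
                             "grantUriPermissions=true: an exported activity that "
                             "returns a caller-supplied Intent via setResult() with "
                             "FLAG_GRANT_READ_URI_PERMISSION gives the caller this "
                             "provider's data even though it is not exported"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in audit_components(SAMPLE_MANIFEST):
        print(f"{kind} {name}: {reason}")
```

The pairing the script surfaces, an exported activity next to a non-exported provider that allows URI grants, is exactly the shape of the finding above: the provider's own exported="false" is not a defence once a redirect lets the attacker choose the result Intent.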

Lessons Learned – How Can Zimperium Help?

Preventing privilege escalation and securing Android ecosystems against malicious or over-privileged applications requires more than user awareness or reactive patching: it demands proactive, scalable, and intelligent defense mechanisms.

Zimperium offers a robust, enterprise-grade Application Vetting solution that enables security teams to detect excessive privilege accumulation, pre-installed vulnerabilities, and sideloaded threats before they affect users or devices. Through a combination of static code analysis, dynamic behavioral monitoring, and machine learning-powered risk scoring, Zimperium identifies threats that evade conventional app store checks or basic MDM controls.

Here is how Zimperium helps organizations stay ahead:

  • Static Code Analysis: Detects hardcoded secrets, insecure API usage, intent redirection vulnerabilities, and over-permissive manifest declarations before an app is deployed.
  • Dynamic Behavior Analysis: Evaluates runtime behaviors, including dynamic permission requests, network communication patterns, and abuse of services such as Accessibility or overlay permissions.
  • Permission Risk Modeling: Automatically flags applications with suspicious combinations of permissions (e.g., SYSTEM_ALERT_WINDOW, BIND_ACCESSIBILITY_SERVICE, and WRITE_SECURE_SETTINGS) that could be used for clickjacking, credential theft, or device control.
  • OEM and Pre-installed App Analysis: Analyzes proprietary OEM apps and preloaded software that may contain undocumented permissions, insecure Content Providers, or unpatched CVEs, highlighting risk even when users cannot uninstall the app.
  • Sideloaded App Risk Detection: Identifies apps installed from unofficial sources and evaluates their potential to bypass Android's “Restricted Settings” using session-based installation or dropper techniques.
  • Malware detection: Zimperium's MTD can detect malicious apps once they are installed on the device.
  • Continuous Threat Intelligence Integration: Leverages global threat intelligence and real-time malware research to detect evolving techniques and droppers used in campaigns such as Anatsa and TeaBot.

Implementing Zimperium's vetting capabilities, whether as a pre-release security gate for enterprise apps, a vetting pipeline for BYOD and managed devices, or an analysis tool for pre-installed software, enables organizations to enforce least privilege, prevent lateral movement, and reduce the mobile attack surface at scale.


