This February in the “Hacking Exposed: Mobile RATs” talk at the RSA conference, we released a demonstration of an end-to-end compromise of an Android 2.2 phone using a vulnerability in Webkit that we had weaponized. The demo consisted of sending a spearphish SMS message to the device with a link to a website hosting the exploit. Once the user clicked on the link, we stealthily compromised the browser through the Webkit vulnerability and then used another root privilege escalation exploit to gain root access to the device. Afterwards, we installed a Chinese RAT we had commandeered that would proceed to track the user’s real-time location and intercept phone calls and text messages. All of that was done without any end-user interaction or awareness, beyond having clicked on the original spearphish link.
At the time, the demo only worked on Android Froyo phones because in later versions of Android, Google had introduced partial Address Space Layout Randomization (ASLR) and No Execute (NX) exploit mitigations. However, after a few weeks of additional effort in collaboration with Accuvant LABS’ Joshua “jduck” Drake, we are pleased to announce that a new Webkit exploit will be discussed at BlackHat USA 2012. Using the same vulnerability, we successfully circumvented all extra security protections present on Android 4.0.1 (Ice Cream Sandwich). The fix for the vulnerability at hand has been merged into Android since 4.0.2, and our exploit would not work on Android 4.1 (Jelly Bean), since Google completed the ASLR work to include randomization of the dynamic linker in that version.
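The distinction the paragraph draws between “partial” and complete ASLR comes down to which mappings in a process keep the same base address from one run to the next. The following is an added example, not code from the original post or from its authors: it compares two `/proc/<pid>/maps` snapshots of the same binary and reports the objects whose base did not move (a fixed-address dynamic linker or a non-PIE executable), plus any mapping that is both writable and executable, which is what NX is meant to rule out. The two snapshots and every address in them are constructed for illustration and do not come from a real device.

```python
"""Audit ASLR coverage and NX from two /proc/<pid>/maps snapshots.

Added example. The snapshots below are constructed, not captured from a
real device. An object whose start address is identical across two fresh
runs of the same binary is not randomized; a mapping with both 'w' and 'x'
permissions is one NX is not protecting.
"""
import re

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$"
)

# Constructed snapshot of a first run (addresses invented for the example).
RUN1 = """\
00008000-00010000 r-xp 00000000 b3:0a 1234 /system/bin/app_process
40000000-40002000 rw-p 00000000 00:00 0 [heap]
4a100000-4a180000 r-xp 00000000 b3:0a 5678 /system/lib/libc.so
4b000000-4b100000 rwxp 00000000 00:00 0
b0001000-b0009000 r-xp 00000000 b3:0a 9012 /system/bin/linker
bea00000-bea21000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed snapshot of a second run: libc, heap and stack moved,
# the executable and the linker did not.
RUN2 = """\
00008000-00010000 r-xp 00000000 b3:0a 1234 /system/bin/app_process
40200000-40202000 rw-p 00000000 00:00 0 [heap]
4a5c0000-4a640000 r-xp 00000000 b3:0a 5678 /system/lib/libc.so
4b300000-4b400000 rwxp 00000000 00:00 0
b0001000-b0009000 r-xp 00000000 b3:0a 9012 /system/bin/linker
be970000-be991000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Return (start, end, perms, path) tuples for each well-formed maps line."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a maps line
        start, end, perms, path = m.groups()
        regions.append((int(start, 16), int(end, 16), perms, path.strip()))
    return regions


def _bases(regions):
    """Lowest mapped address of each named object (first mapping wins)."""
    out = {}
    for start, _end, _perms, path in regions:
        if path and path not in out:
            out[path] = start
    return out


def fixed_regions(maps_a, maps_b):
    """Objects whose base address is the same in both runs: not randomized."""
    a, b = _bases(maps_a), _bases(maps_b)
    return sorted(p for p in a if p in b and a[p] == b[p])


def wx_regions(regions):
    """Mappings that are writable and executable at once (NX not enforced)."""
    return [(s, e, path) for s, e, perms, path in regions
            if "w" in perms and "x" in perms]


def audit(text_a, text_b):
    """Summarize both checks for two snapshots of the same binary."""
    a, b = parse_maps(text_a), parse_maps(text_b)
    return {"fixed": fixed_regions(a, b), "wx": wx_regions(a)}


if __name__ == "__main__":
    report = audit(RUN1, RUN2)
    for path in report["fixed"]:
        print("not randomized:", path)
    for start, end, path in report["wx"]:
        print("writable+executable: %08x-%08x %s" % (start, end, path or "(anon)"))
```

On a real device the two inputs would be `cat /proc/<pid>/maps` taken from two separate launches of the same process; everything that shows up under “not randomized” is an address an attacker can rely on, which is exactly the gap the post describes between 4.0.x and 4.1.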