Poster: Design of Backdoor on Android Devices

This paper presents a practical design of backdoor to permanently bypass the screen lock mechanisms (e.g., 4-digit PIN) on Android devices. 1. Our goal and assumptions We aim to give insights in designing backdoor that can be used to provide persistent access to a victim’s Android device by compromising the secret for user authentication while effectively hiding its presence from the victim. We assume that a victim uses the PIN scheme to protect her smartphone. Moreover, the victim can often update her PIN secret. Under these conditions, the attacker’s goal is to continuously spy on the victim’s smartphone without revealing her spying activities. In practice, many likely attackers are such insiders rather than strangers in that the people who most want to intrude on a victim’s privacy are likely to be in the victim’s circle of acquaintances. We also assume that the attacker’s backdoor is secretly installed on the victim’s smartphone at the initial stage. Probably, an insider attacker can often have some chances to install her backdoor on a victim’s smartphone in a stealthy manner by either physically accessing the device or performing a social engineering method (e.g., sending a gift app). 2. Design and implementation To validate the feasibility of the proposed attack, we designed and implemented a proof-of-concept backdoor on Android. Our implementation consists of three components: trigger application, Firebase (https://firebase.google.com) and backdoor application. Here, trigger application and Firebase are controlled by an attacker. The implementation of the remote triggering feature is important for hiding the backdoor from the device owner (i.e., the victim). We achieved this by using Firebase which supports the communication between the attacker and the backdoor through push notification services. The use of push notifications makes it difficult to detect the malicious traffic from Firebase because many normal applications are also using Firebase for push notification services. We used two Android devices; the rooted Nexus 5 with Android 5.1 Lollipop which plays the role of the victim’s device to run the backdoor application while Nexus 5X with Android 6.0 Marshmallow which plays the role of the attacker’s device to run the trigger application. For other Android versions, our backdoor can also be adapted. We found 6. Execute cracking module 7. Show password using notification 5. Receive “Open sesame” 1. Request token 4. Obtain token