Android system and anti-virus industry have been struggling with UI security issues, among which Activity Hijack Attack (AHA) is one of the most powerful UI Hijack techniques. In the era of API14~26, BankBot and Spyware could launch zero-cost hijacking attacks on user devices for access sensitive credentials or runtime permissions. However, with the continuous improvement of mitigation measures (execution/launch restrictions, strict SELinux policies for procfs, LMKD…), Google fully resolved AHA in 2019. In the past four years, no AHA techniques targeting the latest Android devices have been captured or disclosed, AHA seems to have died completely.
In this talk, we will reveal a new attack surface –PiP, which has been buried in the system for six years, and the hard-to-patch security issues lurking in privilege processes since 2009. This work mainly focuses on the analysis of framework basic components and the standard execution chain, by extending the research direction and attack surface to system_server, SystemUI, several Managers, and the asynchronous rendering process of screen content, we have discovered 10 vulnerabilities that can be stably exploited, and received $36,000 in bug bounties. Currently, two vulnerabilities have been assigned CVE numbers, four are still in fixing, and the rest have been given up fix or have exceeded one year of the fixing cycle.
This research introduces a novel hijacking attack called ‘EvilPiP’. Unlike traditional attack schemes that require runtime permissions for universal overlay or target detection, it focuses on breaking all hijacking defenses established since API 26 over the last seven years. By combining several vulnerabilities in the attack surface, EvilPiP can bypass the background execution and launch restrictions to perform universal overlay on the target. Then, various side-channel schemes will be exploited to leak the target’s runtime information for precise hijacking. To improve the exploit stability, we will also abuse system services to bypass LMKD and achieve true persistently (ignore Force-Stop and keep running with high priority). Finally, this research will weaponize a complete hijacking chain that requires no permissions, no user awareness, and zero attack cost.
At the end of the talk, we will demonstrate the EvilPiP hijacking attack that can be stably exploited on high-version Android devices (including API 33 and 34).
