Announcing X-Ray For Android

Wednesday, July 25, 2012

The first public release of X-Ray is now available! X-Ray 1.0 detects 8 of the most common privilege escalation vulnerabilities that affect the Android platform.

What is X-Ray?

X-Ray allows you to scan your Android device for security vulnerabilities that put your device at risk.

X-Ray was developed by the security experts at Duo Security. We hope that X-Ray will empower users with knowledge of vulnerabilities on their devices and allow them to take action to improve their security. We encourage users to contact their carriers and ask for their devices to be patched.

Think your Android device is secure? X-Ray helps prove it to you.

What does X-Ray do?

X-Ray scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. The X-Ray app presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device.

X-Ray has detailed knowledge about a class of vulnerabilities known as “privilege escalation” vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.

Why are there unpatched vulnerabilities on my device?

First, the software underlying a modern mobile device is controlled by many parties. Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third-parties, not to mention all the open source components (Linux kernel, WebKit, libraries) owned by various project maintainers. When a vulnerability is discovered, coordinating with the responsible parties isn’t a trivial task. You’d probably lose if you tried to play Six Degrees of Separation with the developer who introduced the vulnerability, and the party who’s responsible for patching it.

Second, carriers can be slow and conservative to supply patches to their users. There is certainly a risk in supplying an update to millions of users, but that doesn’t make it acceptable to continue to leave these users exposed to public vulnerabilities for months (or years). The current incentives are flawed: there’s little motivation for carriers to put the effort into developing, testing, and deploying a patched version when the latest Android version is sitting on a new device ready for consumers to purchase.

Why are these unpatched vulnerabilities dangerous?

If there are vulnerabilities present on your device that are not patched, a malicious application may exploit them to gain full, unrestricted control over your Android device. While the apps you install from the Google Play store are normally restricted by the permissions you grant them and constrained by the Android sandbox, these vulnerabilities allow a malicious application to escalate its privileges to root (superuser) and perform any action it desires without your knowledge.

What can I do if my device is vulnerable?

If X-Ray determines that your device is vulnerable, there are a few potential actions you can take to increase the security of your device:

  • You can check for available official updates from your carrier, usually under Settings → About phone → System Updates on your Android device.
  • While it might not result in an immediate remediation, we encourage you to contact your carrier about the availability of an update to fix the vulnerabilities that X-Ray detected.
  • If no official carrier updates are available, you may be able to install a third-party ROM (eg. CyanogenMod) that has patched the vulnerabilities. Note that some third-party ROMs may introduce vulnerabilities of their own, so explore this option with caution.

If you’re able to update your device, you can run X-Ray again to verify that the vulnerabilities have been sufficiently patched.

Even if you’re unable to update your device, X-Ray allows you to better understand the risks associated with your mobile device. If you know that any malicious app you download can take full control of your device using publicly available exploits, you should exercise even more caution when downloading and installing third-party apps.

Is it safe to run X-Ray?

Absolutely. Running X-Ray on your device will have no adverse effects on the security, stability, or performance of your device. X-Ray is installed and run just like any other mobile application and requires no special privileges to operate. X-Ray is able to safely probe for the presence of a vulnerability without ever exploiting it.

How does X-Ray differ from mobile antivirus software?

X-Ray takes a fundamentally different approach to mobile security.

Mobile antivirus software attempts to discover malicious applications installed on your device. Unsurprisingly, it is largely ineffective against new attacks: it can only recognize malicious apps that are already known, and the number of malicious apps that will be created is unbounded. Updating your antivirus signatures every day to address new threats is not a sustainable approach to security.

Instead of trying to detect all the possible malicious apps in the universe, X-Ray takes a different approach and seeks out the known vulnerabilities in the underlying mobile platform itself. X-Ray doesn’t care whether the apps on your device are good or bad, it only cares whether there are vulnerabilities present that bad apps often exploit to gain full control of your device.

What information does X-Ray collect from my device?

X-Ray collects information about your device, but not about you.

The collected information serves two purposes:

  • to determine whether your device is vulnerable, and
  • to collect statistics on just how many Android devices out there are vulnerable

This information is useful to apply pressure on carriers to actually fix the underlying problem, so your participation may end up improving the security of all Android users.

Specifically, X-Ray collects the version of your OS (eg. “2.3.6”), the make/model of your device (eg. “Samsung Nexus S”), your carrier’s name (eg. “T-Mobile”), a randomly-generated device ID (eg. “9a17e3fedcde4695”), and potentially vulnerable software components (eg. “/system/bin/vold”). The information collected will not be shared with any third-parties except in aggregate form (eg. a graph showing the total number of vulnerable devices).

Why is X-Ray not distributed through Google Play Store?

We definitely understand that users prefer to install apps from the Play Store, especially when they’re security-related apps. Unfortunately, Google informed us that the terms of service of the Play Store disallow applications such as X-Ray that check for Android vulnerabilities.

Are these vulnerabilities unique to the Android platform?

Yes and no. All mobile platforms face vulnerabilities. Software has bugs, and many bugs can be exploited by malicious parties in an attempt to take control of your device.

However, the impact of such vulnerabilities may be greater on the Android platform due to the lack of expedient patching by the carriers. Mobile platforms such as iOS may fare better at distributing patches for vulnerabilities more quickly since the updates come directly from Apple as opposed to the decentralized Android carriers.

Is X-Ray available for enterprise use?

Yes, the underlying technology that powers X-Ray can be deployed on an enterprise-wide level, giving you global visibility into vulnerabilities affecting your employees' mobile devices. Please contact xray@duosecurity.com for more information.

Vulnerabilities

X-Ray is automatically updated with the ability to scan for new vulnerabilities as they are discovered and disclosed. The app currently checks for the following vulnerabilities on your Android device:

ASHMEM

The ASHMEM custom shared memory allocator written by Google has a nasty bug that allows your device to be easily rooted. Maybe they should have stuck with POSIX SHM, but the bad guys aren’t complaining.

Levitator

Malicious apps will undoubtedly be “levitating” their privileges using this vulnerability, which affects the PowerVR kernel module used for 3D graphics on Samsung Galaxy S-series devices and allows unfettered access to kernel memory.

ZergRush

No, it has nothing to do with StarCraft, sorry. The ZergRush vulnerability in Android’s libsysutils allows an attacker to overwhelm the system with command arguments, not zerglings, and take full control of your device.

Exploid

Nearly identical to a vulnerability fixed in the Linux udev daemon in 2009, Exploid impacts Android’s init daemon by forgetting to check whether Netlink messages are coming from the trusted kernel … or a malicious app.

Mempodroid

Inherited from the upstream Linux kernel, a vulnerability in the /proc/pid/mem interface allows for writing arbitrary memory in the address space of a setuid process. It’s about as complicated as it sounds, but attackers are smart like that.

Zimperlich

Always check return values. Android’s Zygote process, from which all new apps are spawned, forgets this important rule and fails to check the return value of setuid(2), leading to plentiful root shells!
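To make the "always check return values" rule concrete, here is an added example in C. It is not Zygote's code; it contrasts the pattern Zimperlich abused (a parent switching a forked child to an app identity and ignoring the result of setuid(2)) with a fail-closed version. The failure modes come from the setuid(2)/setgid(2) man pages: EPERM when the caller lacks the privilege to switch to the requested id, and EAGAIN when the target uid already has RLIMIT_NPROC processes. The app uid 10045 used by the demo is a constructed value from the range Android hands to installed apps; the function names are mine.

```c
/*
 * Added example in C; this is not Zygote's code. It shows the two ways a
 * privilege-separation parent can switch a forked child to an app identity:
 * the pattern Zimperlich abused (return value ignored) and a fail-closed one.
 *
 * setuid(2)/setgid(2) can fail. From the man pages: EPERM when the caller
 * lacks the privilege to switch to the requested id, and EAGAIN when the
 * target uid already has RLIMIT_NPROC processes. If the failure is ignored
 * the child keeps the parent's identity (root, in Zygote's case) and then
 * runs the app's code anyway.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern: switch ids and carry on regardless of the outcome.
 * Returns the effective uid the process is left with, so the mismatch
 * between requested and actual identity is observable. */
uid_t specialize_vulnerable(uid_t app_uid, gid_t app_gid)
{
    setgid(app_gid);            /* return values silently discarded */
    setuid(app_uid);
    return geteuid();           /* still the parent's uid if setuid failed */
}

/* Hardened pattern: check every call, and after success re-read the ids
 * so that an unexpected result is caught even if the syscalls returned 0.
 * Returns 0 on success or -errno; the caller must treat nonzero as fatal
 * and _exit() rather than continue into app code. */
int specialize_hardened(uid_t app_uid, gid_t app_gid)
{
    if (setgid(app_gid) != 0)   /* gid first, while still privileged */
        return -errno;
    if (setuid(app_uid) != 0)
        return -errno;
    if (getuid() != app_uid || geteuid() != app_uid ||
        getgid() != app_gid || getegid() != app_gid)
        return -EPERM;          /* ids did not change as requested */
    return 0;
}

/* Stand-alone demo: try to become an Android-style app uid (10045 is a
 * constructed value from the range Android assigns to installed apps).
 * Run as an unprivileged user this fails with EPERM, which is the point:
 * the vulnerable path reports it is still running as the caller's uid and
 * would have gone on to run app code with that identity. */
int main(int argc, char **argv)
{
    uid_t target = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : 10045;

    int rc = specialize_hardened(target, (gid_t)target);
    if (rc != 0)
        fprintf(stderr, "hardened: refusing to continue, setuid/setgid failed: %s\n",
                strerror(-rc));
    else
        printf("hardened: now running as uid %u\n", (unsigned)geteuid());

    uid_t left_as = specialize_vulnerable(target, (gid_t)target);
    printf("vulnerable: continued with euid %u (requested %u)\n",
           (unsigned)left_as, (unsigned)target);
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary user with no argument, the hardened path refuses and exits, while the vulnerable path prints that it continued with the caller's own euid rather than the requested one; on a rooted parent the same silent continuation is what hands the child a root identity.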

Gingerbreak

A commonly-abused vulnerability in the wild by Android malware, Gingerbreak affects the Android volume manager (vold) via, you guessed it, the same Netlink issue as Exploid. Badness ensues.
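Exploid (init) and Gingerbreak (vold) both rely on a daemon that acts on every datagram it receives on its NETLINK_KOBJECT_UEVENT socket. The following is an added example in C, not code from X-Ray, from Android or from either exploit, showing the source check such a daemon should apply before trusting a uevent. The struct and function names are mine, the sample messages are constructed (the sender pid 4242 and uid 10045 are made up), and the hardened checks are modelled on the 2009 udev fix and on the credential-checking uevent receiver Android later shipped in libcutils.

```c
/*
 * Added example, not code from X-Ray, Android, Exploid or Gingerbreak: the
 * source check a userspace daemon should apply to datagrams received on a
 * NETLINK_KOBJECT_UEVENT socket before acting on them.
 *
 * Kernel-generated uevents arrive with a source address the kernel fills in
 * (nl_pid 0, nl_groups = the multicast group mask) and, if the socket has
 * SO_PASSCRED enabled, SCM_CREDENTIALS of pid 0 / uid 0 / gid 0. A datagram
 * injected by an ordinary process arrives with that process's own pid and uid.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* The pid/uid/gid triple the kernel delivers as SCM_CREDENTIALS; spelled
 * out instead of using glibc's struct ucred so no feature macros are needed. */
struct sender_creds {
    bool  present;  /* false if no SCM_CREDENTIALS ancillary data arrived */
    pid_t pid;
    uid_t uid;
    gid_t gid;
};

/* One received datagram, as recvmsg(2) would fill it in. The payload is the
 * "add@/devices/...\0ACTION=add\0..." key/value block. */
struct uevent_msg {
    struct sockaddr_nl  from;
    struct sender_creds creds;
    const char         *payload;
    size_t              len;
};

/* Vulnerable pattern (what Exploid and Gingerbreak rely on): every datagram
 * on the socket is treated as a kernel uevent. */
bool uevent_trusted_vulnerable(const struct uevent_msg *m)
{
    return m != NULL && m->len > 0;
}

/* Hardened pattern: the source must be the kernel (nl_pid 0) on a multicast
 * group (nl_groups != 0), and kernel-stamped credentials must be present and
 * be pid 0 / uid 0. Anything that cannot be verified is dropped, not trusted. */
bool uevent_trusted_hardened(const struct uevent_msg *m)
{
    if (m == NULL || m->len == 0)
        return false;
    if (m->from.nl_family != AF_NETLINK)
        return false;
    if (m->from.nl_pid != 0)
        return false;   /* sent from a userspace netlink socket */
    if (m->from.nl_groups == 0)
        return false;   /* unicast: the kernel only multicasts uevents */
    if (!m->creds.present)
        return false;   /* socket lacks SO_PASSCRED, so nothing to verify */
    if (m->creds.pid != 0 || m->creds.uid != 0)
        return false;   /* stamped by the kernel for a userspace sender */
    return true;
}

/* Constructed samples (not captured traffic). */
static const char kernel_payload[] = "add@/devices/virtual/block/loop0\0ACTION=add\0";
static const char forged_payload[] = "add@/devices/fake\0ACTION=add\0DEVPATH=/devices/fake\0";

const struct uevent_msg sample_from_kernel = {
    .from  = { .nl_family = AF_NETLINK, .nl_pid = 0, .nl_groups = 1 },
    .creds = { .present = true, .pid = 0, .uid = 0, .gid = 0 },
    .payload = kernel_payload, .len = sizeof kernel_payload,
};

/* A hypothetical unprivileged app (pid 4242, uid 10045) that opened its own
 * netlink socket and sent a uevent-shaped datagram to the daemon. */
const struct uevent_msg sample_from_app = {
    .from  = { .nl_family = AF_NETLINK, .nl_pid = 4242, .nl_groups = 0 },
    .creds = { .present = true, .pid = 4242, .uid = 10045, .gid = 10045 },
    .payload = forged_payload, .len = sizeof forged_payload,
};

/* What a kernel uevent looks like to a daemon that forgot SO_PASSCRED:
 * plausible address, but nothing to check it against. */
const struct uevent_msg sample_no_creds = {
    .from  = { .nl_family = AF_NETLINK, .nl_pid = 0, .nl_groups = 1 },
    .creds = { .present = false, .pid = 0, .uid = 0, .gid = 0 },
    .payload = kernel_payload, .len = sizeof kernel_payload,
};

int main(void)
{
    const struct uevent_msg *samples[] = { &sample_from_kernel, &sample_from_app, &sample_no_creds };
    const char *names[] = { "kernel uevent", "forged by uid 10045", "nl_pid 0, no credentials" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s vulnerable=%s hardened=%s\n", names[i],
               uevent_trusted_vulnerable(samples[i]) ? "accept" : "drop",
               uevent_trusted_hardened(samples[i]) ? "accept" : "drop");
    return 0;
}
```

The vulnerable check accepts all three constructed messages; the hardened check accepts only the genuine kernel uevent and drops both the forged datagram and the unverifiable one. Requiring pid 0 as well as uid 0 is stricter than trusting any root sender, which is deliberate: the kernel is the only legitimate source of these events.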

Wunderbar

Another crossover from the Linux kernel, this NULL pointer dereference was one of the first privilege escalation vulnerabilities exploited on the Android platform, thanks to faulty mmap_min_addr protection on ARM.

Is your phone or tablet vulnerable? Download X-Ray

Copyright © 2021 - Jon Oberheide