You walk into a coffee shop and take a seat. While waiting for your coffee, you take out your smartphone and start playing a game you downloaded the other day. Later, you go to work and check your email in the elevator. Without you knowing, an attacker has just gained a foothold in your corporate network and is steadily infecting all your colleagues’ smartphones too.
Wait, what?
Bromium Labs don't talk much about Android, but now and again they like to tinker. Recently they’ve been looking at an Android remote code execution vulnerability to see how much of a problem it is in real-world usage.
While privilege-escalation techniques are common on Android (and form the basis for the common practice of ‘rooting’ a device), remote code execution is a rarer and much more dangerous type of vulnerability. It allows an attacker to run code of their choosing on a user’s device without their knowledge or permission. This bug was particularly interesting because it appeared to still be exploitable even on a fully-patched latest-model Android device, a full 18 months after it was fixed. Bromium wanted to see if this was true and if so, how much effort was required to exploit it. What Bromium found was that the scenario described above is an all-too-real possibility.
They took a two-pronged approach to investigating this bug. Firstly they wanted to try exploiting it in an environment similar to the public Wi-Fi you might find in a coffee shop, so they fired up a few Android devices and some cheap networking kit and started hacking. The second part was to try and estimate how likely the average user would be to hit the worst-case combination of circumstances that would open the door to the coffee-shop apocalypse. For this Bromium employed some static analysis techniques to see how many vulnerable apps and devices were out there.