No-privilege Android remote shell demonstrated by researcher
Security expert Thomas Cannon has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes. The demo app sets up a remote shell on the device that can be accessed through a reverse proxy after the device has been locked. Cannon has also shown the operation of the remote shell in a video.
The application works by instructing the browser to open a particular web page with specific parameters. That web page, and the server behind it, in turn control the app by redirecting the browser to a URL whose protocol prefix is registered as being handled by the app, for example app://. Repeating this process yields two-way communication.
The approach is viable because even apps that request no privileges can direct the browser via the Android intents system. It also works in the opposite direction: an application can register an intent filter so that it is called whenever a URL with a particular protocol prefix needs processing. This is a security problem that security firm Lookout had already described at the Defcon 18 hacker conference last year, though without demonstrating it so vividly.
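As an added example (not Cannon's code or anything from the original article), the following Python script audits a decoded AndroidManifest.xml for exactly the combination the article describes: an app that declares no permissions at all while registering a browser-reachable (VIEW + BROWSABLE) intent filter for a custom URL scheme. The manifest it inspects is a constructed sample with the hypothetical scheme "app".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Schemes the browser handles itself; anything else is an app-registered scheme.
STANDARD_SCHEMES = {"http", "https", "content", "file"}

# Constructed sample manifest (not from the article): no <uses-permission>
# entries, but a VIEW/BROWSABLE intent filter for the custom scheme "app://".
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:label="Demo">
    <activity android:name=".CommandReceiver">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="app"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_manifest(xml_text):
    """Return declared permissions, browser-reachable custom schemes and a
    flag that is set when the app has both no permissions and such a scheme."""
    root = ET.fromstring(xml_text)
    permissions = [attr(p, "name") for p in root.iter("uses-permission")]
    schemes = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            cats = {attr(c, "name") for c in flt.findall("category")}
            # Only VIEW + BROWSABLE filters can be reached by a browser redirect.
            if ("android.intent.action.VIEW" not in actions
                    or "android.intent.category.BROWSABLE" not in cats):
                continue
            for d in flt.findall("data"):
                scheme = attr(d, "scheme")
                if scheme and scheme.lower() not in STANDARD_SCHEMES:
                    schemes.append((attr(activity, "name"), scheme))
    return {"permissions": permissions, "custom_schemes": schemes,
            "flag": bool(schemes) and not permissions}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged result is not proof of a backdoor, only the permission-free custom-scheme pattern worth a closer look at the receiving activity's code.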
While Cannon's shell runs with restricted privileges in the Android sandbox, attackers could potentially go on to obtain root privileges by exploiting security holes. Even apps confined to the sandbox can still access certain storage areas, including the entire contents of the memory card. Cannon has managed to reproduce the problem on all versions of Android up to the current version, Ice Cream Sandwich (4.0).