CENSUS has been investigating for some time now the exploitation potential
of Man-in-the-Disk (MitD) [01] vulnerabilities in Android. Recently, CENSUS
identified two such vulnerabilities in the popular WhatsApp messenger app
for Android [34]. The first of these was possibly independently reported to
Facebook and was found to be patched in recent versions, while the second
one was communicated by CENSUS to Facebook and was tracked as CVE-2021-24027
[33]. As both vulnerabilities have now been patched, we would like to share
our discoveries regarding the exploitation potential of such vulnerabilities
with the rest of the community.

In this article we will have a look at how a simple phishing attack through
an Android messaging application could result in the direct leakage of data
found in External Storage (/sdcard). Then we will show how the two
aforementioned WhatsApp vulnerabilities would have made it possible for
attackers to remotely collect TLS cryptographic material for TLS 1.3 and TLS
1.2 sessions. With the TLS secrets at hand, we will demonstrate how a
man-in-the-middle (MitM) attack can lead to the compromise of WhatsApp
communications, to remote code execution on the victim device and to the
extraction of Noise [05] protocol keys used for end-to-end encryption in
user communications.

Android 10 introduced the scoped storage feature [13] as a proactive
defense against these types of attacks. With scoped storage, apps by
default get access only to their own content on External Storage. Apps
holding a certain permission [36] can also access content shared by other
applications. Finally, full access to External Storage is granted only to
special-purpose apps (e.g. file managers) that have been audited by Google.
Android 11 is the first version to fully enforce the scoped storage rules
on all apps, while Android 10 included a permissive mode of operation to
give developers the time needed to transition to the new file access
scheme.
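As an added, defender-side illustration (not code from the original article or from CENSUS), the following script audits a decoded AndroidManifest.xml for the two things the scoped storage rules described above were designed to curb: the shared-storage permissions (READ/WRITE_EXTERNAL_STORAGE, MANAGE_EXTERNAL_STORAGE) and the Android 10 permissive mode, which an app enters either by targeting an SDK below 29 or by setting android:requestLegacyExternalStorage="true". The article refers to the permission only by citation [36]; the attribute and permission names used here are the standard Android ones and are assumptions on my part, as is the sample manifest, which is constructed and does not describe any real app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android: attributes

# Standard Android permissions that grant reach into shared External Storage.
# On Android <= 9 the read/write permissions cover all of /sdcard.
STORAGE_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}


def audit_manifest(manifest_xml):
    """Summarise what a decoded AndroidManifest.xml says about External Storage reach."""
    root = ET.fromstring(manifest_xml)

    perms = {e.get(A + "name") for e in root.findall("uses-permission")}
    storage_perms = sorted(p for p in perms if p in STORAGE_PERMISSIONS)

    # Opt-out attribute honoured by Android 10's permissive mode (assumed name).
    app = root.find("application")
    legacy_opt_out = app is not None and app.get(A + "requestLegacyExternalStorage") == "true"

    sdk = root.find("uses-sdk")
    target = sdk.get(A + "targetSdkVersion") if sdk is not None else None
    target_sdk = int(target) if target and target.isdigit() else None

    findings = []
    if storage_perms:
        findings.append("shared-storage permission(s): " + ", ".join(storage_perms))
    if legacy_opt_out:
        findings.append("requestLegacyExternalStorage=true: Android 10 treats the app "
                        "as pre-scoped-storage (full /sdcard view)")
    if target_sdk is not None and target_sdk < 29:
        findings.append("targetSdkVersion %d (< 29): Android 10 applies legacy "
                        "storage by default" % target_sdk)

    return {
        "storage_permissions": storage_perms,
        "legacy_opt_out": legacy_opt_out,
        "target_sdk": target_sdk,
        "findings": findings,
    }


# Constructed sample manifest: a fictional messenger, not WhatsApp or any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.messenger">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="28" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <application android:label="Messenger"
                 android:requestLegacyExternalStorage="true">
    </application>
</manifest>
"""

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)["findings"]:
        print("-", line)
```

Run it against a manifest extracted with apktool (or any decoder that yields plain XML); an empty findings list means the app neither requests shared-storage permissions nor opts into Android 10's legacy behaviour, so on Android 10+ its External Storage view is limited to its own directories. On Android 9 and below the permission check is the only one that matters, since scoped storage does not exist there.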

The techniques presented in this article apply to mobile devices running
Android versions up to and including Android 9. It is possible to perform
similar attacks using file-based access in Android 10, but we have not
included these for reasons of brevity. Even without Android 10 in the
picture, the number of affected devices remains quite large. AppBrain
statistics [35] suggest that devices running Android up to and including
version 9 may well constitute 60% of all devices running Android
today. [...]

By admin