Normal Permissions In Android: An Audiovisual Deception presented at deepsec 2017

by Constantinos Patsakis,

Summary : Marshmallow was a significant revision for Android. Among the new fea-
tures that were introduced one of the most significant is without any doubt the
runtime permissions. The permission model was totally redesigned categorising
the permissions into four main categories. The main concept of this categorisa-
tion is to how much risk a user is exposed to when permissions are granted. Normal permissions imply the least risk for the user. However, there are some
important issues in this case. Firstly, these permissions are not actually dis-
played to the user; they are not displayed upon installation and the user needs
to dig into several menus to find them for each app. Most importantly though,
these permissions cannot be revoked. Unlike dangerous permissions, where the
user can grant or revoke a permission whenever deemed necessary, the normal
persmissions are automatically granted and cannot be revoked, unless the user
uninstalls the app that uses them. The research question that arises from this
change is whether the apps that request only normal permissions are benign.
Note that an app requesting only normal permissions will never request any
alerting action from the user, hence the user is more probable to install it and
not worry about it. Furthermore, since these persmissions are automatically
granted, this means that any malicious action that could be made with such
permissions can be ported to any installed app as they will not require any user
interaction.
Our extensive experiments have shown that apps based only on the normal
permissions are far from being considered benign as they can exploit many na-
tive Android mechanisms to perform many malicious actions. More precisely, we
present many methods which exploit the capabilities of user interface, voice as-
sistants and intents in Android that lead to serious security issues. An overview
of where these actions can be applied will be illustrated, indicating where
Nougat is still vulnerable. The attacks which will be presented have already been disclosed to Google and Microsoft, and in some of these cases the appropriate patches have been made.