Ghost in the Binder: Binder Transaction Redirection Attacks in Android System Services

ABSTRACTBinder, the main mechanism for Android applications to access system services, adopts a client-server role model in its design, assuming the system service as the server and the application as the client. However, a growing number of scenarios require the system service to act as a Binder client and to send queries to a Binder server possibly instantiated by the application. Departing from this role-reversal possibility, this paper proposes the Binder Transaction Redirection (BiTRe) attacks, where the attacker induces the system service to transact with a customized Binder server and then attacks from the Binder server---an often unprotected direction. We demonstrate the scale of the attack surface by enumerating the utilizable Binder interfaces in BiTRe, and discover that the attack surface grows with the Android release version. In Android 11, more than 70% of the Binder interfaces are affected by or can be utilized in BiTRe. We prove the attacks' feasibility by (1) constructing a prototype system that can automatically generate executable programs to reach a substantial part of the attack surface, and (2) identifying a series of vulnerabilities, which are acknowledged by Google and assigned ten CVEs.