TiYunZong: An Exploit Chain to Remotely Root Modern Android Devices - Pwn Android Phones from 2015 to 2020

Conference:  BlackHat USA 2020



The presentation discusses the exploit chain used to remotely compromise smartphones and explains why Pixel devices are a difficult target.
  • Smartphone remote attacks can be divided into two categories: those launched over the internet and those launched from adjacent networks
  • The TiYunZong exploit chain is a one-click attack deployable over the internet
  • Pixel devices are a tough target because they always receive the latest patches and vulnerability mitigations
  • The presentation includes an anecdote about the speaker compromising a Pixel XL with a single vulnerability
In 2016, the speaker compromised a Pixel XL with a single vulnerability, using an approach similar to the 2015 exploit chain: get RCE in the Chrome renderer process, then extend that RCE into a UXSS vulnerability. By exploiting the same V8 bug again in a WebView, the Chrome sandbox could be bypassed easily. This sandbox-escaping method no longer works because WebView is sandboxed now.


As more and more mitigations have been introduced into Android, modern Android devices have become much more difficult to root, in particular remotely. This is especially true for Pixel devices, as they always have the latest updates and mitigations. In this presentation, we will explain why Pixel devices are difficult targets and give an attack surface analysis of remotely compromising Android. Furthermore, we will introduce an exploit chain, named TiYunZong, which can be leveraged to remotely root a wide range of Qualcomm-based Android devices, including Pixel devices. The exploit chain includes three new bugs: CVE-2019-5870, CVE-2019-5877 and CVE-2019-10567. We will also present an effective and stable approach to chaining these three vulnerabilities for exploitation without any ROP, even though ROP is the most common technique for exploiting complicated vulnerabilities. The exploit chain is the first reported one-click remote root exploit chain on Pixel devices and won the highest reward for a single exploit chain across all Google VRP programs.