Securing the System: A Deep Dive into Reversing Android Pre-Installed Apps

Conference: BlackHat USA 2019

The presentation discusses the challenges and solutions in securing pre-installed Android apps and devices, including issues with third-party plugins, security settings misconfiguration, and malware infiltration.
  • Pre-installed Android apps and devices pose unique security challenges due to the diversity of OEMs and customizations
  • Third-party plugins can pose security risks and require a remediation process involving OEMs and post-mortem analysis
  • Security settings misconfiguration, such as disabling Google Play Protect, can lead to privilege escalation and malware infiltration
  • Malware, such as the Shinhwa botnet, can infiltrate the supply chain and infect millions of devices
  • Auditing devices and frameworks is important to identify customizations and potential security risks
One example of a security issue discussed in the presentation is the Shinhwa botnet, which infected 20 million devices through pre-installed and user-space applications. The botnet's payloads included premium SMS fraud, click fraud, ad fraud, and app installation fraud, and it was considered one of the most impactful botnets of 2018 due to its infiltration of the supply chain.
The Android security community has been predominantly focused on user-space applications for many years. However, there is a distribution mechanism for security issues that affects more unknowing users, generally allows more privileges, and is tougher to remediate once launched: problems in pre-installed applications. With thousands of OEMs and even more firmware images, the Android pre-installed ecosystem is a big space to both audit and secure. This talk will detail the differences in reversing and analyzing pre-installed Android applications compared to the user-space applications that most security research has focused on. This will include identifying when a pre-installed application is unlikely to run in an emulator without modification, detecting signals that the pre-installed app may be colluding with other components and be only one piece of the puzzle, and how bad behaviors can change when they are instead run in the more privileged context of a pre-installed application. We will then dive into case studies of Android pre-installed security issues we discovered in 2018 and 2019: malware, security misconfigurations, and a remote code execution backdoor. We will walk through the code and the reverse engineering process. In addition, we'll cover detection and remediation for each and how it differs from a user-space application. This talk will be a detailed tour through the Android pre-installed ecosystem: the analysis challenges, how to get around them, and the interesting security issues one might uncover.