Privilege Escalation Attacks on Android

  • Lucas Davi
  • Alexandra Dmitrienko
  • Ahmad-Reza Sadeghi
  • Marcel Winandy
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6531)


Android is a modern and popular software platform for smartphones. Among its predominant features is an advanced security model which is based on application-oriented mandatory access control and sandboxing. This allows developers and users to restrict the execution of an application to the privileges it has (mandatorily) been assigned at installation time. The exploitation of vulnerabilities in program code is hence believed to be confined within the privilege boundaries of an application’s sandbox. However, in this paper we show that a privilege escalation attack is possible. We show that a genuine application exploited at runtime or a malicious application can escalate granted permissions. Our results immediately imply that Android’s security model cannot deal with a transitive permission usage attack and that Android’s sandbox model fails as a last resort against malware and sophisticated runtime attacks.
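To make the abstract's point about transitive permission usage concrete, the following Python model is an added illustration (not code from the paper): it contrasts the per-hop permission check that the sandbox enforces with a chain-wide check that would deny the escalation. The app and component names are constructed; only the SEND_SMS permission string is a real Android identifier.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass
class App:
    name: str
    permissions: FrozenSet[str]   # permissions granted (mandatorily) at install time
    # exported component -> permission a caller must hold; None = unprotected
    exported: Dict[str, Optional[str]] = field(default_factory=dict)

Hop = Tuple[str, str]   # (app name, component invoked in that app)

class PermissionSystem:
    def __init__(self, apps: List[App]):
        self.apps = {a.name: a for a in apps}
    def required(self, hop: Hop) -> Optional[str]:
        app, component = hop
        return self.apps[app].exported.get(component)
    def hop_allowed(self, caller: str, callee: Hop) -> bool:
        """Per-hop check: only the immediate caller's permissions are consulted."""
        need = self.required(callee)
        return need is None or need in self.apps[caller].permissions
    def chain_allowed(self, chain: List[Hop]) -> bool:
        """What the sandbox enforces: every hop passes on its own."""
        return all(self.hop_allowed(chain[i][0], chain[i + 1])
                   for i in range(len(chain) - 1))
    def chain_allowed_transitive(self, chain: List[Hop]) -> bool:
        """Mitigation sketch: every app earlier in the chain must also hold
        the permission a protected component demands."""
        for i in range(1, len(chain)):
            need = self.required(chain[i])
            if need is not None and not all(
                    need in self.apps[chain[j][0]].permissions for j in range(i)):
                return False
        return True

# Constructed scenario: app_a holds no permission; app_b holds SEND_SMS and
# exports an unprotected service that forwards requests to the SMS API.
SEND_SMS = "android.permission.SEND_SMS"
DEVICE = PermissionSystem([
    App("system", frozenset(), {"sendTextMessage": SEND_SMS}),
    App("app_b", frozenset({SEND_SMS}), {"SmsRelayService": None}),
    App("app_a", frozenset()),
])
CHAIN = [("app_a", "Main"), ("app_b", "SmsRelayService"), ("system", "sendTextMessage")]

def escalation_demo() -> Tuple[bool, bool, bool]:
    """(app_a calling the API directly, per-hop chain result, transitive chain result)."""
    return (DEVICE.hop_allowed("app_a", ("system", "sendTextMessage")),
            DEVICE.chain_allowed(CHAIN), DEVICE.chain_allowed_transitive(CHAIN))
```

The per-hop check lets the chain through even though app_a never held SEND_SMS; the transitive variant denies it because the originating caller lacks the permission.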







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Lucas Davi (1)
  • Alexandra Dmitrienko (1)
  • Ahmad-Reza Sadeghi (2)
  • Marcel Winandy (1)
  1. System Security Lab, Ruhr-University Bochum, Germany
  2. Fraunhofer-Institut SIT Darmstadt, Technische Universität Darmstadt, Germany
