
How were Android Pixel vulnerabilities exploited?

Android Pixel vulnerabilities could open the smartphone up to attack. Expert Michael Cobb explains the vulnerabilities and how to defend against them.

A team of researchers discovered a way to hack the Android Pixel phone by taking advantage of two different vulnerabilities. What are the Pixel vulnerabilities, and how were they exploited?

The Android Pixel phone, designed, developed and marketed by Google, was the only device that was not pwned in the 2017 Mobile Pwn2Own competition, a contest held to demonstrate attacks on the most popular mobile devices. However, in August 2017, Guang Gong of Qihoo 360 Technology Co. Ltd found that by chaining two separate Pixel vulnerabilities, CVE-2017-5116 in Chrome's V8 JavaScript engine and CVE-2017-14904 in Android's libgralloc module, and socially engineering a user into clicking a malicious link in Chrome, he could inject arbitrary code into an Android Pixel phone. The browser half of the chain combines elements of three technologies:

  1. WebAssembly: a low-level binary instruction format that browsers compile and execute client-side.
  2. SharedArrayBuffer: a low-level mechanism for sharing memory between JavaScript workers and synchronizing control flow across them, enabled by default since version 6.0 of Google's open source JavaScript engine V8 (Chrome 60).
  3. Web Workers: an API for spawning background scripts that run on their own threads in a web application.

If code does not verify the type of an object before handing it to other code that assumes a particular type, the result is type confusion: different object types use different memory layouts, so the receiving code reads fields, including function pointers, at the wrong offsets. Type confusion can therefore feed wrong function pointers to a call or wrong data to the wrong piece of code.

Gong found a type confusion bug in the V8 function GetFirstArgumentAsBytes, which takes the WebAssembly code either as an ArrayBuffer or as a TypedArray but does not distinguish a buffer that is backed by a SharedArrayBuffer, whose contents another thread can change at any time. A malicious page can therefore place WebAssembly code in a SharedArrayBuffer, share that buffer with a web worker and hand it to the WebAssembly API on the main thread. While the main thread parses and validates the code, the worker modifies the same bytes, so the code that gets compiled is not the code that was validated: a time-of-check-to-time-of-use race. Gong turned the resulting out-of-bounds memory access into a leak that dumped pieces of the stack into WebAssembly memory and built on that to run arbitrary code inside Chrome's sandboxed renderer process; he published a proof of concept. That alone gives code execution only inside the sandbox. To escape it, Gong chained a second flaw, a privilege escalation in Android's libgralloc module, CVE-2017-14904, and with the two combined achieved remote code execution on the device.
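The time-of-check-to-time-of-use pattern described above, modelled as an added example in JavaScript (this is not code from the article, from V8 or from Gong's proof of concept): a toy bytecode validator and code generator that read from a SharedArrayBuffer, first in the vulnerable shape that goes back to shared memory after validating it, then in a hardened shape that snapshots the bytes into private memory before doing anything with them. The module layout, `makeFrame`, `validate`, `codegen` and the `raceWindow` callback are all invented for the example; the callback stands in for the Web Worker's write so that the race is deterministic and reproducible instead of a real cross-thread race.

```javascript
'use strict';

// Toy module layout (invented for this example, not WebAssembly's real format):
//   byte 0     number of locals the function declares
//   byte 1     number of instructions
//   bytes 2..  one byte per instruction: the index of the local to read
// The bytes live in a SharedArrayBuffer, as in the attack: the page posts the
// same buffer to a Web Worker, which can write to it while the main thread compiles.
function buildSharedModule(numLocals, localIndices) {
  const sab = new SharedArrayBuffer(2 + localIndices.length);
  const bytes = new Uint8Array(sab);
  bytes[0] = numLocals;
  bytes[1] = localIndices.length;
  bytes.set(localIndices, 2);
  return bytes;
}

// The frame the compiled function runs on: its declared locals followed by
// values it must never be able to read (stand-ins for saved registers and
// return addresses on the native stack).
function makeFrame(numLocals) {
  return new Array(numLocals).fill(0).concat([0xdeadbeef, 0x41414141, 0xcafebabe]);
}

// Time of check: every local index must lie inside the declared locals.
function validate(bytes) {
  const numLocals = bytes[0];
  const numInstr = bytes[1];
  if (bytes.length < 2 + numInstr) throw new TypeError('truncated module');
  for (let i = 0; i < numInstr; i++) {
    if (bytes[2 + i] >= numLocals) throw new TypeError(`local ${bytes[2 + i]} out of range`);
  }
}

// Time of use: code generation trusts validation and emits unchecked loads.
function codegen(bytes) {
  const numInstr = bytes[1];
  const indices = Array.from(bytes.subarray(2, 2 + numInstr));
  return (frame) => indices.map((idx) => frame[idx]); // no bounds check here
}

// The distinction the vulnerable V8 code did not make.
function isShared(view) {
  return view.buffer instanceof SharedArrayBuffer;
}

// Vulnerable shape: validate and compile straight from the caller's view.
// `raceWindow` models the worker thread; in the real bug its write lands
// nondeterministically somewhere between validation and compilation.
function compileVulnerable(view, raceWindow) {
  validate(view);
  raceWindow();
  return codegen(view);
}

// Hardened shape: if the bytes are shared, snapshot them into private memory
// first, so validation and codegen see the same bytes whatever another thread
// does. `new Uint8Array(view)` copies the elements into a fresh, non-shared ArrayBuffer.
function compileHardened(view, raceWindow) {
  const bytes = isShared(view) ? new Uint8Array(view) : view;
  validate(bytes);
  raceWindow();
  return codegen(bytes);
}

// Run both against the same attack: two locals, two legal loads, and a
// "worker" that rewrites the second load to index 3 after validation passed.
function demo() {
  const results = {};
  for (const [name, compile] of [['vulnerable', compileVulnerable], ['hardened', compileHardened]]) {
    const wire = buildSharedModule(2, [0, 1]);
    const worker = () => Atomics.store(wire, 3, 3); // the worker's write
    const fn = compile(wire, worker);
    results[name] = fn(makeFrame(2)).map((v) => v.toString(16));
  }
  return results;
}

console.log(demo());
// { vulnerable: [ '0', '41414141' ], hardened: [ '0', '0' ] }
```

The vulnerable compile returns a function that reads frame slot 3, a value outside its two declared locals, which is the toy equivalent of stack data being copied into WebAssembly memory. The hardened compile rejects nothing and changes no behaviour for honest callers; it only refuses to let the bytes it validated and the bytes it compiles diverge. Rejecting shared buffers outright with a TypeError is the other defensible choice. A real exploit of this class does not get a convenient callback: the worker spins on the shared buffer and the page retries until the write happens to land in the window, so the result is probabilistic rather than certain.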

Both bugs have been patched, but through two different channels. The V8 type confusion, CVE-2017-5116, was fixed in Chrome 61 in September 2017; on Pixel devices Chrome updates through Google Play independently of the platform security patch level, so check that the browser itself is current. The libgralloc privilege escalation, CVE-2017-14904, was fixed in Android Security Bulletin -- December 2017, so devices with a security patch level of 2017-12-05 or later are protected from it. Pixel devices and partner devices that use seamless (A/B) system updates install the update automatically in the background, but users must restart the device to boot into the patched system image.
