Cross-user malware propagation : how to reduce the risks?

alf1342

I'm assisting an activist group that may be targeted by state-sponsored malware, helping them configure their phones to minimize the risk. However, there are a few questions I don't have answers to.

These are WiFi-only phones. We recomand to use the main profile only to install and update apps from the Play Store, and to clone the apps into other user profiles, which are isolated based on their use (public or confidential activities).

In this context, does configuring the other user sessions to "disable app install and updates" reduce the risk that this user may be compromised ?
Does it reduce the risk that a compromised user session could install something in the others users? If so, to what extent?
I understand that if malware manages to execute kernel-level code, it can pretty much install whatever it wants in the other sessions. But I have trouble understanding the analyses that have been done on discovered malware—has this kind of thing already happened on Android? Is this rare or almost systematic in state-sponsored malware that have been analysed?
Doesn't this advice give a false sense of security in terms of isolation from such a threat?

Thank you!

ryrona

alf1342 In this context, does configuring the other user sessions to "disable app install and updates" reduce the risk that this user may be compromised ?

Probably not. Even if secondary user B can install apps, those apps will only be made available in user B. They won't be made available in owner user A or any secondary user C, so won't ever start or run there. So if hypothetically an app in user B can be fooled into installing a malicious app, that app will also run in user B, and thus the attacker would still be left trying to perform their attacks from within the context of user B.

alf1342 Does it reduce the risk that a compromised user session could install something in the others users? If so, to what extent?

I wonder if this question really makes sense. There is an app sandbox, but that is about it. If the question is if a compromised app can install an app in another user profile, no, they cannot do that regardless of if you allow app installs or not. If the question is instead whether an attacker that have been able to break out of the app sandbox for an app running in secondary user B, I actually don't think is really matters what user that app was running as anymore, as there is no meaningful isolation between user profiles other than the app sandbox and what apps within a certain user profile can be granted access to while within the confines of the app sandbox.

alf1342 I understand that if malware manages to execute kernel-level code, it can pretty much install whatever it wants in the other sessions.

If they can execute kernel-level code, they can do anything. They don't need to install an app anywhere, they can just read out any data from any user profile they want. Or modify or destroy any data from any user profile.

I don't know how common kernel-level exploits are in state-sponsored malware. But it would be the holy grail if they can get that access, and they might have the capability to, which is why GrapheneOS is trying to harden the kernel further, and want to implement virtualization in the future to lower the attack surface.

alf1342 Doesn't this advice give a false sense of security in terms of isolation from such a threat?

Yeah, I would say so. If you don't need to install apps from within secondary user profiles, you can just disable the possibility. It may possible make exploitation within that user profile slightly harder, in case an app can be fooled into installing another app, but the hacker cannot gain persistence within the original app. But I think that is the extent to which this feature provides security.

DeletedUser405

Disclaimer: I'm not a professional on this front, I just like to research for fun.

ryrona Signal is written in memory safe languages, and they are taking memory security issues extremely seriously. Messengers like Element that requires you to accept a chat before any messages or other content is even attempted to be loaded are likelier also a safer choice than WhatsApp

Consider using Molly as an alternate Signal client, or SimpleX.
https://www.privacyguides.org/en/real-time-communication/

alf1342 But I have trouble understanding the analyses that have been done on discovered malware

GrapheneOS's auditor app can help scan Android devices for malware, and nonpersistent malware can be wiped after a device restart. Consider restarting every day if it suits your threat model.

If malware executes kernel level code, you might be cooked, though. Practice good browsing, email, and password habits.

Pixels 8 and later with and without GrapheneOS can be used as an alternative to desktop operating systems, you can display your phone to a monitor. This is much more secure than traditional operating systems, so it may be worth considering.

Lastly, you may want to check out this guide below, and ask the Privacy Guides forum too.
https://discuss.privacyguides.net/t/defending-against-targeted-attacks/27344/1

alf1342

ryrona
Thanks for the detailed answers.

ryrona I wonder if this question really makes sense. There is an app sandbox, but that is about it. If the question is if a compromised app can install an app in another user profile, no, they cannot do that regardless of if you allow app installs or not.

There are probably some things I must have misunderstood.
What I understand:
For me, apks are stored in a separate memory space from those of the users.
If you clone an application for a secondary user from the owner user, the apk is installed from that space into the user space. But if a secondary user has the right to install applications, and updates the application, the shared space apk will be modified and all users will install this new version of the application.
In a way, a secondary user can "propagate" a modified version of an application to all other users.
Preventing a secondary user to install apps, may reduce that risk.
Am I wrong?

ryrona If the question is instead whether an attacker that have been able to break out of the app sandbox for an app running in secondary user B, I actually don't think is really matters what user that app was running as anymore, as there is no meaningful isolation between user profiles other than the app sandbox and what apps within a certain user profile can be granted access to while within the confines of the app sandbox.

So, if I understand, if an app use an OS exploit to escape the app sandbox, for you, it can monitor all the activities taking place in the other running user sessions (like doing screenshot, ..)?

ryrona

I realize there is a question in the title too, "how to reduce the risk". The best way is to try to avoid getting infected by malware at all. State-sponsored attackers are known to:

1) Exploit vulnerabilities in WhatsApp. WhatsApp is incredibly poorly coded in unsafe languages, making the existence of exploitable vulnerabilities likely. At the same time, simply knowing the phone number of someone might be enough to trigger the exploit. WhatsApp is known being exploited by state-sponsored malware. I would recommend not to install WhatsApp at all, and instead rely solely on other messengers instead. I know at least Signal is written in memory safe languages, and they are taking memory security issues extremely seriously. Messengers like Element that requires you to accept a chat before any messages or other content is even attempted to be loaded are likelier also a safer choice than WhatsApp.

2) Attempt to trick the user into installing the malware using social engineering. I have heard about activists that have installed the malware themselves, believing they were following security advise from a trusted community member, or out of a perceived need for the app in a specific circumstance. I would recommend setting up everything you need once, and then never install any additional apps after that point. Disabling the app installation in secondary user profiles can actually be helpful to lower the temptation to install apps, since you need to go through some additional steps which might cause you to think twice. And if you install an app, make sure it is a popular app on Google Play, say in top 10 in any given category, as there is malware on Google Play too, but they usually have much lower install counts.

Other than that, the general advise of only visiting trusted websites, and never accepting chats with unknown people, and never opening attachments sent to you unexpectedly will probably also help a bit.

DeletedUser421

ryrona Do you have a source for your claim about the WhatsApp android client not being written in memory safe languages? How do you know that it’s poorly coded?

de0u

DeletedUser421 Here is a list of WhatsApp CVEs: https://app.opencve.io/cve/?vendor=whatsapp

That list contains "stack overflow", "buffer overflow", "heap corruption", etc.

ryrona

DeletedUser421 Do you have a source for your claim about the WhatsApp android client not being written in memory safe languages? How do you know that it’s poorly coded?

There are many reports on this forum about WhatsApp crashing with memory tagging violation when MTE is enabled for all apps on 8th gen and 9th gen Pixel devices that supports MTE. MTE only detects true memory violations, and those can only happen in memory unsafe languages. So WhatsApp is partially coded in memory unsafe languages. Not only that, it is so poorly coded that MTE triggers all the time even in the absence of attacks. That doesn't happen for your average app written in memory unsafe languages. And basic internal testing for security issues would catch these, so they are clearly not testing WhatsApp for security issues.

I don't know what components of WhatsApp it is that is written in memory unsafe languages, or what languages, but MTE does not lie. It only detects actual memory violations.

(To be fair, there was a single report of Signal crashing this way too. Unclear if it was due to an attack or not. So somewhere there is memory unsafe code there too. Everything in Signal seems to be written in Kotlin and Rust, so maybe there is some Rust library that is using unsafe Rust code. Will be interesting to see where that reported ticket leads to.)

DeletedUser421

de0u That doesn’t prove any of your claims. I’m particularly interested in your claims about the Android client being written in memory unsafe languages. AFAIK Java is not considered memory unsafe, like for example C.

Memory safe languages can still have those issues, so I don’t think that your link proves anything.

DeletedUser421

de0u It looks like both WhatsApp and Signal use libraries that are written in memory unsafe languages. For example WebRTC. Signal proxies traffic through their own middleware library called RingRTC, which seems to be written in memory safe languages: https://github.com/signalapp/ringrtc
However, I don’t think that this prevents memory safety issues, since it still uses WebRTC.

I don’t know exactly how WhatsApp utilizes WebRTC.

I think that this is a better source: https://margin.re/2024/07/you-cant-spell-webrtc-without-rce-part-1/

In order to prevent those issues, it would be necessary to remove video calls and probably other functions as well, like https://github.com/mollyim/mollyim-android/issues/141

DeletedUser421

de0u I’m sorry, I thought that I was replying to the same person as before, so forget about the "your claims". And sorry for posting so many times.

de0u

de0u Here is a list of WhatsApp CVEs: https://app.opencve.io/cve/?vendor=whatsapp

That list contains "stack overflow", "buffer overflow", "heap corruption", etc.

DeletedUser421 That doesn’t prove any of your claims. I’m particularly interested in your claims about the Android client being written in memory unsafe languages. AFAIK Java is not considered memory unsafe, like for example C.

What I posted was a list of WhatsApp CVEs. I don't think I made any claim about which languages WhatsApp is written in.

To my eyes, that list of CVEs does seem consistent with a claim (made by somebody else) that WhatsApp is "poorly coded".

For comparison, here is a list of Signal CVEs: https://app.opencve.io/cve/?vendor=signal

By the way, a web search for zero-click WhatsApp seems to turn up more than a search for zero-click Signal (the latter search includes reports of a location leak in CloudFlare that affected Signal among other messaging apps).

To be clear, I am not making any claims about which language(s) WhatsApp or Signal are written in.

ryrona

alf1342 For me, apks are stored in a separate memory space from those of the users.

True.

alf1342 If you clone an application for a secondary user from the owner user, the apk is installed from that space into the user space.

No. It is still only in the shared space. All that happens is that a launcher for it is added in the secondary user profile, pretty much. And data and cache directories for the app is created in that user profile.

alf1342 But if a secondary user has the right to install applications, and updates the application, the shared space apk will be modified and all users will install this new version of the application.

Yes, the APK in the shared space will be updated with the new version, so all users will automatically be using the new version.

alf1342 In a way, a secondary user can "propagate" a modified version of an application to all other users.

All APKs are signed. It is only possible to upgrade an APK for an app with a certain ID if the new upgraded version is signed by the same key as the already installed one. This might be the key of the developer or the app store. So one cannot upgrade to a compromised version without the original app developer or trusted app store cooperating by signing the compromised version.

Not even uninstalling the app and installing a new compromised one with the same app ID will work. All uninstalling will do is remove the launcher, and data and cache directories. The APK from the shared space is only removed if no user profile has the app anymore. So if the launcher is removed from within a secondary user profile, and one attempts to install a new compromised version signed with attacker controlled keys, the installation will be rejected since signing keys doesn't match already installed APK.

alf1342 Preventing a secondary user to install apps, may reduce that risk.

No, it should be secure against that already.

alf1342 So, if I understand, if an app use an OS exploit to escape the app sandbox, for you, it can monitor all the activities taking place in the other running user sessions (like doing screenshot, ..)?

That is my understanding, yes. There are no isolation between user profiles beyond the app sandbox.

dhhdjbd

I think the allow installs toggle is not a security feature like that. For example, it does not affect private spaces. Or it is still possible to update system apps.
so i think it should be treated as another hurdle for the user to accidently install an app in my opinion. And not as something that can stop an sophisticated attacker

i think, about user profiles, the features one wants to rely on in this case, is the at rest encryption of unused profiles + secure boot (frequent reboots).
(i think most of these maleware exploits are not persistent)

DeletedUser421

de0u Yes, I made a mistake, that was ryrona.
To be fair, it’s quite likely that WhatsApp is using more libraries written in memory unsafe languages, so it’s probably true to some extend. I also made a mistake in my assumption that WhatsApp is using WebRTC. It seems to be using PJSIP which is primarily written in C. Project Zero team at Google has written several posts about Android Messengers, WebRTC and WhatsApp/PJSIP

userofgos

ryrona @DeletedUser421 I can attest to WhatsApp being poorly coded when it comes to MTE crashes, DCL via memory or via storage. Happens all the time, it's extremely annoying.

DeletedUser421

ryrona If you look at past WhatsApp RCE vulnerabilities, they usually affect the media parsing libraries or (video) calls. E.g. the android-gif-drawable library which is 41% C. I don’t know if they still use those.

The recent MTE crash in Signal seems to affect RingRTC, probably due to WebRTC which is written in C++. I don’t know which media parsing libraries Signal is using.

DeletedUser405

DeletedUser405 This is much more secure than traditional operating systems, so it may be worth considering.

Important to note that this feature is still in beta, too, so you will have to tolerate some hiccups