Mystique

Download the vulnerability scanner to test whether your device is secure!
中文版阅读请点击这里

¶What's this Mystique bug?

The Mystique bug shows a previous unidentified new attack path, which breaks the application sandbox mechanism on the newest Android version of Android 11 (newest refer to the time when we discovered and reported this bug). Combining multiple zero-days discovered by us, the attacker's zero permission rogue app can silently bypass the Android application sandbox, gaining control of any other application's process such as Facebook, Whatsapp and Telegram. We named this chain Mystique after the famous Marvel comics character because it possesses similary ability.

¶Is it a remote code execution?

Nope, it's a local privilege escalation bug. But it can be combined with other RCEs, such as the Android RCE bug also discovered by us (CVE-2021-0515), which will be introduced in another article.

¶Is it fixed?

Yes, the bugs have been acknowledged and fixed by multiple vendors, with advisory published. The relevant CVE numbers are, CVE-2021-0691, CVE-2021-25450, CVE-2021-0515, CVE-2021-25485, CVE-2021-23243. The freshly released Android 12, and older Android devices with patch level newer and equal to 2021.9 have fixed these bugs, while some major vendors backported fix even earlier. You can use our tool app to detect if you have been attacked by this bug chain.

¶Does Android have similar bugs before? What makes this bug different?

In the older days of Android, there has been a small number of vulnerabilities that can obtain all app's private data and privilege. Since the recent major security enhancements and improvements of code quality, nowdays we can rarely seen such exploitable bugs. However this time we utilize a small crack in this solid sandbox design, combining with 0days in major vendors we successfully break the implicit assumption of the readonly app package file, thus gaining arbitrary privilege in userspace.

¶Is this bug related to hardware? How many devices are affected?

It's not related to hardware. All unpatched Android 11 devices are affected, which is 800 million devices according to our estimation.

¶What security mechanism does this chain bypass?

Every Android application runs in it's own sandbox, with code and data separated from others. Each runs in it's own Linux process with a assigned SELinux label, restricted by MAC and DAC sandbox. It's kind of like rooms in hotel in which guest in room A cannot by default access room B. For memory corruption bugs, ASLR/Stack Cookie/CFI mitigations are also in place.

However Mystique bypasses these restrictions, gaining the master key of the hotel.

¶Acknowledgements

CVE-2021-0691:  A-188554048 EoP 11 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0691)
CVE-2021-0515:  A-167389063 RCE	8.1, 9, 10, 11 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0515)
SVE-2021-21943 (CVE-2021-25450): Affected versions: O(8.1), P(9.0), Q(10.0), R(11.0) (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25450)
SVE-2021-22636 (CVE-2021-25485): Affected versions: Q(10.0), R(11.0) (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25485)
CVE-2021-23243 EoP (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-23243)

Android： https://source.android.com/security/overview/acknowledgements
Sumsang：https://security.samsungmobile.com/securityUpdate.smsb
Oppo：https://security.oppo.com/cn/noticeDetail?notice_only_key=20211632987608199

¶Reviews for Experts

• @windknown - CTO&Founder of Pangu Team

This research shows us the power of chained bugs, by starting from a logic flaw introduced by a single line of change and combine with multiple vulnerabilities in major vendors, and finally achieve realistic attacks with huge value of accessing any app's data and injecting code silently.

• Daniel Wa - Founder of GeekPwn and KeenTeam

The Mystique bug has a wide impact affecting almost all Android 11 devices with a stable exploitation. We have rarely seen similar bug nowadays. What's more, this chain is somehow steathy if exploited in the wild, making it hard to detect. The Android ecosystem will be safer with these kind of fixes.

• Liang Chen - Three time Pwn2Own Master of Pwn winner

This is a quite new style of attack in the Android framework, which can silently steal user's privacy or even take control of the phone.

¶Detection Tool

We provide detection tool and SDK for users to decide

1. If your phone has been attack by the Mystique exploit.
2. GitHub repo: https://github.com/DawnSecurityLab/Mystique_Detection_SDK
   The result is only for reference and may contain errors. If you have questions, please contact us.

Download link

¶Vulnerability Hunting Framework

Vulnerability Hunting Framework is an automatic/semi-automatic vulnerability assessment framework developed by us at JD.com. Based on static program analysis and dynamic fuzzing technique enhanced with AI, it is capable of perform deep privacy risk and vulnerability scan on IoT devices/apps and systems, eliminating the vulnerability before it goes into production. We have identified tens of CVEs with this framework in the last six months. It plays a major role in the discovery of Mystique chain.

It's now in alpha test stage and is open for application from research teams/ enterprises. If you are interested, please do not hesitate to contact us at dawnsecuritylab # jd.com

¶Detail disclosure plan

Due the fix status of these bugs, we will not disclose the details right now to protect end users. We will release the details and technical white paper in the conferences in November.