The Mystique bug chain shows a previously unidentified attack path that breaks the application sandbox on Android 11, the newest Android version at the time we discovered and reported the bug. By combining multiple zero-days discovered by us, an attacker's rogue app with zero permissions can silently bypass the Android application sandbox and gain control of any other application's process, such as Facebook, WhatsApp and Telegram. We named this chain Mystique after the Marvel comics character, because it possesses a similar ability.
¶Is it a remote code execution?
No, it is a local privilege escalation bug. It can, however, be combined with other RCEs, such as the Android RCE bug also discovered by us (CVE-2021-0515), which will be described in another article.
¶Is it fixed?
Yes, the bugs have been acknowledged and fixed by multiple vendors, with advisories published. The relevant CVE numbers are CVE-2021-0691, CVE-2021-25450, CVE-2021-0515, CVE-2021-25485 and CVE-2021-23243. The freshly released Android 12, and older Android devices with a security patch level of 2021-09 or later, have these bugs fixed; some major vendors backported the fix even earlier. You can use our tool app to detect whether you have been attacked by this bug chain.
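The fix criteria above (Android 12, or a security patch level of 2021-09 or later) can be turned into a quick inventory check. The following is an added example written for this page, not the researchers' detection tool or SDK: it parses the `[key]: [value]` lines that `adb shell getprop` prints, reads the standard `ro.build.version.*` properties, and classifies the device. The sample `getprop` output is constructed, and the API levels (Android 11 = 30, Android 12 = 31) are standard Android constants. Note the caveat the page itself gives: vendors that backported the fix earlier will show an older patch level and be reported here as vulnerable, so for a definitive answer use the researchers' tool app rather than the patch date alone.

```python
from dataclasses import dataclass

# From the advisory: Android 12, and older devices whose security patch level is
# 2021-09 or later, contain the fix. API levels are standard Android constants.
FIX_PATCH_LEVEL = (2021, 9)
ANDROID_11_SDK_INT = 30
ANDROID_12_SDK_INT = 31

# Constructed sample in the format printed by `adb shell getprop`
# (one "[key]: [value]" per line); not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.sdk]: [30]
[ro.build.version.security_patch]: [2021-08-05]
[ro.product.model]: [example-device]
"""


@dataclass
class DeviceInfo:
    release: str          # ro.build.version.release, e.g. "11"
    sdk_int: int          # ro.build.version.sdk
    security_patch: str   # ro.build.version.security_patch, e.g. "2021-09-05"


def parse_getprop(text):
    """Turn getprop output into a dict; lines that do not match the shape are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props


def device_from_props(props):
    return DeviceInfo(
        release=props["ro.build.version.release"],
        sdk_int=int(props["ro.build.version.sdk"]),
        security_patch=props["ro.build.version.security_patch"],
    )


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD' (or 'YYYY-MM') into a comparable (year, month) tuple."""
    parts = value.strip().split("-")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised security patch level: {value!r}")
    return int(parts[0]), int(parts[1])


def assess(info):
    """Classify a device against the fix status stated in the advisory."""
    if info.sdk_int >= ANDROID_12_SDK_INT:
        return "fixed: Android 12 or later"
    if parse_patch_level(info.security_patch) >= FIX_PATCH_LEVEL:
        return "fixed: security patch level 2021-09 or later"
    if info.sdk_int == ANDROID_11_SDK_INT:
        # Vendor backports earlier than 2021-09 are not visible here; confirm with the tool app.
        return "vulnerable: unpatched Android 11"
    return "unknown: release not covered by the advisory"


if __name__ == "__main__":
    device = device_from_props(parse_getprop(SAMPLE_GETPROP))
    print(device, "->", assess(device))
```

On a real device the input would come from `adb shell getprop` piped into `parse_getprop`; the three properties used are present on every Android build, so the only failure mode worth handling is a malformed patch string, which `parse_patch_level` rejects rather than silently treating as patched.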
¶Does Android have similar bugs before? What makes this bug different?
In the older days of Android there were a small number of vulnerabilities that could obtain every app's private data and privileges. Since the recent major security enhancements and improvements in code quality, such exploitable bugs are now rarely seen. This time, however, we exploited a small crack in this solid sandbox design and, combined with 0-days in major vendors' software, broke the implicit assumption that an app's package file is read-only, thereby gaining arbitrary privilege in userspace.
¶Is this bug related to hardware? How many devices are affected?
It is not related to hardware. All unpatched Android 11 devices are affected, which is about 800 million devices by our estimate.
¶What security mechanism does this chain bypass?
Every Android application runs in its own sandbox, with its code and data separated from other apps. Each app runs in its own Linux process under an assigned SELinux label, restricted by both MAC and DAC sandboxing. It is like rooms in a hotel: by default, the guest in room A cannot access room B. For memory corruption bugs, ASLR, stack cookie and CFI mitigations are also in place.
Mystique bypasses these restrictions, gaining the master key of the
CVE-2021-0691: A-188554048 EoP 11 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0691)
¶Reviews for Experts
- @windknown - CTO&Founder of Pangu Team
This research shows us the power of chained bugs: starting from a logic flaw introduced by a single line of change, combining it with multiple vulnerabilities in major vendors, and finally achieving realistic attacks with huge value, accessing any app's data and injecting code silently.
- Daniel Wa - Founder of GeekPwn and KeenTeam
The Mystique bug has a wide impact, affecting almost all Android 11 devices with a stable exploitation. We have rarely seen similar bugs nowadays. What's more, this chain is somewhat stealthy if exploited in the wild, making it hard to detect. The Android ecosystem will be safer with this kind of fix.
- Liang Chen - Three time Pwn2Own Master of Pwn winner
This is a quite new style of attack in the Android framework, which can silently steal user's privacy or even take control of the phone.
We provide a detection tool and SDK for users to determine:
- whether your phone has been attacked by the
- GitHub repo: https://github.com/DawnSecurityLab/Mystique_Detection_SDK
The result is only for reference and may contain errors. If you have questions, please contact us.
¶Vulnerability Hunting Framework
Vulnerability Hunting Framework is an automatic/semi-automatic vulnerability assessment framework developed by us at JD.com. Based on static program analysis and dynamic fuzzing techniques enhanced with AI, it is capable of performing deep privacy-risk and vulnerability scans on IoT devices, apps and systems, eliminating vulnerabilities before they go into production. We have identified tens of CVEs with this framework in the last six months. It plays a major role in the discovery of
It is now in the alpha test stage and is open for applications from research teams and enterprises. If you are interested, please do not hesitate to contact us at dawnsecuritylab # jd.com
¶Detail disclosure plan
Due to the fix status of these bugs, we will not disclose the details right now, in order to protect end users. We will release the details and a technical white paper at conferences in November.