Still Vulnerable Out of the Box: Revisiting the Security of Prepaid Android Carrier Devices

  • 14:00, Wed 15 Nov
  • Briefing Stage 3


Prepaid Android smartphones present an attractive option since they can be used and discarded at will without significant financial cost. Prepaid smartphones offer value, but there may be an additional "cost" behind their cheap price. We present an examination of the local attack surface of 21 prepaid Android smartphones sold by American carriers (and 12 unlocked devices). While examining these devices we discovered instances of arbitrary command execution in the context of a "system" user app, arbitrary AT command execution, arbitrary file write in the context of the Android System (i.e., "system_server"), arbitrary file read/write in the context of a "system" user app, programmatic factory reset, leakage of GPS coordinates to a loopback port, numerous exposures of non-resettable device identifiers to system properties, and more.

The only user interaction that our threat model assumes is that the user installs and runs a third-party app that has no permissions or only a single "normal" level permission, which is automatically granted to the third-party app upon installation. The installed third-party app can leverage flaws in pre-loaded software to escalate privileges, indirectly performing actions or obtaining data while lacking the privileges needed to do so directly. Due to a wide range of local interfaces with missing access control checks and inadequate input validation, a third-party app's behavior is not truly circumscribed by the permissions that it requests. Because pre-loaded software from Android vendors, chipset manufacturers, carriers, and vendor partners is commonly included across many devices, exploit code can have significant breadth.