Man in the Binder: He Who Controls the IPC Controls the Droid

At Black Hat Europe, Check Point researchers Nitay Artenstein and Idan Revivo presented their new research on what may become the new frontier of mobile malware attacks, “Man in the Binder: He Who Controls the IPC, Controls the Droid.” Their research into Android’s unique operating system (OS) architecture showed that data and information stored and communicated on Android devices could potentially be captured through the Binder, the message-passing mechanism in inter-process communication (IPC).
The research found that, as the single point of communication, the Binder is a natural target for Android malware. In a typical OS, a process holds dozens of handles to the system’s hardware: hard disk, display adapter, network card, etc. Under Android’s OS architecture, a process achieves the same tasks through the Binder, which carries all of an application’s interactions. Data communicated over the Binder can be captured, and Check Point’s research demonstrated the ability to intercept sensitive details such as keyboard, in-app and SMS data.

Key Findings:

  • Man in the Binder uncovers the role of the Binder, a message-passing mechanism for Android devices
  • Because of the Binder’s central role in Android OS architecture, information sent and received through applications on a device, including those that are secured through two-factor authentication, encryption lines, and other security measures, can be intercepted
  • Examples of data intercepted via the Binder in this research included device keyboard input, in-application activities such as banking transactions, and SMS messages
  • The Check Point Malware and Vulnerability Research Group is highlighting the potential for new Android malware, and encourages security professionals and Android developers alike to take note and collaborate on the issue, as well as research new protection mechanisms

For more information on Man in the Binder, download the whitepaper here or download it from Black Hat Europe.