Privilege escalation: The act of exploiting a design flaw or configuration oversight in an operating system to gain elevated access to resources.

Experts say fixes are available for most Android privilege-escalation vulnerabilities. So what’s the problem? The susceptible devices are not getting updated — that’s what.

The how, why, and when Android firmware is updated is a mystery. And people on the “dark side” hope it stays that way. If I were them, I would too: Millions of phones with exploitable weaknesses in active use — what’s not to like?

Our options:

  • Jailbreak the phone, then manually update it.
  • Buy a new phone.

How’s that work for you?

Need proof

I gave a talk about this conundrum last week. Afterwards, a veteran IT manager mentioned, “What you say may be true, but unless I have proof there’s nothing I can do.” She was right. And, I didn’t have an answer — until today.

There’s this little IT company in Ann Arbor, Michigan called Duo Security. They may be small in size compared to other Ann Arbor residents, Arbor Networks and Barracuda Networks, but they make up for it in staff horsepower.

For instance, consider the two co-founders, Dug Song and Jon Oberheide. That’s Dug, up close and personal with Android (at right), whereas Jon is wondering why they took the training wheels off (below).

I’ll get serious now. Dug, Jon, and the staff at Duo Security are well aware of the Android-update mystery and users not knowing whether their version of Android is vulnerable or not. So they did something about it.
What they did was create X-Ray, a vulnerability scanner for mobile Android devices. And it debuts today. So you can imagine how busy Jon and the others have been making sure X-Ray is ready.

But, I had some questions I needed answered for this article. So I twisted Jon’s arm, mentioning I could say far worse about his biking prowess.

Kassner: Hey, Jon. Congratulations on the release of X-Ray. Can you provide more detail as to what X-Ray does?

Oberheide: I’d like to start by explaining why vulnerabilities are not getting fixed, and why we felt it important to create X-Ray.

When you buy an Android device, a number of parties besides Google, including the carriers, manufacturers, and other third parties, control the installed software. When a security vulnerability is discovered, the process should be:

  • A patch is developed.
  • An Over-the-Air update needs to be pushed out to all the affected devices.

The onus is on the carrier to deliver the patch in a timely manner to their users.

Unfortunately, carriers have consistently failed to roll out security patches. There’s little incentive for them to expend the resources required to develop, test, and deploy patches and new Android versions to their users, especially when they can make money by forcing users to buy new devices in order to get newer firmware.

While Google has attempted to improve the situation with the Android Update Alliance, many have considered the effort a failure. The end result is users remain vulnerable for months after an exploit is disclosed, and actively exploited in the wild. The reason malware exploits Android vulnerabilities is to escalate privileges, and take full control of the mobile device.

X-Ray aims to give users visibility into the unpatched vulnerabilities on their device. While X-Ray can’t patch the vulnerabilities, it provides information on what vulnerabilities may be exploited by malicious apps.

Kassner: Jon, I see the app is not in Play Store. Why is that? How do we get X-Ray?

Oberheide: X-Ray can be downloaded by visiting the X-Ray site or using the QR code.

X-Ray is not distributed through the Play Store due to issues with Google’s terms of service. According to Google, security-testing tools that probe for firmware vulnerabilities are not allowed in Google Play.

Kassner: Even with vulnerabilities, I thought the user had to give permission for an app to install. How does this work?

Oberheide: The vulnerabilities detected by X-Ray can be exploited by malicious parties in a couple different scenarios:

  • The most common attack is when a user installs a malicious app and that app exploits one of these vulnerabilities to escalate its privileges.
  • A less common attempt, but still feasible, especially in targeted attacks, is when a user visits a malicious website that exploits the Android browser to first gain code execution. Next, a privilege-escalation exploit is used to take full control of the phone.

As to your point, we are concerned about malware that’s able to exploit vulnerabilities without requiring permission, so users are out of the loop.

Kassner: X-Ray detected vulnerabilities on my test phone. But it still does everything I want. What is the significance?

Oberheide: Security is rarely something that affects the end user until it’s too late. Despite being vulnerable, your phone may do everything you want. Even after you install a malicious app that exploits a vulnerability, your phone may still continue to do everything you want. The difference being your phone now does everything an attacker wants too.

Kassner: If X-Ray finds vulnerabilities what are our choices?

Oberheide: There are a few options:

  • The user can check for available official updates from their carrier, usually by going to Settings > About Phone > System Updates.
  • While it might not result in an immediate remediation, we encourage users to contact their carrier about the availability of a patch for vulnerabilities detected by X-Ray.
  • If no official carrier updates are available, the user could install a third-party Read Only Memory (ROM) — such as CyanogenMod — that may have patched the vulnerabilities. It’s worth noting that some third-party ROMs may introduce vulnerabilities of their own, so users should explore this option with caution.

If all else fails, X-Ray allows the user to understand the risk. If the user understands any malicious app they download can take full control of their device, perhaps they will be more cautious about the apps they’re downloading and installing.

Kassner: I see that Dug and you are former Arbor Network employees. Is that where you met? What future plans are in store for the Duo?

Oberheide: We met a bit prior to Arbor and have been scheming since to shake up the security industry. At Duo, we’ve taken a fresh approach to two-factor authentication that struck a chord with folks tired of a technology that has been stagnant for decades and everyone hates to use. We have a lot more in the pipe, continuing our quest of making security technology easy to deploy and use.

Final thoughts

When researchers find defects in software, the developer fixes them and uses some means to update all active copies. Case in point, notice how often your Android apps update. That’s been the process for years. For whatever reason, Android firmware is not following suit. Are you okay with that?

I’d like to thank Dug, Jon, and the crew at Duo Security for creating X-Ray and helping with this article.