Android Binder Vulnerabilities and Exploitation Techniques Using Drozer

The article reviews real‑world Android Binder vulnerabilities—including lock‑screen bypasses, Samsung shutdown eavesdropping, theme escalation, and system DoS—explains the Binder IPC architecture, and demonstrates how the drozer framework can be used for automated fuzzing, AIDL‑based, reflection‑based, and shell‑script exploitation of high‑privilege services.

Meituan Technology Team

This article is derived from the author's presentation at KCon 2016; the original talk is titled "Binder fuzzing based on drozer".

The author first lists several Android security issues discovered in practice, including a lock‑screen password bypass affecting Android 6.0/6.0.1/7.0, Samsung shutdown eavesdropping, unauthorized theme modification on Samsung devices, and a system denial‑of‑service (DoS) vulnerability.

Android lock‑screen password bypass: A malicious APK or binary can clear all lock‑screen credentials (PIN, pattern, password, fingerprint) on the affected versions. The vulnerability is identified as CVE‑2016‑3749 and CVE‑2016‑3908. The author reported it to Google in May 2016; Google had already discovered it internally and marked the first report as a duplicate. A patch released in July 2016 fixed the setLockPassword() and setLockPattern() functions.

Samsung shutdown eavesdropping: Exploits CVE‑2016‑9567 by invoking the undocumented setmDNIeScreenCurtain() function to simulate a shutdown while keeping the microphone active.

Samsung theme privilege escalation: A related vulnerability that allows unauthorized modification of the device theme.

System DoS vulnerability: Demonstrated via an NFC tag that triggers a crash in a high‑privilege system service.

The common thread of these bugs is the Android Binder IPC mechanism. The article then introduces Binder:

"In the Android platform, the binder is used for nearly everything that happens across processes in the core platform." – Dianne Hackborn, Google.

Binder is a high‑performance, secure client‑server communication system implemented in the /dev/binder driver and uses shared memory. It relies on design patterns such as Proxy, Mediator, and Bridge, and involves concepts like IBinder, AIDL, ServiceManager, and Binder Tokens.

The author presents drozer, an open‑source Android security testing framework (similar in spirit to Metasploit) composed of a Console, an Agent, and a Server. The Agent runs on the device and requires only the INTERNET permission; it opens a ServerSocket on port 31415, and the Console connects to it to interact with the Dalvik runtime, other apps, and system services.

Drozer leverages Java reflection and dynamic class loading. Modules can be written in Java or Python; the framework can upload an APK to the Agent’s cache and load classes at runtime.

Two operating modes are described:

Direct mode: The Agent is installed on a device, a USB connection forwards the port, and the Console sends commands directly.

Infrastructure mode: A remote Drozer Server mediates connections, optionally protected by passwords and SSL.

It is also possible to compile a headless malicious Agent that reconnects to a specified server IP/port, enabling remote control after social‑engineering attacks. Public modules such as drozer‑modules provide functionalities like calling, SMS, contact extraction, and file transfer.

Automated vulnerability discovery with Drozer: The author describes two fuzzing techniques:

Intent fuzzing: Sending malformed serialized objects to exported components, causing crashes or DoS in high‑privilege services.

System service call fuzzing: Enumerating services via adb shell service list, then invoking service methods (e.g., adb shell service call lock_settings CODE i32 -1) with random or malformed arguments generated by tools like Ramda.

To implement fuzzing in a Drozer module, place the logic inside the execute() function. Modules must be (re)installed after changes, but core logic can be kept in external Python scripts that drive the fuzzing process and log parameters and logcat output.
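The external driver script described above logs each service call it issues together with the logcat output captured afterwards, and the useful result of such a run is the set of distinct crashes, attributed to the call that preceded them. As an added example (not code from the original article or from drozer), the script below triages such a log: it assumes the driver writes a HARNESS line before every call, matches Java crashes (FATAL EXCEPTION plus the exception class on the following line) and native crashes (Fatal signal lines), and collapses repeated hits into one finding per service, transaction code and crash signature. The log, the service names and the crash lines in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of an interleaved fuzz-driver log (not real device output):
# a HARNESS line records the call the driver issued; the lines after it are
# the logcat output captured before the next call.
SAMPLE_LOG = """\
HARNESS call service=demo_service code=10 args=i32 0
I/ActivityManager(  812): Start proc 4123:com.example.app/u0a77 for activity
HARNESS call service=demo_service code=10 args=i32 -1
E/AndroidRuntime(  812): FATAL EXCEPTION in system_server
E/AndroidRuntime(  812): java.lang.ArrayIndexOutOfBoundsException: length=1; index=-1
E/AndroidRuntime(  812):     at com.example.server.DemoService.onTransact(DemoService.java:88)
HARNESS call service=demo_native code=3 args=s16 'AAAA'
F/libc    ( 1532): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 1540 (Binder_2)
HARNESS call service=demo_native code=3 args=s16 'BBBB'
F/libc    ( 1532): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 1551 (Binder_3)
"""

HARNESS_RE = re.compile(r"^HARNESS call service=(\S+) code=(\d+) args=(.*)$")
# Exception class on the line following "FATAL EXCEPTION"; pid is not part of the identity.
JAVA_EXC_RE = re.compile(
    r"^E/AndroidRuntime\(\s*\d+\): (?P<cls>[\w.$]+(?:Exception|Error))(?::|$)")
# Native crash header as printed by bionic's signal handler; tid is dropped from the identity.
NATIVE_RE = re.compile(
    r"Fatal signal (?P<num>\d+) \((?P<name>SIG\w+)\), code \d+, fault addr (?P<addr>0x[0-9a-fA-F]+)")


@dataclass
class Crash:
    service: str
    code: int
    args: str        # the argument string the driver passed to "service call"
    kind: str        # "java" or "native"
    signature: str   # pid/tid-independent identity used for de-duplication


def triage(log_text):
    """Pair every crash in the log with the harness call issued just before it."""
    last_call = None
    in_java_crash = False
    crashes = []
    for line in log_text.splitlines():
        m = HARNESS_RE.match(line)
        if m:
            last_call = (m.group(1), int(m.group(2)), m.group(3))
            in_java_crash = False
            continue
        if last_call is None:
            continue  # output before the first call cannot be attributed to a call
        if "FATAL EXCEPTION" in line:
            in_java_crash = True  # the exception class follows on the next line
            continue
        if in_java_crash:
            m = JAVA_EXC_RE.match(line)
            if m:
                crashes.append(Crash(*last_call, "java", m.group("cls")))
                in_java_crash = False
            continue
        m = NATIVE_RE.search(line)
        if m:
            sig = f"{m.group('name')}@{m.group('addr')}"
            crashes.append(Crash(*last_call, "native", sig))
    return crashes


def dedupe(crashes):
    """Collapse repeated hits of one (service, code, signature); keep the first reproducing args."""
    buckets = {}
    for c in crashes:
        key = (c.service, c.code, c.signature)
        if key not in buckets:
            buckets[key] = {"service": c.service, "code": c.code, "kind": c.kind,
                            "signature": c.signature, "first_args": c.args, "hits": 0}
        buckets[key]["hits"] += 1
    return list(buckets.values())


if __name__ == "__main__":
    for finding in dedupe(triage(SAMPLE_LOG)):
        print(f"{finding['service']} code={finding['code']} {finding['kind']} "
              f"{finding['signature']} hits={finding['hits']} first_args={finding['first_args']}")
```

Keying the de-duplication on the exception class or signal plus fault address, rather than on the raw line, is what keeps a long fuzzing run from reporting the same bug once per iteration; the recorded first_args is the input to hand to the service owner for a fix.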

The article concludes with several exploitation approaches:

Using AIDL: Generate Java interfaces from AIDL files and interact with bound services.

Java reflection: Directly invoke hidden methods without AIDL.

Integrating with Android source: Compile exploit code within the Android platform source tree (see BinderDemo).

Shell script invocation via Java: Run the command through Runtime.exec() and wait for the process to finish:

// Run a shell command from Java; waitFor() blocks until the process exits
Runtime runtime = Runtime.getRuntime();
Process proc = runtime.exec(command);
int exitCode = proc.waitFor();

Example shell command: service call lock_settings 10 i32 0

The author, a security engineer at Meituan‑Dianping Financial Services Platform, has been researching Android security and vulnerability exploitation for nearly four years and plans to continue sharing technical articles to improve developers' security awareness.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Android, Security, Vulnerability, fuzzing, Binder, Drozer

Written by Meituan Technology Team

Over 10,000 engineers powering China’s leading lifestyle services e‑commerce platform. Supporting hundreds of millions of consumers, millions of merchants across 2,000+ industries. This is the public channel for the tech teams behind Meituan, Dianping, Meituan Waimai, Meituan Select, and related services.