Uncovering Android Binder Service Vulnerabilities: Exploits, Causes, and Fixes

Introduction

In the previous article "Android Local Service Vulnerability Mining – Part 1" we introduced vulnerability mining for Android local services that use Socket. This second part focuses on Binder services, covering basic concepts, attack surfaces, and exploitation methods.

Fundamental Knowledge

Binder services can be classified by scope and architectural layer into four types:

Origin Binder Service : unofficial name for services in the /dev/binder namespace whose entry point is a manually coded onTransact interface.

AIDL Binder Service : uses Android Interface Definition Language (AIDL) to define the interface.

HIDL Binder Service : uses HAL Interface Definition Language (HIDL) for communication between HAL and other processes.

Vendor Binder Service : resides in the /dev/vndbinder namespace and is used for communication between vendor processes.

Origin Binder Service

Before Android 8, most Binder services were Origin services. The code quality of AOSP was relatively low, leading to many security bugs discovered by researchers.

Collecting Information

Two common ways to locate a Binder service and its entry function are:

Running the built‑in service list command. Note that many entries are pure Java services; for memory‑corruption bugs, focus on C/C++ services.

Searching the Android source for onTransact implementations, e.g., via cs.android.com.

Vulnerability Mining

Most bugs stem from improper validation of client‑supplied Parcel data, leading to memory corruption such as uninitialized memory, out‑of‑bounds reads/writes, and type confusion. Exploitation can be manual auditing or fuzzing, but fuzzing is often ineffective because:

Parcel data contains complex types (file handles, native handles, parcelable objects) that generic mutators struggle to handle.

Service interfaces have contextual dependencies; triggering one method may require prior calls to another.

Deep services may require interaction through public interfaces.

Low code complexity makes manual auditing efficient.

Uninitialized Memory

Example CVE‑2020‑0134 shows a stack‑allocated state variable that is not initialized before being passed to getOfflineLicenseState. If the function returns early, state remains undefined and is later written back to the client:

reply->writeInt32(static_cast<DrmPlugin::OfflineLicenseState>(state));

Other uninitialized‑memory patterns include:

Calling Parcel::read(void* outData, size_t len) without checking the return value when the parcel is shorter than len.

Binder objects whose member variables are never initialized in constructors.

Starting with Android 12, the compiler zero‑initializes stack variables by default, greatly reducing this class of bugs, though large heap allocations may still be exempt for performance reasons.

Out‑of‑Bounds Read/Write

In CVE‑2020‑0346, the ATTACH_BUFFER branch deserializes a GraphicBuffer from parcel data. An integer overflow in the size calculation ( static_cast<size_t>(3 + numIntsInToken) * sizeof(int)) causes sizeNeeded to be smaller than the actual buffer, bypassing length checks and leading to an out‑of‑bounds memcpy write.

Type Confusion

CVE‑2021‑1027 demonstrates type confusion in the SET_TRANSACTION_STATE branch. A ComposerState structure contains a layer_state_t with an IBinder member surface. The code casts this weak handle to a Layer::Handle without validation, allowing a malicious client to supply a crafted object that the service treats as a valid layer, leading to arbitrary memory access.

For more details, see the Google patch: https://android.googlesource.com/platform/frameworks/native/+/a8c7c54eed57e5a4b56905a4fb00e27e25b1b908 .

Summary

Recent statistics from Pixel devices show a sharp decline in Origin Binder (C/C++) services and related vulnerabilities. Researchers are encouraged to explore other attack surfaces such as business‑logic flaws, permission checks, and smart‑pointer lifecycle issues, which may yield new findings.

References:

https://source.android.com/docs/security/bulletin/