Is it easy to create persistent programs that run before Android's boot? (in firmware maybe)

Information Security Asked by Paprika on February 21, 2021

I’ve been wondering about which level of trust I can apply to a used phone bought from someone else. I can easily unlock the bootloader and flash a brand new Android. However, what about firmware customizations? What if there is something bad that runs before Android boots?

I’m not talking about something that the manufacturer plants in the phone, but something that the user or malware might have done.

It’s more a question of how easy it is to run things on Android beyond the flashed image. Can anyone do it with basic tools, or is this something hard, exploit-related that might be possible on some specific brand?

One Answer

If the bootloader is locked, all Android partitions are verified by Android Verified Boot (AVB), and the Android bootloader (ABL) is verified by secure boot, which is enforced by the chipmaker in production SoCs. On devices with Qualcomm Snapdragon SoCs, Qualcomm's Primary Bootloader (PBL) in the SoC verifies the Xtended Bootloader (XBL), XBL verifies ABL, and ABL enforces AVB.

To break this chain of trust, the attacker can exploit a vulnerability somewhere in the chain to bypass signature verification. One can also tamper with the PBL on the board. While modifying it may be considered feasible in theory, it is not scalable: the PBL is burned onto the CPU die and its public key is stored in eFUSE, which makes it tamper-resistant. Android has an infamous fragmentation problem; most Android devices never receive timely updates, and new vulnerabilities remain unpatched. Some critical vulnerabilities in chipmakers' bootloaders and the Android bootloader have been found in the past that could be used for persistent malware and for bypassing secure boot and AVB.

If your device's bootloader is locked and it has been factory reset, then it is running a stock image; otherwise the device would brick on first boot. The device can also run with a custom root of trust where the AVB key is user-generated. This allows the user to make their own modifications and re-sign the images to enforce a custom AVB. You can see the verified boot state of the device in bootloader mode:

Verified | SelfSigned | Unverified | Failed

Answered by defalt on February 21, 2021
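The verified boot state the answer refers to is also exposed to a running system through Android's `ro.boot.*` properties, so a buyer can check it with `adb shell getprop` without entering bootloader mode. The script below is an added example, not part of the original answer: it parses `getprop` output (a constructed sample is embedded; `ro.boot.verifiedbootstate` and `ro.boot.flash.locked` are standard Android boot properties) and maps the AVB boot-state colours to the four states the answer lists. The mapping assumes the AVB convention that green = Verified, yellow = SelfSigned (locked, custom key), orange = Unverified (unlocked) and red = Failed.

```shell
#!/bin/sh
# Added example (not from the original answer): classify a device's verified-boot
# state from the text output of `adb shell getprop`, so a second-hand phone can be
# checked before it is trusted. Property names are standard Android boot properties.

# Constructed sample of `adb shell getprop` output for an unlocked device.
SAMPLE_GETPROP='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [enforcing]
[ro.boot.vbmeta.device_state]: [unlocked]'

# getprop_value NAME TEXT: print the value of "[NAME]: [value]" from TEXT
# (empty output if the property is absent).
getprop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# is_bootloader_locked TEXT: exit 0 when ro.boot.flash.locked is 1, else 1.
is_bootloader_locked() {
    [ "$(getprop_value ro.boot.flash.locked "$1")" = "1" ]
}

# classify_boot_state TEXT: map the AVB colour to the state shown in bootloader mode.
classify_boot_state() {
    state=$(getprop_value ro.boot.verifiedbootstate "$1")
    case "$state" in
        green)  echo "Verified: locked bootloader, image signed with the OEM key" ;;
        yellow) echo "SelfSigned: locked bootloader, image signed with a user-supplied AVB key" ;;
        orange) echo "Unverified: bootloader unlocked, AVB not enforced" ;;
        red)    echo "Failed: verification failed" ;;
        *)      echo "Unknown: no ro.boot.verifiedbootstate reported" ;;
    esac
}

# Stand-alone run against the constructed sample.
classify_boot_state "$SAMPLE_GETPROP"
if is_bootloader_locked "$SAMPLE_GETPROP"; then
    echo "flash.locked=1 (locked)"
else
    echo "flash.locked=0 (unlocked)"
fi
```

On a real device, replace the sample with live output: `classify_boot_state "$(adb shell getprop)"`. A used phone that reports anything other than a green state with `ro.boot.flash.locked` set to 1 is not running an OEM-verified chain, which is exactly the situation the answer says a factory reset alone does not rule out.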
