Abstract

Big Brother is watching your droid. His name is Binder.

As the only vehicle of IPC in Android, Binder is the system component that makes the operating system tick. A process running in a typical OS will hold dozens of handles to the system's hardware: hard disk, display adapter, network card, and many more. Android's unique architecture, on the contrary, means that a process will achieve the same tasks just by grabbing a file descriptor to the Binder device - greatly minimizing the attack surface against the kernel. As the god of IPC in Android, Binder controls an application's interaction with just about anything.

From that perspective, it becomes immediately apparent that this system component is a prime target for any Android malware. By controlling any single link in the long chain which leads down from the Java APIs to the native Binder code, an attacker could stealthily implement a keylogger, set up VNC-like functionality, modify sensitive data in transit, and do many other evil deeds.

In this presentation, we will showcase a POC rootkit which provides a basis for all of the above, and more. We will also give a comprehensive overview of Binder at the lowest level. We'll talk about how the data transport buffers are actually constructed, what gets sent down to the kernel, and what comes back up. We believe this is an important contribution to the security community: Binder has simply not been researched enough.