I have a rooted device, with superuser rights granted to a few apps I trust. I have often found my /system or /vendor partition mounted read/write, and some files chmoded to 0777. Similarly directories/files with random names are created/deleted (e.g. /sdcard/.a03Degpoif), .nomedia files are created inside them to hide their contents from gallery etc.
logcat/dmesg contains no traces of all this happening in background. This doesn't happen periodically but in a slapdash way, internet connectivity isn't a condition either. I have tried disabling/uninstalling apps, looking for any suspicious processes running, but couldn't identify the culprit(s).
Is there a way to figure out who is doing this?
Answer
Note: Following solution requires a rooted device.
The only good thing Google did was to choose the flexible and configurable Linux kernel for Android, not going for something like a crippled kernel and trying to handle everything from userspace, including running a Linux kernel (1).
Linux kernel's Audit System makes it possible to log any system calls or filesystem changes made by a process. In our case we need to identify the process(es) which are writing to /sdcard or /system and making syscalls mount and chmod.
Linux distributions have a service auditd which communicates with kernel to get information about security-related events. On Android we have already logd, not as configurable as auditd but enough for basic monitoring. logd mainly covers the functionality of its desktop counterpart syslogd, but also includes klogd and partially auditd to get logs from SELinux subsystem of kernel.
We can add a few more rules using auditctl to also report events we are interested in. You can use auditctl from a minimal Linux environment on your Android device, or compile the binary from source code (should be built with --with-arm / --with-aarch64 whatever your devices' architecture is), or get one pre-compiled here.
Now create rules files in /etc or wherever you want to:
# /etc/audit-start.rules
# enable auditing, won't work in PID namespace
# won't work if permanently disabled with kernel parameter "audit=0"
-e 1
# delete previous rules (though there are none on Android)
-D
# increase the buffers to avoid failure
# no. of event to be queued, waiting for logd to read them
-b 10000
# disable rate limit (msgs/sec) to avoid failure
-r 0
# this determines how long to wait in burst of events
--backlog_wait_time 0
# set failure mode to dmesg
-f 1
# define filesystem rules, whatever file/directory you want to watch
-w /system -p wa -k FILESYSTEM_AUDIT
# define syscall rules, see all syscalls with 'ausyscall --dump' or
# here: github.com/linux-audit/audit-userspace/blob/master/lib/aarch64_table.h
-a always,exit -S fchmod -S fchmodat -k CHMOD_AUDIT
-a always,exit -S mount -k MOUNT_AUDIT
# /etc/audit-stop.rules
# clear on exit, restore Android default values
-e 0
-D
-b 64
-r 5
--backlog_wait_time 18000
Apply rules:
~# auditctl -R /etc/audit-start.rules
Now make changes; mount /system R/W, write/delete something there and change file permissions.
Depending on logd configuration, you can get audit log in one or more of different logs (2) including events buffer (3) of logcat and main buffer (4):
~# logcat -d -b events,main | grep _AUDIT
Or in kernel's printk buffer (5) and logact's kernel buffer (6):
~# dmesg | grep _AUDIT
~# logcat -d -b kernel | grep _AUDIT
audit(0.0:16122): arch=c00000b7 syscall=40 success=yes exit=0 a0=7fcec5db38 a1=7fcec5db3f a2=0 a3=8021 items=1 ppid=761 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="busybox" exe="/data/data/com.mixplorer/files/busybox/busybox" subj=u:r:magisk:s0 key="MOUNT_AUDIT"
audit(0.0:16126): arch=c00000b7 syscall=53 success=yes exit=0 a0=ffffff9c a1=7b839180c0 a2=81a4 a3=0 items=1 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="Thread-7" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="CHMOD_AUDIT"
audit(0.0:16141): arch=c00000b7 syscall=35 success=yes exit=0 a0=ffffff9c a1=7bc22a3c40 a2=0 a3=7bdfbd3098 items=2 ppid=11687 auid=4294967295 uid=10135 gid=10135 euid=10135 suid=10135 fsuid=10135 egid=10135 sgid=10135 fsgid=10135 tty=(none) ses=4294967295 comm="pool-2-thread-1" exe="/system/bin/app_process64" subj=u:r:untrusted_app:s0:c135,c256,c512,c768 key="FILESYSTEM_AUDIT"
First line shows that some process running as root with Magisk's SELinux context has made syscall 40 (mount) and the command shows it's MiXplorer app (just as example, I did that myself). Second line indicates that the app running with UID 10135 has chmoded something.
Third line shows the same app (by making syscall 35) deleted something in /system partition.
This is a simple use case. More recursive rules can be defined to deal with complex situations, interpreting other fields of log as well, as explained here.
To clear rules:
~# auditctl -R /etc/audit-stop.rules
NOTE:
- For simple cases where the objective is just to get notified of some filesystem changes (and not to trace the originator),
inotifyAPI can be used instead as explained in this answer. - In order to mark all the processes that run before the audit starts auditable by kernel, pass
audit=1boot parameter to kernel, either by editingcmdlineinboot.imgor usefastboot -coption. To save audit log to a file, run
logcatin background:logcat -s auditd -b events -f /data/media/0/auditd.log &
No comments:
Post a Comment