S&P2025

Born with a Silver Spoon: On the (In)Security of Native Granted App Privileges in Custom Android ROMs

Chao Wang, Yanjie Zhao, Jiapeng Deng, Haoyu Wang

Abstract

The customization and fragmentation of the Android ecosystem have fostered its prosperity and highlighted the growing importance of conducting security audits on these customized systems. This significance is driven by the distinct strategies that Original Equipment Manufacturers (OEMs) deploy to enhance device performance and user experience, which are important to their competitive differentiation. A key aspect of these strategies includes system-level optimizations for super apps and other widely used apps, marking a competitive trend among OEMs. Granting privileges to such apps often stems from trust in these apps. However, without proper validation of apps' identities, this can lead to severe implicit trust vulnerabilities, providing a convenient pathway for malicious apps to impersonate privileged ones and gain their access rights. For malicious developers, exploiting these vulnerabilities is both cost-effective and potentially highly rewarding. In this study, we undertook a comprehensive analysis of 686 custom Android ROMs from 46 OEMs, aimed at uncovering potential security risks associated with implicit trust vulnerabilities in apps. Our investigation identified 3,085 instances where third-party app package names were embedded within the ROMs. Alarmingly, only seven of these instances had implemented adequate authentication mechanisms to mitigate the associated risks, exposing 3,078 potential vulnerabilities that exhibited an increasing trend over time. We have reported 22 manually confirmed cases to seven relevant OEMs. As of the time of writing this paper, four vulnerabilities have been explicitly acknowledged by the OEMs, and one has been assigned a CVE ID.
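The difference between a name-only privilege check and one that also validates the app's identity, as an added Python model that is not code from the paper or from any OEM ROM. The allowlist layout, class, function names, package names and certificate bytes are all hypothetical and constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class InstalledApp:          # hypothetical model of what the package manager reports
    package: str
    signer_certs: tuple      # raw bytes of each signing certificate

def digest(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

# Constructed sample data: placeholder bytes, not real certificates.
VENDOR_CERT = b"constructed-vendor-signing-cert"
OTHER_CERT = b"constructed-unrelated-signing-cert"

# Hypothetical ROM allowlist: package name -> pinned signer digests.
# An empty set models a package name embedded with no identity check.
ALLOWLIST = {
    "com.example.superapp": {digest(VENDOR_CERT)},
    "com.example.player": set(),
}

def grants_by_name(app: InstalledApp) -> bool:
    """Implicit trust: the package name alone decides."""
    return app.package in ALLOWLIST

def grants_by_identity(app: InstalledApp) -> bool:
    """Name must match and every signer must be pinned; unpinned entries fail closed."""
    pinned = ALLOWLIST.get(app.package)
    if not pinned or not app.signer_certs:
        return False
    return all(digest(c) in pinned for c in app.signer_certs)

def unpinned_entries(allowlist: dict) -> list:
    """Audit helper: allowlist entries that rely on the package name only."""
    return sorted(p for p, pins in allowlist.items() if not pins)

# Same package name, different signing certificate.
genuine = InstalledApp("com.example.superapp", (VENDOR_CERT,))
lookalike = InstalledApp("com.example.superapp", (OTHER_CERT,))

if __name__ == "__main__":
    for label, app in (("genuine", genuine), ("lookalike", lookalike)):
        print(label, grants_by_name(app), grants_by_identity(app))
    print("name-only entries:", unpinned_entries(ALLOWLIST))
```

The audit helper reflects the kind of question the study asks of a ROM: which embedded package names are backed by an authentication mechanism and which are not.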