System-level attacks against android by exploiting asynchronous programming

To avoid unresponsiveness, Android developers utilize asynchronous programming to schedule long-running tasks in the background. In this work, we conduct a systematic study on IntentService, one of the async constructs provided by Android using static program analysis, and find that in Android 6, 974 intents can be sent by third-party applications without protection. Based on this observation, we develop a tool, ATUIN , to demonstrate the feasibility of attacking a CPU automatically by exploiting the intents that can be handled by an Android system. Furthermore, by investigating the unprotected intents, we discover tens of critical vulnerabilities that have not been reported before, including Wi-Fi DoS, telephone signal blocking, SIM card removal, homescreen hiding, and NFC state cheating. Our study sheds light on research into protecting asynchronous programming from being exploited by hackers.