On November 22nd, Magisk author topjohnwu published an article mentioning that he discovered a vulnerability in millions of Android devices when he researched the root detection mechanism of the Fate/Grand Order mobile game. Using this vulnerability will leak the process information on the system. In addition to a few manufacturers such as Samsung, most manufacturers’ equipment is affected.
According to the information on the XDA Forum, the affected and unaffected devices are as follows:
|OEM||Device||Android Version||procfs Leaks|
|Asus||ZenFone 5Z||Android 8.0 Oreo||Yes|
|BlackBerry||KEY2||Android 8.0 Oreo||No|
|Essential||PH-1||Android 9 Pie||No|
|Pixel 2||Android 9 Pie||No|
|Pixel 3||Android 9 Pie||No|
|Pixel 3 XL||Android 9 Pie||No|
|Honor||Magic 2||Android 9 Pie||Yes|
|HTC||U12+||Android 8.0 Oreo||Yes|
|Huawei||Mate 20 X||Android 9 Pie||Yes|
|LG||G7 ThinQ||Android 8.0 Oreo||Yes|
|LG||V40 ThinQ||Android 8.1 Oreo||Yes|
|Motorola||Moto G4||Android 8.1 Oreo||No|
|Nokia||7.1||Android 8.1 Oreo||No|
|OnePlus||6||Android 8.1 Oreo/Android 9 Pie||Yes|
|OnePlus||6T||Android 9 Pie||Yes|
|Razer||Phone 2||Android 8.1 Oreo||Yes|
|Samsung||Galaxy Note 8||Android 8.0 Oreo||No|
|Samsung||Galaxy Note 9||Android 8.1 Oreo/Android 9 Pie||No|
|Samsung||Galaxy S7||Android 8.0 Oreo||No|
|Samsung||Galaxy S8||Android 8.0 Oreo||No|
|Samsung||Galaxy S9||Android 9 Pie||No|
|Samsung||Galaxy S9+ (Exynos)||Android 8.0 Oreo||Yes|
|Sony||Xperia XZ1||Android 9 Pie||No|
|Xiaomi||Mi Mix 2S||Android 9 Pie||Yes|
|Xiaomi||POCO F1||Android 8.1 Oreo||Yes|
In the Linux system, you can access the internal information of many kernels through the /proc file system. The hidepid option has been added to the Linux kernel 3.2 and above. This option defines how many other users can view information.
Google prevents apps from reading the status of other apps via procfs by mounting /proc with the flag “hidepid=2.” By mounting procfs with hidepid=2, apps can only see the status of their own process. Thus, an app would need to use the accepted APIs like UsageStats or AccessibilityService to gain information on what apps and services are running on the device.
Starting with android7.0, hidepid=2 should be set to 2 when /proc is mounted. In android9.0, SELinux has been enhanced. If the target API of the APP compile time is API 28 (Android 9.0), then even if a process without hidepid=2 is set, the information of other processes cannot be obtained. However, many APP compile time target APIs are still lower than API 28 (Android 9.0).
A SELinux context is like a label for a file which has information like the user and role. Apps with the same SELinux context can read information about other apps in the same context if the hidepid=2 flag is not enabled for procfs. On devices running Android 9 Pie, only apps that are built targeting Android Pie will have Android Pie’s new SELinux changes apply to them. Apps that target Android 8.1 Oreo or below will use the old SELinux rules, allowing them to access information about processes in the same SELinux context so long as procfs is mounted without hidepid=2.
At present, OEMs have been aware of this problem. Before the system update is released, users can download and install the ProcGate detection tool written by topjohnwu here. If your Android system is vulnerable, the ProcGate app will show other processes.
If you have root privileges, you can choose to use the app to run a”mount -o remount,hidepid=2,gid=3009 /proc” command to remount /proc to fix the problem. Users who affected by this vulnerability but cannot be repaired without root privileges are not too worried. The weakness is limited, and only some other process information can be leaked. The vulnerability cannot be used to obtain sensitive data such as root privileges or user passwords.