So our next speaker is Jonathan Bar Or, on how getting a free phone got me to report critical vulnerabilities affecting millions of Android devices. I am so glad you did that. Thank you. Jonathan Bar Or, JBO, is the Microsoft Defender research architect for cross-platform... blah-blah-blah. I rented these looks this morning; they're not working. Research architect for cross-platform, focusing on macOS, Linux, Android and iOS research. Jonathan has rich offensive security research on various platforms and architectures, as well as a combination of defensive skills and threat research. So without any further ado, Jonathan, take it over.

Thank you. Yeah, you need to pick up a microphone in order to... Yeah, hold on, turn it on. Hold on, do I pick that with R or L? Come on, leave it to her. Just the left click. Jesus. All right, can anyone hear me at all? I can't... Yes, we hear you just fine. So I do have the mic right now? I think so. All right, awesome. Real quick, it doesn't look like I have the mic, but let me... Okay. I turned the megaphone on for you, so it should work. All right. So thank you so much.

So, let's go on to the next slide, please. Who am I? My name is Jonathan Bar Or, or JBO for short. That's my Twitter handle if you ever want to contact me. As I was introduced, I'm the Microsoft Defender for cross-platform research architect. That's basically a very long name, but it basically means that I look at everything that does not run Windows, and that's my responsibility. I do Windows once in a while though, especially when it comes to, you know, the things that intertwine between Windows and other operating systems, like WSL and WSA. And I released some cool blog posts this year on all of these platforms.
The ChromeOS one will be released soon. Next slide, please. Well, how did this get started? I relocated to the US back in 2017, and I'm an Android user, so I relocated with the same old Android phone that I had back home. And my carrier, who shall not be named, decommissioned 3G and transitioned into 5G, right, with all the cool stuff that it brings. And because my phone didn't support 5G it basically became useless, so they decided to send me a free phone as compensation. And, you know, my brain started pounding and I'm like, should I really trust them? And I decided not to trust their phone blindly and actually see what's inside, and buy myself a new phone and play with the old one. Next slide, please.

So when exploring a brand new phone you can do a bunch of stuff, but first things first, you know, the easiest things. I decided to look at apps, and I discovered that there are tons of system apps there. One of them seemed to be bundled with something called DT Ignite, which is an advertisement framework that might install new apps on your phone silently based on your browsing habits. It sounds terrible, but I'm actually not here to talk about that. I'm here to talk about something else that I discovered. So I discovered tons of stuff, but one thing in particular caught my eye, and that was something called a Device Health app. It's a system app and it had tons of permissions, and that's our focus for today.
Next slide, please. Just some background if you're really unfamiliar with Android. Android apps are conceptually archives. They're not really archives, but you can think of them as archives, and they contain various files. Those files are resources, code, metadata, digital signatures; you know, they're all separated by design and are basically different files. And one of the most important sections there is called a manifest, which contains metadata about the app: the app name, version, activities in it, as well as permissions. And the first thing in any Android app analysis is to examine the permissions that it has. It's saved under AndroidManifest.xml as binary data, but any basic Android analysis tool translates that XML to human-readable text. So just some background. Next slide, please.

And this is a list. I don't know how much you can see without the VR thingy, but this is a pretty big list of what the app is capable of doing. Basically it can access the internet, access Wi-Fi state, read phone state, read external storage, get package sizes, use the camera, use the fingerprint, record audio, read phone numbers, and it can do a bunch of stuff that, you know, is really overwhelming. And the list goes on and on; this is just a partial screenshot.

So when you look at the activities, they're also in the manifest XML file, the thing that shows the metadata of the package. You can see that there is the main activity called com.mce MainActivity, and then there are a bunch of other things there, like the actions and so on. And the thing that caught my eye is the last two readable lines: the one that says browsable, and then it has the Android scheme mcedigital. So this is basically the main activity, and it's browsable. Next slide, please.

Browsable activities: the app registers a new scheme called mcedigital, right? And basically when the scheme is browsed to, this is an Android feature, right?
The main activity starts, and this is, for example, how when you open a Zoom link, you know, Android knows to start Zoom with the right parameters. It's basically a way for an app to say, hey, I want to register that scheme, and whenever that scheme is accessed, please wake me up. And this is the first obvious foothold for a logical remote code execution. Mentally, that's how I imagine it in my mind. Sometimes an attacker can pass malicious data with a scheme that will be parsed by the activity, like a buggy scheme URL, GET parameters, and so on. And the next analysis goal for me is, well, what does the app do once it launches through the scheme, and can I give it any meaningful input right from the URL that's being accessed? Next slide, please.

Something about WebViews, if you've completely been living under a rock in the Android world. In Android, WebViews are basically components that can parse and present web content, including JavaScript capabilities. So they're almost like mini browsers, if you will. They're useful for developers, especially for engines that use them extensively cross-platform, right? So if you want to write an app and make it available on Android and iOS you can use that, and the WebView is a component.
Well, React will do that, but WebView is a component that will be used extensively, actually, to run that app, and a lot of apps rely on WebViews. That's not very new. And, you know, a security question is that granting WebView capabilities to do certain things, because a lot of apps are, you know, relying on WebViews, is quite problematic. Like, think of unlimited file access from something that behaves like a browser, right? And plausible scenarios where an attacker could actually inject malicious code into the WebView. And the question is, how does Android solve this problem? Next slide, please.

And this is achieved by something called an Android JS bridge. An app has a WebView, and it can declare a JavaScript interface and attach it to the WebView, and from that point on the WebView can actually invoke methods in the app by that interface and get responses back. The data that can be sent is limited to primitive data types in the Java virtual machine. And this is what's called an Android JS bridge. Next slide, please.

This is a toy example of a JS bridge. In the first part you can see Java code that will run in the Java app on the Android device, and you can see that I declare a class called JSInterface. I have to declare something called @JavascriptInterface; that's an annotation on a method, and then the method actually just adds two numbers. So nothing scary here. And you can see that I had to do two other things. Given a WebView, I had to basically enable JavaScript, then I basically call addJavascriptInterface with an instance of that class that I just showed and expose it under a name; in this case I expose it under someName. And then the WebView can run JavaScript.
That's the lower part of the page here, and it will basically invoke window.someName.addNumbers, just invoke it like that, and the parameters and everything will be sent from the WebView to the Android app and then basically invoked, and I can also get the result. So this is how you add two numbers with an Android JS bridge. Next slide.

Just a little more background on Android JS bridges: only methods that are annotated with the @JavascriptInterface annotation (you've seen that one two slides ago) can be invoked, starting API level four, which is ages ago. Otherwise, you get this funny vulnerability where the WebView can do window.someName.getClass().forName(...) or whatever, and you can basically get the Runtime.exec method, right? This happened in 2004 or something, so very, very old, and you can't do that anymore after, you know, Android API level four. And therefore what I'm trying to say is that an analysis of a JS interface should examine the methods that are annotated with that @JavascriptInterface. Right, so this is kind of like background on why I'm doing what I'm doing. Next slide, please.

If we're going back to my app analysis, we have the health app, right, and the health app basically is browsable. One thing that I discovered is that it also has a WebView called JarvisWebView; that's how they declare it in the classes there. And the WebView has an attached JavaScript interface called JarvisJSInterface; that's just the name that they expose. And the interfaces can be accessed from within the web page via the JavaScript bridge, and invoke accessible methods. And one remark is that they're notorious for trust issues, right?
In many cases the app can blindly trust the WebView's input, right? And next slide, please. This is kind of like a code blurb of the annotated methods that I found. You can see three out of four of the annotated methods, and I'll explain why I added the third one as well. The first one is called init; it gets a string and it basically saves something that I, while reversing, just called a public name. The second one is called request; it gets a string and it calls super.request with that string. The third one is called sendResponse, and it's not annotated, so you can't really access it from the WebView. And the fourth one is called windowClose, which is not very interesting, and I'm just not going to talk about that at all. Next slide, please.

From a software design perspective, the JarvisJSInterface that we saw in the app works as an asynchronous server to the JavaScript client. It gets requests in the three methods that I've just shown you, and returns callbacks by injecting JavaScript back into the WebView. So this kind of explains the stuff that we saw earlier. init basically gets a string and saves it; that string is going to be used later as a callback JavaScript function to the client. closeWindow is not very interesting, and request serves the requests from the JavaScript client. And this also explains the response method that we saw earlier. Would you actually mind going back one slide? Is that possible? Awesome, thank you. So the sendResponse method that we saw is going to be invoked later by the app when it's ready to send a response. And if you can see the code there, I know it's a bit difficult, but basically it's going to build a URL that starts with javascript: and add some JavaScript code there, that also includes the callback name by the way, and basically inject it with loadUrl. That's the last line in the third method here.
So next slide, and then next slide again. Thank you. The request method, well, the request method actually invokes the superclass's request, and the superclass for that JarvisJSInterface is just called ServiceTransport. And after some unimportant tasks, I examined what it does, and it will treat the input string as a JSON object and extract some members from it. Those are the four members. First of all, there is context, which I think of as a request ID, basically. In an asynchronous model, when you have a client and a server, the client needs to supply, or in some way there needs to be, tracing of some request ID. So that's the context, basically. service is a service name; more on that later. command is an integer, effectively a command number, and data is effectively the arguments that are sent with that command. Next slide, please.

And, you know, when you start to take a look at the services that are implemented, again, let me remind everyone: if I have malicious code that runs in the WebView, I can basically invoke the JarvisJSInterface methods; one of them is called request, and with request I can actually invoke services. And what does that mean?
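The two halves of the bridge described above (the javascript: URL that sendResponse hands to loadUrl, and the {context, service, command, data} request that request passes to the transport) are modelled in the following added example. This is not code from the talk, the app or the framework; the function names, the identifier pattern and the service-name tokens in the allowlist are my own assumptions. It puts the unsafe string concatenation beside a hardened builder that JSON-encodes every argument, and adds a request validator that runs before any reflection-based dispatch; the same concatenation problem applies to the flowInput member discussed later in the talk.

```javascript
// Added example, not the app's or the framework's code. Models the
// Jarvis-style bridge described in the talk: the "javascript:" URL the app
// builds for sendResponse/loadUrl, and the {context, service, command, data}
// request that the request method hands to the transport layer. Function
// names, the identifier pattern and the service allowlist are assumptions.

// Unsafe shape: the saved callback name and the response payload are pasted
// straight into a javascript: URL. A double quote inside the payload ends the
// string literal, and whatever follows runs as code in the WebView.
function buildResponseUrlUnsafe(callbackName, context, payload) {
  return 'javascript:' + callbackName + '("' + context + '", "' + payload + '")';
}

// Hardened shape: the callback name must be a plain identifier, and every
// argument is JSON-encoded so quotes, backslashes and newlines stay inside
// the string literal instead of terminating it.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function buildResponseUrlSafe(callbackName, context, payload) {
  if (!IDENTIFIER.test(callbackName)) {
    throw new Error('callback name is not a plain identifier');
  }
  return 'javascript:' + callbackName + '(' +
    JSON.stringify(String(context)) + ', ' + JSON.stringify(String(payload)) + ')';
}

// Structural check a reviewer can run over a generated URL: exactly one call
// to one identifier with two properly quoted string arguments, nothing after.
function isSingleCall(url) {
  return /^javascript:[A-Za-z_$][A-Za-z0-9_$]*\("(?:[^"\\]|\\.)*", "(?:[^"\\]|\\.)*"\)$/.test(url);
}

// Request side. The talk lists audio, camera, connectivity, device, location
// and package-manager services; the exact string tokens below are assumed.
const ALLOWED_SERVICES = new Set([
  'audio', 'camera', 'connectivity', 'device', 'location', 'packagemanager',
]);

// Parse and validate a request string before any reflection-based dispatch.
// Returns a normalised request object or throws on anything unexpected.
function parseRequest(raw, allowedServices = ALLOWED_SERVICES) {
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch (e) {
    throw new Error('request is not valid JSON');
  }
  if (typeof obj !== 'object' || obj === null || Array.isArray(obj)) {
    throw new Error('request must be a JSON object');
  }
  const { context, service, command, data } = obj;
  // context is only ever echoed back to the page, so keep it to a safe charset
  if (typeof context !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(context)) {
    throw new Error('bad context');
  }
  if (typeof service !== 'string' || !allowedServices.has(service)) {
    throw new Error('unknown service: ' + String(service));
  }
  if (!Number.isInteger(command) || command < 0) {
    throw new Error('command must be a non-negative integer');
  }
  if (data !== undefined && (typeof data !== 'object' || data === null || Array.isArray(data))) {
    throw new Error('data must be an object');
  }
  return { context, service, command, data: data === undefined ? {} : data };
}
```

The point of isSingleCall is that it is cheap to run in a unit test over every response the bridge can emit: the concatenating builder fails it as soon as a payload carries a quote, while the JSON-encoding builder passes regardless of payload content. Rejecting unknown service names before reflection is what keeps an injected page from reaching services such as device or packagemanager that the page was never meant to drive.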
So I started reverse engineering that thing, and there are many services that get registered in a global table. I won't bore you with the gory details too much, but basically there is some global table where the resources are saved, and each service declares its exposed methods, maps them to command numbers along with the argument names and types it expects, and the entire request is being translated on the fly with Java reflection. And each request can also invoke the sendResponse method that we saw earlier to actually return a response to the client. Next slide, please.

Some of the invocable services that I saw. This is a very partial list of interesting services that are accessible from the WebView. One of them is audio: you can control audio on the phone, including peripheral volumes and stuff like that. Camera: you can take silent camera pictures. Connectivity: you can basically control Wi-Fi, Bluetooth, NFC and whatnot. Device: controls many aspects of the device; I also found the command injection there, more on that later. Location: you can access GPS and whatnot. Package manager: you can control packages.
You can install new apps, which, by the way, because you're a system app you can do silently. So, not great. So basically my understanding is that he who controls the JavaScript controls the device. If you're able to get malicious JavaScript code into the WebView you basically win, because it can do a lot of that stuff and many, many more. Next slide, please.

This is an example of the camera service. This is actually how the code looks after some refining by me. Basically, all services must implement something called setServiceMethodsMap; that's what I referred to earlier as kind of registering their own methods. And you can see that there are two methods exposed here: one of them is getCameraList and the other one is captureStillImageNoPreview. getCameraList basically gets no arguments, and captureStillImageNoPreview gets one argument, which is called the camera ID, and it's a string. And there is another class called IPC which maps the method names to the actual numbers, so method number zero is getCameraList and method number one is captureStillImageNoPreview. That's just an example of how a service looks, and then the service can implement those methods however it sees fit. Next slide, please.

Well, one of the services, in device specifically, this is just a command injection that I found; I mentioned that two slides ago. One of the services gets an activity name and tries to stop it by running the following command: am force-stop, open quotes, activity name, close quotes. And guess what happens with the activity when the activity name has quotation marks? So surprise, surprise, if the activity name has quotation marks you can basically run arbitrary commands, right?
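The force-stop command injection just described comes down to interpolating an attacker-influenced name into a shell string. The following added example (not the framework's code; the function names, the component-name pattern and the sample names are my own) puts that vulnerable shape next to a hardened one that validates the name against the shape an Android package or component name can actually take and returns an argv array for a no-shell process API, plus a small metacharacter check that a reviewer or a detection rule can apply to logged arguments.

```javascript
// Added example, not the framework's code. Models the device service's
// force-stop behaviour described in the talk. Function names, the regex and
// the sample names are assumptions made for this example.

// Vulnerable shape: the name is interpolated into a shell command string.
// A double quote in the name closes the argument, and anything after it is
// parsed by the shell as further commands.
function buildForceStopShell(name) {
  return 'am force-stop "' + name + '"';
}

// Android package/component names: dot-separated identifiers, optionally
// followed by "/" and a class name (which may start with "."). Anything
// else, including quotes, spaces and shell metacharacters, is rejected.
const COMPONENT_NAME =
  /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*(\/\.?[A-Za-z_][A-Za-z0-9_.$]*)?$/;

function isValidComponentName(name) {
  return typeof name === 'string' && name.length <= 256 && COMPONENT_NAME.test(name);
}

// Hardened shape: validate first, then return an argv array so the caller
// can use a process API that takes arguments directly (ProcessBuilder in
// Java) with the name as a single argument and no shell in between.
function buildForceStopArgv(name) {
  if (!isValidComponentName(name)) {
    throw new Error('rejected component name: ' + JSON.stringify(name));
  }
  return ['am', 'force-stop', name];
}

// Review/detection helper: does an untrusted name contain any character that
// would change the meaning of a quoted shell argument?
function hasShellMetachar(name) {
  return /["'`$\\;&|<>\n(){}]/.test(name);
}
```

The validator is deliberately stricter than the shell needs: it rejects anything that is not a plausible Android name, so the question "which characters are dangerous inside double quotes" never has to be answered in the app. The argv form is the real fix; the regex is defence in depth and a useful assertion to put in tests.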
So this is kind of a command injection, just in case I wanted to take control of the device even further. This would basically allow me, if I'm able to run malicious code in the WebView, to inject arbitrary code to run as the Device Health app, which is a system app, again. So this is just one minor thing that I found. Next slide, please.

At this point I was pretty convinced that, you know, this is big, and I assumed that JavaScript injection is possible somehow into the WebView. And if we assume that, we can control the phone with all the services, and we can abuse the command injection, or simply do other fun stuff like taking camera snapshots, turning on the microphone, you know, all the fun stuff that you see in the movies. So, you know, you have to do this kind of mental exercise, and, you know, I was like, this is too good not to inject into; there might be a way. So even before I was convinced I'm going to inject into the WebView, I basically implemented my own exploit, which is kind of like a post-exploit if you think about it, because you'll have to inject into the WebView. And this is what I did. Next slide, please.

This is kind of like a post-exploit code. You basically implement just the thing that the WebView is supposed to implement, right?
So basically, create some map. I created a C2 just for us to have fun, and you can invoke that with Ajax, and you can set the callback. If you can see in the last part, it says window.responseCallback = whatever, and then you can actually call the bridge and initiate that with whatnot. Next slide, please.

And this is kind of like a generic code for the sendRequest part. This actually sends a request to the JS bridge, and this makes everything very simple, because now if you look at the right part, you'll see that, basically, this is how you run stuff from the WebView if you could inject into it. You basically do exploit = new Exploit() and then exploit.camera.getCameraList(), exploit.storage, do whatever, and so on. So you can just invoke those methods freely; as I said, you can basically control the phone. So I prepared that, and, you know, I basically patched the app just to see that it works, and it works well. Next slide, please.

Kind of like a mid-talk summary, because we've been through a lot. We have a system app; that system app is pre-installed on the phone, and it has a remotely invocable main activity through a browsable activity, right, the mcedigital thing. The activity loads a WebView that, if, and I put a strong emphasis on if, if injected into, can essentially take over the phone. And we can build an exploit code that does just that. But can we really inject into the WebView?
That's the question that I had in mind, and that's the million-dollar, or million vulnerable Android devices, question. Next slide, please.

Well, the first attempt to inject: I discovered that the page that is being loaded into the WebView is actually embedded in the app itself as an asset. So a WebView can, you know, just like a normal browser, load stuff from the web, or it can load stuff from file:// like an asset, and this is what happens in this case. And the JavaScript code that runs on the page is quite obfuscated and was extremely long, like 100k lines long. And, you know, at this point, by the way, I did forget to mention, but it became too big for me, and I'm like, okay, let's involve our Android team, because why not. And I basically involved our Android v-team in Defender, and we reversed the generic parts of it, but we couldn't find meaningful ways to affect the behavior from the browsable intent. So that was kind of a bummer.

And the second hope that I had was to basically have a person-in-the-middle story. If the app is opened and the WebView opens a plaintext page, I can basically inject, just because I'm a person in the middle between the phone and the internet. And we did find several scenarios when that happens, and this is kind of like a success, right? Because basically what you have to do right now is, in my opinion, you know, it's not trivial, but it's not impossible. Next slide, please.

So the scenario for remote code execution in this case: be a person in the middle, right? You can achieve that in numerous ways.
Like, I can open, you know, a Starbucks Wi-Fi on my phone or something; I can, you know, control your router, or do other stuff. Send a link to the target, or inject it into a normal plaintext web page that the target just browses into, and trigger the browsable activity, the mcedigital thing, because the mcedigital browsable activity actually kicks in, and it's registered by that Device Health app, which is a system app that was, by the way, hidden from the UI. The app kicks in, the app loads the WebView, which runs complicated logic and ends up viewing more content in plaintext, right, loads stuff from external HTTP over plaintext, and then I inject malicious JavaScript code into the plaintext content, and, you know, I run my exploit and basically take over the phone. So that's pretty good. Next slide, please.

It sounds like our kind of fun RCE on Android is over, but, you know, one thing that got me a bit worried, or a bit, you know, intrigued, was the fact that during the reverse engineering we saw that, like, you know, I got my phone from my carrier, but in all of the class names and whatnot, when reverse engineering that app, we didn't see that carrier name at all. And we suspected that there is an entire framework which was not carrier specific, right? You did see that mcedigital thing and so on. And basically I tried to assess, you know, we already had an RCE and I was going to basically disclose it responsibly, but when assessing the number of affected devices, we decided to hunt for similar apps that might be using the same framework. And, you know, there is no shame in saying we actually just used VirusTotal, and surprisingly we discovered numerous telcos that use the same framework, right? So imagine all the big telcos. I will not mention anyone because I don't want to be sued, but imagine, you know, all the big telcos in America and whatnot.
I mean, this was embedded in five of them, and big ones. There seemed to be some customization per telco, so one telco might have certain features and a different telco might have other features, obviously besides the app name and logos that are used and stuff like that. And not all apps were susceptible to the person-in-the-middle attack, right? Some of them actually did not load external code from plaintext, so the remote code execution part didn't work.

And one thing that I also discovered is that besides those five telcos, there are certain apps that use that framework that might be installed by phone repair shops or for trade-in purposes. So if it wasn't clear, the Device Health app is supposed to basically make sure that the camera is working, that the microphone is working; this is why it needed all those permissions. And basically some of those telcos pre-install it in the firmware, right? That's what I got initially. But we also discovered that there is a specific app that can be installed by repair shops, and sometimes they forget to uninstall the app after you get your phone back from being fixed and whatnot. So this is another issue that we saw. And, you know, users are always, in this case, either because the app is baked into the firmware or because you got your phone fixed and someone installed an app unbeknownst to you, end users are always, to the best of my knowledge, unsuspecting that this thing even existed. Next slide, please.

So we decided to dig deeper and see if we could exploit the apps that were not susceptible to the person-in-the-middle JavaScript injection attacks, and eventually we found a local JavaScript injection. And I won't actually wait for responses, but the question is: can you spot the injection opportunity in the next slide?
So this code is taken from multiple methods, but basically the injection part actually resides in the last part, in the third part. But basically what's going to happen here is that you get some parameter called flowInput, and I will mention what it does in a sec. But basically this flowInput is going to be sent to the WebView's init function. The init function is going to basically check if it's empty, and if it's not empty it's going to save it in another member, and later that member, if it's not empty, is going to be basically loaded into the WebView with loadUrl; again, just like the JavaScript injection that we saw earlier. Next slide, please.

This is kind of like what I mentioned. There is a member called mFlowSDKInput. By the way, I have no idea what it's supposed to do; I never saw it actually being used, but the member exists. And the member is a JSON object string that is then purposely injected into the WebView, as we saw. Here is the interesting part, and this is where the injection kicks in: there is no string sanitization on the string itself, which means that we could inject into it if we control that member, right? If I can control that member, I can actually inject JavaScript into the WebView locally. And the member is initialized very indirectly, like there are four or five different classes there, by the intent that creates the app, interestingly from a Google Firebase parcel.
It doesn't really matter that much, but just because it's funny to me. Next slide, please.

I did have one limitation: the entire payload, because we're talking about the JSON object, and it's going to be, you know, eventually turned into a string and then injected into the WebView with a JavaScript injection, the entire payload can't contain newlines, because, you know, JSON stuff. But you can easily overcome that with eval(atob()) and then a base64-encoded payload. So if you have a payload, you can just turn it into base64 and then add some code to unwrap and undo what you wanted, like this entire base64 thingy. And basically this is kind of like how you run JavaScript code in one line, right? Which is not a big thing, but still. Next slide, please.

Oh, this has a nice PowerPoint animation; kudos to me. On the left side you can see the app itself, in the middle part you can see the WebView, and in the right part there is an attacker, right? And basically what's going to happen... Can you click one time, please? I prepared the second-stage JS loader; that's the first part, where, you know, the entire payload where I assumed that I could inject. So I have that code, and then, next click, please, I wrap it with eval(atob()) and base64, just to make it a one-liner. Next, please. I put it into some member that is called dynamic; this is how Google Firebase works in this case. Next one, please. I wrap it into something called a Parcel; this is how objects are basically serialized in Android. Next, please. This thing is turned into bytes, because this is how, like, intents can just contain bytes. Next one, please. Then I wrap it into an intent. An intent, basically,
I didn't mention it, but that's like a very popular IPC mechanism; basically it's the thing that fires apps and activities and whatnot. Next click, please. So the intent gets into the app. Next click. And then the app, as I said, unwraps the intent, takes the bytes, unwraps it, takes the parcel, unwraps it, and so on. It does all of those things, and eventually it will basically run the second-stage JS loader, so it will load the JavaScript into the WebView. Next one, please. The WebView loads the JavaScript; the WebView actually loads additional JavaScript from a C2. Next one, please. It invokes client requests, right? And next one, please. It provides responses. Also, by the way, if you want to take pictures with cameras or turn on the microphone or whatnot, this all works well.

And I mentioned here local injection because, if it wasn't clear, to fire that intent with the very specific bytes inside you have to run it from an app alongside the system app, you know, the Device Health app. But this is still considered an elevation of privilege, for obvious reasons, like your initial app doesn't have to have any permissions, and if you can inject and do all of those things you can basically take over the phone. Next slide, please.

This is my exploit code. I won't dive too much into it, but you can see in the first part that I basically take the JavaScript payload. I basically add some code to embed that payload into the WebView itself by just inserting a new script element and loading the source from a C2. And basically I had to append a quote at the... so, an extra quote, and then I just put an 'a' there for fun. And the idea behind that is that, you know, this is how the JavaScript injection works, right?
Like, it takes my input and treats it as a string with quotation marks, so if I finish a quotation, I can actually inject more JavaScript stuff there. And then basically the second part was to encode everything into a single statement. It's just, you know, basic student coding. Next slide, please.

And this basically is... oh, and in the previous slide, sorry, can you go one slide back? I apologize. The thing that has the red rectangle is basically where the injection kicks in. You basically have to put a single quote, right? This is where the JavaScript injection actually kicks in, the flowInput member that we discussed. Sorry, now next slide.

This basically continues building the entire thing. I build something called the DynamicLinkData, and basically in that DynamicLinkData the only thing that actually was meaningful is building it eventually as a Parcel. And then the Parcel I have to marshal; it turns into bytes, and then those bytes are basically embedded in the intent itself, as the com.google.firebase.dynamiclinks DynamicLinkData. That's the last part of this right here. Next slide, please.

This is a recording of the local injection. I hope it plays well. Can you please try to play it? Let's see how that works. Hey, okay, so on the left side you can see the two... We actually had two servers for C2, for other reasons. And then on the right side you can see the checkup app. The injection, like our PoC app, injects into the system app. The system app, by the way, doesn't have to be turned on; I just turned it off. That's fine, it doesn't really matter, because we can always start an intent. This will basically start the intent, and on the left side you can see it actually starts getting data, right?
So this is basically how our exploit works. This is our recording. And next slide, please.

Okay, responsible disclosure. We disclosed everything to the company that maintains the framework itself, like the entire SDK, as well as all the telcos that were involved; there are five in total. I can't give an exact number, but we're talking about millions of Android devices with vulnerable system apps, affected by bugs ranging from full RCE to local EoP. And it took a lot of months, actually, because this is quite problematic; like, you can't really even remove system apps, you know, from your Android phone, at least, you know, my-grandma kind of users can't do that. And we basically released details in coordination with everyone involved to make sure that no end user is put in danger, because, you know, releasing new firmware and basically making sure that everyone updates and so on is very painful to those telcos. And we also constantly work together with Google to actually improve Google Play Protect and spot similar bugs automatically.

This is kind of interesting: those Device Health apps, or that SDK, actually was in Google Play, and it still is, by the way, in the Google Play Store. And, you know, Google Play has basically something called Google Play Protect, which scans your apps against, you know, evil, and also vulnerabilities. But they simply didn't have good handling of that vulnerability class, like vulnerabilities that involve JS interfaces. So we are working with Google on that. Next slide, please.

Resolution. So disclosure happened around September 2021, but it took more than six months until user risk became sufficiently low for public disclosure. And just my take on the thing: one of the main problems is that those were system apps, right? I don't want to use the term bloatware, but I already used it.
So let's call it bloatware. System apps are baked into the device firmware image. You can turn them off, and there are many unsuspecting users. I bet, if some of you are operate users, I'm willing to bet that you don't know at least 30 of the system apps that are installed on your phone at any given time. And basically, you know, me working at Microsoft for Defender: we also have Microsoft Defender for Android, and we support something called vulnerability management, which does indicate the existence of vulnerable apps. So if you have a vulnerable app on your phone, and specifically that set of vulnerabilities, we'd be able to at least tell you. So, you know, you can't uninstall the system app, but that's a good start, I think. Next slide, please.

A quick note for Android developers: overpowered WebViews with JS interfaces are the source of many interesting security bugs. And apps, as I mentioned before, sometimes just blindly trust input from the WebViews, right? You have a WebView and you have your app, and the app simply trusts it without thinking whether it could be injected into or not. That's one thing. So whenever you develop an app, you know, be mindful of those things. If you implement an asynchronous client-server module by JavaScript injection, then please don't do that. It's really a bad practice, and there are good APIs that are included in AndroidX, WebMessageListener specifically. Google pointed that out, and we actually looked at that code, and the entire serialization there is, in my opinion, pretty flawless, unlike injecting JavaScript and not sanitizing your strings. So use the existing API and don't develop something from scratch. And again, this is like a recurring theme in server security: if you're forced to inject, sanitize your inputs. That should be obvious. Next slide, please.

These are kind of the conclusions. System apps, in my opinion,
do not get enough attention from the security industry. They're especially bad because they can't be easily removed, and users never suspect they have all these apps to begin with. Bloatware, that's what some of us call them. I did mention other suspicious-looking bloatware that was also installed on that phone, but I didn't pay too much attention to it; I just really need to find the time, to be honest. But I bet there are other things in that phone as well.

And there are special thanks here to the Android V team that worked with me, which is Sanction Jung, Michael Peck, Joe Mancer and Poor Vakumar, and the entire Microsoft 365 Defender research team. And with that I'm done. If you have any questions, please do ask them now, or you can just reach out over Twitter or something. My DMs are open. Thank you so much for attending.

I have a question.

Yes.

So, like, the device... the device, I think, is it like one of those system apps that come with Android, or is it one of those carrier system apps, like the apps that you get from that specific carrier? So it's actually... well, it's not done by Google or by...

Yeah, it's more of the latter than the former, although, as I said, you can actually install that from Google Play. Or if you ever get your phone fixed or traded in or something, it might be installed there already. So it can be either someone installing that, or it could be baked into your firmware just by the carrier itself. Hope that answers the question.

Okay. Yes. Okay. Yeah, there's a carrier thing.

Yeah, that's why I mentioned those telcos. It's done... well, not by the telcos.
They're actually just using that other company that developed the SDK, with customization. But basically the telcos are kind of responsible for that in this case.

Okay. Go ahead.

I'm just trying to think about those kinds of exploits, between, you know... like, you need root to remove the system apps and stuff. If you run as root, yes, you can uninstall those system apps. Does the exploit have any practical use for other things, or is it just, you know, threat actor stuff?

I mean, generally, those kinds of exploits could mostly be used, in my opinion, for bad stuff. It could be like an NSO kind of level exploit, where someone remotely can just acquire the phone. Also, because it's a system app, in most cases it can actually install apps silently. A normal app, if you try to install an app, would actually pop up and at least ask the user for permission, but as far as I remember, not for system apps. And I mean, it's hard for me to say; exploits are usually used either by bad guys or for educational purposes. In this case we actually... yeah, go ahead.

Yeah, because, like, I know those exploits are used in an exploit chain...

Oh, you mean like for jailbreaking and stuff like that.
Yeah, that's what I'm saying. The difference between the exploits... can it also be used for that, or is it mostly just for the really, really bad stuff?

Well, to be honest, I think mostly not for that. I mean, for jailbreak you'll have to run as root, normally, or flash your bootloader or whatnot. This is not that kind of exploit. I mean, it is beneficial in some cases to run as a system app, but it's not running as root.

Oh, okay. Yeah, so it's not really useful for that kind of stuff, more so just... oh, it's mostly for bad guys. Yeah, that's what I was asking. Thank you.

Any more questions?

I wanted to ask: oftentimes I've heard horror stories of people revealing vulnerabilities to big companies and getting some negative responses. Did you get any kind of negative response from big telco companies when you revealed to them that there's this kind of vulnerability on their product?

Good question. This is kind of a political question, so it's hard for me to answer, but I would say that the responses were mixed. I think that the telco industry is not as mature as other companies, and they might not see you exploiting their stuff as a nice gesture, even though we really worked hard to do responsible disclosure. I didn't mention that, but after the company that develops everything patched everything, we actually tested to make sure that they did everything properly. We did code reviews and whatnot.
So it's not just about the exploitation; it's also about how to get that fixed, and they were pretty collaborative, to be honest. The telcos, it's mixed. Some of them were really open and really receptive to that kind of disclosure; others were not as much and had to be convinced. In this case, I would say I'm lucky that I'm part of a big company, so someone important from my company can talk to someone important from that telco. But if you're an individual researcher, I don't know. I think it would have been much more difficult. I would probably say that I don't... yeah, hopefully not. Hopefully not. I have a guard cat in my home, so...

Awesome. Yes, perfect. Make sure you protect both the front and back door.

Yeah, yeah. Well, I need another cat. More questions? Awesome. Well, if there are any follow-up questions, or you want to get more technical data or whatnot, just reach out to me. I also do macOS, Linux, Chrome OS, iOS, those sorts of things, and I'm interested in everything that runs code. So thank you so much, and I'll see you guys around.

Thank you, Jonathan. Give our speaker a round of applause. We've got roughly 10 minutes till our next speaker, so it's a good time to take a bio break, schmooze with the people that are here and network, and then look around for Easter eggs. We'll see you back in about 10 minutes.
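The developer note from the talk (apps blindly trusting WebView input, and building the client-server channel by JavaScript injection instead of using the AndroidX WebMessageListener API), as an added Java illustration that is not code from the talk or from the affected SDK. The DataBridge class, its method names, the page-side onRecord callback and the allowed origin are assumptions for the example.

```java
// Added illustration, not code from the talk: the string-built JavaScript pattern the
// speaker warns about, beside the androidx.webkit WebMessageListener approach he
// recommends. DataBridge, deliverRecord*, onRecord and the origin are hypothetical.
import android.net.Uri;
import android.webkit.WebView;
import androidx.webkit.JavaScriptReplyProxy;
import androidx.webkit.WebMessageCompat;
import androidx.webkit.WebViewCompat;
import androidx.webkit.WebViewFeature;
import org.json.JSONObject;
import java.util.Collections;
import java.util.Set;

public class DataBridge {

    // WEAK: the app pushes a record into the page by concatenating it into script.
    // Any value containing a closing quote terminates the string literal, and the rest
    // of the value is evaluated as JavaScript inside the WebView (the bug class above).
    static void deliverRecordUnsafe(WebView webView, String record) {
        webView.evaluateJavascript("onRecord('" + record + "')", null);
    }

    // If injecting JavaScript is unavoidable, serialize the value so it can only ever be
    // a string literal: JSONObject.quote escapes quotes, backslashes and line terminators.
    static void deliverRecordQuoted(WebView webView, String record) {
        webView.evaluateJavascript("onRecord(" + JSONObject.quote(record) + ")", null);
    }

    // PREFERRED: androidx.webkit WebMessageListener. Page-to-app messages arrive as plain
    // data that is never evaluated, only the listed origins receive the JS object, and
    // app-to-page replies go through the proxy rather than through string-built script.
    static void installMessageListener(WebView webView) {
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            return; // older WebView builds: fall back to deliverRecordQuoted
        }
        // constructed origin for the example; restrict to the pages that may talk to the app
        Set<String> allowedOrigins = Collections.singleton("https://app.example.com");
        WebViewCompat.addWebMessageListener(webView, "appBridge", allowedOrigins,
            (WebView view, WebMessageCompat message, Uri sourceOrigin,
             boolean isMainFrame, JavaScriptReplyProxy replyProxy) -> {
                if (!isMainFrame) {
                    return;                          // ignore embedded frames
                }
                String data = message.getData();     // a string, never executed
                // `data` is still untrusted input: validate it before acting on it
                replyProxy.postMessage("ack");       // reply without building JavaScript
            });
    }
}
```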