VirtualPatch: Distributing Android security patches through Android virtualization

The Android Operating System (OS) is a complex system that might contain vulnerabilities and allow malicious apps to damage the legitimate ones on the same device or steal sensitive user data. Vulnerabilities in the Android OS are fixed through security patches that can only be distributed through an update of the whole OS. Google is responsible for the development of security patches for the official Android platform i.e., the Android Open Source Project (AOSP). However, several other mobile vendors (e.g., Samsung, Xiaomi) sell smartphones running a customized version of AOSP and are responsible for integrating the AOSP security patches into their custom OS. This integration should occur before Google makes a vulnerability and the associated security patch public. Unfortunately, this is not always the case: we have found that the median time that Samsung requires to integrate a security patch is 35 days. This is astonishing and confirms the urgent need for a solution. In this paper, we propose VirtualPatch, a solution that allows the development of security patches and their immediate distribution on any Android device without involving mobile vendors. VirtualPatch creates a virtual environment through the Android virtualization technique and executes the target app with security patches inside it. To evaluate VirtualPatch, we selected 25 Android CVEs. For each of them, we developed the exploit and the security patch through VirtualPatch, and we then proved that the latter could prevent the former. We successfully implemented security patches for all the 25 Android CVEs and measured the additional overhead introduced by VirtualPatch at the startup time and at runtime. Finally, we conducted a user study with 29 participants to evaluate VirtualPatch usability.