Abdullah Joseph in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The slides and other presentations can be found on https://def.camp/archive
Abdullah Obaied
Stealing Traffic: Analyzing Mobile Fraud
About me
‣ Security Specialist
‣ Former Software Engineer
‣ Part of Adjust’s Fraud Team
‣ RiverBird.co
‣ @cheese0x02
How mobile attribution works (flow diagram): Ad impression → Click on Ad (Media) → App Store Redirect → App Download initialized → Install finished on device → First Open: SDK Initialization
Click Injection 1.0: Abusing Broadcasts
‣ A “Broadcast” is an event that occurs in the system.
‣ Any app can have a “Broadcast Receiver” and listen to system broadcasts.
Click Injection 1.0: Abusing PACKAGE_ADDED Broadcast (flow diagram): Ad impression → Click on Ad (Media) → App Store Redirect → App Download initialized → Install finished on device → First Open: SDK Initialization. The injected click fires on the PACKAGE_ADDED broadcast, i.e. once the install has finished on the device and before the first open.
Click Injection 1.0: Mitigation
‣ “firstInstallTime” allowed us to pinpoint an app’s install timestamp.
‣ Install requests with distorted timestamps are ignored.
Click Injection 2.0
Click Injection 2.0: Same game, different time stamp (flow diagram): Click on Ad (Media) → App Store Redirect → App Download initialized → Install finished on device → ACTION_PACKAGE_ADDED broadcast → First Open: SDK Initialization. The diagram labels three injection points on this flow: “Click Injection 1.0” (the ACTION_PACKAGE_ADDED broadcast, as on the earlier slide) and the two 2.0 variants, “Click Injection: Content Provider Exploit” and “Click Injection: Referrer Broadcast”.
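The firstInstallTime check from the mitigation slide, and why a 2.0-style click that lands while the download is still in progress passes it, as an added Python example (not code from the talk or from Adjust; all device ids and timestamps are constructed):

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Click:
    click_id: str
    device_id: str
    ts: int  # reported click time, Unix seconds (constructed values below)

@dataclass
class Install:
    device_id: str
    first_install_time: int  # PackageInfo.firstInstallTime read by the SDK
    sdk_init_time: int       # first open, when the SDK sent the install request

def install_is_plausible(inst: Install) -> bool:
    """Drop install requests with distorted timestamps: firstInstallTime
    must be a positive value that is not later than the first open."""
    return 0 < inst.first_install_time <= inst.sdk_init_time

def attribute(inst: Install, clicks: List[Click]) -> Optional[Click]:
    """Last-click attribution limited to clicks that precede firstInstallTime.
    A click fired from a PACKAGE_ADDED receiver (Click Injection 1.0) arrives
    after the install finished, so it is excluded here."""
    if not install_is_plausible(inst):
        return None
    eligible = [c for c in clicks
                if c.device_id == inst.device_id and c.ts < inst.first_install_time]
    return max(eligible, key=lambda c: c.ts, default=None)

def demo() -> dict:
    """Constructed timeline for one device: real click at t=1000, download
    starts at 1300, install finishes at 1600, first open at 1700."""
    inst = Install("dev-1", first_install_time=1600, sdk_init_time=1700)
    real = Click("c-real", "dev-1", 1000)
    injected_v1 = Click("c-inject-1.0", "dev-1", 1605)  # after PACKAGE_ADDED
    injected_v2 = Click("c-inject-2.0", "dev-1", 1301)  # while download in progress
    distorted = Install("dev-1", first_install_time=1800, sdk_init_time=1700)

    def winner(*cs: Click) -> str:
        hit = attribute(inst, list(cs))
        return hit.click_id if hit else "none"

    return {
        "v1_only": winner(real, injected_v1),      # 'c-real': injected click rejected
        "v2": winner(real, injected_v2),           # 'c-inject-2.0': passes the check
        "distorted": attribute(distorted, [real]), # None: request ignored
    }
```

The 2.0 click wins last-click attribution because it is timestamped before firstInstallTime, which is the "different time stamp" the slide refers to.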
App Permissions
‣ What the app is allowed to do in the context of the machine and user data
AppX Permissions
‣ AppX is allowed to extract device data
‣ AppX is allowed to restart itself upon boot
‣ AppX is allowed to monitor/kill running processes
AppX Broadcast Receivers
‣ AppX is able to receive PACKAGE_ADDED broadcasts
AppX Hard-coded Databases
‣ AppX has a list of ~200 app names in an SQLite DB
AppX Hard-coded Databases
‣ AppX has a list of ~3500 app names in SQLite and txt files
‣ Mostly games and paid apps that run heavy ad campaigns
Findings
1. AppX is allowed to extract device data
2. AppX is allowed to restart itself upon boot
3. AppX is allowed to monitor/kill running processes
4. AppX is able to receive PACKAGE_ADDED broadcasts
5. AppX has a list of ~3500 app names in SQLite and txt files
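A manifest triage pass that flags the traits listed in the findings above (device-data access, restart on boot, process monitoring, a PACKAGE_ADDED receiver), as an added Python example that is not part of the talk. The mapping from Android permissions to those capabilities is my assumption, since the slides name the capabilities but not the permissions; the manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest fragment carrying the traits the talk attributes to AppX.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.appx">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application>
    <receiver android:name=".PkgReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Assumed permission-to-capability mapping for the three capabilities on the findings slide.
FLAGGED_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "extract device data",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself upon boot",
    "android.permission.KILL_BACKGROUND_PROCESSES": "monitor/kill running processes",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the flagged capabilities and any receivers listening for PACKAGE_ADDED."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    capabilities = sorted(v for k, v in FLAGGED_PERMISSIONS.items() if k in perms)
    package_added_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if "android.intent.action.PACKAGE_ADDED" in actions:
            package_added_receivers.append(recv.get(ANDROID_NS + "name"))
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "package_added_receivers": package_added_receivers,
        # All three capabilities plus a PACKAGE_ADDED receiver match the profile in the talk.
        "matches_profile": len(capabilities) == 3 and bool(package_added_receivers),
    }
```

Run it over the manifest extracted from an APK (for example with apktool) to shortlist apps for the behavioural analysis described in the following slides.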
Plan
We need to know:
‣ What happens when we open the app?
‣ What happens when we install/uninstall other apps?
‣ Most importantly, what happens when we install an app from the Google Play Store?
On AppX Open
‣ AppX has a long-running background process in the form of a notification toolbar.
‣ AppX sends device and analytics data to multiple foreign servers (over HTTP).
On App Uninstall
‣ AppX sends an “uninstall notification” to a foreign server when the user uninstalls a listed app.
On App Install (From Google Play): GET /getDlAd Request
‣ This request occurred before the app finished downloading. The malicious app was able to get all the details necessary to launch fake installs from this device and steal traffic.
Findings
1. AppX has a long-running background process in the shape of a notification toolbar
2. AppX sends multiple requests upon an app uninstall
   A. Possibly for re-attribution campaigns.
   B. Also, so as not to repeat too quickly for multiple user downloads
3. AppX sends all the details of a download-in-progress to a foreign server BEFORE the app finishes downloading
What Do We Wanna Know?
Many things, but most importantly:
‣ What do the other parameters in the GET /getDlAd request mean?
‣ How are the apps in game_list.txt used?
‣ What is the difference between those and the SQLite database?
‣ What other events, besides install/uninstall, does the app react to?
‣ What are all the endpoints in the app?
‣ How is AppX sniffing in-progress downloads?
How Do We Do It?
‣ Look for traffic sniffing activity (HTTP and Google Play-related keywords)
‣ Access to resources (Content Providers)
‣ Possible exploits (C/C++)
Finding: AppX is Observing a Content Provider
‣ But, what’s a Content Provider?
Android Content Providers
‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.
‣ Any access to a resource is usually important
What is Being Observed?
‣ The “Temp Downloads Content Provider”: a content provider that has all the info of an in-progress download
How Is AppX Sniffing In-Progress Downloads?
‣ Step #1: The “Temp Downloads Content Provider” is being observed and a function will trigger when a change occurs.
‣ Step #2: When a change occurs, a query to another “Public” content provider is triggered.
‣ Step #3: The query is parsed and the “packageName” of the app being downloaded is extracted.
‣ Step #4: AppX sends the collected details to a foreign server (already observed).
Confirmed Findings
1. AppX is observing the “Temp Downloads Content Provider” and a function will trigger when a change occurs (does not provide enough info)
2. AppX is then querying the “Public Downloads Content Provider” for more info on the package
3. AppX parses the query and extracts the name of the app being downloaded
4. AppX fires a request to a server with all the info of the newly downloaded app (confirmed with behavioural analysis)
Abdullah Obaied
SECURITY SPECIALIST
abdullah@adjust.com
ADJUST HQ
Saarbrücker Str. 37a
10405 Berlin
Germany