Stealing Traffic: Analyzing Mobile Fraud
Abdullah Obaied
About me
‣ Security Specialist
‣ Former Software Engineer
‣ Part of Adjust’s Fraud Team
‣ RiverBird.co
‣ @cheese0x02
Click Injection: Story Time
How mobile attribution works
[Diagram: the attribution flow: ad impression → click on ad (media) → App Store redirect → app download initialized → install finished on device → first open (SDK initialization)]
First Version of Click Injection
Click Injection 1.0: Abusing Broadcasts
‣ A “Broadcast” is an event that occurs in the system.
‣ Any app can have a “Broadcast Receiver” and listen to system broadcasts.
Click Injection 1.0: Abusing PACKAGE_ADDED Broadcast
[Diagram: the same attribution flow (ad impression → click on ad (media) → App Store redirect → app download initialized → install finished on device → first open / SDK initialization), annotated for the PACKAGE_ADDED broadcast abuse]
Click Injection 1.0: Mitigation
‣ “firstInstallTime” allowed us to pinpoint an app’s install timestamp.
‣ Install requests with distorted timestamps are ignored.
Second Version of Click Injection
12
Click Injection 2.0
Click Injection 2.0: Same game, different time stamp
Click on Ad
Media
App
Download
initialized
Action_Package_Added
broadcast
First Open:
SDK Initialization
Click Injection:
Content Provider Exploit
App Store
Redirect
Install
finished on
device
Click Injection: Referrer
Broadcast
Click Injection 1.0
Introduction to AppX
Target App: AppX
‣ Utility app
‣ +100M downloads | +13M reviews
‣ Beautiful images and animations
‣ It actually does what it says it does
Analysis
17
Theory
This app is performing a new way of conducting
click injections
18
Step #1: Static Properties
Findings are purple
App Permissions
‣ What the app is allowed to do in the context of the machine and user data
AppX Permissions
‣ AppX is allowed to extract device data
‣ AppX is allowed to restart itself upon boot
‣ AppX is allowed to monitor/kill running processes
AppX Broadcast Receivers
‣ AppX is able to receive PACKAGE_ADDED broadcasts
AppX Hard-coded Databases
‣ AppX has a list of ~200 app names in an SQLite DB
‣ AppX has a list of ~3500 app names in SQLite and txt files
‣ Mostly games and paid apps that run heavy ad campaigns
Findings
1. AppX is allowed to extract device data
2. AppX is allowed to restart itself upon boot
3. AppX is allowed to monitor/kill running processes
4. AppX is able to receive PACKAGE_ADDED broadcasts
5. AppX has a list of ~3500 app names in SQLite and txt files
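The Step #1 triage above, written out as a script (an added example, not AppX's manifest and not Adjust's tooling): it parses a decoded AndroidManifest.xml for declared permissions and for broadcast receivers registered for PACKAGE_ADDED, and maps them onto the findings the talk lists. The sample manifest is constructed, and the mapping from capabilities to permission strings is an assumption, since the slides name capabilities rather than permissions.

```python
"""Triage a decoded AndroidManifest.xml for the Step #1 static properties.

Added example: not AppX's manifest and not Adjust's tooling.  The sample
manifest is constructed, and the capability -> permission mapping is an
assumption (the slides name capabilities, not permission strings).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PACKAGE_ADDED = "android.intent.action.PACKAGE_ADDED"

# Assumed mapping from the capabilities listed in the talk to the Android
# permissions that grant them.
CAPABILITY_PERMISSIONS = {
    "extract device data": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "restart itself upon boot": {
        "android.permission.RECEIVE_BOOT_COMPLETED",
    },
    "monitor/kill running processes": {
        "android.permission.GET_TASKS",
        "android.permission.KILL_BACKGROUND_PROCESSES",
    },
}

# Constructed sample manifest, in the decoded form apktool produces.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.appx">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application>
    <receiver android:name=".InstallWatcher">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (set of permissions, {receiver name: [filtered actions]})."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    receivers = {}
    for rcv in root.iter("receiver"):
        receivers[rcv.get(NAME_ATTR)] = [a.get(NAME_ATTR) for a in rcv.iter("action")]
    return permissions, receivers


def triage(xml_text):
    """Map a manifest onto the talk's findings: finding -> sorted evidence.

    Only findings with evidence are returned, so an app that merely holds
    the INTERNET permission yields an empty dict.
    """
    permissions, receivers = parse_manifest(xml_text)
    findings = {}
    for capability, perms in CAPABILITY_PERMISSIONS.items():
        hits = sorted(permissions & perms)
        if hits:
            findings[capability] = hits
    watchers = sorted(name for name, acts in receivers.items() if PACKAGE_ADDED in acts)
    if watchers:
        findings["receives PACKAGE_ADDED broadcasts"] = watchers
    return findings


if __name__ == "__main__":
    for finding, evidence in triage(SAMPLE_MANIFEST).items():
        print("%s: %s" % (finding, ", ".join(evidence)))
```

Run it against the output of `apktool d` on a real APK to reproduce the first four findings; the hard-coded app lists (finding 5) live in the assets and need a separate look.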
Step #2: Behavioural Analysis
Before moving forward, we need a plan.
Plan
We need to know:
‣ What happens when we open the app?
‣ What happens when we install/uninstall other apps?
‣ Most importantly, what happens when we install an app from the Google Play Store?
Setup
On AppX Open
30
‣ AppX has a long-running
background process in the
form of a notification toolbar.
‣ AppX sends device and
analytics data to multiple
foreign servers (Over HTTP)
On AppX Open
31
‣ AppX sends an “uninstall
notification” to a foreign server
when the user uninstalls a
listed app.
On App Uninstall
32
On App Install (From Google Play):
Requests upon install
33
‣ This request occurred before the app finished downloading. The malicious app was able to get all the
details necessary to launch fake installs from this device and steal traffic.
On App Install (From Google Play):
GET /getDlAd Request
34
On App Install (From Google Play):
GET /getDlAd Request
35
1. AppX has a long-running background process in the shape of a notification toolbar
2. AppX sends multiple requests upon an app uninstall
A. Possibly for re-attribution campaigns.
B. Also, so as not to repeat too quickly for multiple user downloads
3. AppX sends all the details of a download-in-progress BEFORE the app finishes downloading to a
foreign server
Findings
Step #3: Static Analysis
What do we wanna know and how do we do it?
What Do We Wanna Know?
Many things, but most importantly:
‣ What do the other parameters in the GET /getDlAd request mean?
‣ How are the apps in game_list.txt used?
‣ What is the difference between those and the SQLite database?
‣ What other events, besides install/uninstall, does the app react to?
‣ What are all the endpoints in the app?
‣ How is AppX sniffing in-progress downloads??
How Do We Do It?
‣ Look for traffic sniffing activity (HTTP and Google Play-related keywords)
‣ Access to resources (Content Providers)
‣ Possible exploits (C/C++)
Finding: AppX is Observing a Content Provider
‣ But, what’s a Content Provider?
Android Content Providers
‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.
‣ Any access to a resource is usually important
What is Being Observed?
The “Temp Downloads Content Provider”
‣ A content provider that has all the info of an in-progress download
How Is AppX Sniffing In-Progress Downloads?
‣ Step #1: The “Temp Downloads Content Provider” is being observed and a function will trigger when a change occurs.
‣ Step #2: When a change occurs, a query to another “Public” content provider is triggered.
‣ Step #3: The query is parsed and the “packageName” of the app being downloaded is extracted.
‣ Step #4: AppX sends the collected details to a foreign server (already observed).
Analysis Concluded
Confirmed Findings
1. AppX is observing the “Temp Downloads Content Provider” and a function will trigger when a change occurs (does not provide enough info)
2. AppX is then querying the “Public Downloads Content Provider” for more info on the package
3. AppX parses the query and extracts the name of the app being downloaded
4. AppX fires a request to a server with all the info of the newly downloaded app (confirmed with behavioural analysis)
Theory Confirmed
This app is performing a new way of conducting click injections.
Mitigations
Play Store Referrer API
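An added example (not Adjust's attribution logic) that combines the two mitigations in the deck, the firstInstallTime check from the Click Injection 1.0 mitigation slide and the Play Store Referrer API named here: a server-side screen that rejects an install request when the claimed click lands after the download began (installBeginTimestampSeconds) or after the install finished (firstInstallTime). The field names are the real API names; the decision rules, tolerances and sample requests are constructed for illustration.

```python
"""Screen install attributions using install-time signals.

Added example, not Adjust's attribution logic.  Field names follow the Play
Install Referrer API (installBeginTimestampSeconds,
referrerClickTimestampSeconds) and PackageManager (firstInstallTime, in ms);
the decision rules, tolerances and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class InstallRequest:
    device_id: str
    click_ts: int               # click time claimed by the ad network (s)
    install_begin_ts: int       # installBeginTimestampSeconds (Play Referrer API)
    first_install_time_ms: int  # PackageManager firstInstallTime (ms)
    first_open_ts: int          # SDK initialization time on first open (s)
    referrer_click_ts: Optional[int] = None  # referrerClickTimestampSeconds, if any


def screen(req: InstallRequest, max_click_age_s: int = 7 * 24 * 3600,
           referrer_tolerance_s: int = 5) -> Optional[str]:
    """Return None to accept the attribution, else the reason to reject it."""
    first_install_ts = req.first_install_time_ms // 1000
    # The device-reported timeline must be ordered: download began, install
    # finished, app opened.  Anything else is tampered or broken data.
    if not (req.install_begin_ts <= first_install_ts <= req.first_open_ts):
        return "inconsistent install timeline"
    # A click stamped after firstInstallTime cannot have caused the install;
    # this catches the PACKAGE_ADDED (1.0) variant.
    if req.click_ts > first_install_ts:
        return "click after firstInstallTime"
    # installBeginTimestamp is the moment the store started the download.  A
    # click fired while the download was in progress (the content-provider
    # variant) lands after it; a real click precedes the store redirect.
    if req.click_ts > req.install_begin_ts:
        return "click after installBeginTimestamp"
    # Play also records the click that led to the store page; the network's
    # claimed click should agree with it (tolerance is an assumption).
    if (req.referrer_click_ts is not None
            and abs(req.click_ts - req.referrer_click_ts) > referrer_tolerance_s):
        return "click does not match Play-recorded referrer click"
    # Stale clicks fall outside the attribution window (assumed 7 days).
    if req.install_begin_ts - req.click_ts > max_click_age_s:
        return "click outside attribution window"
    return None


def screen_batch(requests: List[InstallRequest]) -> Dict[str, Optional[str]]:
    """Screen many requests; maps device_id -> rejection reason (None = accepted)."""
    return {r.device_id: screen(r) for r in requests}


# Constructed sample timeline (seconds): the download begins at 1060, the
# install finishes at 1200, the app is first opened at 1230.
SAMPLE_REQUESTS = [
    # Real click 60 s before the store started the download.
    InstallRequest("dev-legit", click_ts=1000, install_begin_ts=1060,
                   first_install_time_ms=1_200_000, first_open_ts=1230,
                   referrer_click_ts=1002),
    # Click fired while the download was in progress (content-provider variant).
    InstallRequest("dev-ci2", click_ts=1100, install_begin_ts=1060,
                   first_install_time_ms=1_200_000, first_open_ts=1230),
    # Click fired on PACKAGE_ADDED, after the install but before first open.
    InstallRequest("dev-ci1", click_ts=1210, install_begin_ts=1060,
                   first_install_time_ms=1_200_000, first_open_ts=1230),
    # Claimed click disagrees with the click Play recorded.
    InstallRequest("dev-mismatch", click_ts=1000, install_begin_ts=1060,
                   first_install_time_ms=1_200_000, first_open_ts=1230,
                   referrer_click_ts=900),
    # firstInstallTime earlier than the download start: tampered data.
    InstallRequest("dev-broken", click_ts=1000, install_begin_ts=1060,
                   first_install_time_ms=1_000_000, first_open_ts=1230),
]


if __name__ == "__main__":
    for device, verdict in screen_batch(SAMPLE_REQUESTS).items():
        print("%s: %s" % (device, "accepted" if verdict is None else verdict))
```

The installBeginTimestamp check is what closes the gap the content-provider technique exploits: the fraudulent click is fired after the download has already started, which the firstInstallTime check alone cannot see.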
Conclusions
Abdullah Obaied
SECURITY SPECIALIST
abdullah@adjust.com
ADJUST HQ
Saarbrücker Str. 37a
10405 Berlin
Germany
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Stealing Traffic: Analyzing a Mobile Fraud

19
App Permissions
‣ What the app is allowed to do in the context of the machine and user data

20
AppX Permissions
‣ AppX is allowed to extract device data
‣ AppX is allowed to restart itself upon boot
‣ AppX is allowed to monitor/kill running processes

21
AppX Broadcast Receivers
‣ AppX is able to receive PACKAGE_ADDED broadcasts

22
AppX Hard-coded Databases
‣ AppX has a list of ~200 app names in an SQLite DB

23
AppX Hard-coded Databases
‣ AppX has a list of ~3500 app names in SQLite and txt files
‣ Mostly games and paid apps that run heavy ad campaigns

24
Findings
1. AppX is allowed to extract device data
2. AppX is allowed to restart itself upon boot
3. AppX is allowed to monitor/kill running processes
4. AppX is able to receive PACKAGE_ADDED broadcasts
5. AppX has a list of ~3500 app names in SQLite and txt files

27
Plan
We need to know:
‣ What happens when we open the app?
‣ What happens when we install/uninstall other apps?
‣ Most importantly, what happens when we install an app from the Google Play Store?

30
On AppX Open
‣ AppX has a long-running background process in the form of a notification toolbar.
‣ AppX sends device and analytics data to multiple foreign servers (over HTTP)

31
On App Uninstall
‣ AppX sends an “uninstall notification” to a foreign server when the user uninstalls a listed app.

32
On App Install (From Google Play): Requests upon install

33
On App Install (From Google Play): GET /getDlAd Request
‣ This request occurred before the app finished downloading. The malicious app was able to get all the details necessary to launch fake installs from this device and steal traffic.

34
On App Install (From Google Play): GET /getDlAd Request

35
Findings
1. AppX has a long-running background process in the shape of a notification toolbar
2. AppX sends multiple requests upon an app uninstall
   A. Possibly for re-attribution campaigns.
   B. Also, so as not to repeat too quickly for multiple user downloads
3. AppX sends all the details of a download-in-progress BEFORE the app finishes downloading to a foreign server
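The finding on slides 33 to 35 is what makes the fraud work: the details of a download-in-progress leave the device before the install finishes, so a click can be fired in the window between download start and install completion. The attribution-side filter below is an added example, not Adjust's code and not from the talk; it orders each reported click against the install timeline. It assumes an install_begin_ts field (the Play Install Referrer API exposes a download-begin timestamp, which is assumed here to be available to the attribution server) and a first_install_ts field (PackageInfo.firstInstallTime as sent by the SDK); the InstallEvent records are constructed samples.

```python
"""Attribution-side click-injection filter based on event ordering.

Added example, not Adjust's code. A legitimate click precedes the download.
A click that arrives after the download began was injected while the app
was still downloading (the 2.0 pattern); one that arrives after the install
finished is the 1.0 pattern caught by the firstInstallTime check.
install_begin_ts is assumed to come from the Play Install Referrer API;
first_install_ts is PackageInfo.firstInstallTime as reported by the SDK.
All events below are constructed samples.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class InstallEvent:
    device_id: str
    package: str
    click_ts: datetime          # click timestamp reported by the ad network
    install_begin_ts: datetime  # Play started the download (assumed: Install Referrer API)
    first_install_ts: datetime  # PackageInfo.firstInstallTime sent by the SDK
    first_open_ts: datetime     # SDK initialization on first open


# Tolerance for device/server clock differences (assumed value).
CLOCK_SKEW = timedelta(seconds=2)


def classify(ev: InstallEvent, skew: timedelta = CLOCK_SKEW) -> str:
    """Order the click against the install timeline.

    The timeline must read install_begin <= first_install <= first_open;
    anything else is a distorted timestamp and the install is ignored.
    The checks then run from the latest boundary to the earliest.
    """
    if ev.first_open_ts < ev.first_install_ts or ev.first_install_ts < ev.install_begin_ts:
        return "rejected: inconsistent install timeline"
    if ev.click_ts > ev.first_install_ts + skew:
        return "rejected: click after install finished (click injection 1.0)"
    if ev.click_ts > ev.install_begin_ts + skew:
        return "rejected: click during download (click injection 2.0)"
    return "attributable"


def filter_events(events) -> dict:
    """Classify every candidate click; returns device_id -> decision."""
    return {ev.device_id: classify(ev) for ev in events}


# Constructed sample timeline: download starts at T0, install finishes 45 s
# later, the user opens the app 2 minutes after that.
T0 = datetime(2019, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    # Real click ten minutes before the download started.
    InstallEvent("dev-A", "com.example.game", T0 - timedelta(minutes=10),
                 T0, T0 + timedelta(seconds=45), T0 + timedelta(minutes=2)),
    # Click fired 5 s into the download: passes the firstInstallTime check alone.
    InstallEvent("dev-B", "com.example.game", T0 + timedelta(seconds=5),
                 T0, T0 + timedelta(seconds=45), T0 + timedelta(minutes=2)),
    # Click fired after the install finished: the original PACKAGE_ADDED pattern.
    InstallEvent("dev-C", "com.example.game", T0 + timedelta(seconds=50),
                 T0, T0 + timedelta(seconds=45), T0 + timedelta(minutes=2)),
    # Device reports an install time before the download began: distorted.
    InstallEvent("dev-D", "com.example.game", T0 - timedelta(minutes=10),
                 T0, T0 - timedelta(minutes=1), T0 + timedelta(minutes=2)),
]


if __name__ == "__main__":
    for device, decision in filter_events(SAMPLE_EVENTS).items():
        print(f"{device}: {decision}")
```

The filter runs on every candidate click before attribution picks a winner. The dev-B record is the point of slide 12: its click lands after the install began but before firstInstallTime, so the 1.0 mitigation alone would accept it; rejecting it needs a download-start timestamp that the device's own firstInstallTime cannot supply.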
36
Step #3: Static Analysis

37
Step #3: Static Analysis
What do we wanna know and how do we do it?

38
What Do We Wanna Know?
Many things, but most importantly:
‣ What do the other parameters in the GET /getDlAd request mean?
‣ How are the apps in game_list.txt used?
‣ What is the difference between those and the SQLite database?
‣ What other events are there, other than install/uninstall, that the app reacts to?
‣ What are all the endpoints in the app?
‣ How is AppX sniffing in-progress downloads??

39
How Do We Do It?
‣ Look for traffic sniffing activity (HTTP and Google Play-related keywords)
‣ Access to resources (Content Providers)
‣ Possible exploits (C/C++)
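The static checks from slides 19 to 24 (permissions, broadcast receivers) and slides 38 to 39 (HTTP keywords, content-provider access) can be automated as a first-pass triage. The script below is an added example, not code from the talk or from Adjust: it parses an AndroidManifest.xml for the permission and receiver findings, scans decompiled source text for content-provider observation and cleartext HTTP, and combines the hits into a verdict. SAMPLE_MANIFEST and SAMPLE_SOURCE are constructed inputs in the style of a decompiled app, not AppX's real files; the indicator lists are my own choice and can be extended.

```python
"""Static triage of an Android app for click-injection indicators.

Added example, not code from the talk or from Adjust. It automates the
"Static Properties" and "Static Analysis" steps: parse AndroidManifest.xml
for risky permissions and broadcast receivers, then scan decompiled sources
for content-provider observation and cleartext HTTP. SAMPLE_MANIFEST and
SAMPLE_SOURCE are constructed, not AppX's real files.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the talk's findings (device data, boot restart, process control).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "extract device data",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself upon boot",
    "android.permission.GET_TASKS": "monitor running processes",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill running processes",
}

# Broadcast actions that tell an app about other apps' installs.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED": "notified of every app install",
    "com.android.vending.INSTALL_REFERRER": "receives other apps' install referrer",
}

# Source-level indicators: observing the downloads provider, cleartext exfil channel.
SOURCE_PATTERNS = {
    "content_observer": re.compile(r"\bregisterContentObserver\s*\("),
    "downloads_provider": re.compile(r"content://downloads/"),
    "cleartext_http": re.compile(r"""["']http://[^"']+["']"""),
}

# Constructed manifest in the shape of the talk's AppX findings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.appx">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application>
    <receiver android:name=".PkgReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>
"""

# Constructed snippet in the style of decompiled Java; the URI and host are made up.
SAMPLE_SOURCE = r'''
ContentResolver cr = ctx.getContentResolver();
cr.registerContentObserver(Uri.parse("content://downloads/all_downloads"), true, this.observer);
URL u = new URL("http://tracker.example.invalid/getDlAd?pkg=" + pkgName);
'''


def triage_manifest(manifest_xml: str) -> dict:
    """Flag suspicious permissions and the broadcast actions receivers listen for."""
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    # Only actions declared under <receiver>, not activity or service filters.
    actions = [a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")]
    return {
        "permissions": {p: SUSPICIOUS_PERMISSIONS[p] for p in perms if p in SUSPICIOUS_PERMISSIONS},
        "receiver_actions": {a: SUSPICIOUS_ACTIONS[a] for a in actions if a in SUSPICIOUS_ACTIONS},
    }


def triage_sources(source_text: str) -> dict:
    """Count occurrences of each source-level indicator."""
    return {name: len(pat.findall(source_text)) for name, pat in SOURCE_PATTERNS.items()}


def verdict(manifest_report: dict, source_report: dict) -> str:
    """Combine findings the way the talk did: install-event visibility plus
    download sniffing plus an exfiltration channel is the click-injection signature."""
    sees_installs = bool(manifest_report["receiver_actions"])
    sniffs_downloads = (source_report["content_observer"] > 0
                        and source_report["downloads_provider"] > 0)
    exfil = source_report["cleartext_http"] > 0
    if sees_installs and sniffs_downloads and exfil:
        return "high: install events + downloads observer + cleartext exfil"
    if sees_installs or sniffs_downloads:
        return "medium: partial click-injection indicators, review manually"
    return "low: no click-injection indicators"


if __name__ == "__main__":
    m = triage_manifest(SAMPLE_MANIFEST)
    s = triage_sources(SAMPLE_SOURCE)
    for perm, why in m["permissions"].items():
        print(f"permission {perm}: {why}")
    for act, why in m["receiver_actions"].items():
        print(f"receiver action {act}: {why}")
    print("source indicators:", s)
    print("verdict:", verdict(m, s))
```

On a real APK, feed triage_manifest the decoded manifest (apktool output) and triage_sources the concatenated decompiled sources; the verdict is a prioritisation hint for the behavioural step, not a conviction, since a download manager or launcher can legitimately match one or two of the indicators.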
40
Finding: AppX is Observing a Content Provider
‣ But, what’s a Content Provider?

41
Android Content Providers
‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.

42
Android Content Providers
‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.
‣ Any access to a resource is usually important

43
What is Being Observed? The “Temp Downloads Content Provider”
‣ A content provider that has all the info of an in-progress download

44
How Is AppX Sniffing In-Progress Downloads?
‣ Step #1: The “Temp Downloads Content Provider” is being observed and a function will trigger when a change occurs.

45
How Is AppX Sniffing In-Progress Downloads?
‣ Step #2: When a change occurs, a query to another “Public” content provider is triggered

46
How Is AppX Sniffing In-Progress Downloads?
‣ Step #3: The query is parsed and the “packageName” of the app being downloaded is extracted.
‣ Step #4: AppX sends the collected details to a foreign server (already observed)

48
Confirmed Findings
1. AppX is observing the “Temp Downloads Content Provider” and a function will trigger when a change occurs (does not provide enough info)
2. AppX is then querying the “Public Downloads Content Provider” for more info on the package
3. AppX parses the query and extracts the name of the app being downloaded
4. AppX fires a request to a server with all the info of the newly downloaded app (confirmed with behavioural analysis)

49
Theory Confirmed
This app is performing a new way of conducting click injections

53
Abdullah Obaied
SECURITY SPECIALIST
abdullah@adjust.com
ADJUST HQ
Saarbrücker Str. 37a
10405 Berlin
Germany