TetCon Saigon 2015
Phạm Trần Minh Triết <minhtrietphamtran@gmail.com>
&
Nguyễn Văn Ngôn <computerline1z@gmail.com>
Analyze Code4HK Android
Malware aka mRat
Who am I?
● Malware Analyst
● Reverse Engineer
Phạm Trần Minh Triết
Nguyễn Văn Ngôn
● Programmer
Agenda
● Introduction
● Android Reverse Engineering Intro
● Fake Code4HK Static Analysis
Part I
Introduction
How was fake Code4HK Distributed?
● Hong Kong activists received WhatsApp phishing messages from an unknown phone number containing a link to download and install an app.
● Phishing message: “Check out this Android app designed by CODE4HK, for the coordination of OCCUPYCENTRAL!”.
Fake Code4HK Installation Process
● An .apk file is downloaded to the device after the victim taps the link in the WhatsApp phishing message.
● If the victim chooses to install the apk, a list of sensitive permissions is requested before the installation proceeds.
● The app then presents a new prompt to install a second apk, with the message “Application is updated, please click to install.”
Fake Code4HK Permission Request
What Can fake Code4HK Get from the Device?
● Contacts: name, contact id, phones, emails
● SMS messages
● Call logs: number, name, type of call (incoming, outgoing, missed), date, duration
● Geographic location (networkId, systemId, baseStationId, latitude, longitude), MAC address
● Email accounts (email provider, username, password) and email contents (display name, sender, recipient, sending time, subject, email body)
● Browser bookmarks
● Telephone: phone number, device ID, telephone provider (China Mobile, China Unicom, China Telecom), max CPU frequency, network state (connected, connecting), SIM serial number, MAC address, IP address, total memory
● Wifi passwords: SSID name, WPA passphrase, encryption type, priority
What Other Capabilities does fake Code4HK Possess?
● LIST_DIR: get tree of files, directories and size of files in a directory
● DO_REMARK: write to log file
● DO_TOAST: show a quick little message for the user
● DO_CALL: call a phone number
● DO_SHELL: execute commands from CnC server
● DO_SET_MONITORNUM: set phone number to monitor
● DO_DOWNFILE: download file to victim device
● DO_DELETEFILE: delete file from victim device
● DO_UPLOADFILE: upload file from victim host to CnC server
● DO_DELAY_RECORD: delay audio recording time
● DO_START_RECORD: start recording audio
● DO_STOP_RECORD: stop recording audio
● DO_XSHELL: create a thread to receive and execute commands and send back results to CnC server
● DO_GET_ROOT_FILE: get content of a file on the victim device, save it to /data/data/com.v1/ and send it back to the CnC server
● DO_SAVE_ALL: get all the data Code4HK could steal from the victim device
● DO_GET_SDCARD: get tree of files and directories on the sdcard
Part II
Introduction to Reverse Engineering Android
Applications
JEB
● Disassembler
● Decompiler
● Resource viewer
● Interactive features to analyse protected
Android applications and Android malware
● JEB = IDA + Hex-Rays for Android with some
limitations
ProGuard Protected Android
applications
Reverse engineer with JEB to
deobfuscate ProGuard
Reverse Engineering Strategies with JEB
● Use the manifest viewer to learn the essential information the app presents to the Android system: permissions, package, names of the application/activities/services/receivers and their corresponding intent-filters, ...
● Start from the main activity to traverse the app, renaming variables, methods and classes to meaningful names
● Utilize cross-references to see how an object is used in a class and how a method is used across the application
● Use the Strings window to quickly search for interesting references while reading the code
● Study the Android APIs used in the app together with the prototype actually used: http://developer.android.com/reference/packages.html
Empty methods in JEB and IDA
● When an Android app calls loadLibrary to use methods from a native library, JEB doesn't know the content of those methods, so we get empty (native) methods inside the classes.
● Solution: apktool d target.apk extracts the native libraries used in the app (in the lib/ directory)
● Map the library name: loadLibrary("MyLibrary") resolves to libMyLibrary.so
● Research the exported functions of the native libraries with IDA and Hex-Rays ARM
Empty methods in JEB and IDA
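The loadLibrary-to-.so mapping above is easy to automate. The following is an added example (not code from the slides, JEB or Apktool): it scans decompiled Java or smali text for loadLibrary calls, resolves each name to lib<Name>.so, and checks which ABI directories of the APK actually ship that file. The sample sources and the in-memory APK are constructed for the demo; a library that is referenced but not shipped is worth a closer look, since it must arrive some other way at runtime.

```python
"""Map System.loadLibrary() names to the native libraries shipped in an APK.

Added example, not from the TetCon slides or the JEB/Apktool projects.
Inputs (decompiled sources and the APK) are constructed in memory so the
script runs offline.
"""
import io
import re
import zipfile

# System.loadLibrary("Name") in decompiled Java ...
JAVA_LOAD_RE = re.compile(r'System\.loadLibrary\(\s*"([^"]+)"\s*\)')
# ... and const-string vN, "Name" followed by the loadLibrary invoke in smali.
SMALI_LOAD_RE = re.compile(
    r'const-string\s+v\d+,\s*"([^"]+)"\s*\n\s*invoke-static\s+\{v\d+\},\s*'
    r'Ljava/lang/System;->loadLibrary\(Ljava/lang/String;\)V'
)

def loaded_library_names(sources):
    """Return the set of names passed to loadLibrary() across the given source texts."""
    names = set()
    for text in sources:
        names.update(JAVA_LOAD_RE.findall(text))
        names.update(SMALI_LOAD_RE.findall(text))
    return names

def native_libs_in_apk(apk_bytes):
    """Return {library file name: [abi, ...]} for every lib/<abi>/*.so entry in the APK."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for entry in z.namelist():
            parts = entry.split("/")
            if len(parts) == 3 and parts[0] == "lib" and parts[2].endswith(".so"):
                libs.setdefault(parts[2], []).append(parts[1])
    return libs

def map_load_calls(sources, apk_bytes):
    """Resolve each loadLibrary name to lib<Name>.so; an empty ABI list means not shipped."""
    shipped = native_libs_in_apk(apk_bytes)
    return {f"lib{name}.so": sorted(shipped.get(f"lib{name}.so", []))
            for name in sorted(loaded_library_names(sources))}

# --- constructed sample inputs (not the real Code4HK sample) ---
SAMPLE_SOURCES = [
    'public class Native {\n    static { System.loadLibrary("MyLibrary"); }\n}',
    'const-string v0, "Helper"\n    invoke-static {v0}, '
    'Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V',
]

def build_sample_apk():
    """Build a minimal in-memory APK-like zip shipping one library for two ABIs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("lib/armeabi/libMyLibrary.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libMyLibrary.so", b"\x7fELF")
    return buf.getvalue()

if __name__ == "__main__":
    for so_name, abis in map_load_calls(SAMPLE_SOURCES, build_sample_apk()).items():
        status = ", ".join(abis) if abis else "NOT SHIPPED in the APK (check for a runtime drop)"
        print(f"{so_name}: {status}")
```

Run it against the output of `apktool d target.apk` by feeding the smali files to `loaded_library_names` and the original APK bytes to `native_libs_in_apk`; the resolved file names are the ones to open in IDA.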
Part III
Fake Code4HK Analysis
Basic Android App Information
android:versionCode="1"
android:versionName="3.2.1"
package="com.v1"
android:minSdkVersion="3"
android:targetSdkVersion="17"
App MD5 Hashes
code4hk.apk: 15E5143E1C843B4836D7B6D5424FB4A5
qq.xml: B9484AE3403C974DB0F721B01BD6C302
Digital Certificate
Type: X.509
Version: 1
Serial Number: 0xc481b832c80b4239
Issuer: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
Validity: from = Mon Mar 10 13:51:27 ICT 2014, to = Thu Jul 25 13:51:27 ICT 2041
Subject: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
Required Permission
android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.ACCESS_MOCK_LOCATION (mock location sources for testing)
android.permission.PROCESS_OUTGOING_CALLS (intercept outgoing calls)
android.permission.ACCESS_COARSE_LOCATION (coarse (network-based) location)
android.permission.INTERNET (full Internet access)
android.permission.ACCESS_FINE_LOCATION (fine (GPS) location)
android.permission.INTERACT_ACROSS_USERS_FULL ()
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.WRITE_CALL_LOG (write (but not read) the user's contacts data.)
android.permission.GET_TASKS (retrieve running applications)
android.permission.READ_CALL_LOG (read the user's call log.)
com.android.browser.permission.READ_HISTORY_BOOKMARKS (read browser's history and bookmarks)
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.RECORD_AUDIO (record audio)
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.VIBRATE (control vibrator)
android.permission.PERMISSION_NAME (Unknown permission from android reference)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.MOUNT_UNMOUNT_FILESYSTEMS (mount and unmount file systems)
android.permission.READ_SMS (read SMS or MMS)
com.android.email.permission.ACCESS_PROVIDER (Unknown permission from android reference)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.MODIFY_AUDIO_SETTINGS (change your audio settings)
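The manifest-first strategy from Part II and the permission list above come together in a small triage script. This is an added example, not code from the slides: it parses a decoded AndroidManifest.xml the way one reads it in JEB's manifest viewer (package, SDK levels, permissions, components and their intent-filters) and flags the combination that matters here: a broad collection profile plus boot persistence. The sample manifest is constructed from values the slides report (package com.v1, versionName 3.2.1, minSdk 3, targetSdk 17, MainActivity, StreamService, a subset of the permission list); the BootReceiver component and the intent-filters are assumptions.

```python
"""Triage a decoded AndroidManifest.xml: package, SDK levels, permissions, components.

Added example, not code from the slides. Constructed sample manifest below;
component names other than MainActivity/StreamService are assumed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def a(attr):
    """Qualified name of an android: attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{attr}"

# Capability groups; holding permissions from many of them at once matches the
# collect / record / persist / phone-home profile described for this sample.
CAPABILITY_GROUPS = {
    "network": {"android.permission.INTERNET"},
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE",
                  "android.permission.PROCESS_OUTGOING_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "browser": {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
}

def parse_manifest(xml_text):
    """Extract the fields an analyst reads first from a decoded manifest."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    info = {
        "package": root.get("package"),
        "versionName": root.get(a("versionName")),
        "minSdk": sdk.get(a("minSdkVersion")) if sdk is not None else None,
        "targetSdk": sdk.get(a("targetSdkVersion")) if sdk is not None else None,
        "permissions": sorted(p.get(a("name")) for p in root.findall("uses-permission")),
        "components": [],
    }
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag in ("activity", "service", "receiver", "provider"):
            actions = [act.get(a("name")) for f in comp.findall("intent-filter")
                       for act in f.findall("action")]
            info["components"].append({"kind": comp.tag, "name": comp.get(a("name")),
                                       "actions": actions})
    return info

def triage(info):
    """Return the findings a reviewer should look at before opening any code."""
    perms = set(info["permissions"])
    groups = sorted(g for g, names in CAPABILITY_GROUPS.items() if perms & names)
    findings = []
    if len(groups) >= 4:
        findings.append("broad collection capability: " + ", ".join(groups))
    for c in info["components"]:
        if "android.intent.action.BOOT_COMPLETED" in c["actions"]:
            findings.append(f"{c['kind']} {c['name']} is wired to BOOT_COMPLETED (starts at boot)")
    # General Android fact, not from the slides: below targetSdk 23 every permission
    # is granted at install time, so the user sees one list and no runtime prompts.
    if info["targetSdk"] is not None and int(info["targetSdk"]) < 23:
        findings.append(f"targetSdk {info['targetSdk']}: install-time permission grant only")
    return findings

# Constructed sample manifest (values from the slides, components partly assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.v1" android:versionCode="1" android:versionName="3.2.1">
  <uses-sdk android:minSdkVersion="3" android:targetSdkVersion="17"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
  <application android:label="Code4HK">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".StreamService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    print(info["package"], info["versionName"], "minSdk", info["minSdk"], "targetSdk", info["targetSdk"])
    for finding in triage(info):
        print("-", finding)
```

Feed it the AndroidManifest.xml that `apktool d` decodes; the group threshold of four is a starting heuristic, and the point of the BOOT_COMPLETED check is to surface the "Register Service as Startup" behaviour before you read a single method.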
Infection flow
1.) Open “qq.xml” from the Assets directory.
2.) Create a new directory, “/sdcard/.qq/”.
3.) Read the contents of “qq.xml” and create a file, “/sdcard/.qq/temp.apk”.
4.) Start StreamService (this will also run after reboot).
5.) Display the Update message.
[Diagram: Code4hk.apk → (2) create /sdcard/.qq/ → (3) create /sdcard/.qq/temp.apk → (4) start StreamService]
qq.xml & temp.apk
qq.xml is a minor version of Code4HK which is extracted, renamed to temp.apk and copied to /sdcard/.qq/temp.apk on the first run.
This file is executed if the victim clicks the “Update” button when the app first runs.
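The dropper pattern just described, a second APK hidden in assets/ under an innocent-looking name, can be caught statically by judging asset content rather than extension. The following is an added example, not code from the slides: it walks the assets/ and res/raw/ entries of an APK, treats anything that starts with the ZIP magic and contains AndroidManifest.xml plus classes.dex as an embedded package, and records its MD5 for comparison with known hashes. The outer and inner packages are constructed in memory, so no real sample is needed to run it.

```python
"""Find assets that are really ZIP/APK containers regardless of their file extension.

Added example, not from the slides. The constructed outer package carries an inner
APK under assets/qq.xml, mirroring the drop to /sdcard/.qq/temp.apk described above.
"""
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")

def classify_asset(data):
    """Return ('apk' | 'zip' | 'other', md5_hex) for one asset, judged by content."""
    md5 = hashlib.md5(data).hexdigest().upper()
    if not data.startswith(ZIP_MAGIC):
        return "other", md5
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            names = set(inner.namelist())
    except zipfile.BadZipFile:        # magic bytes only, no usable central directory
        return "other", md5
    return ("apk" if all(m in names for m in APK_MARKERS) else "zip"), md5

def find_embedded_packages(apk_bytes):
    """Scan assets/ and res/raw/ of an APK and report entries whose content is an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for entry in outer.namelist():
            if entry.endswith("/") or not entry.startswith(("assets/", "res/raw/")):
                continue
            data = outer.read(entry)
            kind, md5 = classify_asset(data)
            if kind == "apk":
                hits.append({"entry": entry, "md5": md5, "size": len(data),
                             "extension_mismatch": not entry.endswith(".apk")})
    return hits

# --- constructed sample: an outer "apk" carrying an inner apk named qq.xml ---
def build_inner_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.inner'/>")
        z.writestr("classes.dex", b"dex\n035\0")
    return buf.getvalue()

def build_outer_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.outer'/>")
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("assets/config.dat", b"not a zip at all")       # plain data -> 'other'
        z.writestr("assets/qq.xml", build_inner_apk())              # embedded APK -> 'apk'
        z.writestr("assets/readme.zip", b"PK\x03\x04truncated")     # bad zip -> 'other'
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_embedded_packages(build_outer_apk()):
        flag = " (extension does not match content)" if hit["extension_mismatch"] else ""
        print(f"{hit['entry']}: embedded APK, {hit['size']} bytes, MD5 {hit['md5']}{flag}")
```

On a real sample the reported MD5 is what you compare against the qq.xml hash listed earlier, and the extension mismatch is the detail that distinguishes a dropper from a legitimate in-app update bundle.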
C&C Address
● Primary C&C (config.dat): IP 61.36.11.75, port 1430
● Backup C&C: IP 221.226.58.202, port 1430
Register Service as Startup
MainActivity
CnC commands
Record Phone Received
Get SMS List
Get Contact List
Get Call Logs
List Files and file size in Directory
Do Call a Phone Number
Call Shell Command
Download / Delete / Upload Files
Get Email List
Prevention and Mitigation
● Don't download and install applications from third-party Android stores or unknown sources.
● Look for the homepage, information and reviews of the application before you install it, to make sure it's legitimate and only asks for the permissions it needs.
● Use up-to-date antivirus software.
Conclusion
● The malware targets Hong Kong protesters.
● It includes many specific malware features, some of which are not implemented.
● Android users should carefully read the permissions requested while installing apps and compare them with the app's functionality. When in doubt, submit the apk to an Android sandbox or to reverse engineers for an application audit.
Q & A
?
