WTF is happening inside my Android phone (public)
  • 1. Lost in translation: WTF is happening inside my Android phone
  • 2. Contents: Android System, Static Analysis, Dynamic Analysis, Reversing Red Bunny, Conclusion
  • 3. Android architecture (diagram)
  • 4. Dalvik VM
    - Register-based virtual machine.
    - Uses its own bytecode, not Java bytecode.
    - Runs on a slow CPU with little RAM.
    - Runs on an operating system without swap space.
    - Optimized for memory efficiency.
    - Dex class file format.
  • 5. Dex file format (in file order): header, string_ids, type_ids, proto_ids, field_ids, method_ids, class_defs, data
  • 6. Analysis environment. Tools:
    - Case-sensitive file system :D
    - Android SDK
    - Android NDK
    - Android source code
    - Eclipse
    - Apktool, Dex2jar, JD-GUI
    - Android Emulator
  • 7. Example tool chain (diagram):
    - .java (source) -> compiler -> .dex (inspect with dexdump)
    - .dex -> dex2jar -> .class -> jd-gui -> .java
    - .dex -> baksmali -> .smali -> smali -> .dex
  • 8. Anti-analysis examples:
    - Easy: use a.class and A.class as class names: one of the files will be hidden on case-insensitive file systems.
    - Medium: optimize/obfuscate the code with ProGuard.
    - Hard: modify the bytecode to break reversing tools (be sure that it still runs on Dalvik). Example: androguard-a1's encoded-value parser, with the slide's annotation "insert value type VALUE_ANNOTATION" pointing at the chain of branches that ends in a raise:
        if self.__value_type >= VALUE_SHORT :
            ...
        elif self.__value_type == VALUE_ARRAY :
            ...
        elif self.__value_type == VALUE_BYTE :
            ...
        elif self.__value_type == VALUE_NULL :
            ...
        elif self.__value_type == VALUE_BOOLEAN :
            ...
        else :
            raise("oops")
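Added example, not code from the talk or from androguard: a Python parser for the dex header whose sections slide 5 lists, plus the two integrity fields a loader can check (an adler32 checksum over everything after it, and a SHA-1 signature over everything after it). It matters for the "hard" trick on slide 8: a bytecode edit that is meant to still run on Dalvik has to be followed by recomputing these fields, which reseal() does. The sample dex is constructed here, just enough for the parser to walk; it is not a loadable class file. Field layout follows the dex format specification.

```python
"""Parse, verify and re-seal a dex header (added example; not from the talk)."""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"           # magic of the dex 035 format
HEADER_SIZE = 0x70                   # 112 bytes
# uint32 fields that follow magic (8 bytes), checksum (4) and signature (20),
# in header order. The *_size/*_off pairs are the section table from slide 5.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_header(dex: bytes) -> dict:
    """Return the header fields as a dict; raises if the magic is wrong."""
    if len(dex) < HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    hdr["checksum"] = struct.unpack_from("<I", dex, 8)[0]
    hdr["signature"] = dex[12:32]
    return hdr


def sections(hdr: dict) -> list:
    """(name, count, offset) for the id tables, class_defs and data."""
    names = ("string_ids", "type_ids", "proto_ids", "field_ids",
             "method_ids", "class_defs", "data")
    return [(n, hdr[n + "_size"], hdr[n + "_off"]) for n in names]


def verify(dex: bytes) -> dict:
    """Check the integrity fields a loader can test.

    checksum  = adler32 over everything after the checksum field (offset 12..)
    signature = SHA-1 over everything after the signature field (offset 32..)
    """
    hdr = parse_header(dex)
    return {
        "size_ok": hdr["file_size"] == len(dex),
        "checksum_ok": hdr["checksum"] == (zlib.adler32(dex[12:]) & 0xFFFFFFFF),
        "signature_ok": hdr["signature"] == hashlib.sha1(dex[32:]).digest(),
    }


def reseal(dex: bytes) -> bytes:
    """Recompute file_size, signature and checksum after patching bytes.

    Order matters: the signature covers file_size and the checksum covers the
    signature, so the fields are written innermost-first.
    """
    buf = bytearray(dex)
    struct.pack_into("<I", buf, 32, len(buf))
    buf[12:32] = hashlib.sha1(bytes(buf[32:])).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(bytes(buf[12:])) & 0xFFFFFFFF)
    return bytes(buf)


def build_sample_dex() -> bytes:
    """Constructed 120-byte dex: header, one string_id and one string.

    Only enough to exercise the parser; it is not a loadable class file.
    """
    fields = {name: 0 for name in HEADER_FIELDS}
    fields.update(file_size=120, header_size=HEADER_SIZE, endian_tag=0x12345678,
                  string_ids_size=1, string_ids_off=0x70,   # one string_id_item
                  data_size=4, data_off=0x74)               # string data below
    header = (DEX_MAGIC + b"\0" * 4 + b"\0" * 20
              + struct.pack("<20I", *(fields[n] for n in HEADER_FIELDS)))
    string_ids = struct.pack("<I", 0x74)       # string_data_off
    string_data = b"\x02hi\x00"                 # uleb128 length, MUTF-8 "hi", NUL
    return reseal(header + string_ids + string_data)


if __name__ == "__main__":
    dex = build_sample_dex()
    for name, count, off in sections(parse_header(dex)):
        print(f"{name:<12} count={count} off=0x{off:x}")
    print("pristine:", verify(dex))
    patched = dex[:0x74] + b"\x02HI\x00"       # edit the string in place
    print("patched: ", verify(patched))        # checksum and signature now fail
    print("resealed:", verify(reseal(patched)))
```

Run it on a real classes.dex (replace build_sample_dex() with open(path, "rb").read()) to list the section table and confirm the file is internally consistent; a patched sample whose checksum or signature no longer verifies is a quick tell that someone has been editing bytecode by hand.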
  • 9. Dynamic analysis, basic:
    - Create an Android Virtual Device: $ android (SDK)
    - $ emulator -port 5560 @virtual-device -tcpdump capture.pcap
    - $ adb install app.apk
    - $ adb shell monkey -v -p <package> 700
    - $ adb shell logcat -d && adb shell logcat -b events -d (the radio buffer too: -b radio)
    - $ adb shell /data/busybox find / -type f -exec /data/busybox md5sum {} \;
  • 10. Make it more real: simulate phone events through the emulator console.
    Send an SMS:
      $ echo sms send +34656566789 test | nc localhost 5554
      (as seen in logcat) D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c
    Simulate calls:
      $ echo gsm call +34656566789 | nc localhost 5554
      $ echo gsm accept +34656566789 | nc localhost 5554
      $ echo gsm cancel +34656566789 | nc localhost 5554
    Change GPS coordinates:
      $ echo geo fix -82.411629 28.054553 | nc localhost 5554
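Added example, not from the talk: the last command on slide 9 takes an md5 of every file on the device. This Python script parses two such md5sum listings, one taken before and one after installing and exercising the app, and reports what was added, removed or modified, skipping /proc, /sys and /dev, whose contents change on every read. The two listings below are constructed for the example, with made-up digests and a hypothetical package name com.example.sample.

```python
"""Diff two 'busybox md5sum' snapshots of the emulator file system (added example)."""
import re

MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S.*)$")
# Pseudo file systems whose contents change on every read; useless in a diff.
NOISY_PREFIXES = ("/proc/", "/sys/", "/dev/")


def parse_md5sum(text: str) -> dict:
    """Map path -> md5 from md5sum output; skips error lines and noisy paths."""
    snapshot = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if not m:
            continue                       # e.g. "md5sum: can't open '...'"
        digest, path = m.groups()
        if path.startswith(NOISY_PREFIXES):
            continue
        snapshot[path] = digest
    return snapshot


def diff_snapshots(before: str, after: str) -> dict:
    """Return sorted lists of files added, removed and modified."""
    b, a = parse_md5sum(before), parse_md5sum(after)
    return {
        "added": sorted(a.keys() - b.keys()),
        "removed": sorted(b.keys() - a.keys()),
        "modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


# Constructed snapshots: paths, digests and the package name are made up.
BEFORE = """\
d41d8cd98f00b204e9800998ecf8427e  /system/bin/sh
0cc175b9c0f1b6a831c399e269772661  /data/data/com.android.providers.settings/databases/settings.db
92eb5ffee6ae2fec3ad71c777531578f  /data/system/packages.xml
4a8a08f09d37b73795649038408b5f33  /proc/self/stat
"""
AFTER = """\
d41d8cd98f00b204e9800998ecf8427e  /system/bin/sh
0cc175b9c0f1b6a831c399e269772661  /data/data/com.android.providers.settings/databases/settings.db
8277e0910d750195b448797616e091ad  /data/system/packages.xml
e1671797c52e15f763380b45e841ec32  /data/app/com.example.sample-1.apk
md5sum: can't open '/data/app/com.example.sample-1.apk.tmp': No such file or directory
c81e728d9d4c2f636f067f89cc14862c  /data/data/com.example.sample/files/myupdate.apk
c4ca4238a0b923820dcc509a6f75849b  /proc/self/stat
"""

if __name__ == "__main__":
    for kind, paths in diff_snapshots(BEFORE, AFTER).items():
        for p in paths:
            print(f"{kind:<9} {p}")
```

With real listings (adb pull the two md5 outputs, or redirect the adb shell output to files) the "added" list is where dropped payloads such as a second apk show up, and "modified" catches the app rewriting system databases.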
  • 11. Dynamic analysis, advanced:
    - Create your own system image and modify the Java classes to log the program flow. Example: framework/base/core/java/android/os/
  • 12. Compiling Android kernel modules:
    $ git clone git://
    $ git branch -a
    $ git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
    $ adb pull /proc/config.gz ./; gunzip config.gz; mv config .config
    Edit .config and add CONFIG_MODULES=y (disabled by default in the emulator kernel).
    $ emulator -avd armv5y -kernel /tmp/zImage
  • 13. System-call hooking: $ grep sys_call_table (locate the table's address in the kernel's System.map)
  • 14. Anti-VM. Detecting the emulator is very easy:
    DEVICE_ID:
      String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
      boolean emulator = TextUtils.isEmpty(id);
    Solution: change the secure->android_id row under data/data/
    IMSI:
      TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
      String imsi = manager.getSubscriberId();   // 00000... on the emulator
    Solution: patch the emulator binary (search for the +CGSN string; +CGSN answers the IMEI and +CIMI the IMSI) or the emulator source code (external/qemu/telephony/android_modem.c).
  • 15. More anti-VM:
    - LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
    - Detect ADB stuff: process, network, debug enabled...
    - /proc/cpuinfo -> Hardware : Goldfish
    - vibrator.vibrate(milliseconds) and use a SensorListener (sensor data doesn't change) (Thanks Ehooo)
    - QEMU-specific detection (Google)
    Solution: patch the emulator, QEMU, system hooking...
  • 16. Alternatives to the Android emulator:
    - (name missing from the slide). Supports VMware.
    - Use a real phone... Slower.
  • 17. Attack vectors:
    - Alternative markets, repackaged applications.
    - SMS, MMS vulnerabilities. Fuzzing!!!
    - Wireless, Bluetooth drivers
    - NFC
    - System components: WebKit, sound library, kernel.
  • 18. Third party software (chart). Source:
  • 19. ADRD aka Redbunny
    - "Security Alert 2011-02-14: New Android Trojan ADRD Was Found in the Wild by Aegislab"
    - "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
    - Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
      * Name: com.beautyfullivewallpaper
      * Date: Feb. 2, 2011, 1:49 p.m.
    - Also known as HongTouTou
  • 20. Detection
    - Permission list: INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS..
    - Cipher module/library calls (DES):
      * init            Ljavax/crypto/Cipher;    Lcom/xxx/yyy/ddda;       decrypt
    - Function calls to retrieve the IMSI/IMEI codes:
      * IMEI: getDeviceId       Lcom/xxx/yyy/MyService;    onCreate
      * IMSI: getSubscriberId   Lcom/xxx/yyy/MyService;    onCreate
    - HTTP requests (GET and POST):
      * String str8 = "" + (String)localObject;
      * POST /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af
  • 21. Detection
    - Sends HTTP requests through a proxy:
      * HttpHost localHttpHost = new HttpHost("", 80, "http");
      * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);
    - Services:
      * (name missing from the slide)
      * .beauty.Beauty
    - Intents:
      * android.intent.action.BOOT_COMPLETED -> boots at system startup
      * android.intent.action.PHONE_STATE
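Added example, not from the talk: the detection slides (20-21) and the anti-VM slides (14-15) both reduce to spotting a few API calls and string constants in the disassembly. This Python script walks concatenated baksmali output, tracks the current class and method so each hit is reported in the same "method, class, caller" shape as slide 20, and then combines the hits with the manifest permission list into a short verdict. The smali below is constructed to mirror the calls named on slide 20 (class names Lcom/xxx/yyy/MyService; and Lcom/xxx/yyy/ddda; are the placeholders the slide uses); the regexes, the indicator names and the scoring are this example's own choices, not ADRD's or any tool's.

```python
"""Triage baksmali output for ADRD-style indicators (added example)."""
import re

# Indicator name -> regex applied to each smali instruction line.
INDICATORS = {
    "imei":        re.compile(r"Landroid/telephony/TelephonyManager;->getDeviceId\("),
    "imsi":        re.compile(r"Landroid/telephony/TelephonyManager;->getSubscriberId\("),
    "android_id":  re.compile(r'const-string [vp]\d+, "android_id"'),
    "des_cipher":  re.compile(r'const-string [vp]\d+, "DES(?:/|")'),
    "cipher_init": re.compile(r"Ljavax/crypto/Cipher;->init\("),
    "http_proxy":  re.compile(r'const-string [vp]\d+, "http\.route\.default-proxy"'),
    "apn_write":   re.compile(r'const-string [vp]\d+, "content://telephony/carriers'),
    "goldfish":    re.compile(r'const-string [vp]\d+, "(?:goldfish|generic)"', re.I),
}
CLASS_RE = re.compile(r"^\.class\s+(?:\S+\s+)*(L[^\s;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:\S+\s+)*([^\s(]+)\(")


def scan_smali(text: str) -> list:
    """Return (indicator, class, method, line_no) tuples in file order."""
    hits, cls, meth = [], "?", "?"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls, meth = m.group(1), "?"
        elif m := METHOD_RE.match(line):
            meth = m.group(1)
        elif line == ".end method":
            meth = "?"
        else:
            for name, rx in INDICATORS.items():
                if rx.search(line):
                    hits.append((name, cls, meth, no))
    return hits


def triage(hits: list, permissions: set) -> dict:
    """Combine API hits with manifest permissions into a short verdict."""
    found = {h[0] for h in hits}
    flags = {
        "collects_identity": bool({"imei", "imsi"} & found) and "READ_PHONE_STATE" in permissions,
        "encrypted_c2": "cipher_init" in found and "INTERNET" in permissions,
        "persists_on_boot": "RECEIVE_BOOT_COMPLETED" in permissions,
        "touches_apn": "apn_write" in found or "WRITE_APN_SETTINGS" in permissions,
        "checks_emulator": bool({"android_id", "goldfish"} & found),
    }
    flags["score"] = sum(flags.values())      # number of flags raised
    return flags


# Constructed input: two classes' worth of baksmali output, modelled on slide 20.
SAMPLE_SMALI = """\
.class public Lcom/xxx/yyy/MyService;
.super Landroid/app/Service;

.method public onCreate()V
    .locals 2
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Lcom/xxx/yyy/MyService;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    move-result-object v0
    check-cast v0, Landroid/telephony/TelephonyManager;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    const-string v1, "http.route.default-proxy"
    return-void
.end method

.class public Lcom/xxx/yyy/ddda;
.super Ljava/lang/Object;

.method public static decrypt([B)[B
    .locals 3
    const-string v0, "DES/CBC/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v1
    invoke-virtual {v1, v2, p0}, Ljavax/crypto/Cipher;->init(ILjava/security/Key;)V
    return-object p0
.end method
"""
# The permission list from slide 20.
SAMPLE_PERMISSIONS = {"INTERNET", "WRITE_EXTERNAL_STORAGE", "ACCESS_NETWORK_STATE",
                      "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED",
                      "MODIFY_PHONE_STATE", "WRITE_APN_SETTINGS"}

if __name__ == "__main__":
    hits = scan_smali(SAMPLE_SMALI)
    for name, cls, meth, no in hits:
        print(f"{name:<12} {cls:<28} {meth:<10} line {no}")
    print(triage(hits, SAMPLE_PERMISSIONS))
```

On a real sample, feed it the concatenation of the .smali files apktool or baksmali produced (for example cat smali/**/*.smali) and read the permission set out of the decoded AndroidManifest.xml; the "checks_emulator" flag is the one to look at first, since it tells you whether the dynamic run on slide 9 can be trusted at all.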
  • 22. Analysis I. Service module (MyService):
    1. Sets the preferred APN. Runs every 12 hours.
    2. Looks for a specific APN network: "CMWAP" || "UNIWAP".
    3. Cipher data module: public static String encrypt/decrypt; Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
       Sends data to index.aspx?im=%s, where %s = encrypt(IMEI + IMSI + Netway (preferred APN) + iversion + oversion).
       Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types).
    4. Loop: decrypt the response, then switch(cmd): 0 do nothing; 1 adad.StartGo(); 2 ParseO(); 3 UpdateHelper(). It depends on the
       adad.StartGo(): parses the big list of URLs/referers (B#1#963a_w1| ... g.ashx?w=963a_w1). BBBB.Go() retrieves search lists and sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS.
    5. ParseO(): parses the server response (number, flags, tags..).
    6. UpdateHelper installs the update apk. Sends log data to the control servers, e.g. T213607170863|12345|+ -10086+ abc -597| [
  • 23. Analysis II
    - Following the encryption routines, the DES key is found: this.kk = "48734154"; (8 ASCII bytes, i.e. the whole 64-bit DES key material)
    - UpdateHelper class:
        public class UpdateHelper {
            private static String savefilepath = "/myupdate.apk";
            private Context ct;
            private int netway;
    - Benefit: from visits to the content (Baidu) and bandwidth consumption (China Mobile && Unicom), and also SMS charges.
    - Server URLs (there are more): We want to know more!!
  • 24. Control servers, from an eagle's-eye view:
    * Microsoft-IIS/6.0
    * Debug enabled (displaying .NET errors and backtraces)
    * Hidden paths to the .NET/aspx application
    * ALL is Chinese! (WTF!?!"·$%&/(?)
    - Possible attack vectors:
    * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the ADRD server)
  • 25. Control servers, first results:
    * Exceptions in Chinese. Google Translate is your friend.
    * Errors at .NET (it didn't generate any HTML list/table or view to use for displaying data).
    * We got a successful SQL injection after the last ciphered parameter :D
    * User without admin privileges.
    * Permissions to run backups + shared resources = timeout.
    * Other possibilities:
      + 1: Create a temporary DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (the language didn't help either).
      + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it is not usual to log all the DB queries, for performance reasons).
  • 26. Database information
    - The whole schema obtained: list of tables, fields, types, stored procedures.
    - IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts.
    - The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to !
      * Parameters: @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
      * Stored procedure:
          --if (@netwap=2) select T-1|T11
          --select T3
          --select T213607170863|12345|+ -10086+ abc -597| [
          --else
          --select T013607170863
    - It looks like they were considering the netwap (based on the mobile operator) as a criterion for choosing which commands to send.
      * TX (where X seems to be a command type)
      * 13607170863 is a phone number located in Wuhan
  • 27. Database schema (table: fields; several table names were blanked on the slide):
    t_baiduHourPercent: autoid, mHour, mPercent
    t_ : myear, mmonth, mday, mhour, total
    t_baidukeyword: keyword, viewcount
    t_ : way, flag
    t_baidukeywordflash: keyword
    t_baiduOrtherKey: keyword, viewcount
    t_ : keyword, flag
    t_baidupwd: id, way, username, pwd
    t_ _wap: keyword, flag
    t_baiduwayname: way, wayname
    t_ _wap_back: keyword, flag
    t_keywordResult: id, keyword, link, head, flag
    t_androidtemplog: id, imsi, way, result, createtime
    t_ _wap_back: keyword, flag
    t_keywordResult20100601: id, keyword, link, head, flag
    t_ : flag
    t_keywordResult20101108: id, keyword, link, head, flag
    t_ : keyword, createtime
    t_baiduHourPercent20101012: autoid, mHour, mPercent
    t_androidtemplog_backup: id, imsi, way, result, createtime
    t_ _wap: keyword, createtime
    t_androidtemperrlog: id, compresslog, decompresslog, createtime
    t_ : keyword, createtime
    t_androidtemplog_backup201101: id, imsi, way, result, createtime
    t_ _wap: keyword, createtime
    t_android : id, imei, imsi, logs, ip, createtime, netway
    t_android : , , , , createtime
    t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, userid
    t_ : way, maxClick, minClick, leaveTotalClick, leaveEffectClick
    t_ _wap_20100323: keyword, createtime
    t_ _wap_20100722: keyword, createtime
  • 28. myupdate.apk
    - It uses the main package of the ADRD family, xxx.yyy.
    - The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS..
    - Looks like a Google Reader.
    - It adds a local SQLite DB (keyword storage):
      go_g1_sms: id, keyword, type, flag
      go_g2_sms: id, keyword, keyword2
    - SMSObserver:
      * Replaces keywords in SMSs.
      * Sends SMS!
  • 29. Samples
    Package name                             Md5                               Adrd Ver        IVer
    com.beautyfullivewallpaper               4556a687a2845bf4dfac62c594938cf3                  6
    com.yodesoft.yohandcar                   6783cee889fa64df68af58a56ff6e362  adrd.zt.2
                                             aa5216da617839e818d83d8185da42b0  adrd.zt.jtj.2   6
    com.magicwach.rdefense                   839c37f3a2c8d31561d28f619a2a712e                  6
    com.tat.livewallpaper.dandelion          5192ad05597e7a148f642be43f6441f6                  6
    com.classicnerds.livewallpaper.HK        b72724d8fc0f633194dcc3bd28eec026                  7
    fishnoodle.night_city                    a01ba26a34e55f71873782348ff5e074  adrd.zt.dxm.6   7
    com.appspot.swisscodemonkeys.steam       cdfca19bf212adf3292e4fe677fe46a6                  7
    kr.mobilesoft.yxplayer                   e3cc6c7af0d83fe322116254c01cf720                  7
    com.labgency.wallpapers.waves            7d764347a0b0c9d11160d7a7684bf02b  adrd.zt.dxm.8   7
    com.laucass.andromax                     627f41c8f8e7ab007641c4a0c1d8ce1b                  7
    com.digitalchocolate.androidrollergapp   71c0a67daa544450d7c620a48cc059b0                  7
    proscio.wallpaper.shamroc                e09782d35d72a769dc7454adb6d8e2e9                  7
                                             f2596f8f3c52381318f62d1ab161c284  ??              ??
  • 30. Infections: geolocation (map)
  • 31. Infections by operator (chart): +20K different IMSIs. Other affected operators: Far EasTone, Peoples Telephone Company, Hutchison 3G, PCCW Mobile, Sunday, Hong Kong Telecom, SmarTone Mobile
  • 32. Thank you! Questions? @jaimeblascob @PabloForThePPL