
Stealing Traffic: Analyzing a Mobile Fraud


Presented by Abdullah Joseph in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The slides and other presentations can be found on https://def.camp/archive



  1. Title slide: Stealing Traffic: Analyzing Mobile Fraud (Abdullah Obaied, Adjust)
  2. About me
     ‣ Security Specialist
     ‣ Former Software Engineer
     ‣ Part of Adjust’s Fraud Team
     ‣ RiverBird.co
     ‣ @cheese0x02
  3. Click Injection Story Time
  4. How mobile attribution works (flow): Ad impression → Click on Ad (Media) → App Store Redirect → App Download initialized → Install finished on device → First Open: SDK Initialization
  5. First Version of Click Injection
  6. Click Injection 1.0: Abusing Broadcasts
     ‣ A “Broadcast” is an event that occurs in the system.
     ‣ Any app can have a “Broadcast Receiver” and listen to system broadcasts.
  7. Click Injection 1.0: Abusing PACKAGE_ADDED Broadcast
  8. Click Injection 1.0: Abusing PACKAGE_ADDED Broadcast (diagram: the attribution flow from slide 4 with a second ad impression and app store redirect injected into it)
  9. Click Injection 1.0: Mitigation
  10. Click Injection 1.0: Mitigation
     ‣ “firstInstallTime” allowed us to pinpoint an app’s install timestamp.
     ‣ Install requests with distorted timestamps are ignored.
  11. Second Version of Click Injection
  12. Click Injection 2.0: Same game, different time stamp (flow): Click on Ad (Media) → App Store Redirect → App Download initialized → [Click Injection 2.0: Content Provider Exploit] → Install finished on device → Action_Package_Added broadcast → [Click Injection 1.0: Referrer Broadcast] → First Open: SDK Initialization
  13. Introduction to AppX
  14. Target App: AppX
  15. Target App: AppX
     ‣ Utility app
     ‣ +100M downloads | +13M reviews
     ‣ Beautiful images and animations
     ‣ It actually does what it says it does
  16. Analysis
  17. Theory: This app is performing a new way of conducting click injections
  18. Step #1: Static Properties (findings are shown in purple on the slides)
  19. App Permissions
     ‣ What the app is allowed to do in the context of the machine and user data
  20. AppX Permissions
     ‣ AppX is allowed to extract device data
     ‣ AppX is allowed to restart itself upon boot
     ‣ AppX is allowed to monitor/kill running processes
  21. AppX Broadcast Receivers
     ‣ AppX is able to receive PACKAGE_ADDED broadcasts
  22. AppX Hard-coded Databases
     ‣ AppX has a list of ~200 app names in an SQLite DB
  23. AppX Hard-coded Databases
     ‣ AppX has a list of ~3500 app names in SQLite and txt files
     ‣ Mostly games and paid apps that run heavy ad campaigns
  24. Findings
     1. AppX is allowed to extract device data
     2. AppX is allowed to restart itself upon boot
     3. AppX is allowed to monitor/kill running processes
     4. AppX is able to receive PACKAGE_ADDED broadcasts
     5. AppX has a list of ~3500 app names in SQLite and txt files
  25. Step #2: Behavioural Analysis
  26. Before moving forward, we need a plan
  27. Plan. We need to know:
     ‣ What happens when we open the app?
     ‣ What happens when we install/uninstall other apps?
     ‣ Most importantly, what happens when we install an app from the Google Play Store?
  28. Setup
  29. On AppX Open
  30. On AppX Open
     ‣ AppX has a long-running background process in the form of a notification toolbar.
     ‣ AppX sends device and analytics data to multiple foreign servers (over HTTP).
  31. On App Uninstall
     ‣ AppX sends an “uninstall notification” to a foreign server when the user uninstalls a listed app.
  32. On App Install (From Google Play): Requests upon install
  33. On App Install (From Google Play): GET /getDlAd Request
     ‣ This request occurred before the app finished downloading. The malicious app was able to get all the details necessary to launch fake installs from this device and steal traffic.
  34. On App Install (From Google Play): GET /getDlAd Request
  35. Findings
     1. AppX has a long-running background process in the shape of a notification toolbar
     2. AppX sends multiple requests upon an app uninstall
        A. Possibly for re-attribution campaigns.
        B. Also, so as not to repeat too quickly for multiple user downloads
     3. AppX sends all the details of a download-in-progress to a foreign server BEFORE the app finishes downloading
  36. Step #3: Static Analysis
  37. Step #3: Static Analysis. What do we want to know, and how do we do it?
  38. What Do We Want to Know? Many things, but most importantly:
     ‣ What do the other parameters in the GET /getDlAd request mean?
     ‣ How are the apps in game_list.txt used?
     ‣ What is the difference between those and the SQLite database?
     ‣ What other events are there, other than install/uninstall, that the app reacts to?
     ‣ What are all the endpoints in the app?
     ‣ How is AppX sniffing in-progress downloads?
  39. How Do We Do It?
     ‣ Look for traffic sniffing activity (HTTP and Google Play-related keywords)
     ‣ Access to resources (Content Providers)
     ‣ Possible exploits (C/C++)
  40. Finding: AppX is Observing a Content Provider
     ‣ But, what’s a Content Provider?
  41. Android Content Providers
     ‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
     ‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.
  42. Android Content Providers
     ‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
     ‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.
     ‣ Any access to a resource is usually important
  43. What is Being Observed? The “Temp Downloads Content Provider”
     ‣ A content provider that has all the info of an in-progress download
  44. How Is AppX Sniffing In-Progress Downloads?
     ‣ Step #1: The “Temp Downloads Content Provider” is being observed and a function will trigger when a change occurs.
  45. How Is AppX Sniffing In-Progress Downloads?
     ‣ Step #2: When a change occurs, a query to another “Public” content provider is triggered.
  46. How Is AppX Sniffing In-Progress Downloads?
     ‣ Step #3: The query is parsed and the “packageName” of the app being downloaded is extracted.
     ‣ Step #4: AppX sends the collected details to a foreign server (already observed).
  47. Analysis Concluded
  48. Confirmed Findings
     1. AppX is observing the “Temp Downloads Content Provider” and a function will trigger when a change occurs (does not provide enough info)
     2. AppX is then querying the “Public Downloads Content Provider” for more info on the package
     3. AppX parses the query and extracts the name of the app being downloaded
     4. AppX fires a request to a server with all the info of the newly downloaded app (confirmed with behavioural analysis)
  49. Theory Confirmed: This app is performing a new way of conducting click injections
  50. Mitigations
  51. Play Store Referrer API
  52. Conclusions
  53. Contact: Abdullah Obaied, Security Specialist, abdullah@adjust.com. Adjust HQ, Saarbrücker Str. 37a, 10405 Berlin, Germany
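The two mitigations in the deck, the firstInstallTime check from slide 10 and the Play Store Referrer API from slide 51, as an added example that is not from the talk or from Adjust: a server-side classifier that walks the attribution timeline of slides 4 and 12 and shows why a click injected after the install finished (1.0) is caught by firstInstallTime alone, while a click injected during the download (2.0) needs the install-begin timestamp. The report field names and the timeline values are constructed; the install-begin field stands for the installBeginTimestampSeconds value the Play Install Referrer API exposes.

```python
from dataclasses import dataclass
from typing import Optional

ATTRIBUTION_WINDOW = 7 * 24 * 3600  # seconds; constructed policy value


@dataclass
class InstallReport:
    """What an attribution SDK could send on first open (all times Unix seconds)."""
    click_ts: int                           # last ad click the ad network claims
    first_open_ts: int                      # SDK initialization on first open
    first_install_time: int                 # PackageManager firstInstallTime
    install_begin_ts: Optional[int] = None  # Install Referrer installBeginTimestampSeconds, if collected


def classify_click(r: InstallReport) -> str:
    """Return 'attributed' or 'rejected:<reason>' for the click in the report."""
    if r.click_ts > r.first_open_ts:
        return "rejected:click_after_first_open"
    # Click Injection 1.0 fired its click off PACKAGE_ADDED, i.e. after the
    # install finished, so firstInstallTime alone catches it (slide 10).
    if r.click_ts >= r.first_install_time:
        return "rejected:click_after_install_finished"
    # Click Injection 2.0 fires while the download is still in progress and
    # therefore passes the check above; the install-begin timestamp from the
    # Play Store Referrer API (slide 51) exposes it when it was collected.
    if r.install_begin_ts is not None and r.click_ts >= r.install_begin_ts:
        return "rejected:click_after_install_begin"
    if r.first_install_time - r.click_ts > ATTRIBUTION_WINDOW:
        return "rejected:outside_attribution_window"
    return "attributed"


# Constructed timeline: download begins at t=1100, finishes at 1200, first open at 1300.
LEGIT = InstallReport(click_ts=1000, first_open_ts=1300, first_install_time=1200, install_begin_ts=1100)
V1_INJECTED = InstallReport(click_ts=1250, first_open_ts=1300, first_install_time=1200, install_begin_ts=1100)
V2_NO_REFERRER = InstallReport(click_ts=1150, first_open_ts=1300, first_install_time=1200)
V2_WITH_REFERRER = InstallReport(click_ts=1150, first_open_ts=1300, first_install_time=1200, install_begin_ts=1100)

if __name__ == "__main__":
    for name, report in [("legit", LEGIT), ("v1 injection", V1_INJECTED),
                         ("v2 injection, no referrer data", V2_NO_REFERRER),
                         ("v2 injection, with referrer data", V2_WITH_REFERRER)]:
        print(f"{name}: {classify_click(report)}")
```

The V2_NO_REFERRER case is the point of slide 12: with only firstInstallTime available, the in-progress-download click is indistinguishable from a legitimate one.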
