Stealing Traffic: Analyzing a Mobile Fraud

DefCamp
Abdullah Obaied

About me
‣ Security Specialist
‣ Former Software Engineer
‣ Part of Adjust’s Fraud Team
‣ RiverBird.co
‣ @cheese0x02

Click Injection: Story Time

How mobile attribution works
[Diagram: Ad impression → Click on ad (media) → App Store redirect → App download initialized → Install finished on device → First open: SDK initialization]

First Version of Click Injection

Click Injection 1.0: Abusing Broadcasts
‣ A “Broadcast” is an event that occurs in the system.
‣ Any app can have a “Broadcast Receiver” and listen to system broadcasts.

Click Injection 1.0: Abusing PACKAGE_ADDED Broadcast
[Diagram: the attribution flow above (ad impression → click on ad → App Store redirect → app download initialized → install finished on device → first open: SDK initialization), with an injected ad impression and ad store redirect fired after the install finished on the device, when the PACKAGE_ADDED broadcast arrives, and before the first open]

Click Injection 1.0: Mitigation
‣ “firstInstallTime” allowed us to pinpoint an app’s install timestamp.
‣ Install requests with distorted timestamps are ignored.

Second Version of Click Injection

Click Injection 2.0: Same game, different time stamp
[Diagram: the attribution flow (click on ad → App Store redirect → app download initialized → install finished on device → Action_Package_Added broadcast → first open: SDK initialization), annotated with three injection points: Click Injection 2.0 via the content provider exploit, during the download; Click Injection via the referrer broadcast; Click Injection 1.0 after the Action_Package_Added broadcast]

Introduction to AppX

Target App: AppX
‣ Utility app
‣ +100M downloads | +13M reviews
‣ Beautiful images and animations
‣ It actually does what it says it does

Analysis

Theory: This app is performing a new way of conducting click injections.

Step #1: Static Properties

App Permissions
‣ What the app is allowed to do in the context of the machine and user data

AppX Permissions
‣ AppX is allowed to extract device data
‣ AppX is allowed to restart itself upon boot
‣ AppX is allowed to monitor/kill running processes

AppX Broadcast Receivers
‣ AppX is able to receive PACKAGE_ADDED broadcasts

AppX Hard-coded Databases
‣ AppX has a list of ~200 app names in an SQLite DB
‣ AppX has a list of ~3500 app names in SQLite and txt files
‣ Mostly games and paid apps that run heavy ad campaigns

Findings
1. AppX is allowed to extract device data
2. AppX is allowed to restart itself upon boot
3. AppX is allowed to monitor/kill running processes
4. AppX is able to receive PACKAGE_ADDED broadcasts
5. AppX has a list of ~3500 app names in SQLite and txt files

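As an added example (not tooling from the talk), a small Python triage script that checks an Android manifest for the static properties listed above: receivers that listen for PACKAGE_ADDED and permissions that grant the three capabilities on the findings list. The manifest is a constructed sample, not AppX's, and the permission-to-capability mapping is my assumption, since the deck names the capabilities rather than the permissions behind them.

```python
"""Static triage of an Android manifest for the properties listed above.

Added example, not the talk's tooling. The manifest is a constructed sample,
not AppX's real manifest, and the permission-to-capability mapping is an
assumption: the deck names the capabilities, not the permissions behind them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's Clark notation for android:name

# Assumed mapping from capabilities in the findings list to permissions
# that would grant them.
CAPABILITY_PERMISSIONS = {
    "extract device data": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "restart itself upon boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "monitor/kill running processes": {
        "android.permission.GET_TASKS",
        "android.permission.KILL_BACKGROUND_PROCESSES",
    },
}

# Broadcasts that tell an app about other apps being installed or removed.
INSTALL_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REMOVED",
}

# Constructed sample manifest with the kind of declarations the deck describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.appx">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <application android:label="AppX">
    <receiver android:name=".InstallWatcher" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the declared permissions, the capabilities they imply, and the
    receivers that listen for package install/remove broadcasts."""
    root = ET.fromstring(manifest_xml)
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    capabilities = sorted(
        cap for cap, perms in CAPABILITY_PERMISSIONS.items() if permissions & perms
    )
    install_receivers = []
    for receiver in root.iter("receiver"):
        actions = {a.get(NAME_ATTR) for a in receiver.iter("action")}
        matched = sorted(actions & INSTALL_ACTIONS)
        if matched:
            install_receivers.append((receiver.get(NAME_ATTR), matched))
    return {
        "permissions": sorted(permissions),
        "capabilities": capabilities,
        "install_receivers": install_receivers,
    }


def main() -> None:
    report = triage_manifest(SAMPLE_MANIFEST)
    for cap in report["capabilities"]:
        print("capability:", cap)
    for name, actions in report["install_receivers"]:
        print("receiver %s listens for %s" % (name, ", ".join(actions)))


if __name__ == "__main__":
    main()
```

None of these declarations is malicious on its own; the point of the triage is that the combination (install/remove receiver plus device data, boot persistence and process control) is what justified the deeper behavioural analysis that follows.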
Step #2: Behavioural Analysis

Before moving forward, we need a plan.

Plan
We need to know:
‣ What happens when we open the app?
‣ What happens when we install/uninstall other apps?
‣ Most importantly, what happens when we install an app from the Google Play Store?

Setup

On AppX Open
‣ AppX has a long-running background process in the form of a notification toolbar.
‣ AppX sends device and analytics data to multiple foreign servers (over HTTP).

On App Uninstall
‣ AppX sends an “uninstall notification” to a foreign server when the user uninstalls a listed app.

On App Install (From Google Play): Requests upon install

On App Install (From Google Play): GET /getDlAd Request
‣ This request occurred before the app finished downloading. The malicious app was able to get all the details necessary to launch fake installs from this device and steal traffic.

Findings
1. AppX has a long-running background process in the shape of a notification toolbar
2. AppX sends multiple requests upon an app uninstall
   A. Possibly for re-attribution campaigns.
   B. Also, so as not to repeat too quickly for multiple user downloads
3. AppX sends all the details of a download-in-progress to a foreign server BEFORE the app finishes downloading

Step #3: Static Analysis
What do we wanna know and how do we do it?

What Do We Wanna Know?
Many things, but most importantly:
‣ What do the other parameters in the GET /getDlAd request mean?
‣ How are the apps in game_list.txt used?
‣ What is the difference between those and the SQLite database?
‣ What other events, besides install/uninstall, does the app react to?
‣ What are all the endpoints in the app?
‣ How is AppX sniffing in-progress downloads?

How Do We Do It?
‣ Look for traffic sniffing activity (HTTP and Google Play-related keywords)
‣ Access to resources (Content Providers)
‣ Possible exploits (C/C++)

Finding: AppX is Observing a Content Provider
‣ But, what’s a Content Provider?

Android Content Providers
‣ Provides an abstract wrapper for apps to access resources (files, databases, etc.)
‣ This allows app developers to focus on development and be able to change the “Data Layer” to another type later on.
‣ Any access to a resource is usually important

What is Being Observed? The “Temp Downloads Content Provider”
‣ A content provider that has all the info of an in-progress download

How Is AppX Sniffing In-Progress Downloads?
‣ Step #1: The “Temp Downloads Content Provider” is being observed and a function will trigger when a change occurs.
‣ Step #2: When a change occurs, a query to another “Public” content provider is triggered.
‣ Step #3: The query is parsed and the “packageName” of the app being downloaded is extracted.
‣ Step #4: AppX sends the collected details to a foreign server (already observed).

Analysis Concluded

Confirmed Findings
1. AppX is observing the “Temp Downloads Content Provider” and a function will trigger when a change occurs (does not provide enough info)
2. AppX is then querying the “Public Downloads Content Provider” for more info on the package
3. AppX parses the query and extracts the name of the app being downloaded
4. AppX fires a request to a server with all the info of the newly downloaded app (confirmed with behavioural analysis)

Theory Confirmed: This app is performing a new way of conducting click injections.

Mitigations
‣ Play Store Referrer API

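Added example, not Adjust's attribution code: a Python model of the two timestamp checks the deck describes, the firstInstallTime rule from the Click Injection 1.0 mitigation and the install-begin timestamp that the Play Store Referrer API exposes (installBeginTimestampSeconds), which also catches a click fired while the download is still in progress, the Click Injection 2.0 timing. The deck's "install requests with distorted timestamps are ignored" is modelled here as rejecting the clicks that cannot have preceded the install; all clicks and install timestamps are constructed sample data.

```python
"""Attribution-side timestamp checks against injected clicks.

Added example, not Adjust's attribution code. It models the two checks the
deck names: the firstInstallTime rule from the Click Injection 1.0 mitigation,
and the install-begin timestamp exposed by the Play Store Referrer API
(installBeginTimestampSeconds), which also catches a click fired while the
download is still in progress, the Click Injection 2.0 timing. All clicks and
install timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Click:
    click_id: str
    network: str
    timestamp: int  # Unix seconds, as logged by the attribution server


@dataclass(frozen=True)
class Install:
    package_name: str
    first_install_time: int            # PackageInfo.firstInstallTime, Unix seconds
    install_begin_time: Optional[int]  # Referrer API installBeginTimestampSeconds, None if unavailable


def is_click_plausible(click: Click, install: Install) -> Tuple[bool, str]:
    """A click can only have caused the install if it preceded the install."""
    # Click Injection 1.0: the click was fired after the install completed
    # (the attacker reacted to the PACKAGE_ADDED broadcast).
    if click.timestamp >= install.first_install_time:
        return False, "click after firstInstallTime (Click Injection 1.0 timing)"
    # Click Injection 2.0: the click was fired while the download was in
    # progress. Only detectable when the install-begin timestamp is known.
    if install.install_begin_time is not None and click.timestamp >= install.install_begin_time:
        return False, "click after install begin, during the download (Click Injection 2.0 timing)"
    return True, "ok"


def attribute(install: Install, clicks: List[Click]) -> Tuple[Optional[Click], Dict[str, str]]:
    """Last-click attribution over plausible clicks only.

    Returns the winning click (None if no plausible click remains, i.e. the
    install is treated as organic) and a map of rejected click ids to reasons.
    """
    plausible: List[Click] = []
    rejected: Dict[str, str] = {}
    for click in clicks:
        ok, reason = is_click_plausible(click, install)
        if ok:
            plausible.append(click)
        else:
            rejected[click.click_id] = reason
    winner = max(plausible, key=lambda c: c.timestamp, default=None)
    return winner, rejected


# Constructed timeline: download started at t=1000, install completed at t=1060.
CLICKS = [
    Click("legit", "NetworkA", 900),        # real click before the store redirect
    Click("inject-2.0", "ShadyNet", 1005),  # fired while the download was in progress
    Click("inject-1.0", "ShadyNet", 1062),  # fired after PACKAGE_ADDED
]
WITH_REFERRER = Install("com.example.game", first_install_time=1060, install_begin_time=1000)
WITHOUT_REFERRER = Install("com.example.game", first_install_time=1060, install_begin_time=None)


def main() -> None:
    cases = (("with referrer API", WITH_REFERRER), ("firstInstallTime only", WITHOUT_REFERRER))
    for label, install in cases:
        winner, rejected = attribute(install, CLICKS)
        print("%s: attributed to %s" % (label, winner.click_id if winner else "organic"))
        for click_id, reason in rejected.items():
            print("  rejected %s: %s" % (click_id, reason))


if __name__ == "__main__":
    main()
```

Without the referrer timestamp, the 2.0 click passes the firstInstallTime rule and wins last-click attribution, which is exactly the gap the second version of the attack exploits.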
Conclusions

Abdullah Obaied, Security Specialist
abdullah@adjust.com
Adjust HQ, Saarbrücker Str. 37a, 10405 Berlin, Germany