Wtf is happening_inside_my_android_phone_public


Published on

1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Wtf is happening_inside_my_android_phone_public

  1. 1. ! Lost in translationWTF is happening inside my AndroidPhone Ok Cancel
  2. 2. 8:30 PMContents Contents Android System Static Analysis Dynamic Analysis Reversing Red Bunny Conclusion Cancel
  3. 3. 8:30 PMAndroid architecture
  4. 4. 8:30 PM DALVIK VM - Register-based virtual machine - It uses its own bytecode, not Java bytecode. - Run on a slow CPU with little RAM.- Run on an operating system without swap space. - Optimized for memory efficiency. - Dex class file format.
  5. 5. 8:30 PMDex file format header string_ids type_ids proto_ids field_idsmethod_ids class_defs data
  6. 6. 8:30 PM Analysis EnvironmentToolsCase-sensitive file system :DAndroid SDKAndroid NDKAndroid source codeEclipseApktool, Dex2jar, JD-GUIAndroid Emulator
  7. 7. 8:30 PM Example .java/jd-gui Compiler dex2jar .java/source .dex/dexdump .smali/baskmalibaskmali
  8. 8. 8:30 PM Anti-analysis Examples:- Easy: Use a.class and A.class as class names: the file willbe hidden on case-insensitive file systems.- Medium: Optimize/ofuscate the code with ProGuard.- Hard: Modify bytecode to break reversing tools (besure that it still runs on Dalvik.) if self.__value_type >= VALUE_SHORTEj: androguard-a1: ... elif self.__value_type == VALUE_ARRAY : ... elif self.__value_type == VALUE_BYTE :Insert value type ...VALUE_ANNOTATION elif self.__value_type == VALUE_NULL : ... elif self.__value_type == VALUE_BOOLEAN : ... else : raise(“oops”)
  9. 9. 8:30 PM Dynamic Analysis Basic:- Create an Android Virtual Device. -> $android (SDK)- $emulator -port 5560 @virtual-device -tcpdump capture.pcap- $adb install app.apk- $adb shell monkey -v -p 700- $adb shell logcat -d && $adb shell logcat -b events -d (radio also)- $adb shell /data/busybox find / -type f -exec /data/busybox md5sum
  10. 10. 8:30 PM Make it more real- Simulate phone events:Send SMS:echo sms send +34656566789 test | nc localhost 5554D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380cSimulate calls:$echo gsm call +34656566789 |nc localhost 5554$echo gsm accept +34656566789 |nc localhost 5554$echo gsm cancel +34656566789 |nc localhost 5554Change GPS coordinates:$echo geo fix -82.411629 28.054553|nc localhost 5554
  11. 11. 8:30 PM Dynamic Analysis Advance:- Create you own system image and modify the java classes to log theprogram flow. Example, framework/base/core/java/android/os/
  12. 12. 8:30 PM Compiling Android Kernel modules$git clone git://$git branch -a$git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29$adb pull /proc/config.gz ./;gunzip config.gz; mv config .configEdit and Add CONFIG_MODULES=y (disable by default onemulator kernel)$emulator -avd armv5y -kernel /tmp/zImage
  13. 13. 8:30 PMSystem-Call Hooking $grep sys_call_table
  14. 14. 8:30 PM Anti-VM- Detecting the emulator is very easy:DEVICE_ID:String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);boolean emulator = TextUtils.isEmpty(id);Solution:Change secure->android_id on data/data/ manager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE);String imsi = manager.getSubscriberId(); (00000... on emulator)Solution:Patch the emulator binary (search for +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).
  15. 15. 8:30 PM More Anti-VM- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException- Detect ADB stuff.. process, network, debug enabled...- /proc/cpuinfo - > Hardware : Goldfish- vibrator.vibrate(milliseconds) and use SensorListener (sensor data doesn’tchange)(Thanks Ehooo)- Qemu specific detection (Google)Solution:Patch emulator, Qemu, system hooking...
  16. 16. 8:30 PM Alternatives to Android Emulator- . Supports VMware- Use a real phone... Slower
  17. 17. 8:30 PM Attack Vectors- Alternative markets, repacked applications.-SMS, MMS vulnerabilities, Fuzzing!!!.- Wireless, Bluetooth Drivers- NFC- System componentes: Webkit,sound library, Kernel.
  18. 18. 8:30 PM Third party softwareSource:
  19. 19. 8:30 PM ADRD aka Redbunny- "Security Alert 2011-02-14: New Android Trojan ADRD Was Found inthe Wild by Aegislab" ( ) ! Notification- "[…] Today, we found a new Android trojan,we call it "ADRD", which was not reported by any security vendors before.[…]"- Jaime Blasco and Pablo Rincón were working together,analyzing this malware on Feb 2, 2011:* Name: com.beautyfullivewallpaper* Date: Feb. 2, 2011, 1:49 p.m.- Also known as HongTouTou
  20. 20. 8:30 PM Detection- Permission list: * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE,RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS..- Cipher module/library calls (DES): * init        Ljavax/crypto/Cipher;    Lcom/xxx/yyy/ddda;    decrypt- Function calls to retrieve the IMSI/IMEI codes: * IMEI:    getDeviceId       Lcom/xxx/yyy/MyService;    onCreate * IMSI:    getSubscriberId     Lcom/xxx/yyy/MyService;    onCreate- HTTP Requests (GET and POST): * String str8 = "" +(String)localObject; *    POST    /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af
  21. 21. 8:30 PM Detection- Sends http requests through a proxy: * HttpHost localHttpHost = new HttpHost("", 80, "http"); * HttpParams localHttpParams =localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);- Services: * * .beauty.Beauty- Intents: * android.intent.action.BOOT_COMPLETED **** -> Boots at system startup * android.intent.action.PHONE_STATE *
  22. 22. 8:30 PM Analysis I Service module (MyService): Sets a Proxy for GET/POST and- Sets the preferred apn 1 HTTP specially crafted headers- Runs each 12 hours (UA, MIME types)- Looks for specific APN network : 2 “CMWAP” || “UNIWAP” Cipher data moduleSend data to public static String encrypt/decrypt 3index.aspx?im=%s: Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");+ IMEI+ IMSI Loop+ Netway (preferred APN) + Decrypt response+ iversion + Switch(cmd) It depends on the+ oversion 4 + 0 Do nothing + 1 adad.StartGo() adad.StartGo() + 2 ParseO 5Sends + 3 UpdateHelper()+encrypt(IMEI+IMSIParses the big list of ulrs/referersB#1#963a_w1| UpdateHelper installs the updateg.ashx?w=963a_w1 apk 6BBBB.Go() -> Retrieves search lists Send random requests addingBAIDU_WISE_UID and HTTP_HEADERS. ParseO(): parse server response (number, flags, tags..): Sends log data to control servers 6 T213607170863|12345|+ -10086+ abc -597| [ 6
  23. 23. 8:30 PM Analysis II - Following the encryption routines, the DES key is found…: this.kk = "48734154";* UpdateHelper class: public class UpdateHelper { private static String savefilepath = "/myupdate.apk"; private Context ct; private int netway;* Benefit from visits to the content (Baidu) and bandwidth consumption (China Mobile &&Unicom) and also SMS charges.- Server URLs (there are more): We want to know more!!
  24. 24. 8:30 PM Control Servers- from an eagle view:* Microsoft-IIS/6.0* Debug Enabled (Displaying .NET errors and backtraces)* Hidden paths to the .Net/aspx application* ALL is Chinese! (WTF!?!"·$%&/(?)- Possible vector attacks:* HTTP functions + DES key + pyDes = "legal" HTTP Requests (at least for the adrd server)
  25. 25. 8:30 PM Control Servers - First results: Search* Exceptions in chinese. Google Translate is your friend* Errors at .NET (it didnt generate any html list/table, or view to use for data displaying)* We got a successful Sql injection after the last ciphered parameter :D).* User without admin privileges.* Permissions to run Backups + Shared Resources = Timeout * Other possibilities: + 1: Create a temporal db, with just one table each time, dump paginated rows and runbackups. Problem: Complex to do and complex to rebuild the original DB (Also the langdidnt help) + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our currentattacks were hidden by DES at the http logs, and its not usual to log all the db queries forperformance reason.
  26. 26. 8:30 PM Database Information - All the scheme obtained: list of Tables, Fields, types, stored procedures- IMEI/IMSIs list (at least some of them), logs, keywords, Baidu accounts- The main stored procedure affected by the sql injection retrieves the URL of myupdate.apk, thatpoints to ! * Parameters: @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int* Store procedure: --if (@netwap=2) select T-1|T11 --select T3 --select T213607170863|12345|+ -10086+ abc -597| [ --else --select T013607170863* Looks that they were considering the netwap (based on the mobile operator) as a criteria to sendcommands * TX (where X seems to be a command type) * 13607170863 is a phone number located at Wuhan
  27. 27. 8:30 PM Database Scheme t_baiduHourPercent: autoid, mHour, mPercent t_ : myear, mmonth, mday, mhour, totalt_baidukeyword: keyword, viewcount t_ : way, flagt_baidukeywordflash: keywordt_baiduOrtherKey: keyword, viewcount t_ : keyword, flagt_baidupwd: id, way, username, pwd t_ _wap: keyword, flagt_baiduwayname: way, wayname t_ _wap_back : keyword, flagt_keywordResult: id, keyword, link, head, flagt_androidtemplog: id, imsi, way, result, createtime t_ _wap_back : keyword, flagt_keywordResult20100601: id, keyword, link, head, flag t_ : flagt_keywordResult20101108: id, keyword, link, head, flag t_ : keyword, createtimet_baiduHourPercent20101012: autoid, mHour, mPercentt_androidtemplog_backup: id, imsi, way, result, createtime t_ _wap: keyword, createtimet_androidtemperrlog: id, compresslog, decompresslog, createtime t_ : keyword, createtimet_androidtemplog_backup201101: id, imsi, way, result, createtime t_ _wap: keyword, createtimet_android : id, imei, imsi, logs, ip, createtime, netwayt_android : , , , , createtimet_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, useridt_ : way, maxClick, minClick, leaveTotalClick, leaveEffectClickt_ _wap_20100323: keyword, createtimet_ _wap_20100722 : keyword, createtime
  28. 28. 8:30 PM Myupdate.apk- It uses the main package of the ADRD family xxx.yyy.- The update has other permissions: WRITE_SMS, READ_SMS,RECEIVE_SMS, SEND_SMS..- Looks like a google reader- It adds a local sqlite DB (keyword storage). go_g1_sms: id, keyword, type, flag go_g2_sms: id, keyword, keyword2- SMSObserver: * Replaces keywords on SMS’s. * Sends SMS!
  29. 29. 8:30 PM Samples Package name Md5 Adrd Ver IVercom.beautyfullivewallpaper 4556a687a2845bf4dfac62c594938cf3 6com.yodesoft.yohandcar 6783cee889fa64df68af58a56ff6e362 adrd.zt.2 aa5216da617839e818d83d8185da42b0 adrd.zt.jtj.2 6com.magicwach.rdefense 839c37f3a2c8d31561d28f619a2a712e 6com.tat.livewallpaper.dandelion 5192ad05597e7a148f642be43f6441f6 6com.classicnerds.livewallpaper.HK b72724d8fc0f633194dcc3bd28eec026 7fishnoodle.night_city a01ba26a34e55f71873782348ff5e074 adrd.zt.dxm.6 7com.appspot.swisscodemonkeys.steam cdfca19bf212adf3292e4fe677fe46a6 7kr.mobilesoft.yxplayer e3cc6c7af0d83fe322116254c01cf720 7com.labgency.wallpapers.waves 7d764347a0b0c9d11160d7a7684bf02b adrd.zt.dxm.8 7com.laucass.andromax 627f41c8f8e7ab007641c4a0c1d8ce1b 7com.digitalchocolate.androidrollergapp 71c0a67daa544450d7c620a48cc059b0 7proscio.wallpaper.shamroc e09782d35d72a769dc7454adb6d8e2e9 7 f2596f8f3c52381318f62d1ab161c284 ?? ??
  30. 30. 8:30 PM Infectionsg Geolocation
  31. 31. 8:30 PM Infectionsg Infections by operator +20K different IMSIs Other affected operators: Far EasT one Peoples Telephone Company Hutchison 3G PCCW Mobile Sunday Hong Kong Telecom Smart One Mobile
  32. 32. 8:30 PM Thank You ! Questions? Ok Cancel@jaimeblascob@PabloForThePPL