Meet the Potnet
Next generation Privacy botnet
AboutAndroid | Malware Analysis Report
Eran Goldstein, Senior Cyber Security & Malware Researcher at ZIMPERIUM
GENERAL NOTES:
THE FOLLOWING INFORMATION SUMMARIZES THE “POTNETS AND NEXT GENERATION BOTNET TECHNIQUES” RESEARCH PROCESS AND CONTAINS SENSITIVE INFORMATION. THIS PAPER ANALYZES IN DETAIL THE “ABOUTANDROID” ANDROID MALWARE AND BRINGS EVIDENCE THAT MOBILE DEVICES WILL GET MORE AND MORE INFECTED IN THE NEAR FUTURE, LEVERAGING SYSTEMS ALREADY USED ON THE FIXED SIDE.

WARNING: ABOUTANDROID IS A THREAT FOR BOTH USERS AND ORGANIZATIONS AS IT EXPOSES CLIENTS TO PRIVACY ISSUES. ALL THE TOOLS AND APPLICATIONS DEMONSTRATED IN THIS DOCUMENT WERE DEVELOPED FOR RESEARCH PURPOSES ONLY; IT IS STRONGLY RECOMMENDED THAT YOU DO NOT USE THESE TOOLS FOR ILLEGAL PURPOSES. ALL RIGHTS TO THE KEYWORDS “POTNET” AND “POTNETS” AND THEIR DEFINITION ARE REGISTERED AND RESERVED TO THE AUTHOR OF THIS MANUAL.

CLARIFICATION: WE WILL NOT BE RESPONSIBLE FOR ANY DAMAGE CAUSED BY USING THE TOOLS, APPLICATIONS OR TECHNIQUES DEMONSTRATED.
Table of Contents
Introduction ... 4
The next generation of privacy botnet ... 5
Suspicious Activity ... 6
Analysis ... 7
  Malware Sample ... 8
  Infection ... 9
  Operation ... 10
  Command and Control (C&C) ... 11
  Network Impact ... 12
Proof-of-Concept ... 13
Conclusions ... 16
Introduction
Cyber security researchers discovered new techniques and a methodology for a privacy botnet that allow an attacker to obtain a user's personal information, detailed location, movement and motion surveillance, area mapping and more. The malware found was designed to work in stealth mode, running as a receiver behind a system background service. Once the attacker sends an SMS message containing one of several message body texts (for example a question mark or a smiley) to the target device, the device sends out private information that requires no special permission and no dialog-box approval from the victim.

The core functionality, and the real advantage of the potnet (or privacy botnet) from an attacker's point of view, is the ability to get different types of data from the victim's device, including cellular network information and other sensor data of the targeted victim. The malware allows an attacker to obtain information about the geolocation and positioning of the target device. This data is calculated on the potnet C&C server and is then available to the attacker in order to track the target device's exact motions.

Diagram 1.0: Human tracking system
Next generation of privacy botnet
Potnet and the next generation of privacy botnets do not act as a banking Trojan: they are not designed to steal your banking credentials, log into your account or transfer your funds to criminals. They are a type of malware designed to track your motion, movement and geolocation, so that these can be used for social engineering and for advanced positioning and tracking techniques. The potnet malware that was found does this essentially by grabbing the victim's information and sending it to certain websites. These websites are pre-specified by the attackers and are typically Command and Control (C&C) servers hosted anonymously on a third-party web hosting service. The collected data is then processed on the server side in order to give the attacker an accurate picture of the victim. By keeping processing time short on the client side of the malware, the data sent to the server is minimized, which reduces the possibility of detection by client-side defense mechanisms. Using non-conventional device data allows the attacker to track victims located in low-connectivity or bad-signal environments such as inside buildings and even underground (according to the cellular data signal).

Diagram 1.1: Tracking victims in low-connectivity or bad-signal environments
Suspicious Activity
In the next example we explain the suspicious activities of a potnet's malware through the code implementation and a demonstration of the AboutAndroid.apk malware. The AboutAndroid malware takes advantage of perfectly legitimate data that can be read without any special permission or dialog approval on the client side, which makes detecting potnet malware quite difficult. The analyzed AboutAndroid malware is suspicious because of the following symptoms and running activities:

1. Ability to obtain private data from the system without any prior notice and without the user's approval.
2. Ability to obtain private data from the system without any prior notice and without any special permission.
3. Responsible for high battery energy consumption.

One of the harmful aspects of the potnet malware family is that once it enters the target mobile device, it is very difficult to detect it or to know the exact trigger used to send information or data out of the device.

Diagram 1.2: The cell tower (cell id), cellphone and the signal
Analysis
The AboutAndroid malware logs the user's sensor and cellular network data. Once executed, the malware registers an incoming broadcast receiver and then waits for a specific SMS text message, for example one whose body contains a smiley or a question mark. Once the SMS message arrives, the malware logs all activities related to specific sensor data and the cellular network information (including the cell id, LAC, MNC, MCC, etc.) and sends them to the potnet C&C server. Sending only a small amount of data to the C&C server at the backend reduces the possibility of detection by client-side defense mechanisms (such as anti-virus or other signature-based protection techniques). This methodology of calculating additional information about the victim by correlating the collected data with third-party APIs and other web services is one of the advantages of potnets and the next generation of botnets.

This kind of attack must use a strong social engineering lure in order to convince the user to click on a malicious link, or hope that the user will be tricked into installing an app. Once this is done, the AboutAndroid malware stays persistent on the victim device and can be triggered via SMS message.

Diagram 1.3: Triangulation is calculated according to the signal of every base station (cell tower)
Malware Sample
The diagram below shows the report of an AboutAndroid malware sample that was scanned using the VirusTotal service by 56 different antivirus engines and found to be clean. In an attempt to look like non-malicious software, the AboutAndroid malware uses the namespace “com.google.aboutandroid”.

Diagram 1.4: VirusTotal scan report
Infection
Infection with AboutAndroid can happen in different ways. For example, phishing spam can be used to lure the victim to an infected web site, where an embedded <iframe> causes the browser to automatically download a file called AboutAndroid.apk (or any other file name). The user must then install it by clicking on the downloaded file and following the manual installation process. Other techniques can use mobile application markets, third-party websites or Trojan-Downloaders. Trojan-Downloaders are often distributed as part of the payload of other malware, such as a Trojan-Dropper. Trojan-Downloaders may also be distributed as a file attachment to spam e-mails: you get an e-mail that seems to come from a high-profile company with an attached invoice (for example) in the form of a .doc or .pdf document. The invoice looks innocuous enough, but here is the catch: it can run a PDF reader exploit or Microsoft Word macros in order to install the malware.

Once installed, there is no application icon on the screen and no user interface to interact with. This is because the malware installs itself as a background service that only starts when the screen is unlocked by the user or when the device is rebooted. The malware service listens for the ON_BOOT or USER_PRESENT intents. The only evidence that the malware is installed is in the “Manage Applications” section of “Settings”, which shows that an application called “com.google.aboutandroid” is running. You can get rid of the infection by uninstalling the application.

Diagram 2.0: Installation of AboutAndroid Malware POC
Operation
When the malware's service starts, it registers a broadcast receiver in the background service and a SensorEventListener.

Diagram 2.1: The malware registers a sensor event listener

Once an SMS message containing ":-)" as body text arrives at the device, the app logs the infected device's sensor values and cellular network information and then opens a TCP connection to the primary potnet C&C server.

Diagram 2.2: Checking whether the SMS message contains ":-)" as body text
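The installation and operation pattern described in the Infection and Operation sections (no launcher icon, a receiver that wakes on boot or screen unlock, an SMS trigger, a background service, and a package name that imitates a trusted vendor) can be checked statically from an APK's manifest before the app ever runs. The script below is an added example written for this report, not code from the report or from Zimperium. The two manifests it inspects are constructed for the example and are not the real AboutAndroid.apk; the intent action and permission names are the standard Android constants (the report refers to the first two as the ON_BOOT and USER_PRESENT intents).

```python
"""Static triage of an Android manifest for the AboutAndroid-style installation
pattern: no launcher icon, a receiver waking on boot / unlock / incoming SMS, a
background service, and a vendor-lookalike package name. Added example, not the
report's or Zimperium's code; both manifests below are constructed."""
import xml.etree.ElementTree as ET

# Android attributes live in this namespace; element names do not.
A = "{http://schemas.android.com/apk/res/android}"

BOOT = "android.intent.action.BOOT_COMPLETED"      # the report's "ON_BOOT"
UNLOCK = "android.intent.action.USER_PRESENT"      # screen unlocked by the user
SMS = "android.provider.Telephony.SMS_RECEIVED"    # incoming SMS broadcast
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed manifest modelled on the behaviour described in the report.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.google.aboutandroid">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="About Android">
    <activity android:name=".HiddenActivity"/>
    <service android:name=".SensorService"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: an ordinary app with a launcher icon, no receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

INDICATORS = ("no_launcher_activity", "wake_on_boot_or_unlock", "sms_triggered",
              "background_service", "vendor_lookalike_package")


def triage_manifest(xml_text):
    """Return the package name plus one boolean per indicator."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}

    # No LAUNCHER category on any activity means no icon is shown to the user.
    has_launcher = any(c.get(A + "name") == LAUNCHER
                       for act in root.iter("activity")
                       for c in act.iter("category"))

    # Every action any <receiver> registers for in the manifest.
    receiver_actions = {a.get(A + "name")
                        for r in root.iter("receiver") for a in r.iter("action")}

    return {
        "package": package,
        "no_launcher_activity": not has_launcher,
        "wake_on_boot_or_unlock": bool(receiver_actions & {BOOT, UNLOCK}),
        # Acting on SMS needs both the broadcast and the RECEIVE_SMS permission.
        "sms_triggered": SMS in receiver_actions
                         and "android.permission.RECEIVE_SMS" in perms,
        "background_service": any(True for _ in root.iter("service")),
        # A com.google.* package from an unverified source is a lookalike.
        "vendor_lookalike_package": package.startswith("com.google."),
    }


def risk_score(result):
    """Number of indicators that fired (0..5)."""
    return sum(1 for k in INDICATORS if result[k])


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(xml)
        print(name, r["package"], "score", risk_score(r),
              [k for k in INDICATORS if r[k]])
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool or aapt) before being passed to triage_manifest; the indicators are a triage aid, since legitimate apps also register for boot or SMS broadcasts, and the combination of all five is what matches the report's description.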
Command and Control (C&C)
Although a fairly simple command and control protocol is used to send data over an HTTP connection, the potnet C&C server compensates for this: it is predominantly used to access different APIs and web services in order to calculate additional information about the physical environment of the victim device and to perform a triangulation based on the cell id and neighbouring network information.

Diagram 2.3: The C&C server's IP address

In addition, in order to translate the victim device's data into accurate and valuable motion tracking information, the C&C server performs a geometric calculation correlated with the collected sensor data.

Diagram 2.4: Assigning the parameter values and preparing the HTTP request to the C&C server

The collected sensor data contains readings from more than 7 different sensors, including the barometer sensor, proximity sensor, linear acceleration sensor, gyroscope sensor, temperature sensor, gravity sensor, light sensor and more.
Network Impact
In the diagram below we can see the HTTP request that arrives from the victim device, intercepted in our Burp proxy. We can observe the different parameters that the app sends, for example:

client = the client mobile device's phone number.
cid = the cell id the mobile device is connected to.
lac = Location Area Code of the cellular network provider.
mnc = Mobile Network Code of the cellular base station antenna provider.
mcc = Mobile Country Code of the cellular base station antenna.
signal = the signal of the mobile device from the cellular base station antenna (in dBm).
cell_lon = the longitude of the cellular base station antenna (before triangulation).
cell_lat = the latitude of the cellular base station antenna (before triangulation).

Diagram 2.5: Intercepting the request from the victim device to the C&C server
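Because the beacon is plain HTTP with a fixed set of query parameters, the request shown in Diagram 2.5 is detectable on a proxy or web gateway without any knowledge of the C&C address. The following script is an added example, not code from the report or from Zimperium: it scans proxy log lines for requests that carry the parameter set listed above, applies a plausibility check on the cellular values so that a page merely mentioning the same key names is not flagged, and redacts the phone number before it lands in an alert. The parameter names come from the report; the log format, host, path, phone number and cell values are constructed for the example.

```python
"""Detect the AboutAndroid-style cell-network beacon (client/cid/lac/mnc/mcc/
signal/cell_lon/cell_lat query parameters) in HTTP proxy logs. Added example,
not the report's or Zimperium's code; the log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names observed in the report's intercepted request.
BEACON_KEYS = {"client", "cid", "lac", "mnc", "mcc", "signal", "cell_lon", "cell_lat"}
# Minimum set that identifies a cell-network beacon rather than an unrelated form.
REQUIRED_KEYS = {"cid", "lac", "mnc", "mcc", "signal"}

# Apache/nginx "combined" log format: src, ident, user, [time], "request", status,
# size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed log: one beacon among ordinary traffic, a page that only mentions
# the key names, and a request with the right keys but an implausible value.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 4.4)"
10.0.0.7 - - [12/Mar/2015:10:01:09 +0000] "GET /rep.php?client=%2B15550001234&cid=48211&lac=1071&mnc=10&mcc=310&signal=-87&cell_lon=-122.4194&cell_lat=37.7749 HTTP/1.1" 200 17 "-" "Dalvik/1.6.0 (Linux; U; Android 4.4)"
10.0.0.9 - - [12/Mar/2015:10:01:15 +0000] "GET /search?q=cid+lac+mnc+mcc+signal HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2015:10:02:40 +0000] "POST /api/upload?cid=1&lac=2&mnc=abc&mcc=310&signal=-60 HTTP/1.1" 200 3 "-" "curl/7.40"
"""


def parse_line(line):
    """Split one combined-format line into fields plus decoded query params."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])  # handles "/path?query" and full proxy URLs
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def plausible_cell_values(p):
    """Reject key-name coincidences: values must look like real cellular fields."""
    try:
        mcc, mnc = int(p["mcc"]), int(p["mnc"])
        lac, cid, signal = int(p["lac"]), int(p["cid"]), int(p["signal"])
    except (KeyError, ValueError):
        return False
    # MCC is three digits, MNC up to three, LAC is 16-bit, RSSI is a negative dBm.
    return (100 <= mcc <= 999 and 0 <= mnc <= 999 and 0 <= lac <= 65535
            and cid >= 0 and -140 <= signal <= -20)


def redact_phone(number):
    """Keep only the last four digits so the alert does not carry the full MSISDN."""
    digits = re.sub(r"\D", "", number)
    return "*" * max(len(digits) - 4, 0) + digits[-4:]


def scan_log(text):
    """Return one alert dict per request that matches the beacon signature."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["params"]
        if REQUIRED_KEYS <= set(p) and plausible_cell_values(p):
            alerts.append({
                "src": rec["src"], "ts": rec["ts"], "path": rec["path"], "ua": rec["ua"],
                "client": redact_phone(p.get("client", "")),
                "cell": (int(p["mcc"]), int(p["mnc"]), int(p["lac"]), int(p["cid"])),
                "signal_dbm": int(p["signal"]),
                "extra_keys": sorted(set(p) - BEACON_KEYS),  # drift from known beacon
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The same signature can be expressed as a proxy or IDS rule keyed on the query parameter names, but the value-range check is what keeps the false-positive rate down; the src, ts and cell tuple are enough to pivot to the device and the time of the SMS trigger during incident response.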
Proof-of-Concept
After launching one of the malware's hidden intents (an activity, not the main one), we can see how it looks in the diagram below. The AboutAndroid Malware POC is installed on the victim device and we are ready to begin our simple scenario.

Diagram 3.0: AboutAndroid Malware POC – an activity intent launched (not in hidden mode)

1. In order to track the victim, the attacker sends an SMS message with the text “” to the victim device.

Diagram 3.1: The attacker sends the SMS message
2. The victim gets the SMS message. We can't observe any suspicious activity on the victim device.

Diagram 3.2: No suspicious activities on the victim device
Diagram 3.3: The victim device getting the SMS message

3. The attacker is now able to browse to the AboutAndroid potnet C&C server GUI console and get all the relevant and valuable information about the victim.

Diagram 3.4: AboutAndroid potnet C&C server – part 1: basic information, indicators and the Motion Detection module
In diagram 3.4 we can see that the basic information about our victim includes cellular network information, radio signal related data, the calculated device location, an “inside building” indicator, a floor level indicator, etc. In addition, we can see the Motion Detection module (in the bottom right corner). The Motion Detection module shows us every exact motion of the victim device, triggered by any new movement of our human target.

TIP: It is recommended to search the internet for the full video clip of this proof of concept demonstration in order to see the full feature list of the AboutAndroid malware.

In diagram 3.5 we can see the calculated data about the victim, including triangulation data, base station measurements and the estimated location of the victim device.

Diagram 3.5: AboutAndroid potnet C&C server – part 2: calculated data of the victim
Conclusions
It seems that running a standard antivirus sweep will not get rid of AboutAndroid or other potnet malware, and since the program does not really make its presence known, you may be in trouble if you find that you are already infected with it. If you think you may have become infected by potnet malware, you should uninstall any suspicious app that you are not familiar with; otherwise, wipe your device and perform a “Factory reset”.

In my opinion, potnet malware tries to gain an advantage over the victim device by implementing an incoming broadcast receiver, sensor listeners and other non-conventional data sources, which allows the malware to run in a quite stealthy mode and to get information from the victim device without interrupting the user or needing dialog approval on the client side.

The AboutAndroid malware runs in the background as a service and its operation is not noticeable to the user. However, it will likely consume considerable battery power when active, which will raise suspicions. On the other hand, users with a capped data plan will notice almost no change in the charges on their bill. Once a specific app has been detected and a signature for it has been created, most mobile anti-virus products will be able to detect and remove the threat by uninstalling the malicious app.

Notes for Android Developers and Google Security Team
Giving applications direct access to hardware is dangerous. It would be better if sensor access required permissions. In addition, hardware should not provide more than what applications require, and should provide only abstractions, not raw data.
http://www.zimperium.com
www.zimperium.com, ZIMPERIUM and the Zimperium logo are trademarks of ZIMPERIUM Inc. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. ZIMPERIUM assumes no responsibility for inaccuracies contained herein. Copyright © 2015 ZIMPERIUM Inc. All rights reserved.