In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through the basics of reversing malicious Android apps as well as common Android malware techniques and methodologies. Drawing on the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against third-party Android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive, where he conducts ongoing research to support internal and external security initiatives within the IOActive Labs. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is writing research tools for both the offensive and defensive front as well as investigating next-generation emerging threats. He has released public analyses of various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
Android is a Linux-based operating system used for smartphone devices. Since 2008, Android devices have gained huge market share due to the platform's open architecture and popularity. The increased popularity of Android devices and their associated benefits attracted malware developers, and the rate of Android malware applications increased between 2008 and 2016. In this paper, we propose a dynamic malware detection approach for Android applications. In dynamic analysis, system calls are recorded to calculate the density of the system calls. For density calculation, we used two different lengths of system call sequences: 3-gram and 5-gram. Furthermore, the Naive Bayes algorithm is applied to classify applications as benign or malicious. The proposed algorithm detects malware using 100 real-world samples of benign and malware applications. We observe that the proposed method gives effective and accurate results. The 3-gram Naive Bayes algorithm detects 84 malware applications correctly and 14 benign applications incorrectly. The 5-gram Naive Bayes algorithm detects 88 malware applications correctly and 10 benign applications incorrectly.
Mr. Tushar Patil | Prof. Bharti Dhote, "Malware Detection in Android Applications", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3, Issue-5, August 2019.
URL: https://www.ijtsrd.com/papers/ijtsrd26449.pdf
Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/26449/malware-detection-in-android-applications/mr-tushar-patil
Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.
Reading Group Presentation: Why Eve and Mallory Love Android - Michael Rushanan
This presentation contains multiple pointers to academic research pertaining to Android and its security model. I presented these works to a weekly Security and Privacy reading group.
The academic proceeding can be found here:
www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you'll learn about some of the weaknesses in Android's model (including rooting, tap-jacking, malware and social engineering) as well as what can be done to mitigate those threats, such as SELinux, memory protection, anti-malware, firewalls, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
A Large-Scale Empirical Study on the Effects of Code Obfuscations on Android ... - Mahmoud Hammad
The Android platform has been the dominant mobile platform in recent years, resulting in millions of apps and security threats against those apps. Anti-malware products aim to protect smartphone users from these threats, especially from malicious apps. However, malware authors use code obfuscation on their apps to evade detection by anti-malware products. To assess the effects of code obfuscation on Android apps and anti-malware products, we have conducted a large-scale empirical study that evaluates the effectiveness of the top anti-malware products against various obfuscation tools and strategies. To that end, we have obfuscated 3,000 benign apps and 3,000 malicious apps and generated 73,362 obfuscated apps using 29 obfuscation strategies from 7 open-source, academic, and commercial obfuscation tools. The findings of our study indicate that (1) code obfuscation significantly impacts Android anti-malware products; (2) the majority of anti-malware products are severely impacted by even trivial obfuscations; (3) in general, combined obfuscation strategies do not evade anti-malware products more successfully than individual strategies; (4) the detection rate of anti-malware products depends not only on the applied obfuscation strategy but also on the obfuscation tool used; (5) anti-malware products are slow to adopt signatures of malicious apps; and (6) code obfuscation often results in changes to an app's semantic behaviors.
This presentation was done for my MSc studies at UOM. It is related to the paper "Understanding Android Security" by William Enck, Machigar Ongtang, and Patrick McDaniel, Pennsylvania State University, 2009.
DELDroid: Determination & Enforcement of Least Privilege Architecture in AnDroid - Mahmoud Hammad
Android is widely used for the development and deployment of autonomous and smart systems, including software targeted for IoT and mobile devices. Security of such systems is an increasingly important concern.
Android relies on a permission model to secure the system's resources and apps. In Android, since permissions are granted at the granularity of apps, and all components in an app inherit those permissions, an app's components are over-privileged, i.e., components are granted more privileges than they actually need. Systematic violation of the least-privilege principle in Android is the root cause of many security vulnerabilities. To mitigate this issue, we have developed DELDroid, an automated system for determination of the least-privilege architecture in Android and its enforcement at runtime. A key contribution of DELDroid is the ability to limit the privileges granted to apps without modifying them. DELDroid uses static analysis techniques to extract the exact privileges each component needs. A Multiple-Domain Matrix representation of the system's architecture is then used to automatically analyze the security posture of the system and derive its least-privilege architecture. Our experiments on hundreds of real-world apps corroborate DELDroid's ability to effectively establish the least-privilege architecture and its benefits in alleviating security threats.
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ... - Ajin Abraham
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API security testing with its API Fuzzer, which can do information gathering, analyze security headers, and identify mobile-API-specific vulnerabilities like XXE, SSRF, path traversal, IDOR, and other logical issues related to session handling and API rate limiting.
I will be giving this presentation on IT Security, for healthcare professionals, at the Health Sciences Learning Center, University of Wisconsin-Madison, School of Medicine and Public Health, tomorrow morning, at 11:00 CST. It will be held in room #1325 and is open to the public. I hope to see you there.
Hacking Samsung's Tizen: The OS of Everything - Hack In the Box 2015 - Ajin Abraham
Samsung's first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome of a security analysis of Tizen OS and its underlying security architecture. The paper begins with a quick introduction to the Tizen architecture and explains the various components of Tizen OS. This is followed by Tizen's security model, where application sandboxing and resource access control are explained. Moving on, an overview of Tizen's Content Security Framework, which acts as a built-in malware detection API, is covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
Security from both sides of the fence: a discussion of techniques, such as fuzzing, to reduce the likelihood of an attacker discovering exploits on smartphones and PCs, plus a demonstration of approaches hackers may use to weaponize and exploit vulnerabilities.
Abusing Google Apps and Data API: Google is My Command and Control Center - Ajin Abraham
This presentation is about abusing Google Apps to implement various attacks that range from hostless phishing to setting up a botnet's command & control center.
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF - Ajin Abraham
The mobile application market is growing rapidly, and so is the mobile security industry. With frequent application releases and updates, conducting a complete security analysis of mobile applications becomes time-consuming and cumbersome. In this talk I will introduce an extendable and scalable web framework called Mobile Security Framework (https://github.com/ajinabraham/YSO-Mobile-Security-Framework) for security analysis of mobile applications. Mobile Security Framework is an intelligent and automated open source mobile application (Android/iOS) pentesting and binary/code analysis framework capable of performing static and dynamic analysis. It supports Android and iOS binaries as well as zipped source code. During the presentation, I will demonstrate some of the issues identified by the tool in real-world Android applications. The latest Dynamic Analyzer module will be released at OWASP AppSec.
Attendee Benefits
* An open source framework for automated mobile security assessment.
* One-click report generation and security assessment.
* The framework can be deployed in your own environment so that you have complete control of the data. The data/report stays within the organisation and nothing is stored in the cloud.
* Supports both Android and iOS applications.
* Semi-automatic Dynamic Analyzer for intelligent, application-logic-based (whitebox) security assessment.
Being popular is not always a good thing and here’s why: As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. The threat to mobile devices, however, is not limited to rogue versions of popular apps and adware. Threat actors are also pouncing on mobile users’ banking transactions. Android continues to be a primary target for malware attacks due to its market share and open source architecture.
Nowadays, several behaviour-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices but only about 30 percent of all Android smart phones and tablets have security apps installed.
At DeepSec 2013 Jaime Sanchez (@segofensiva) will present AndroIDS, a signature-based intrusion detection system (IDS) and intrusion prevention system (IPS) that protects your mobile phone by examining headers and contents of all packets entering or leaving it. It will raise alerts or will drop packets when it sees suspicious headers or payloads.
This open source network-based intrusion detection/protection system is being presented as a solution that will provide a high return on investment based on visibility, control, and uptime.
It has the ability to perform real-time traffic analysis and packet logging on networks, featuring:
Protocol analysis, focusing on the examination of values within IP, TCP, UDP and ICMP headers
Content searching & matching, by analyzing every incoming packet against a database of rules; each rule represents the signature of a security exploit.
The framework architecture consists of:
Sensor: runs continuously without human supervision and is capable of analyzing traffic in real time (imposing minimal overhead), sending push alerts to the Android device in order to warn the user about the threat and reports to the Logging Server.
Server: runs inside a Linux Box, and receives all the messages the sensor is sending. It’s also responsible for sending updated signatures to remote devices, storing events in the database, detecting statistical anomalies and for real-time analysis.
The IDS rule language is powerful enough to represent current and future security exploits accurately and very precisely. With the help of custom-built signatures, the framework can also be used to detect all kinds of attacks designed for mobile devices, like the USSD exploit, WebKit remote code execution exploits, DoS attacks or the meterpreter module for Android. The IDS rule language converts Snort-like rules to an AndroIDS-friendly format. It also has some interesting modules that let users defeat operating system fingerprinting attempts by sending up to 16 TCP, UDP, and ICMP responses to nmap's probes or by changing the TCP header fields to avoid p0f's detection engine.
Android mobile users should start taking security seriously…
Smart Bombs: Mobile Vulnerability and Exploitation - Tom Eston
Kevin Johnson, John Sawyer and Tom Eston have spent quite a bit of time evaluating mobile applications in their respective jobs. In this presentation they will provide the audience an understanding of how to evaluate mobile applications, examples of how things have been done wrong and an understanding of how you can perform this testing within your organization.
This talk will work with applications from the top three main platforms: iOS, Android and BlackBerry. Kevin, Tom and John have used a variety of the top 25 applications for each of these platforms to provide real-world examples of the problems applications face.
These slides were presented at the GDG MeetUp in Bangalore, held on 21st September 2013. Uploading the slides to help the people who wanted the slide deck.
Unique! This is a professional, clean, creative, simple presentation template - Buddy Prescinton
This is a PowerPoint presentation template for when you need a unique, professional, clean, creative, simple presentation template. All slides are designed in a consistent style. Every element is easy to edit and you can easily change the colors to match your personal or company brand. Mevo has 100 unique slides (team, portfolio, chart, infographics, map, table, timeline, etc.)
Null Mumbai Meet: Android Reverse Engineering by Samrat Das - nullowaspmumbai
Android Reverse Engineering by Samrat Das
Abstract
• Intro to Reverse Engineering
• Short walkthrough with Windows RE
• Introduction to Mobile Security Assessments
• Dalvik Virtual Machine vs JVM
• APK Walkthrough
• Components of Android
• Steps of Reverse Engineering Android Applications
• Hands-on demos on manual reversing of Android apps
• Introduction to the AppUse VM for Android assessments
• Detecting developer backdoors
• Creating Infected Android Applications
• Anti-Reversing | Obfuscation
This slide deck covers the automated and manual static code discovery of Android applications using open-source tools, reverse engineering of APK files, and secure code review.
Case VC+: How to secure a mobile payment application without penalizing the exp... - Márcio Rosa
In this presentation we discuss the case study of the fintech VC+, covering what we did to protect ourselves and the main lessons learned, as well as what not to do. We will also demonstrate an account hijacking in one of the best-known applications on the market (anonymized).
JSCONF 2018 - Baking security into DevOps - a tale of hunting down bugs befor... - Wouter Bloeyaert
Do you know that 90% of all vulnerabilities can be prevented by introducing security in every step of your software development lifecycle (SDLC)? Get ready to join Wouter on his journey on how he introduced security into the SDLC at a company.
During his talk, Wouter will introduce you to how development, operations and security can be fitted together into “SecDevOps”.
The talk uses practical examples so that you will be able to experiment with “SecDevOps” yourself and know what you should pay attention to when implementing this into your own SDLC.
Security Vulnerabilities in Mobile Applications (Kristaps Felzenbergs) - TestDevLab
A presentation about security of mobile apps by our senior quality assurance engineer Kristaps Felzenbergs. It was presented at TAPOST 2017 software testing conference.
The DevSecOps Builder's Guide to the CI/CD Pipeline - James Wickett
All organizations want to go faster and decrease friction in their cloud software delivery pipeline. Infosec has an opportunity to change their classic approach from blocker to enabler. This talk will discuss hallmarks of CI/CD and some practical examples for adding security testing across different organizations. The talk will cover emergent patterns, practices and toolchains that bring security to the table.
Presented at LASCON 2018, in Austin, TX.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have for many years had back-end infrastructures equivalent to VirusTotal to test whether malware and exploits are effective against AV scanners, showing that attackers proactively avoid detection when building malware. In this day and age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash-based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks by cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review the current detection methods found in most host and network security solutions today. We will re-review the defense-in-depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort as possible, and to master a variety of skills and technologies, in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
Script Fragmentation - Stephan Chenette - OWASP/RSA 2008 - Stephan Chenette
ERA 2008 - Stephan Chenette, Presentation on Script Fragmentation attack
Abstract: This presentation will introduce a new web-based attack vector which utilizes client-side scripting to fragment malicious web content.
This involves distributing web exploits in an asynchronous manner to evade signature detection. Similar to TCP fragmentation attacks, which are still an issue in current IDS/IPS products, this attack vector involves sending any web exploit in fragments and uses the components already present in the web browser to reassemble and execute the exploit.
Our presentation will discuss this attack vector used to evade both gateway and client side detection. We will show several proof of concepts containing common readily available web exploits.
Watchtowers of the Internet - Source Boston 2012 - Stephan Chenette
Watchtowers of the Internet: Analysis of Outbound Malware Communication, Stephan Chenette, Principal Security Researcher, (@StephanChenette) & Armin Buescher, Security Researcher
With advanced malware, targeted attacks, and advanced persistent threats, it's not a question of IF but WHEN a persistent attacker will penetrate your network and install malware on your company's network and desktop computers. To get the full picture of the threat landscape created by malware, our malware sandbox lab runs over 30,000 malware samples a day. Network traffic is subsequently analyzed using heuristics and machine learning techniques to statistically score any outbound communication and identify command & control, back-channel, worm-like and other types of traffic used by malware.
Our talk will focus on the setup of the lab, major malware families as well as outlier malware, and the statistics we have generated to give our audience an exposure like never before into the details of malicious outbound communication. We will provide several tips, based on our analysis to help you create a safer and more secure network.
Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques.
Armin Buescher is a Security Researcher and Software Engineer experienced in strategic development of detection/prevention technologies and analysis tools. Graduated as Dipl.-Inf. (MSc) with thesis on Client Honeypot systems. Interested in academic research work and published author of security research papers.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf - Paige Cruz
Monitoring and observability aren't traditionally found in software curriculums, and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is part of our current company's observability stack.
While the dev and ops silo continues to crumble, many organizations still relegate monitoring and observability to the purview of ops, infra and SRE teams. This is a mistake: achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party, and will share these foundational concepts to build on:
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
2. Who am I?
• Stephan Chenette
• About me:
  • Director of R&D @ IOActive
  • eEye, SAIC, Websense [13+ yrs]
  • Breaking technology to expose weakness
  • Building technology / innovation
  • Offensive Defense series
3. About this presentation
This presentation is an overview of my experience and methodology for black-box penetration testing an Android security control.
4. Format
import time
...
start = time.time()
end = start + (60 * 75)        # a 75-minute slot
while True:
    Present()
    if Raise_Your_Hand():
        Try_To_Answer()
    now = time.time()
    if now >= end:
        print("Presentation Over!")
        break
5. The goal we were given
• Test today's In The Wild (ITW) malware techniques and methodologies against a particular security control
• Create and/or use existing malicious Android applications and get them past the security control (the target is the review process/control, not the security of the phone itself)
• Suggest improvements to the security control
[Diagram: Android App → Security Control → User's Phone]
6. Why?
• Important to focus on individual security controls/processes: Mobile Device Management, gateway AV, desktop AV, application stores, etc.
• Compartmentalizing "security tests" (derived from ITW malware, not contrived/theoretical)
• Systematically/structurally attempt to bypass a security control
• Improvement in technology
• Improvement in education for the developer
• Helps in determining and/or exposing risks at the current boundaries of a product/technology
7. Previous Presentations
Previous known work:
"Dissecting the Android Bouncer", Jon Oberheide, Charlie Miller
http://jon.oberheide.org/files/summercon12-bouncer.pdf
8. Agenda
• Approach to Accomplishing our Goal
• **Introduction to Android – Q&A**
• Reversing Android Applications – Q&A
• Defensive Technologies – Q&A
• Building Custom Android Malware – Q&A
• Philosophical Rant on “What is Malware?”
• Techniques/Methodologies
• Conclusion
9. Agenda
• Approach to Accomplishing our Goal
• **Introduction to Android – Q&A**
• Reversing Android Applications – Q&A
• Getting to know Defensive Technologies – Q&A
• Building Custom Android Malware – Q&A
• Philosophical Rant on “What is Malware?”
• Techniques/Methodologies
• Conclusion
10. Approach to Accomplishing our Goal
Given the goal of duplicating ITW techniques:
• Understand the Android platform
• Study defensive technology, e.g. how would you detect malicious apps?
• Analyze ITW malware
• Categorize the malware by functionality and by class
• Duplicate individual functionality
• Make alternative versions (building on the defensive-technology knowledge gained above)
11. Agenda
• Approach to Accomplishing our Goal
• **Introduction to Android – Q&A**
• Reversing Android Applications – Q&A
• Goal/Approach
• Defensive Technologies – Q&A
• Building Custom Android Malware – Q&A
• Philosophical Rant on “What is Malware?”
• Techniques/Methodologies
• Conclusion
13. What is Android?
Android is a mostly open-source operating system that runs on small devices. It is built on top of Linux and runs a VM called Dalvik, similar to the Java VM but optimized for memory- and CPU-constrained devices.
From top to bottom, the stack looks like this:
• Applications, written in Java
• The application framework, exposed to developers through the Android SDK
• C/C++ libraries and the Dalvik Virtual Machine
• The Linux kernel
15. Android SDK
Android SDK: the framework for developing applications
• Like the .NET Framework
• APIs you can call to access key features of Android
16. Android NDK
• The Android Native Development Kit (NDK) is a toolset that lets you implement parts of your app in native-code languages such as C and C++.
• If you write native code, your application is still packaged into an .apk file, and the native library is loaded into the same sandboxed app process that hosts the Dalvik VM.
• From a security standpoint, native code is no different from Java code running under the Dalvik VM: the sandbox is enforced at the kernel level through per-app processes and UIDs (the INTERNET permission, for example, maps to a kernel group, so a raw socket() from C is no more privileged than the Java API). What native code does change is visibility: analysis that looks only at the DEX does not see it.
19. Dalvik VM
[Figure: Java Virtual Machine (stack based, slower) vs. Dalvik Virtual Machine (register based, faster)]
The applications built for Android run on top of the Dalvik Virtual Machine. This is a process virtual machine, like the Java Virtual Machine or the .NET runtime.
The Dalvik virtual machine (DVM):
• is a register-based machine that executes Dalvik bytecode instructions
• is different from a JVM, hence its bytecode is different from Java bytecode
20. Android Linux
Linux: the underlying OS that runs the Dalvik VM
• A modified Linux kernel (additions such as Binder IPC, ashmem and wakelocks), but a user space wholly unlike that of any other Linux system
• Provides file I/O and process management
• Drivers for:
  • Display
  • Camera, audio, video
  • Keypad
  • WiFi and other networking resources
  • Inter-process communication
21. Developing an APK in Android
1. Android programmers write Android apps in Java. Native components can be included, written in native languages such as C++ and compiled for the device architecture (ARM, MIPS, etc.).
2. IDEs such as Eclipse use the JDK to generate .class files, which are then converted to a .dex file (Dalvik executable). AAPT is then used to package the resources and build the APK, which is signed before it can be installed.
3. The Dalvik virtual machine (dalvikvm) on the device can then run these Dalvik executables, translating them to native instructions.
22. Agenda
• Approach to Accomplishing our Goal
• **Introduction to Android – Q&A**
• Reversing Android Applications – Q&A
• Where to download Android Malware (research)
• Getting to know Defensive Technologies – Q&A
• Building Custom Android Malware – Q&A
• Philosophical Rant on “What is Malware?”
• Techniques/Methodologies
• Conclusion
27. Decompiling an Android APK File
The flow, read left to right (the original slide shows it as a diagram):
• Android APK → unzip → AndroidManifest.xml (binary XML) → AXMLPrinter2 → text version of the XML
• Android APK → unzip → classes.dex → dex2jar or ded → classes.jar → jd-gui → .java
• or: classes.jar → unzip → .class files → jad → .java
Sony Ericsson has a tool, APKAnalyzer, that does all of the above in a graphical layout:
http://developer.sonymobile.com/knowledge-base/tools/analyze-your-apks-with-apkanalyzer/
28. Decompiling an Android APK File
• Android APK → JEB → text version of the manifest XML, .java sources, res/ and assets/ directly
This is my preferred method.
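The first step of either flow above is mechanical: open the APK as a zip, pull out classes.dex, and sanity-check it before handing it to a converter. The script below is an added example (standard library only, not a tool from the talk) that does that triage: it parses the DEX header, verifies the adler32 checksum and SHA-1 signature fields, and dumps the string table, where names such as sendTextMessage appear in unobfuscated samples. The APK and the DEX inside it are constructed in the script so it runs offline; build_minimal_dex writes only the header, string_ids and string_data sections, which is enough for the parser.

```python
"""APK/DEX triage, added example (standard library only): unzip, locate
classes.dex, parse the DEX header, verify its checksum/signature fields and
dump the string table.  The APK and DEX are constructed so it runs offline."""
import hashlib, io, struct, zipfile, zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
HEADER_FIELDS = (  # u4 fields from offset 32, in the order the format lists them
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off")

def _uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)

def _read_uleb128(buf, pos):
    result = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def build_minimal_dex(strings):
    """Constructed input: header + string_ids + string_data (no classes, no map)."""
    data_off = HEADER_SIZE + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\0"   # string_data_item
    header = bytearray(HEADER_SIZE)
    header[0:8] = DEX_MAGIC
    struct.pack_into("<III", header, 32, data_off + len(data), HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<II", header, 56, len(strings), HEADER_SIZE)
    struct.pack_into("<II", header, 104, len(data), data_off)
    body = header + b"".join(struct.pack("<I", o) for o in offsets) + data
    # Signature = SHA-1 of everything after it; checksum = adler32 of everything
    # after it (so it covers the signature).  Same order the dx tool uses.
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)

def parse_dex_header(dex):
    if len(dex) < HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", dex, 32)))
    fields["magic"] = bytes(dex[:8])
    fields["checksum"] = struct.unpack_from("<I", dex, 8)[0]
    fields["signature"] = bytes(dex[12:32]).hex()
    return fields

def verify_dex(dex):
    """(checksum_ok, signature_ok): a mismatch means the file was edited after
    it was built, or the header was broken on purpose to trip up tools that
    trust it; either way decompiler output deserves extra suspicion."""
    h = parse_dex_header(dex)
    checksum_ok = (zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF) == h["checksum"]
    signature_ok = hashlib.sha1(bytes(dex[32:])).hexdigest() == h["signature"]
    return checksum_ok, signature_ok

def extract_strings(dex):
    h, out = parse_dex_header(dex), []
    for i in range(h["string_ids_size"]):
        off = struct.unpack_from("<I", dex, h["string_ids_off"] + 4 * i)[0]
        _, pos = _read_uleb128(dex, off)              # UTF-16 length prefix
        end = dex.index(b"\0", pos)
        out.append(bytes(dex[pos:end]).decode("utf-8", "replace"))  # MUTF-8 (ASCII here)
    return out

def build_apk(dex, manifest=b"<constructed stand-in for the binary AndroidManifest.xml>"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", dex)
    return buf.getvalue()

def triage_apk(apk_bytes):
    """First step of the decompile flow: unzip, find classes.dex, check it."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names, dex = z.namelist(), z.read("classes.dex")
    checksum_ok, signature_ok = verify_dex(dex)
    return {"entries": names, "header": parse_dex_header(dex), "checksum_ok": checksum_ok,
            "signature_ok": signature_ok, "strings": extract_strings(dex)}

if __name__ == "__main__":
    dex = build_minimal_dex(["Landroid/telephony/SmsManager;", "sendTextMessage"])
    print(triage_apk(build_apk(dex)))
    tampered = bytearray(dex)
    tampered[-2] ^= 0xFF                       # patch one byte of string data
    print(verify_dex(bytes(tampered)))         # both integrity checks now fail
```

On a real sample, replace build_apk(...) with the bytes of the APK under review. A failed checksum or signature is not itself proof of malice (repackaging tools rewrite DEX files too), but it is exactly the condition under which converters like dex2jar can be made to produce wrong or no output, so it belongs in the triage report next to the string dump.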
29. Android Reversing Tool Bag
• The Android SDK, of course, and Eclipse
• Android apktool: for reverse engineering 3rd-party, closed, binary Android apps (decodes resources, disassembles the DEX to smali, and rebuilds)
• dex2jar, which converts Android's Dalvik executables into normal Java jar files
• JD-GUI, which decompiles jar files into Java source files
• ADB (the Android Debug Bridge): for debugging apps on a device or emulator
• JEB, if you're serious about reversing and can spend the $$$: http://www.android-decompiler.com/
32. Executable → Source
• Dalvik bytecode is different from Java bytecode; hence Java decompilers cannot decompile it directly.
• One way to overcome this is to use bytecode-to-bytecode converters such as DED (JED: improved version) or dex2jar to transform the Dalvik bytecode into Java bytecode, and then to use a regular Java decompiler such as jd-gui or dava.
• Such a method is prone to errors in the bytecode conversion, resulting in erroneous source code; a sample can also deliberately exploit converter bugs.
33. Executable → Source
• .dex files contain Dalvik opcodes
• To convert .dex files to a more understandable form we can convert them to the smali representation
• Dalvik opcodes → smali: an intermediate, assembly-like language that is a direct mapping of the bytecode
34. Executable → Source (sort of)
• smali can't be used to completely reconstruct Java source code
• Java is a very developed language; smali is more of an assembly-based language
• It doesn't carry the information needed to translate back to Java
• ...Just use JEB =] http://www.android-decompiler.com/
35. Agenda
• Approach to Accomplishing our Goal
• Introduction to Android – Q&A
• Getting to know Defensive Technologies – Q&A
• Building Custom Android Malware – Q&A
• Philosophical Rant on “What is Malware?”
• Techniques/Methodologies
• Conclusion
40. Approach/Methodology
Research In The Wild (ITW) Android malware: techniques and methodologies.
Research defensive security controls: techniques and methodologies.
Then:
1. Probe the environment (recon)
2. Upload and test ITW malware (test the barrier to entry)
3. Regroup
4. Upload "trojaned" apps / altered versions of ITW malware
5. Regroup
6. Upload unit tests (real-world/fabricated samples)
7. Mix, match and combine unit-based tests into samples
41. Where do we start?
• What is malware?
• What are the different malware categories?
• Methodology/techniques
42. What is Malware?
• Not always easy to define [start philosophical rant]
• Anything that breaks the security model (without the user's consent)
• Deceptive / hides its true intent
• Bad for the user, good for the attacker, e.g. surveillance, collecting passwords, etc.
• Applications that are detrimental to the user running the device. Harms a user:
  • Financially
  • Privacy
  • Personal information, e.g. location (surveillance)
  • Stealing resources: cracking, botnets (processing power)
  • Breaks network policy
• Example of malware vs. useful tool: NotCompatible
• Jacobellis v. Ohio (1964): how do you define porn? ..."You know it when you see it"
46. Android Malware Analysis
Infection vector: how it got installed on the device
Entry point: how the malicious behaviour is initiated
Elevated privileges: if and how it gained root privileges
Payload: its purpose and functionality
Hosting: does it contain embedded apps
48. Top Threats: DroidDream
Infection vector: DroidDream hid inside seemingly legitimate applications to trick unsuspecting users into installing it (more than 50 apps on the official Android Market were found to contain DroidDream).
Entry point: requires the user to launch the application. After launch the malware starts a service and then launches the host application's primary activity.
Elevated privileges: 1) "exploid", which attempts to exploit a vulnerability in udev event handling in Android's init; if "exploid" fails, 2) "rageagainstthecage", which leverages a vulnerability in adbd's attempt to drop its privileges.
Payload: sends device information to the C&C (IMEI, IMSI, device model and SDK version). Checks whether the device is already infected by looking for the package com.android.providers.downloadsmanager. If that package is not found it installs the second payload, bundled as sqlite.db, by copying it to the /system/app/ directory as DownloadProviderManager.apk. Copying the file into this directory (possible only with the root privileges gained above) silently installs the APK without the permission prompt of a standard app installation.
49. Top Threats: DroidDream (second payload)
Entry point: triggered by Intents it listens for on the device
• receiver for BOOT_COMPLETED and PHONE_STATE intents
• a single service
Payload: DownloadManageService controls a timer-scheduled task that gathers information, sends it to the C&C and installs what it is told to:
• ProductID (specific to the DroidDream variant)
• Partner (specific to the DroidDream variant)
• IMSI
• IMEI
• Model & SDK value
• Language
• Country
• UserID (though this does not appear to be fully implemented)
A powerful zombie agent that can install any payload silently and execute code with root privileges at will.
52. Top Threats: GGTracker
Source: https://blog.lookout.com/wp-content/uploads/2011/06/GGTracker-Teardown_Lookout-Mobile-Security.pdf
Entry point: when installing, the user is prompted with the list of permissions the application requires:
  android.permission.ACCESS_WIFI_STATE
  android.permission.CHANGE_WIFI_STATE
  android.permission.CHANGE_NETWORK_STATE
  android.permission.ACCESS_NETWORK_STATE
  android.permission.RECEIVE_BOOT_COMPLETED
  android.permission.INTERNET
  android.permission.READ_PHONE_STATE
  android.permission.READ_SMS
  android.permission.RECEIVE_SMS
  android.permission.SEND_SMS
• The malware starts itself either on receipt of an SMS or when the application is launched.
• On first launch it communicates with the tracking server, ggtrack.org.
Payload
• The app posts the phone number to the GGTracker remote server, which then subscribes the device to premium services.
53. Top Threats + 1000s of other apps
Source: https://www.lookout.com/resources/top-threats
54. Most Sophisticated Malware Yet: OBAD
• Installs as a device administrator app
• Very difficult to uninstall
• Heavily obfuscated
• Sends SMS to premium numbers
• Downloads other malware
• Remote command execution
• Calls API methods via reflection
• Took advantage of bugs in dex2jar to break manual/automated analysis (only breaks analysis that relies on dex2jar)
56. Obfuscation
• ProGuard / DexGuard
  • Used at compile time
• API reflection
  • Used by desktop Java malware for years
  • Reflection lets a program create a "method pointer" (a rough analogy, for understanding) and invoke the target method through it
  • Used to deceive any casual static analysis that tries to detect whether a sample calls the method that sends SMS messages (e.g. sendTextMessage()): the method name never has to appear as a literal string
• Encrypted network communication
• Encrypted files
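The reflection trick on this slide and the GGTracker permission list (slide 52) are two sides of the same detection problem, so one added example covers both. It is not tooling from the talk: the two samples are constructed as string-table dumps plus permission sets. Both carry GGTracker's permissions; the first calls SmsManager.sendTextMessage directly, so the name sits in its string table, while the second stores the name XOR-encoded (constructed key) and resolves it through reflection at runtime. A literal-match rule catches only the first; a rule keyed on reflection markers plus the SEND_SMS permission, and a rule on the premium-SMS permission profile, catch both.

```python
"""Static triage of two constructed samples, added example (not tooling from
the talk).  The first calls sendTextMessage directly; the second stores the
name XOR-encoded and reaches it via reflection.  String tables, permission
sets and the XOR key are constructed here."""

SMS_API = "sendTextMessage"
REFLECTION_MARKERS = {"Ljava/lang/Class;", "forName", "getMethod",
                      "Ljava/lang/reflect/Method;", "invoke"}
PREMIUM_SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.READ_SMS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
KEY = 0x5A  # constructed single-byte XOR key

def xor_encode(text, key):
    return bytes(b ^ key for b in text.encode())

def xor_decode(blob, key):
    """What the reflective sample does at runtime, just before getMethod()."""
    return bytes(b ^ key for b in blob).decode()

GGTRACKER_PERMS = {  # the permission list from the GGTracker slide
    "android.permission.ACCESS_WIFI_STATE", "android.permission.CHANGE_WIFI_STATE",
    "android.permission.CHANGE_NETWORK_STATE", "android.permission.ACCESS_NETWORK_STATE",
    BOOT_PERM, "android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS"}

# Sample 1: direct call; the method name is a literal in the DEX string table.
DIRECT = {"permissions": GGTRACKER_PERMS,
          "strings": ["Landroid/telephony/SmsManager;", "getDefault", SMS_API, "ggtrack.org"]}
# Sample 2: same capability, but only the encoded blob is stored.
REFLECTIVE = {"permissions": GGTRACKER_PERMS,
              "strings": ["Landroid/telephony/SmsManager;", "Ljava/lang/Class;", "forName",
                          "getMethod", "Ljava/lang/reflect/Method;", "invoke",
                          xor_encode(SMS_API, KEY).hex(), "ggtrack.org"]}

def rule_literal_api(sample):
    """The casual static check the obfuscation slide describes."""
    return SMS_API in sample["strings"]

def rule_reflection_plus_sms(sample):
    """Heuristic: reflection plumbing present and the app is allowed to send SMS."""
    uses_reflection = len(REFLECTION_MARKERS & set(sample["strings"])) >= 2
    return uses_reflection and "android.permission.SEND_SMS" in sample["permissions"]

def rule_premium_sms_profile(sample):
    """Permission profile of a premium-service abuser: read, receive and send
    SMS plus autostart on boot, regardless of how the code is written."""
    return PREMIUM_SMS_PERMS <= sample["permissions"] and BOOT_PERM in sample["permissions"]

RULES = {"literal-sms-api": rule_literal_api,
         "reflection+SEND_SMS": rule_reflection_plus_sms,
         "premium-sms-profile": rule_premium_sms_profile}

def triage(sample):
    """Names of the rules that fire, sorted so verdicts are comparable."""
    return sorted(name for name, rule in RULES.items() if rule(sample))

if __name__ == "__main__":
    print("direct    :", triage(DIRECT))
    print("reflective:", triage(REFLECTIVE))
    print("name rebuilt at runtime:", xor_decode(bytes.fromhex(REFLECTIVE["strings"][6]), KEY))
```

The reflection rule is deliberately coarse (legitimate apps use reflection too), which is why it is paired with a permission the app cannot hide: the manifest is the one artifact obfuscation does not touch. When reviewing a real dump, feed the output of a string-table extractor and the manifest permissions into the same two dicts.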
58. Methodology
• Define the target and objectives
• Profile the target
  • Determine the environment
  • Determine detection capabilities
• Upload ITW malware
  • Determine what gets caught and what doesn't
  • "Rinse and repeat"
• Create alternative versions (private)
  • Decompile / obfuscate / re-write
  • Recompile
  • Upload
• Merge with legitimate applications
• Fabricate Android malware
59. Target
• Reviewer
• End detection engine
• End user
• Internal resource adjacent to the Android device (e.g. the internal network)
• Etc.
60. Probes – Determine Environment
What's the first thing you'd do if you went to explore a new universe? Send out a few probes to gather information, right?
No different here.
61. Probes – Determine Environment
Red pill / blue pill test: running in an emulator?
if (android.os.Build.MODEL.equals("google_sdk")) {
    // emulator
} else {
    // not emulator
}
(Caveat: a review sandbox can ship an emulator image whose Build properties mimic real hardware, so treat this as one signal among several, not a verdict.)
63. Probes – Determine Environment
• Device info: IMEI, device model/make, etc.
• Geo-location (helps determine which language to write the app in)
• IP address; on 3G/4G or on a WiFi network?
• Scan for available Bluetooth devices
• Egress filtering? Which ports are open, etc.
64. Probes – Determine Environment
• Record audio
• Take video
• Take photos
• Send existing photos
65. Probes – Determine Environment
• Other processes/apps on the device
• Other permissions/intents of installed apps
• Info-leak in error messages?
67. Build Common Scenarios
Android premium service abusers: subscribe users to various "services" that add to their phone bill at the end of the month
Android adware: Android apps that use abusive advertising tactics
Android data stealers: often bilk users of information such as their operating system version, product ID, International Mobile Equipment Identity (IMEI) number and other information that could be used in future attacks
Malicious Android downloaders: once a malicious downloader has infected a victim's Android device, it is designed to contact a remote server to await instructions or download additional Android malware
68. Android App Entry Point
Unlike other programming paradigms in which apps are launched with a main() method, the Android system initiates code in an Activity instance by invoking specific callback methods that correspond to specific stages of its lifecycle. Entry points worth enumerating in a sample:
• Services started from a broadcast receiver callback
• Callbacks that correspond to a user action
• Actions that start immediately (service, thread, etc.)
• Actions that start based on a timer
69. Android App Entry Point
Layout/activity_main.xml:
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent"
    android:orientation="vertical" >
    <Button android:id="@+id/button1"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:onClick="onClick"
        android:text="Button" />
</LinearLayout>
A broadcast receiver (short: receiver) is an Android component that lets you register for system or application events. All registered receivers for an event are notified by the Android runtime once the event happens.
For example, applications can register for the ACTION_BOOT_COMPLETED system event, which is fired once the Android system has completed the boot process.
A receiver can be registered statically via the AndroidManifest.xml file. Alternatively, you can register a broadcast receiver dynamically via the Context.registerReceiver() method, but a dynamically registered receiver only exists while the registering component is running, so autostart on boot needs the manifest form.
The broadcast receiver can then start a service to perform any number of actions.
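Because the manifest form is what gives a sample a user-independent entry point, enumerating components and their intent-filters is the quickest way to find where a sample actually starts. The script below is an added example (not code from the talk) that works on the decoded text manifest AXMLPrinter2 or apktool produce: it lists activities, receivers and services with their actions and whether they are reachable from outside the app, and separates out the receivers the system fires without any user action. The manifest is constructed here and mirrors the BOOT_COMPLETED / SMS receiver pattern the slides describe; the exported default it applies is the one for the Android versions the talk covers.

```python
"""Entry-point enumeration from a decoded AndroidManifest.xml, added example
(not code from the talk).  The manifest is constructed to mirror the
BOOT_COMPLETED / SMS_RECEIVED receiver pattern from the slides."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SYSTEM_EVENTS = {"android.intent.action.BOOT_COMPLETED",
                 "android.provider.Telephony.SMS_RECEIVED",
                 "android.intent.action.PHONE_STATE"}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".WorkService"/>
  </application>
</manifest>"""

def _attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def entry_points(manifest_xml):
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    found = []
    for kind in ("activity", "receiver", "service"):
        for comp in root.iter(kind):
            name = _attr(comp, "name") or ""
            if name.startswith("."):            # manifest shorthand: relative to package
                name = pkg + name
            actions = [_attr(a, "name") for a in comp.iter("action")]
            exported = _attr(comp, "exported")
            if exported is None:
                # Default on the Android versions the talk covers: a component
                # with an intent-filter is exported, one without is not.
                exported = bool(actions)
            else:
                exported = exported == "true"
            found.append({"kind": kind, "name": name, "actions": actions, "exported": exported})
    return found

def permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return sorted(_attr(p, "name") for p in root.iter("uses-permission"))

def autostart_triggers(manifest_xml):
    """Receivers the system fires with no user action: the real entry points of
    a sample, as opposed to the launcher activity the user taps."""
    return [(e["name"], a) for e in entry_points(manifest_xml) if e["kind"] == "receiver"
            for a in e["actions"] if a in SYSTEM_EVENTS]

if __name__ == "__main__":
    for e in entry_points(SAMPLE_MANIFEST):
        print(e)
    print(permissions(SAMPLE_MANIFEST))
    print(autostart_triggers(SAMPLE_MANIFEST))
```

Two things to look at in the output of a real sample: which receivers fire on system events (those are the places to set breakpoints or start code-coverage measurement in a review), and any SMS_RECEIVED receiver with a high android:priority, which lets the app see a message before the default messaging app does.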
75. Build functionality
Functionality:
• Autostart on boot
• Get phone number, IMSI, IMEI, ...
• Send information to C&C
• Connectivity-aware (e.g. run only on WiFi, or only when the phone is charging)
• Hide the application icon
• Log SMS / send SMS
• Etc.
77. Build Custom Scenarios
Vulnerable lib: build an Android app that uses a vulnerable version of libcurl (why? because the client itself is then exploitable, and it shows whether the control flags known-vulnerable components)
ALL permissions: build an Android app that asks for ALL POSSIBLE permissions (why? this tells us whether they filter by permission)
Various NDK examples: the same functionality, but implemented as a native library. Native code can still call any Java API through JNI, so behaviour can be moved out of the DEX, where static analysis looks, and into a library loaded by the app.
78. Android Exploitation Space
ASHMEM: The ASHMEM custom shared memory allocator written by Google has a nasty bug that allows your device to be easily rooted. Maybe they should have stuck with POSIX SHM, but the bad guys aren't complaining.
Exploid: Nearly identical to a vulnerability fixed in the Linux udev daemon in 2009, Exploid impacts Android's init daemon, which forgets to check whether Netlink messages are coming from the trusted kernel ... or a malicious app.
Gingerbreak: A vulnerability commonly abused in the wild by Android malware, Gingerbreak affects the Android volume manager (vold) via, you guessed it, the same Netlink issue as Exploid. Badness ensues.
Levitator: Malicious apps will undoubtedly be "levitating" their privileges using this vulnerability, which affects the PowerVR kernel module used for 3D graphics on all S-series devices and allows unfettered access to kernel memory.
Mempodroid: Inherited from the upstream Linux kernel, a vulnerability in the /proc/pid/mem interface allows writing arbitrary memory in the address space of a setuid process. It's about as complicated as it sounds, but attackers are smart like that.
Wunderbar: Another crossover from the Linux kernel, this NULL pointer dereference was one of the first privilege escalation vulnerabilities exploited on the Android platform, thanks to faulty mmap_min_addr protection on ARM.
ZergRush: No, it has nothing to do with StarCraft, sorry. The ZergRush vulnerability in Android's libsysutils allows an attacker to overwhelm the system with command arguments, not zerglings, and take full control of your device.
Zimperlich: Always check return values. Android's Zygote process, from which all new apps are spawned, forgets this important rule and fails to check the return value of setuid(2), leading to plentiful root shells!
Source: http://www.xray.io/#vulnerabilities
79. Android Exploitation Space
• Android "Master Key": one of the most recent exploits (it allowed an APK's contents to be modified without invalidating its signature)
  • It lets you get at system-app-level permissions, not full-out root, but that's enough to do some serious harm (read text messages without permissions, etc.). Arguably in a different class than the full-out root exploits, though.
"The Android platform is a complicated system that consists of not only the Linux kernel, but also the entire Android framework with more than 90 open-source libraries including WebKit, SQLite, and OpenSSL. The complexity naturally introduces software vulnerabilities that can be potentially exploited for privilege escalation."
"Among 1260 samples in our dataset, 463 of them (36.7%) embed at least one root exploit."
Source: "A Survey of Android Malware", Xuxian Jiang, Yajin Zhou
80. Considerations
• Store
  • Set the application's release time to some date in the future (to make sure real users can't download it while it is under test)
• Gateway/desktop AV
  • Set up an entire end-to-end test
• Behaviour analysis engine
  • None =]
81. Agenda
• Approach to Accomplishing our Goal
• Introduction to Android – Q&A
• Getting to know Defensive Technologies – Q&A
• Building Custom Android Malware – Q&A
• Philosophical Rant on “What is Malware?”
• Techniques/Methodologies
• Conclusion
82. Conclusion
• Malware is a matter of perspective
• Trivial to get "malware" onto a system
• Custom malware is almost guaranteed to get through, because the majority of detection techniques focus on known-bad (signatures/clustering)
83. Conclusion
• Hashes work (on known samples)
• The focus for detection engines should be apps that break the security model (e.g. root exploitation)
• Apps that conform to the security model but deceive users can have their dangerous permissions highlighted for users
• App reviewers should thoroughly verify what an app does versus what it is supposed to do before it is offered to users, auto-deny on key permissions, and ask the developer for more details
• The app review process should involve running apps and reviewing code coverage
• The app review process should use any and all dynamic information to help catch "known malicious artifacts" and consolidate a "deep-review bucket"
• The app review process should have a way to determine whether a good app has been "trojanized": use signing certificates to track known-good and known-bad publishers