- The document discusses changing dynamics in Android APT malware including how they are distributed through social media and popular apps, the types of data they target like SMS, contacts and social media, and countermeasures like restricting accessibility permissions and verifying downloaded code. Specific malware campaigns discussed include Glance Love, Dark Caracal, SkyGoFree and RedDawn which targeted users in different regions through social engineering and exploited Android vulnerabilities.
The landscape of open source malware analysis tools improves every day. A malware analysis lab can be thought of as a set of entry points into a tool chain. The main entry points are a file, a URL, a network traffic capture, and a memory image. This talk is an examination of the major open source tools that satisfy the analysis requirements for each of these entry points. Each tool’s output can potentially feed into another tool for further analysis. The linking of one tool to the next in a tool chain allows one to build a comprehensive automated malware analysis lab using open source software.
For file analysis, the three major versions of Cuckoo Sandbox will be examined. To analyze a potentially malicious URL, the low-interaction honeyclient, Thug, will be covered. Next, if one has a network capture (PCAP) to analyze, the Bro Network Security Monitor is a great option, and will be covered. Finally, if the analysis target is a memory image, the Volatility Framework will be examined. Each of the inputs and outputs of the tools will be reviewed to expose ways that they can be chained together for the purpose of automation.
The document is a report from G DATA on mobile malware trends in Q2 2015. Some key points:
- G DATA analyzed over 560,000 new Android malware samples in Q2 2015, a 27% increase from Q1. On average, over 6,100 new samples were found daily.
- For the first time, over 1 million new Android malware samples were found in the first half of 2015 alone. G DATA predicts over 2 million new samples for all of 2015.
- Monitoring apps that secretly track users are a growing threat. One app disguised itself as Google Drive but was actually a monitoring app.
- Pre-installed malware has been found on over 26 mobile device models from various brands. Middle
Livecast: API Usability & Developer Experience (Nordic APIs)
In this LiveCast, we feature Abhinav Asthana of Postman and Fokke Zandbergen of Zapier on the topics of API Usability and Developer Experience. Learn how to design APIs that don't suck, empowered by the shared knowledge of integrating over 1,000 APIs.
Artifacts Are for Archaeologists: Why Hunting for Malware Isn't Enough
Spoiler Alert: It's because attackers can (and do) abuse legitimate software, administrative tools, and scripting environments which are considered benign and not caught by traditional antivirus software. Since attackers can use legitimate software to conduct their nefarious behavior, how do you catch them? It’s simple: Look for the behavior.
LightCyber's Behavioral Attack Detection platform detects and highlights the network behaviors of attackers that have penetrated the perimeter. This provides visibility that allows security teams to locate and eradicate network intruders quickly, regardless of what tools the attackers are using to achieve their goals. With LightCyber's Network-to-Process Association technology, attacker behaviors can be tracked back to the exact process that originated the behavior.
We will discuss the top tools that have been detected and associated with attacker behavior inside of LightCyber customer environments, all of which are legitimate software. There will also be an overview of how LightCyber Magna works.
Mark Overholser has been a lifelong technology enthusiast, and made his passion his career. After working for many years at a multi-billion-dollar medical supply manufacturer and distributor using technology to achieve business goals, he started to wonder about what sorts of controls were in place to help make sure technology would only do good, not harm. One thing led to another, and he then was one of the first members of the new information security team. After working hard to grow the team and build the information security practice, he left to take a breather and now is working to help information security teams everywhere understand threats and get the most out of their defensive technologies.
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
There's an App for That: Digital Forensic Realities for Mobile App Evidence, ... (Cellebrite)
Attorneys are often shocked at how much deeply probative evidence, both live and deleted, can be data mined from today’s smart phones and tablets. With the surging adoption of mobile apps for communications, commerce, navigation, and other capabilities, new issues with data security and privacy are developing. This session will explore new evidence modalities, relevance, admissibility, and topical issues with mobile apps that impact investigations and litigation.
Harsimran Walia presents information on analyzing Android malware. He discusses how the Android platform has become very popular for attackers due to its large market share and less restrictive development environment compared to iOS. He outlines different types of Android malware like data stealers and rooting malware. The paper also provides details on setting up a malware analysis lab and introduces both static and dynamic analysis tools. It then demonstrates the analysis process on a real premium SMS sending malware sample, showing how to decompile, modify, and test the malware.
Presentation given by Sungwook Yoon, MapR Data Scientist
Topics Covered:
Advanced Persistent Threat (APT)
Big Data + Threat Intelligence
Hadoop + Spark Solution
Example Detection Algorithm Development Scenarios (most of them are still open problems)
Malware on Smartphones and Tablets - The Inconvenient Truth (AGILLY)
Many companies, through their IT managers and CIOs, still do not recognise mobile malware as an imminent threat. According to a Duo Security study, one third of Android mobile users do not lock their device screens with a password, and most take no security measures at all. In addition, IT managers and CIOs roll out new applications to their customers and employees without building in security measures for authentication and threat mitigation.
However, mobile malware has evolved over recent years and now constitutes a real threat. Business Insider has noted that these threats are now equivalent to PC threats in terms of distribution and level of risk.
This document summarizes mobile malware and security issues in Android apps. It discusses identifying malware at app stores rather than on devices. It also describes a study that analyzed over 1 million Android apps from the Google Play store, finding that 85% used web interfaces and many were vulnerable. Additionally, it covers how outdated Android apps may disable security patches by targeting older Android versions and behaving in riskier default ways.
2015 cemented the saying "No one is immune to hacking", and the high-profile breaches of Ashley Madison, LastPass and others were proof of that. Quick Heal detected close to 1.4 billion malware samples in 2015, and this number simply shows how widespread and lucrative cyber-attacks have now become. In this webinar, we will look back at some of the notable highlights from malware attacks in 2015, then chart the way forward for 2016 and give our listeners a heads-up on what kind of malware threats to expect. The webinar will cover the following points:
1. Malware detection statistics and highlights from 2015
2. Platform statistics for Windows and Android vulnerabilities
3. Insight into Ransomware and Exploit Kits in 2015
4. A look ahead at the cyber security predictions for 2016 and how we can help you
This document discusses emerging security challenges in an increasingly mobile, social, and cloud-based computing landscape. It notes that traditional perimeter-based security is ineffective as computing becomes more ubiquitous and decentralized. Mobile applications and social networks provide fertile ground for malware propagation. Cloud services mean data can take complex, indirect paths outside of a user's control. Passwords are often trivial to guess. Code from third parties and libraries may introduce vulnerabilities. A new security paradigm is needed to address these challenges, as permissions alone will not suffice. Users must think differently about security in this new environment.
Building Native Apps With Titanium Mobile (Brendan Lim)
This talk was given at the MobileX Conference in Nashville. This goes over how to build native iPhone and Android apps with JavaScript using Appcelerator's Titanium Mobile platform.
CSF18 - Through a Mirror Darkly - a journey to the dark side of metadata - Sas... (NCCOMMS)
This document discusses metadata and its uses and implications. It defines metadata as "data that describes and gives information about other data." It then covers different types of metadata including website, document, cloud, smartphone, photo, app, and IoT device metadata. It describes how each type of metadata is generated and can be used, and also discusses some of the controversies around metadata and mass surveillance.
The document provides an overview of the Android operating system. It discusses that Android is an open source, Linux-based operating system designed primarily for touchscreen mobile devices like smartphones and tablets. It also covers the key aspects of Android including its architecture, software stack, applications, SDK, compatibility requirements and some other platforms based on Android like Google TV.
This document discusses technology options for small businesses, focusing on mobile apps for meetings. It provides an overview of the growth of mobile devices and apps. Meeting apps can improve attendee engagement, allow real-time information distribution, and be more environmentally friendly. Options discussed include web apps, native apps, multi-purpose apps, and do-it-yourself app builders. Specific DIY app builders like Bizzabo, Bloodhound, Guidebook, Yapp, and Twoppy are showcased. The document also covers responsive websites, presentation tools, polling apps, organization apps, travel apps, and photography apps for small businesses.
ESA - Hacking the aerospace industry - should we worry? (Jakub Kałużny)
This more entertaining than technical presentation aims to raise security awareness of scientists and astronomers in European Space Agency. Presented in ESAC, Madrid, 16.11.2015
Forum Eventos 2013 Mobile Technology in Meeting Planning (joeclo)
This document discusses how mobile technology can benefit meeting planners. It outlines the growth of mobile device and app usage globally. Meeting planners can utilize mobile apps and responsive websites to improve attendee engagement, distribute information in real-time, and make events more environmentally friendly. The document compares web apps to native apps and discusses do-it-yourself app builders that meeting planners can use to create custom mobile solutions for their events.
On 17 March 2016 the Moscow office of Yandex hosted the next OWASP Russia Meetup, a gathering of the information security community. The main topic of this meeting was mobile application security. Experts spoke about various aspects of the topic and shared examples from real life and personal experience.
Yury Chemerkin, an expert researcher at Perspective Monitoring («Перспективный мониторинг»), took part with a talk titled "Mobile application security and leaked data". He described how poorly protected many popular mobile apps are and what needs to be done to raise their level of protection.
Why You'll Care More About Mobile Security in 2020 (tmbainjr131)
This document discusses emerging trends in mobile security and provides steps to improve mobile security. It notes that mobile threats are becoming more sophisticated and pervasive as mobile adoption increases in enterprises. Common mobile exploits like StageFright and FakeToken are outlined along with their impacts. The document recommends seven steps to tackle mobile security, starting with assessing risks, examining BYOD challenges, and determining appropriate access controls and roles.
Why You'll Care More About Mobile Security in 2020 - Tom Bain (EC-Council)
What is “mobile security?” Seriously, what is it? Is it hardening controls, policy enforcement, knowing how to test mobile apps, mobile antivirus? And how do I map mobile security into an enterprise security strategy?
A year later, it’s still as ubiquitous as it has ever been. However with the sophistication of device-based attacks and with the sheer volume of mobile malware exploding, mobile security maintains its status as a major pain point and a critical element you have to consider when building a security program.
Given the research available and the growing threat landscape, mobile security preparedness built on managing the strategy is a better option than reactive measures. What's new in 2015 is that there is more evidence that mobile attacks will further penetrate enterprise systems, based on the increased 'involvement' of mobile devices in many major hacks (not necessarily with the root cause traced to devices or compromised mobile apps).
This presentation will discuss the key trends impacting mobile security and will lay out an updated set of building blocks to produce a holistic mobile security model: from BYOD to mobile policy development to MDM; common and emerging exploits and targeted malware; the myriad of possible mitigations; and the notion of trusted software vs device-specific consideration.
Additionally, before we look at policy implementation best practices, we’ll look at a few key use cases and review a few sample enterprise models to learn how some of top organizations are managing mobile security. Finally, the presentation will take a five-year look outward to determine what impact mobile security will have long-term.
This is the presentation from Null/OWASP/g4h Bangalore December MeetUp by Vandana Verma.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Outline:
Security news from November and December 2014.
The document summarizes an Android security workshop that took place on February 24th, 2016 in Poland. The workshop included sessions on Android fundamentals, application component security, and the OWASP top 10 mobile risks. It also covered reverse engineering and malware analysis. The document provides an agenda and summaries of the topics discussed in each session, including details on Android architecture, security features in Android 6.0, application permissions and components, and common mobile risks. It aims to provide attendees with a basic understanding of Android security concepts and methodologies for analyzing mobile applications for security issues.
Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.
The document discusses various technology trends and opportunities in areas like mobility, cloud computing, big data, analytics and information management. It highlights challenges around fragmented data sources and the need for integrated solutions. Dell's information management portfolio is positioned to help customers address these challenges by breaking down data silos, managing different data types, and enabling discovery and insights across all data through intuitive tools.
Mobile code mining for discovery and exploits nullcongoa2013 (Blueinfy Solutions)
This document discusses mobile code mining for discovery and exploits. It introduces the speaker, Hemil Shah, and provides an overview of mobile infrastructure, apps, and changes in the mobile environment compared to web. It then discusses several mobile attacks including insecure storage, insecure network communication, UI impersonation, activity monitoring, and system modification. It also covers decompiling Android apps and analyzing app code for security issues.
Hide and Seek: An Investigation into changing dynamics of Android APT’s
1. Hide n Seek: An Investigation into changing Dynamics of Android APT’s
Jagadeesh Chandraiah
Threat Researcher
AVAR 2018
2. Who am I
• Threat Researcher at Sophos, UK
• Windows, Mobile Malware Analysis
• @jag_chandra
3. Agenda
• Android Malware State
• APT malware
• Infection vector and Targeted Data
• Changing Dynamics
4. Mobile OS market share
• Mobile OS share: Android – 88% (Source: https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/)
• Out of date devices (Source: https://danluu.com/android-updates/)
5. Google Play malware - 2017
Timeline chart (Jan–Nov 2017) of malware families found on Google Play: HummingBad, Charger, Fake apps, Stealer, Iframes, HiddenAd, Instealy, Fake Minecraft, FlashLight, BankBot, FalseGuide, Milkydoor, FakeApp, BrainTest, XavirAd, Axent, MarsDae, SMS Stealer, Lipizzan, Spyware, Judy, Clicker, Expensive Wall, DU Antivirus, WireX, Sockbot, Miners, Fake Whatsapp, App Lockers, Dropper, Tizi.
6. Google Play malware - 2018
• Downloaders
• SMS Fraud
• Ad Clickers
• Fake Banking
• Bankbots
• Coin Miners
• Stealers
• Rogueware
• Fake apps
21. Dark Caracal
• Targeted spyware campaign
• Trojanised applications
• Both Mobile and Desktop components
22. Dark Caracal – Infection Vector
• "Download these apps to communicate"
• Facebook Group Link: http://secureandroid<dot>info/androidapps/telegram+.html
• WhatsApp message
Image courtesy - https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
31. SkyGoFree
• Multi-stage and multi-component spyware
• Targets Social Media extensively
• Has device filter/Self protection
• Uses Exploits to gain privileges
32. SkyGoFree – Distribution
• Third Party Sites pretending to be Mobile operators
• Social Engineering to download Configuration update
Image Courtesy- https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/
35. SkyGoFree – Commands
• Rubrica – get Contacts
• registro_chiamate – Call logs
• Reverse – reverse shell module
• wifi – Add new Wi-Fi configuration
• listapp – get apps list
• Social – Get Social media database
• whatsapp – get WhatsApp data
• history – Steal Browser history
• Install_apk – Install apk
• Camera – Get Photo/Video
42. RedDawn
• Campaigns targeting Korean users
• Both Google play and outside
• Distributed as health care, utility, Food ingredients and prayer applications
• Cloud service used to upload data
48. How are they getting on the device?
• Popular social media apps used for Distribution
o Facebook groups, Twitter
o WhatsApp, Kakao, Facebook Messenger
o Stolen Profiles, Social Engineering
• User Interests and Popular Trends
o Fitness Apps, World Cup
• Innocuous Utility Apps on Google Play
o Cleaners
o Backup
49. Changing Dynamics – How are they getting Data?
• Publicly available exploits
o Android rooting tools framework
Chart: Malware on Android OS versions vs. Android OS Distribution
50. Changing Dynamics – Data targeted
• SMS
• Call Logs
• Contacts
• Location
• Social Media (Regional)
o Whatsapp/Facebook/Viber
o LinkedIn
o Kakao
• Images
• Installed Apps
• Wifi
• Credentials
• Text
• Device Information
• Emails
• Messenger/VoIP
51. Downloaders and Accessibility Service
• Downloaders and Droppers are the Achilles' heel of Google Play store security
• Used by Bankbots and other popular malware
• Continued abuse of Accessibility service
52. Counter Measures
• Downloaded data and code loaded at runtime should be verified
• Social media vigilance
• Accessibility abuse should be restricted
• Push vendors to reduce Fragmentation
• Be cautious when granting permissions
• Alert about apps from non-standard and non-reputable sources
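A triage heuristic tying the last three slides together (data targeted, downloaders and accessibility abuse, cautious permission granting), added here as an example and not part of the AVAR 2018 deck: it maps the permissions declared in a decoded AndroidManifest.xml (assumed to be apktool-style decoded XML) onto the data categories the deck lists and flags an accessibility service and package-install capability. The sample manifest and the package name com.example.cleaner are constructed.

```python
"""Triage heuristic for a decoded AndroidManifest.xml (e.g. apktool output).
Added example, not from the deck: maps declared permissions onto the data
categories the deck lists and flags accessibility-service / installer use."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> data category named on the "Data targeted" slide.
PERMISSION_TO_DATA = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "Call Logs",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_WIFI_STATE": "Wifi",
    "android.permission.GET_ACCOUNTS": "Emails",
    "android.permission.READ_EXTERNAL_STORAGE": "Images",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Data categories reachable via permissions plus two capability flags."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    data = sorted({PERMISSION_TO_DATA[p] for p in perms if p in PERMISSION_TO_DATA})
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is how an app hooks accessibility.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    # REQUEST_INSTALL_PACKAGES is what a dropper needs to side-load a payload.
    installer = "android.permission.REQUEST_INSTALL_PACKAGES" in perms
    return {"data": data, "accessibility_service": accessibility,
            "can_install_packages": installer}

# Constructed manifest of a "cleaner" utility that asks for far more than cleaning needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".CleanerService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the constructed manifest reports SMS, contacts and call logs as reachable data plus both capability flags set, the profile the deck describes for a dropper hiding behind a utility app.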