Harsimran Walia presents information on analyzing Android malware. He discusses how the Android platform has become very popular for attackers due to its large market share and less restrictive development environment compared to iOS. He outlines different types of Android malware like data stealers and rooting malware. The paper also provides details on setting up a malware analysis lab and introduces both static and dynamic analysis tools. It then demonstrates the analysis process on a real premium SMS sending malware sample, showing how to decompile, modify, and test the malware.
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Reading Group Presentation: Why Eve and Mallory Love AndroidMichael Rushanan
This presentation contains multiple pointers to academic research pertaining to Android and its security model. I presented these works to a weekly Security and Privacy reading group.
The academic proceeding can be found here:
www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Reading Group Presentation: Why Eve and Mallory Love AndroidMichael Rushanan
This presentation contains multiple pointers to academic research pertaining to Android and its security model. I presented these works to a weekly Security and Privacy reading group.
The academic proceeding can be found here:
www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
Dominic Chell presents "Breaking Secure Mobile Applications" at Hack In The Box 2014.
This presentation details common vulnerabilities that can be found in supposedly secure applications, including BYOD and MDM apps. It also provides an overview of the binary protections that can be implemented to complicate these types of attacks.
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you’ll learn about some of the weaknesses in the Android's model (including rooting, tap-jacking, malware, social-engineering) as well as what can be done to mitigate those threats, such as SE-Linux, memory protection, anti-malware, firewall, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
Dominic Chell presents "Breaking Secure Mobile Applications" at Hack In The Box 2014.
This presentation details common vulnerabilities that can be found in supposedly secure applications, including BYOD and MDM apps. It also provides an overview of the binary protections that can be implemented to complicate these types of attacks.
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you’ll learn about some of the weaknesses in the Android's model (including rooting, tap-jacking, malware, social-engineering) as well as what can be done to mitigate those threats, such as SE-Linux, memory protection, anti-malware, firewall, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This slide briefs about various tools & techniques used to extract unprotected data from iOS apps. You can extract resource files, database files, get data in runtime using various methods. In my next slides I will brief about the ways to secure your iOS apps.
Les bonnes pratiques pour passer de la présence à la visibilité sur InternetXavier Derégel
Etre présent sur Internet c'est bien, y être visible, c'est mieux. Quelles sont les raisons qui font qu'un site Internet apporte des réponses qui seront proposées dans les premiers résultats des moteurs de recherche ? Xavier DERÉGEL vous propose un tour d'horizon des bonnes pratiques pour optimiser votre présence web : côté adéquation des contenus, en hiérarchisant les constituants des pages et en qualifiant le contenu des balises html, et côté popularité, en favorisant le trafic et en développant votre espace web.
Cette conférence a été enregistrée le 29 mars 2013, lors du 3e Carrefour de l'Air. Elle est à destination des musées et associations aéronautiques qui souhaitent optimiser leur solution de publication sur internet, en vue d'accroitre la visibilité de leurs actions auprès d'un plus large public.
Le Carrefour de l'Air rassemble depuis quelques années, des acteurs de la conservation du patrimoine aéronautique. Ils se retrouvent au Musée de l'Air et de l'Espace de Paris - Le Bourget, autour d'un fly'in de machines anciennes, mais aussi lors de conférences et tables rondes sur le thème "Collecter, conserver et valoriser le patrimoine aéronautique".
Discusses how to perform malware analysis on Android devices. Initially presented at BSidesDE 2011 (in a much more fun format), the version here is as-presented at Rochester Security Summit 2011.
Cracking the Mobile Application Code by Sreenarayan A. at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud XiaoShakacon
Since 2014, fifteen new malware or riskware families successfully attacked non-jailbroken iOS devices (e.g., WireLurker, Oneclickfraud, XcodeGhost, InstaAgent, ZergHelper, AceDeceiver), affected thousands of iOS apps and tens of millions users around the world. Ten of them even bypassed Apple’s code vetting and occurred at App Store. In this presentation, we will systematically study how could these malware, riskware and some Proof-of-Concepts infect non-jailbroken devices via practical vectors and approaches including abusing development certificates, bypassing code review by obfuscation, performing FairPlay MITM attack, abusing MDM solution, abusing private APIs, exploiting design flaws or app level vulnerabilities, and stealing privacy data. For each topic, we will introduce its implementation, explore real world cases, analyze its risky and consequences, explain Apple’s countermeasures, and discuss why some problems will still exist in near future. We will also share some stories of how we discovered those interesting iOS malware. Through this topic, audiences could make more effective policies to protect iOS devices in their organizations, build their own systems/tools to evaluate security risks in iOS apps, and hunt more iOS malware in the future.
Recent trends in 2014-15 in the IT field. Big shots from the major companies, including rumours of shift in focus to car manufacturing. Seamless integration between devices etc.
This slide deck covers the automated & manual static code discovery of Android Application using opensource tools, Reverse engineering of apk file and Secure code review
Grab the Secure Mobile Application Development Reference here - http://www.denimgroup.com/know_artic_secure_mobile_application_development_reference.html
Are you looking to build a program to ensure maximum mobile security coverage?
If you are tasked with putting together a security testing program to address risk with internally developed mobile applications, there is no shortage of technical and process factors to consider. It is also critical to balance the security with a positive end-user experience, helping propel the overall brand forward - safely. Without proper mobile security, one significant loss can quickly destroy the trust foundation your company has worked years to craft.
This webinar will provide the security leader an overview of the challenges associated with mobile testing, certain technologies that one can use to identify mobile application vulnerabilities, and repeatable process strategies that will help build the foundation for a recurring testing program.
The session will provide attendees a broad understanding of mobile technologies, as well as a mobile testing launch checklist that will help your organization go from ground floor to a fully-functioning testing program in 30 days.
The session will also include:
An overview of the major mobile technologies and their defining attributes
An overview of how iOS and Android handle certain security issues differently via the Denim Group Mobile Development Reference Guide
An overview of a typical mobile application architecture and how it differs from a web application environment
How important web services are to a typical mobile architecture
The limitations of automated testing and how to augment security reviews to overcome testing gaps
How to make a program repeatable and economically feasible without disrupting the software development process
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
2. #WhoamI
• Research Scientist @ McAfee
• Expertise: Malware Analysis, Exploit development and Vulnerability Analysis
• Twitter: b44nz0r
• Email: walia.harsimran@gmail.com
• Previous papers: Reversing Microsoft Patches to Reveal Vulnerable code @ NullCon, 2011
3. Disclaimer
• The research and views presented here are solely mine and have nothing to do with any of the current or previous organizations I work for or am associated with in any form
• The presentation is for educational purposes only and no one can be held responsible for any harm caused in any form due to use or misuse of the information presented here
4. Access Data?
• Use of smartphones, tablets, mobile devices
• No longer need to stay in one place
• Information on the go
• But,
5. Danger!
• Create a larger attack vector
• Treasure trove for attackers
• Hot targets for attackers and data thieves
• Ease of attack
• Vast amount of information
6. Attacks
• Most reliable attack is via malware
• Malware can
1. penetrate a host
2. extract information
3. stay hidden
4. send data to the attacker
• Attackers created smartphone malware
• Delivered as smartphone applications
7. Platforms
• Many smartphone platforms
– Apple’s iOS
– Android
– Symbian
– Blackberry
• Android by far most popular with attackers
10. Why Android?
• Starting development of iPhone OS apps needs:
– Mac computer
– Sign in to the Dev Program
– Wait for verification
– Pay fees
11. Why Android?
• Not only user share, sales are also much above any other platform
• Huge user base, i.e. victims ;)
• Ease of malware development and hosting on Google Play
• Have led to:
12. Headlines
• Android OS the “worst platform for malware”. - TG Daily August’11
• Android threats leapt 76% during the Q2-2011 - McAfee
• Most attacked mobile OS overtaking Symbian OS
• The most popular target for mobile malware developers
• Increasing target for cybercriminals
13. Malware Analysis
Windows vs Android
Windows:
• 2 methods, dynamic and static
• Virtual machine or sandbox is used
• Static analysis - reverse engineer the application/malware using tools and techniques to re-create the actual code and algorithm
• Have to debug through assembly code to understand the algorithm
Android:
• Same, dynamic and static
• Virtual machine with android SDK
• In many cases static analysis reveals the malware behavior and very little dynamic analysis is required
• Can be decompiled into readable java code
14. What to expect?
• Lab setup, a VM with android SDK installation
• Tools required for the analysis
• Static Analysis
• Dynamic Analysis
• Patching the malware to own it
15. What not to expect?
• How to write an android malware
• How to spread it
• How to hack Android
17. Types of Android Malware
• Mobile Device Data Stealers
– most common
– aim to acquire different info from the infected device:
• OS version
• product ID
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI) number
– This stolen device info is encrypted and sent via HTTP POST to the attacker; it can be used for future attacks.
18. • Rooting-capable
– malware that infects to gain so-called root privileges
– gives remote users access to files and the device's flash memory
– with rooting, malware can drop copies of itself onto the flash memory
– there it can't be detected and consequently deleted by antivirus products
19. • Premium Service Abusers
– hard-coded, predetermined premium numbers
– sends text messages
– affected users are charged for SMS services
• Mobile Device Spies
– secretly monitor info stored on infected devices:
• GPS location
• saved text and email messages
– Like data stealers, they send stolen data to specific URLs via HTTP POST.
– Focus more on gathering personal data
21. Android One-click Billing Fraud
• Mostly active on p0rn and gamer video sites
• Trying to view a video triggers a pop-up asking the user to download a malicious app.
• Gets the Android user account information and sends it to the cybercriminals.
• Displays a pop-up showing the message
– "We haven't received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet."
• Also displays the information it stole in order to build credibility for itself and better convince the victim to pay the amount.
• The pop-up is set to show every few minutes and keeps eating your money.
23. • Malware Analysis
– important part of antimalware companies' work.
• Mobile malware analysis is now equally important.
• Effective analysis can be used by law enforcement agencies to catch law breakers
– i.e. malware authors and attackers
• For fun, when you can pwn someone else's malware and control it.
• You get yourself full-blown malware without writing it.
25. Tools - Static analysis
• Mobile Sandbox: provides static analysis of malware images
• IDA Pro: supports Android bytecode in version 6.1 and later
• APKInspector: powerful GUI tool for analyzing Android applications
• Dex2jar: for converting Android's .dex format to Java's .class format
• JD-GUI: a standalone graphical utility that displays Java source code of .class files
• Androguard: reverse engineering and malware analysis of Android applications
• JAD: Java decompiler
• Dexdump: Java .dex file format decompiler
• Smali: smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation
26. Tools – Dynamic analysis
• Droidbox: an Android application sandbox for dynamic analysis
• The Android SDK: "A software development kit that enables developers to create applications for the Android platform." Using the Android SDK we can create a virtual Android device almost identical in functionality and capabilities to an Android telephone, and using that virtual device as a secure environment we can execute the malware and observe its behaviour.
• AndroidAuditTools: dynamic Android analysis tools
28. • Traditional malware analysis includes a Virtual Machine
• We need one as well
• Android SDK installed in the VM
• Well documented installation details can be found here: http://developer.android.com/sdk/installing.html
• Would highlight one thing during installation
29. • Must select at least one version of the API
• API versions to develop applications for different Android versions
• Separate SDK for malware targeting a particular version
• Demo
– android 2.3 (gingerbread)
31. Android Malware Acquisition
• Contagio MiniDump (http://contagiominidump.blogspot.in/)
• Community driven
• Anyone can submit a sample
• It is made available to others
• Demo
– Voodoo SimpleCarrierIQDetector
– supposed to detect presence of the Carrier IQ mobile diagnostic software on the system
– chosen based on the ease of understanding
33. Mobile-sandbox.com
• Submit the apk to mobile-sandbox.com for analysis
• Report generated can be viewed at http://mobilesandbox.org/xml_report_static/?q=176
• Important information from report
– Requested Permissions from Android Manifest: android.permission.READ_LOGS, android.permission.SEND_SMS
– Potentially dangerous Calls: sendSMS, Execution of native code, getPackageInfo
34. Extraction
• Start our manual analysis
• Need to extract the apk to get its contents
• apk file is a zip-formatted package
• Extraction done with WinRAR or WinZip
• File of interest is classes.dex
35. dex2jar
• C:> dex2jar.bat classes.dex
– Output: classes.dex -> classes_dex2jar.jar
• Converts the classes.dex file extracted from the apk to a jar file
36. JD-GUI
• To read the code from the .class files in the jar
• Open the jar file with JD-GUI
37. • Four .class files
– Detect.class
• Code is trying to make out if CarrierIQ software is installed on the system based on some checks.
– R.class
• Every Android application contains this class file. Here it is used to declare a few variables.
– Utils.class
• Contains a few utility method definitions like findFiles, getCommandOutput etc.
– Main.class
• This is the most interesting class as it actually contains the malicious code.
• The code looks like this
38. (screenshot of the decompiled Main.class code)
39. Code Analysis
• Four identical commands to send SMS to the number "81168" with four different SMS texts
– AT37
– MC49
– SP99
– SP93
• A Google search on the number shows that it is a premium rate SMS number that costs almost € 9/SMS
• This is how hackers make money with mobile malware
40. • Some malware listens to incoming messages
• Deletes them even before a user can read them if they are from the service providers which would inform users about their balance or billing charges.
41. I haz you
• I know the premium rate phone number
• Know the text message being sent
• If interested in catching the crooks,
– find the country and the operator to whom the number belongs
– persuade them to disclose the information on the attacker/malware author
– Google helps a lot, with substantial information available publicly regarding the same
• If you get the police involved, chances of catching the hax0r are big
42. Scam
• On Google I found a funny but very interesting Facebook scam around this
• Like other scam Facebook applications,
– a user gets messages from his friends on Facebook asking him to vote for his friend in some "Miss and Mister" contest, giving an infected web link
– Following the link actually hacks the Facebook account, rendering it unusable for the user
– Attacker then calls him/her up telling him that his account has been blocked for so and so reason
– Hence he has to send an SMS to the mentioned number "81168" with any of the 4 texts
– He will receive a code that has to be given to the caller (who is the hacker) to unlock his Facebook account.
44. • Finished with the analysis
• Extracted information on the malware author
• Let's own the malware and make it dance to our tunes
• Following technique explains the process to own the malware we just analyzed
– can be fairly generalized
45. Baksmali
• Program used to disassemble the dex files
• Disassembles the .dex file to .smali files
• Names similar to the .class files
• Can be opened in any text-editor
• C:> java -jar baksmali-0.93.jar -o smali-out classes.dex
46. • File containing the malicious code
– Main$1.smali
– From Main.class, figured out in analysis phase
– Open in a text editor
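An added example, not from the slides: a small Python scanner that does the Code Analysis step of slide 39 over baksmali output. It tracks const-string loads into registers and reports the destination number and text passed to each SmsManager.sendTextMessage call, which is exactly the IoC pair (short code, message text) the slides extract by hand. The embedded smali fragment is constructed to mirror the pattern described for Main$1.smali (four sends to one short code with different texts); it is not the real sample's disassembly, and the class name com/example/Main$1 is a placeholder.

```python
import re
from collections import defaultdict

# Constructed smali fragment modelled on the slides' description of Main$1.smali:
# four sendTextMessage calls to one short code with different texts. NOT the real
# sample's disassembly; the class name is a placeholder.
SEND_SIG = ("Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;"
            "Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;"
            "Landroid/app/PendingIntent;)V")
SAMPLE_SMALI = f"""\
.class Lcom/example/Main$1;
.super Ljava/lang/Object;
.method public onClick(Landroid/view/View;)V
    .locals 6
    invoke-static {{}}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "81168"
    const/4 v2, 0x0
    const-string v3, "AT37"
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {{v0 .. v5}}, {SEND_SIG}
    const-string v3, "MC49"
    invoke-virtual/range {{v0 .. v5}}, {SEND_SIG}
    const-string v3, "SP99"
    invoke-virtual/range {{v0 .. v5}}, {SEND_SIG}
    const-string v3, "SP93"
    invoke-virtual/range {{v0 .. v5}}, {SEND_SIG}
    return-void
.end method
"""

CLASS_RE = re.compile(r"^\s*\.class\s+(?:[\w ]+\s+)?(L[^;]+;)")
METHOD_RE = re.compile(r"^\s*\.method\s+(?:[\w ]+\s+)?(\S+)\s*$")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
CONST_RE = re.compile(r"^\s*const(?:/\w+|-wide(?:/\w+)?)?\s+([vp]\d+),")
INVOKE_RE = re.compile(
    r"^\s*invoke-\w+(/range)?\s+\{([^}]*)\},\s*Landroid/telephony/SmsManager;->"
    r"sendTextMessage\(")


def expand_registers(spec, is_range):
    """Turn the contents of '{v0 .. v5}' or '{v0, v1, v2}' into a register list."""
    spec = spec.strip()
    if not spec:
        return []
    if is_range:
        first, last = (s.strip() for s in spec.split(".."))
        return [f"{first[0]}{n}" for n in range(int(first[1:]), int(last[1:]) + 1)]
    return [r.strip() for r in spec.split(",")]


def find_sms_sends(smali_text):
    """Return one dict per SmsManager.sendTextMessage call: enclosing class and
    method, plus the last constant loaded into the destinationAddress (arg 1)
    and text (arg 3) registers, or None when the value is not a string literal
    (e.g. computed at runtime, which itself is worth a closer look)."""
    findings = []
    current_class, current_method, regs = None, None, {}
    for raw in smali_text.splitlines():
        line = raw.rstrip()
        if m := CLASS_RE.match(line):
            current_class = m.group(1)
        elif m := METHOD_RE.match(line):
            current_method, regs = m.group(1), {}   # registers are per method
        elif m := CONST_STR_RE.match(line):
            regs[m.group(1)] = m.group(2)
        elif m := CONST_RE.match(line):
            regs[m.group(1)] = None                  # numeric / null literal
        elif m := INVOKE_RE.match(line):
            args = expand_registers(m.group(2), m.group(1) is not None)
            # args[0] is the SmsManager receiver; then destinationAddress,
            # scAddress, text, sentIntent, deliveryIntent
            findings.append({
                "class": current_class,
                "method": current_method,
                "destination": regs.get(args[1]) if len(args) > 1 else None,
                "text": regs.get(args[3]) if len(args) > 3 else None,
            })
    return findings


def summarize(findings):
    """Group message texts by destination number: the IoCs an analyst reports."""
    by_dest = defaultdict(set)
    for f in findings:
        if f["text"] is not None:
            by_dest[f["destination"]].add(f["text"])
    return {dest: sorted(texts) for dest, texts in by_dest.items()}


def looks_like_short_code(number):
    """Premium-rate SMS services typically use short numeric codes (<= 6 digits
    here), unlike full subscriber numbers."""
    return number is not None and number.isdigit() and len(number) <= 6


if __name__ == "__main__":
    for dest, texts in summarize(find_sms_sends(SAMPLE_SMALI)).items():
        kind = "short code, check premium-rate registries" if looks_like_short_code(dest) else "regular number"
        print(f"sendTextMessage to {dest} ({kind}) with texts: {', '.join(texts)}")
```

Run it over a whole smali-out tree by reading each .smali file and concatenating the findings; a destination that comes back as None means the number is built at runtime and needs manual or dynamic analysis.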
47. • Change the destination number of the sms
– i.e. first argument to the sendTextMessage function
• Set it to your mobile number or any other
• Save the file
• Demo
– changing it to the port number of my android emulator
48. Smali
• Used to compile the .smali files back to a .dex file
• After making the desired changes to the smali file, save it and compile all the .smali files together to classes.dex using
• C:> java -jar smali-0.93.jar smali-out -o classes.dex
49. Packing
• Delete the META-INF folder
– contains the SHA1 of the classes.dex
– will not match the changed classes.dex file
– apk signing information
– has to be changed
• Private key of original author not available
• Have to sign the apk with our private key
• With the modified classes.dex, pack the files back to a .zip file using any packer utility
• Change extension from .zip to .apk
50. Signing
• Mandated by Google for an application (apk) to be signed by the owner/author's private key
• Cannot install on an emulator or a device if it is not signed
• Can use self-signed certificates to sign applications
• No certificate authority is needed
• To sign we need,
– Keytool
– Jarsigner
51. Keytool
• Comes as a part of the JDK installation
• Used to create the private key for signing
• C:> keytool -genkey -v -keystore my-personal-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
– prompts for passwords for the keystore and key
– and the Distinguished Name fields
52. Jarsigner
• Comes as a part of the JDK installation
• Used to sign the apk with the created keystore
• C:> jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore carrieriq.apk alias_name
– modifies the APK in-place
– creates the META-INF folder with the signing details
– APK is now signed
53. • To verify if the apk is signed
• C:> jarsigner -verify -verbose my_carrieriq.apk alias_name
• If signed properly, it outputs "JAR verified"
• Voila!
• Got ourselves a malware
55. • Install the apk (malware) on the android SDK
• To verify the behavior that we modified
• Open two instances of the android emulator
• Install the new malware on one of them
• The modified sms number should be the port number of the emulator other than the one with the malware installed
56. • Install and run the app
• As soon as the uninstall button is clicked
• SMS gets sent to the other emulator
57. I pwn your maal
• I modified your malware
• Customized it to my need
• Now I pwn your maal
• It will serve me now
• (evil grin)
59. • Overview of how the android smartphone OS has become the most popular target for attackers
• Describes different types of malware being created for the android platform
• Attempts to explain
– the lab setup
– tools required
– the static and dynamic malware analysis
– practically analyzing a real premium SMS sending malware
60. • After analysis
– Origin of malware is known
– We know how to own the malware
• In short
"I haz you and pwn your maal".