TetCon Saigon 2015 presentation, Analyze Code4HK Android Malware aka mRat. In this presentation I show how I reverse engineered, deobfuscated and analyzed the ProGuard-obfuscated Code4HK Android malware (also known as mRat) from the Hong Kong Code4HK malware campaign with JEB.
5. How was fake Code4HK Distributed?
● Hong Kong activists receive WhatsApp phishing messages from an unknown phone number containing a link to download and install an app.
● Phishing message: “Check out this Android app designed by CODE4HK, for the coordination of OCCUPYCENTRAL!”
6. Fake Code4HK Installation Process
● An .apk file is downloaded to the device after the victim presses the link in the WhatsApp phishing message.
● If the victim chooses to install the apk, a list of sensitive permissions is requested to proceed with the installation.
● A new prompt to install a second apk from the app is presented to the victim with the message “Application is updated, please click to install.”
8. What Can fake Code4HK Get from the Device?
● Contacts: name, contact id, phones, emails
● SMS messages
● Call logs: number, name, type of call (incoming, outgoing, missed), date, duration
● Geographic location (networkId, systemId, baseStationId, latitude, longitude), MAC address
● Email accounts (email provider, username, password) and email contents (display name, sender, recipient, sending time, subject, email body)
9. What Can fake Code4HK Get from the Device?
● Browser bookmarks
● Telephone: phone number, device ID, telephone provider (China Mobile, China Unicom, China Telecom), max CPU frequency, network state (connected, connecting), SIM serial number, MAC address, IP address, total memory
● Wi-Fi passwords: SSID name, WPA passphrase, encryption type, priority
10. What Other Capabilities does fake Code4HK Possess?
● LIST_DIR: get the tree of files and directories, and the size of files, in a directory
● DO_REMARK: write to the log file
● DO_TOAST: show a quick little message to the user
● DO_CALL: call a phone number
● DO_SHELL: execute commands from the CnC server
● DO_SET_MONITORNUM: set the phone number to monitor
● DO_DOWNFILE: download a file to the victim device
● DO_DELETEFILE: delete a file from the victim device
● DO_UPLOADFILE: upload a file from the victim host to the CnC server
● DO_DELAY_RECORD: delay the audio recording time
11. What Other Capabilities does fake Code4HK Possess?
● DO_START_RECORD: start recording audio
● DO_STOP_RECORD: stop recording audio
● DO_XSHELL: create a thread to receive and execute commands and send the results back to the CnC server
● DO_GET_ROOT_FILE: get the content of a file on the victim device, save it to /data/data/com.v1/ and send it back to the CnC server
● DO_SAVE_ALL: get all the data Code4HK can steal from the victim device
● DO_GET_SDCARD: get the tree of files and directories on the sdcard
13. JEB
● Disassembler
● Decompiler
● Resource viewer
● Interactive features to analyse protected Android applications and Android malware
● JEB = IDA + Hex-Rays for Android, with some limitations
16. Reverse Engineering Strategies with JEB
● Use the manifest viewer to learn the essential information the app presents about itself to the Android system: permissions, package, names of the application/activities/services/receivers and the corresponding intent-filters, ...
● Start from the main activity to traverse the app, renaming variables, methods and classes to meaningful names.
● Use cross-references to see how an object is used in a class and how a method is used across the application.
● Use the Strings window to quickly search for interesting references while reading the code.
● Study the Android APIs used in the app, with the prototypes they are called with: http://developer.android.com/reference/packages.html
17. Empty methods in JEB and IDA
● When an Android app calls System.loadLibrary to use methods from a native library, JEB does not know the content of those methods. We get empty methods inside the classes.
● Solution: apktool d target.apk, to get the native libraries used in the app (in the lib/ directory).
● Map the library name: System.loadLibrary("MyLibrary") loads libMyLibrary.so.
● Research the exported functions of the native libraries with IDA and Hex-Rays ARM.
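A small script, added here as an example and not part of the original slides, that pairs the loadLibrary names found in decompiled sources with the lib/<abi>/ entries of the APK, so the analyst knows which .so files to open in IDA and which names are not shipped with the app at all. The APK and the decompiled sources it inspects are constructed in memory; MyLibrary, helper and crypto_native are hypothetical names.

```python
import io
import re
import zipfile

# loadLibrary("<name>") in decompiled sources <-> lib/<abi>/lib<name>.so in the APK.
LOAD_LIBRARY_RE = re.compile(r'loadLibrary\(\s*"([^"]+)"\s*\)')
LIB_ENTRY_RE = re.compile(r'^lib/([^/]+)/lib([^/]+)\.so$')


def native_libraries(apk_bytes):
    """Return {library name: [abis]} for every lib/<abi>/lib<name>.so in the APK."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            m = LIB_ENTRY_RE.match(entry)
            if m:
                abi, name = m.groups()
                libs.setdefault(name, []).append(abi)
    return libs

def load_library_calls(sources):
    """Return the set of names passed to System.loadLibrary in decompiled sources."""
    names = set()
    for text in sources:
        names.update(LOAD_LIBRARY_RE.findall(text))
    return names

def resolve(apk_bytes, sources):
    """Pair each loadLibrary name with the .so files whose code JEB cannot show.

    resolved: name -> lib/<abi>/lib<name>.so paths to open in IDA.
    missing: names with no matching library in the APK (e.g. a system library).
    """
    libs = native_libraries(apk_bytes)
    calls = load_library_calls(sources)
    resolved = {n: [f"lib/{abi}/lib{n}.so" for abi in sorted(libs[n])]
                for n in sorted(calls) if n in libs}
    missing = sorted(calls - set(libs))
    return resolved, missing

def build_sample_apk():
    """Constructed APK stand-in with hypothetical contents (not the real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/armeabi-v7a/libMyLibrary.so", b"\x7fELF")
        z.writestr("lib/x86/libMyLibrary.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libhelper.so", b"\x7fELF")
    return buf.getvalue()

# Constructed decompiler output: one library shipped in the APK, one that is not.
SAMPLE_SOURCES = ['static { System.loadLibrary("MyLibrary"); }',
                  'void init() { System.loadLibrary("crypto_native"); }']
```

Running resolve() on a real APK means passing the bytes of the .apk file and the text of the decompiled classes; the same two-sided check also tells you when a library is present for one ABI only.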
22. Digital Certificate
Type: X.509
Version: 1
Serial Number: 0xc481b832c80b4239
Issuer: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
Validity: from = Mon Mar 10 13:51:27 ICT 2014, to = Thu Jul 25 13:51:27 ICT 2041
Subject: EMAILADDRESS=2safeweb@gmail.com, CN=maerts, OU=itsc, O=qq.com, L=GZ, ST=JX, C=zh
23. Required Permissions
android.permission.CHANGE_NETWORK_STATE (change network connectivity)
android.permission.ACCESS_MOCK_LOCATION (mock location sources for testing)
android.permission.PROCESS_OUTGOING_CALLS (intercept outgoing calls)
android.permission.ACCESS_COARSE_LOCATION (coarse (network-based) location)
android.permission.INTERNET (full Internet access)
android.permission.ACCESS_FINE_LOCATION (fine (GPS) location)
android.permission.INTERACT_ACROSS_USERS_FULL ()
android.permission.ACCESS_NETWORK_STATE (view network status)
android.permission.WRITE_CALL_LOG (write (but not read) the user's contacts data.)
android.permission.GET_TASKS (retrieve running applications)
android.permission.READ_CALL_LOG (read the user's call log.)
com.android.browser.permission.READ_HISTORY_BOOKMARKS (read browser's history and bookmarks)
android.permission.WRITE_EXTERNAL_STORAGE (modify/delete SD card contents)
android.permission.RECORD_AUDIO (record audio)
24. Required Permissions
android.permission.RECEIVE_BOOT_COMPLETED (automatically start at boot)
android.permission.VIBRATE (control vibrator)
android.permission.PERMISSION_NAME (Unknown permission from android reference)
android.permission.WRITE_SETTINGS (modify global system settings)
android.permission.READ_PHONE_STATE (read phone state and identity)
android.permission.MOUNT_UNMOUNT_FILESYSTEMS (mount and unmount file systems)
android.permission.READ_SMS (read SMS or MMS)
com.android.email.permission.ACCESS_PROVIDER (Unknown permission from android reference)
android.permission.ACCESS_WIFI_STATE (view Wi-Fi status)
android.permission.CHANGE_WIFI_STATE (change Wi-Fi status)
android.permission.RECEIVE_SMS (receive SMS)
android.permission.READ_CONTACTS (read contact data)
android.permission.MODIFY_AUDIO_SETTINGS (change your audio settings)
25. Infection flow
1.) Open “qq.xml” from the Assets directory.
2.) Create a new directory, “/sdcard/.qq/”.
3.) Read the contents of “qq.xml” and create a file, “/sdcard/.qq/temp.apk”.
4.) Start StreamService (this will run after reboot).
5.) Display the Update message.
[Flow diagram: Code4hk.apk -> (2) Create /sdcard/.qq/ -> (3) Create /sdcard/.qq/temp.apk -> (4) Start StreamService]
26. qq.xml & temp.apk
qq.xml is a minor version of Code4HK which is extracted, renamed to temp.apk and copied to /sdcard/.qq/temp.apk on the first run.
This file is executed if the victim clicks the “Update” button when the app first runs.
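Added example, not from the original slides: a scanner that flags any asset whose content is a zip containing AndroidManifest.xml and classes.dex, whatever its extension says, which is how a disguised second stage like assets/qq.xml can be spotted statically before the sample is ever run. The dropper it inspects is constructed in memory with hypothetical contents.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def looks_like_apk(data):
    """True when data is a zip archive that carries both APK markers."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return APK_MARKERS <= set(inner.namelist())
    except zipfile.BadZipFile:
        return False

def find_embedded_apks(apk_bytes):
    """Return {asset path: sorted inner entries} for assets that are hidden APKs.

    Extensions are ignored on purpose: the dropper names its payload qq.xml.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for entry in outer.namelist():
            if not entry.startswith("assets/") or entry.endswith("/"):
                continue
            data = outer.read(entry)
            if looks_like_apk(data):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    hits[entry] = sorted(inner.namelist())
    return hits

def _zip_of(entries):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample_dropper():
    """Constructed dropper (hypothetical contents, not the real Code4HK sample)."""
    stage2 = _zip_of({"AndroidManifest.xml": b"<manifest/>",
                      "classes.dex": b"dex\n035\x00"})
    return _zip_of({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035\x00",
        "assets/qq.xml": stage2,                             # APK disguised as XML
        "assets/config.xml": b"<config/>",                  # ordinary XML asset
        "assets/data.zip": _zip_of({"readme.txt": b"hi"}),  # a zip, but not an APK
    })
```

The same check applied to the extracted payload itself lets you repeat the analysis on the second stage (manifest, permissions, services) rather than stopping at the dropper.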
40. Prevention and Mitigation
● Don't download and install applications from third-party Android stores or unknown sources.
● Look for the homepage, information and reviews of an application before you install it, to make sure it is legitimate and only asks for the permissions it needs.
● Use up-to-date antivirus software.
41. Conclusion
● The malware targets Hong Kong protesters.
● It includes many specific malware features, some of which are not implemented.
● Android users should read carefully the permissions requested while installing apps and compare them to the functionality of the app. When in doubt, submit the apk to an Android sandbox or to reverse engineers for an application audit.