anti virus and security apps
play

ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, - PowerPoint PPT Presentation

Aug 23, 2022 •135 likes •636 views

(IN-)SECURITY OF SMARTPHONE ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger, Andreas Wittmann, Philipp Roskosch, Daniel Magin, Joseph Varghese 1 Who are we Stephan Siegfried Mobile Security

  1. (IN-)SECURITY OF SMARTPHONE ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Tröger, Andreas Wittmann, Philipp Roskosch, Daniel Magin, Joseph Varghese 1

  2. Who are we Stephan Siegfried • Mobile Security Researcher at • 4th year PhD Student at TU Fraunhofer SIT Darmstadt/ Fraunhofer SIT • Enjoys teaching students in • Static and Dynamic Code Android Hacking Analysis • @teamsik • @teamsik 2

  3. 3

  4. Security App Features on Mobile 4

  5. Security App Features on Mobile Secure Browsing 5

  6. Security App Features on Mobile Secure Browsing Signature Update 6

  7. Security App Features on Mobile Secure Browsing Signature Update Realtime Monitoring 7

  8. Security App Features on Mobile Secure Browsing Signature Update Premium Features Realtime Monitoring 8

  9. Security App Features on Mobile Secure Browsing Theft Protection Signature Update Premium Features Realtime Monitoring 9

  10. Security App Features on Mobile SPAM Protection SPAM Secure Browsing Theft Protection Signature Update Premium Features Realtime Monitoring 10

  11. Outline • Analyzed Apps • Excerpt of Implementation Flaws and Attack Types • Business Model • Local Denial of Service • Man-in-the-Middle Attacks • Overview of All Findings • Our Experiences during the Responsible Disclosure Process • Summary 11

  12. Analyzed Android Apps App GooglePlay Downloads AndroHelm 1-5m Malwarebytes 5-10m ESET 5-10m Avira 10-50m Kaspersky 10-50m McAfee 10-50m CM Security 100-500m 12

  13. Bussines Model Attack 13

  14. 14

  15. Client Side License Verification … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); … 15

  16. Client Side License Verification … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); … write value to .xml file <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name="dialogShowTimes" value="1" /> <boolean name="hasDatabase" value="true" /> <string name="lastFragment"></string> <boolean name=" isPro " value=" true " /> </map> 16

  17. Client Side License Verification … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); … write value to .xml file <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name="dialogShowTimes" value="1" /> <boolean name="hasDatabase" value="true" /> <string name="lastFragment"></string> <boolean name=" isPro " value=" true " /> Every user can set this value ! </map> 17

  18. Local Denial of Service 18

  19. Inter App Communication Intent Intent Key: Value Key: Value Intent-Filter App A App B Android System 19

  20. Realtime Monitoring Attacker App Security App 20

  21. Realtime Monitoring Intent Attacker App Security App 21

  22. Realtime Monitoring CRASHED ! Attacker App Security App Log output: Java.lang.RuntimeException: Unable to start receiver com.androhelm.antivirus.receivers.SMSMonitor: java.lang.NullPointerException … com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:793) E/AndroidRuntime(16060): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:560) E/AndroidRuntime(16060): Caused by: java.lang.NullPointerException com.androhelm.antivirus.receivers.SMSMonitor.onReceive(SMSMonitor.java:31)E/AndroidRuntime(16060): at E/AndroidRuntime(16060): ... 10 more 22

  23. Implementation Faults • Missing checks of intent payload , cause exceptions • Missing exception handling will crash whole application 24

  24. Implementation Faults • Missing checks of intent payload , cause exceptions • Missing e xception handling will crash whole application • Example: null-Intent 1)public void onReceive(Context c, Intent intent) { 2) //missing check if intent is null 3) Bundle bundle = intent.getExtras (); 4) if(bundle != null) { 5) Object o = bundle.get("pdus"); 25

  25. Man-in-the-Middle Attacks 26

  26. Man-in-the-Middle Attacks • Smartphone is a wireless medium mitm attacker • Communication over HTTP • No authentication • Broken self-made integrity protection security app update server • Broken self-made encryption • Communication over HTTPS • Broken certificate validation 27

  27. Rogue GSM Hotspot • Cost: ~ 300 $ nuand bladeRF SDR Powerbank (portable system) Pi for controlling and sniffing 28

  28. Mitm WI-FI Hotspot • Cost: ~60$ OR 29

  29. Arp-Spoofing • Cost: arpspoof , iptables and (mitm)-proxy are for free ! 30

  30. Remote Code Injection Example 31

  31. Special zip Entry /tmp$ unzip -l zipfile.zip Archive: zipfile.zip Length Date Time Name --------- ---------- ----- ---- 22 2016-06-28 13:49 ../../../tmp/dir2/badfile.txt 24 2016-06-28 13:43 file1.txt --------- ------- 46 2 files 32

  32. Unzip /tmp$ unzip zipfile.zip -d ./ dir1 / Archive: zipfile.zip warning: skipped "../" path component(s ) in ../../../tmp/dir2/badfile.txt extracting: ./dir1/tmp/ dir2 /badfile.txt extracting: ./dir1/file1.txt 33

  33. Unzip /tmp$ unzip zipfile.zip -d ./ dir1 / Archive: zipfile.zip warning: skipped "../" path component(s ) in ../../../tmp/dir2/badfile.txt extracting: ./dir1/tmp/ dir2 /badfile.txt extracting: ./dir1/file1.txt /tmp$ find /tmp/dir1/ /tmp/ dir1 / /tmp/ dir1 /file1.txt /tmp/ dir1 /tmp /tmp/ dir1 /tmp/dir2 /tmp/ dir1 /tmp/dir2/badfile.txt /tmp$ 34

  34. No escaping /tmp$ unzip -: zipfile.zip -d ./dir1/ Archive: zipfile.zip extracting: ./dir1/../../../tmp/dir2/ badfile.txt extracting: ./dir1/file1.txt 35

  35. No escaping /tmp$ unzip -: zipfile.zip -d ./dir1/ Archive: zipfile.zip extracting: ./dir1/../../../tmp/dir2/ badfile.txt extracting: ./dir1/file1.txt /tmp$ ls /tmp/dir1/ file1.txt /tmp$ ls /tmp/dir2/ badfile.txt 36

  36. Observed Update Traffic update process update process HTTP-traffic HTTP-traffic 37

  37. Observed Update Traffic update process update process HTTP-traffic HTTP-traffic GET-Requests of Application: … http://downloads7.xxxxxxxx-labs.com/bases/upd/upd-0607g.xml http://ipm.xxxxxxxx.com/600eb07a-2926-4407-b014-d3e8c77b0086.zip http://ipm. xxxxxxxx.com/eeea9321-5eac-4709-9046-8475ee951c82.zip http://downloads7.xxxxxxxx-abs.com/bases/mobile/ksrm//rootdetector.jar … 38

  38. Observed Update Traffic update process update process HTTP-traffic HTTP-traffic replace .zip file with attack file GET-Requests of Application: … http://downloads7.xxxxxxxx-labs.com/bases/upd/upd-0607g.xml http://ipm.xxxxxxxx.com/600eb07a-2926-4407-b014-d3e8c77b0086.zip http://ipm.xxxxxxxx.com/eeea9321-5eac-4709-9046-8475ee951c82.zip http://downloads7.xxxxxxxx-abs.com/bases/mobile/ksrm//rootdetector.jar … 39

  39. Content of the Attack File unzip -l 600eb07a-2926-4407-b014-d3e8c77b0086.zip Archive: 600eb07a-2926-4407-b014-d3e8c77b0086.zip Length Date Time Name --------- ---------- ----- ---- 16 2015-09-15 18:57 ../../../../../../../../../../../../../ ../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar 4042 2015-08-28 18:49 1000_768.css 6078 2015-08-28 18:49 AntiVirus_Premium.html 335 2015-08-28 18:49 [Content_Types].xml Payload 867 2015-08-28 18:49 meta.xml 3216 2015-08-28 18:49 respond.min.js 41

  40. Structure of Target App Folder ./app_bases/pdm.cfg ./app_bases/ pdm.jar . . contains classes.dex . (executable) . ./some_other_files . . . 42

  41. Unzip Received File ./app_bases/pdm.cfg ./app_bases/ pdm.jar . . contains classes.dex . (executable) . . ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/respond.min.js ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/[Content_Types].xml ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/1000_768.css ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/KISA_EN_Trial.html ./../../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar Advertisement files + attacker code extracted from zip archive ! 43

  42. Overwrite Original File ./app_bases/pdm.cfg Break out of source folder and overwrite original target file ! ./app_bases/ pdm.jar . . contains classes.dex . (executable) . . ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/respond.min.js ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/[Content_Types].xml ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/1000_768.css ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/KISA_EN_Trial.html ./../../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar Advertisement files + attacker code extracted from zip archive ! 44

  43. Injected Code ./app_bases/pdm.cfg ./app_bases/ pdm.jar Injected File with attacker code ! . . contains classes.dex . with injected code . . ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/respond.min.js ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/[Content_Types].xml ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/1000_768.css ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/KISA_EN_Trial.html Advertisement files transfered by a zip archive ! 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon lmrs2@cam.ac.uk https://www.cl.cam.ac.uk/~lmrs2/ Talk outline Background Mobile Anti Virus (MAV) sample Lock Wipe 21/05/15 Laurent

481 views • 28 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus Techniques } Virus writers have devised numerous methods of resisting anti-virus software and making life difficult for anti-virus researchers }

554 views • 53 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS VIRUS A virus must meet two A computer virus is a small criteria:

525 views • 23 slides
Awareness: An Anti-virus Program for Humans Gretchen Morris, CISSP DB Consulting Group, Inc.

Awareness: An Anti-virus Program for Humans Gretchen Morris, CISSP DB Consulting Group, Inc.

Awareness: An Anti-virus Program for Humans Gretchen Morris, CISSP DB Consulting Group, Inc. Integrated Awareness Efforts Website u News Articles u Security Tips u Calendar(s) u Newsletters u Posters u Webinars u Lunch and Learns

371 views • 19 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
CONCEPT Standard Model CAPACI TY 9K, 12K, 18K &amp; 24K BTU Launched in 2011 The Concept

CONCEPT Standard Model CAPACI TY 9K, 12K, 18K &amp; 24K BTU Launched in 2011 The Concept

CONCEPT Standard Model CAPACI TY 9K, 12K, 18K &amp; 24K BTU Launched in 2011 The Concept Appealing Design to all consumers Anti-virus Filter Full High density anti-virus filters Triple Protectors Quality Protection Good Sleep I I

612 views • 26 slides
An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps

An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps

An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps developed as resources to support anti-bullying programmes with young people in school and at home: 1. A multiple choice quiz 2. An online survey

257 views • 12 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine

KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine

Europython 2020 So, You Want to Build an Anti-Virus Engine? KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine CoFounder of Quark Engine 2 Outline #1: Introduction of Malware Scoring System #2: Design

1.17k views • 53 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
Technology Toolkit 4 Key Pillars Security Training Maximize Your Technology Impact Web Site

Technology Toolkit 4 Key Pillars Security Training Maximize Your Technology Impact Web Site

Technology Toolkit 4 Key Pillars Security Training Maximize Your Technology Impact Web Site Anti-Virus Administrators Desktops/Tablets Email Telephone (VOIP-Land Lines) Firewall Daily Staff Wireless Business Cards Web Policy

210 views • 8 slides
viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb

viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb

viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb 2017: slide 31: visible space after negative foo example 8 Feb 2017: slide 35: [a-zA-Z]*ing instead of [a-zA-Z]ing 8 Feb 2017: slide 56: correct

1.32k views • 116 slides
Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Overview Anti-pattern awareness

254 views • 10 slides
Anti-Kickback Request for Information 1 Agenda + Introductions + Context for the RFI +

Anti-Kickback Request for Information 1 Agenda + Introductions + Context for the RFI +

Anti-Kickback Request for Information 1 Agenda + Introductions + Context for the RFI + Overview of AKS and Beneficiary Inducement Statute + Differentiating AKS from Stark + Impact on value-based models + Crafting your RFI response 2 About

463 views • 22 slides
Quantitative invertibility of random matrices: a combinatorial perspective Vishesh Jain

Quantitative invertibility of random matrices: a combinatorial perspective Vishesh Jain

Quantitative invertibility of random matrices: a combinatorial perspective Vishesh Jain Massachusetts Institute of Technology Stanford Combinatorics Seminar October 31, 2019 Vishesh Jain (MIT) Quantitative invertibility of random matrices

1.35k views • 96 slides
Anti-Combining for MapReduce Alper Okcan Mirek Riedewald Northeastern University, Boston, USA

Anti-Combining for MapReduce Alper Okcan Mirek Riedewald Northeastern University, Boston, USA

Anti-Combining for MapReduce Alper Okcan Mirek Riedewald Northeastern University, Boston, USA SIGMOD 2014 ICT MapReduce Overview Shuffle ICT Shuffle is always the bottleneck of a MR job execution large amounts of data are grouped,

359 views • 23 slides
CS 293S Parallelism and Dependence Theory Yufei Ding Reference Book: Optimizing Compilers for

CS 293S Parallelism and Dependence Theory Yufei Ding Reference Book: Optimizing Compilers for

CS 293S Parallelism and Dependence Theory Yufei Ding Reference Book: Optimizing Compilers for Modern Architecture by Allen &amp; Kennedy Slides adapted from Louis-Nol Pouche, Mary Hall End of Moore's Law necessitate parallel computing

469 views • 46 slides
Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales

Analyzing Malware Detection Effectiveness with Multiple Anti- Malware Programs Jose A. Morales Shouhuai Xu Ravi Sandhu SEI @ CMU CS @ UTSA ICS @ UTSA Roadmap Motivation Experimental Methodology Experimental Results Summary

560 views • 16 slides
A Multitumor Regional Symposium Focused on the Application of Emerging Research Information to the

A Multitumor Regional Symposium Focused on the Application of Emerging Research Information to the

A Multitumor Regional Symposium Focused on the Application of Emerging Research Information to the Care of Patients with Common Cancers Saturday, January 11, 2020, 8:00 AM 4:00 PM Houston, Texas Faculty Tanios Bekaii-Saab, MD Mark Levis,

1.27k views • 111 slides
Continuous Dynamical Systems Florence Hubert florence.hubert@univ-amu.fr Charlotte Perrin

Continuous Dynamical Systems Florence Hubert florence.hubert@univ-amu.fr Charlotte Perrin

Continuous Dynamical Systems Florence Hubert florence.hubert@univ-amu.fr Charlotte Perrin charlotte.perrin@univ-amu.fr Master CMB-BIO, 2019-2020 Practical information schedule lectures + exercises 12h computer sessions (language

528 views • 42 slides
Hierarchical Bayes models for Perfusion Imaging Volker J Schmid Department of Statistics,

Hierarchical Bayes models for Perfusion Imaging Volker J Schmid Department of Statistics,

Hierarchical Bayes models for Perfusion Imaging Volker J Schmid Department of Statistics, Bioimaging group LMU Munich Statistics and Neuroimaging Berlin, November 24, 2011 Perfusion Imaging Interest in imaging blood perfusion in vivo

601 views • 26 slides

More recommend