BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE - PowerPoint PPT Presentation

  1. BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September 26 2018

  2. About Me
     Senior Security Researcher @ Lookout
     • B.S. in Information Security
     • More than 5 years working in Information Security
     • Experience includes incident response, forensics, malware analysis

  3. APK File Structure (Android Application Package)
     • AndroidManifest.xml - application name, version, permissions, components, ...
     • classes.dex - actual compiled code in dex format, the core of the app
     • Resources.arsc, res/ - layouts, strings, color definitions, ...
     • assets/ (optional) - images, audio, video, fonts, html files, ...
     • /lib (optional) - compiled native code
     • META-INF - components metadata, package signature info
     • Any file? Since apk is 'almost' a zip archive

  4. Glossary
     What I am talking about
     • Malware family - a group of malicious applications that are common in code structure, functionality, and are usually associated with the same threat actor
     • Obfuscation - a process of deliberately making the code of a program harder to read and understand
     • Decompiler - a reverse engineering tool used to convert a compiled executable program into (pseudo) source code
     Why obfuscate?
     • Protect Intellectual Property (IP)
     • Complicate Reverse Engineering
     • Prevent tampering
     Why decompile code?
     • Much easier to read decompiled Java-like code than disassembled Smali instructions

  5. Common obfuscation techniques
     Often used by malware authors
     • Trivial (repackaging the apk, renaming the package, resigning)
     • Insertion of dead code blocks
     • Insertion of intermediate operations
     • Encrypting/Encoding strings
     • Encrypting payloads - dex files or native libraries
     • Usage of reflection

  6. Sample 1 Cosiloon

  7. Cosiloon malware family Quick reference info Type: Adware/App Dropper What it does: Shows advertisement on the device screen. Can silently download and install additional applications.

  8. Cosiloon - opened in JEB decompiler
     The apk content suggests there might be some hidden executable code
     classes.dex
     $ file assets/*
     assets/d.zip:      data
     assets/small.ttf:  data
     assets/ti.ttf:     data

  9. Cosiloon payload decoding
     Decoding d.zip file with Java
     $ file d.zip_out
     d.zip_out: Java archive data (JAR)

  10. Cosiloon payload decoding
     Decoding other obfuscated files
     Base64.decode("c21hbGwudHRm") => small.ttf

  11. Cosiloon - decoded files
     $ file *
     d.zip:          data                      (original files in assets folder)
     small.ttf:      data
     ti.ttf:         data
     d.zip_out:      Java archive data (JAR)   (decoded files)
     small.ttf_out:  Java archive data (JAR)
     ti.ttf_out:     Java archive data (JAR)

  12. Sample 1 - Lesson Learnt
     Even simple operations, such as bitwise XOR, may significantly help threat actors conceal malicious code

  13. Sample 2 DressCode

  14. DressCode malware family - quick reference info
     Type: ClickFraud
     What it does: Turns the user's device into a proxy, using the SOCKS protocol. Performs 'clicks' on advertisements on behalf of the user to generate revenue.

  15. DressCode - all the files are of known types
     Two Javascript files and an image, nothing suspicious. Well... is it?

  16. On basic principles of RGB model and steganography - about colors, bytes, and bits
     Example color: rgb(28, 69, 135)
       R:  28 => 00011100
       G:  69 => 01000101
       B: 135 => 10000111
     Bit weights:                        128 64 32 16  8  4  2  1
     R = 28:                               0  0  0  1  1  1  0  0   = 16+8+4 = 28
     Changing the least significant bit:   0  0  0  1  1  1  0  1   = 16+8+4+1 = 29
     Changing the most significant bit:    1  0  0  1  1  1  0  0   = 128+16+8+4 = 156

  17. Insignificance of the least significant bits
     Results of manipulation with the 2 least significant bits of the color:
       rgb(100, 100, 100)   0x64, 0x64, 0x64   0x64 == 0110 0100
       rgb(103, 103, 103)   0x67, 0x67, 0x67   0x67 == 0110 0111

  18. Understanding the decoding routine - extracting the payload
     Load Image from assets -> toRBitmap -> fromBase63 => classes.dex
     $ file *
     logo.png:      PNG image data, 1280 x 720, 8-bit/color RGBA, non-interlaced
     logo.png_out:  Dalvik dex file version 035

  19. Sample 2 - DressCode: about 10% of the image is used for storing the code
     Payload size: 35840 bytes
     Required # of pixels: 35864 x 2 = 71728
     # of pixels in the image (1024 px x 720 px): 1024 x 720 = 737280
     % of the picture taken by payload: 71728 / 737280 x 100% ≈ 10%
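As an added example (not code from the talk or from the DressCode sample), the hide-and-recover routine in Python: it assumes each payload byte is split into two nibbles, one per pixel, stored in the two least significant bits of R and G, which gives the two-pixels-per-byte ratio the slide's arithmetic uses; the pixel data is a constructed list of RGBA tuples so no image library is needed.

```python
# Added example, not code from the talk. Assumed layout: each payload byte is
# split into two nibbles, one per pixel, stored in the two least significant
# bits of R and G. That is two pixels per byte, the ratio slide 19 uses.
from typing import List, Tuple

Pixel = Tuple[int, int, int, int]   # RGBA, each 0..255
DEX_MAGIC = b"dex\n035\x00"         # header of the carved classes.dex

def embed_lsb2(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Return a copy of `pixels` carrying `payload` in the R/G low bits."""
    if len(payload) * 2 > len(pixels):
        raise ValueError("image too small for payload")
    out = list(pixels)
    for i, byte in enumerate(payload):
        for j, shift in ((0, 4), (1, 0)):          # high nibble, low nibble
            r, g, b, a = out[2 * i + j]
            nib = (byte >> shift) & 0xF
            out[2 * i + j] = ((r & ~3) | (nib >> 2), (g & ~3) | (nib & 3), b, a)
    return out

def extract_lsb2(pixels: List[Pixel], length: int) -> bytes:
    """Analyst side: rebuild `length` bytes from the R/G low bits."""
    data = bytearray()
    for i in range(length):
        p0, p1 = pixels[2 * i], pixels[2 * i + 1]
        data.append(((p0[0] & 3) << 6) | ((p0[1] & 3) << 4)
                    | ((p1[0] & 3) << 2) | (p1[1] & 3))
    return bytes(data)

def coverage(payload_len: int, width: int, height: int) -> Tuple[int, float]:
    """Slide 19 arithmetic: pixels needed and the share of the image used."""
    needed = payload_len * 2
    return needed, needed / (width * height)

def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel change; two LSBs move a channel by at most 3."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))

def demo() -> Tuple[bytes, int]:
    # Constructed 64x8 grey cover image, rgb(100, 100, 100) as on slide 17.
    cover = [(100, 100, 100, 255)] * (64 * 8)
    payload = DEX_MAGIC + bytes(range(48))
    stego = embed_lsb2(cover, payload)
    return extract_lsb2(stego, len(payload)), max_channel_delta(cover, stego)

if __name__ == "__main__":
    recovered, delta = demo()
    print(recovered[:8], delta, coverage(35864, 1024, 720))
```

The recovered bytes start with the dex magic and no channel moved by more than 3, which is why `file` still reports an ordinary PNG; `coverage(35864, 1024, 720)` reproduces the slide's 71728 pixels and roughly 10% share.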

  20. Sample 2 - Lessons Learnt
     Steganography is a technique used in real-world malware.
     Do not just trust the file extension and/or type
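One way to act on this lesson and on the `file assets/*` check from slide 8, as an added example (not code from the talk): walk an APK's entries and flag every file whose leading bytes do not match what its extension claims. The signatures are the standard ones for the types the talk runs into; the APK is constructed in memory.

```python
# Added example, not code from the talk: flag APK entries whose leading bytes
# do not match what their extension claims (the 'small.ttf: data' case on
# slide 8). Magic values below are the standard file signatures.
import io
import os
import zipfile
from typing import List, Tuple

MAGIC = (                    # (signature, type name), checked in order
    (b"PK\x03\x04", "zip"),  # zip / jar / apk
    (b"dex\n035\x00", "dex"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x00\x01\x00\x00", "ttf"),
    (b"\xff\xd8\xff", "jpeg"),
)
EXPECTED = {".zip": "zip", ".jar": "zip", ".apk": "zip", ".dex": "dex",
            ".png": "png", ".ttf": "ttf", ".jpg": "jpeg", ".jpeg": "jpeg"}

def identify(head: bytes) -> str:
    """Like `file`: name the type from the first bytes, else 'data'."""
    for sig, name in MAGIC:
        if head.startswith(sig):
            return name
    return "data"

def scan_apk(apk: bytes) -> List[Tuple[str, str, str]]:
    """Return (entry, claimed type, detected type) for each mismatch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            claimed = EXPECTED.get(os.path.splitext(info.filename)[1].lower())
            with zf.open(info) as fh:
                detected = identify(fh.read(16))
            if claimed is not None and detected != claimed:
                findings.append((info.filename, claimed, detected))
    return findings

def build_sample_apk() -> bytes:
    """Constructed APK: genuine dex and png plus two XOR-obscured assets."""
    buf = io.BytesIO()
    obscured = bytes(b ^ 0x3C for b in b"PK\x03\x04" + bytes(64))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + bytes(64))
        zf.writestr("assets/small.ttf", obscured)
        zf.writestr("assets/d.zip", obscured)
    return buf.getvalue()
```

`scan_apk(build_sample_apk())` reports the two Cosiloon-style assets as `data`; the DressCode case passes this check untouched, because logo.png really is a PNG, which is why the capacity reasoning of slide 19 is needed on top of type checks.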

  21. Sample 3 Xafecopy

  22. Xafecopy malware family - quick reference info
     Type: Chargeware
     What it does: It will silently visit specially crafted URLs and attempt to subscribe the user to paid services.

  23. Xafecopy in decompiler
     Ok, I know it must be somewhere in the file... which file?
     $ ls -lh classes.dex
     … 3.6M … classes.dex

  24. Xafecopy and its main method
     Self-explanatory method names

  25. Xafecopy payload revealed - split payload from dex???
     Read the last 4 bytes from the classes.dex file
     -> Copy the specified number of bytes from the end of the classes.dex file into a new file

  26. Xafecopy - manual payload extraction
     Read the last 4 bytes of the classes.dex file
     -> Copy the specified number of bytes into a new file
     -> Perform an XOR operation on the bytes of the new file
     -> Get the hidden APK file!
     PK - magic bytes for a zip archive
     0x00111C6A == 1121386
     $ file *
     xafecopy.apk:      Java archive data (JAR)
     xafecopy.apk_out:  Java archive data (JAR)

  27. Sample 3 - Lesson Learnt
     classes.dex file format allows for storage of any data appended at the end of the file
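As an added example (not code from the talk or from the Xafecopy sample), the slide 25-26 extraction in Python, plus the check a defender wants first: the dex header's own file_size field (uint32 LE at offset 0x20) tells you whether anything is appended at all. The slide gives only the length value, so the 4-byte length is tried little- then big-endian, and the XOR key is assumed to be a single byte recovered from the expected `PK` magic; the tampered dex is constructed inline.

```python
# Added example, not code from the talk: detect data appended to classes.dex
# and carve it as slides 25-26 describe. Assumed: length tried LE then BE
# (the slide gives only its value); XOR key a single byte found via 'PK'.
import struct
from typing import Optional

DEX_MAGIC = b"dex\n035\x00"
ZIP_MAGIC = b"PK\x03\x04"

def declared_size(dex: bytes) -> int:
    """file_size from the dex header (uint32 LE at offset 0x20)."""
    return struct.unpack_from("<I", dex, 0x20)[0]

def trailing_bytes(dex: bytes) -> int:
    """Bytes past the declared file_size: 0 for an untampered dex."""
    if not dex.startswith(DEX_MAGIC) or len(dex) < 0x70:
        raise ValueError("not a dex file")
    return len(dex) - declared_size(dex)

def carve_appended(dex: bytes) -> Optional[bytes]:
    """Last 4 bytes = payload length; copy that many bytes from the end."""
    trailer = trailing_bytes(dex)
    for fmt in ("<I", ">I"):
        n = struct.unpack(fmt, dex[-4:])[0]
        if 0 < n <= trailer - 4:
            return dex[-4 - n:-4]
    return None

def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)

def recover_key(blob: bytes, magic: bytes = ZIP_MAGIC) -> Optional[int]:
    """Single-byte key (assumption): the decoded blob must start with magic."""
    key = blob[0] ^ magic[0]
    return key if xor_decode(blob[:len(magic)], key) == magic else None

def build_sample_dex(appended: bytes = b"") -> bytes:
    """Constructed minimal dex: a 0x70-byte header with a correct file_size."""
    header = bytearray(DEX_MAGIC + bytes(0x70 - len(DEX_MAGIC)))
    struct.pack_into("<I", header, 0x20, len(header))
    return bytes(header) + appended

def demo() -> Optional[bytes]:
    hidden = ZIP_MAGIC + bytes(range(40))         # constructed 'apk' bytes
    tail = xor_decode(hidden, 0x5A) + struct.pack("<I", len(hidden))
    blob = carve_appended(build_sample_dex(tail))
    key = recover_key(blob)
    return None if key is None else xor_decode(blob, key)
```

On a clean dex `trailing_bytes` returns 0 and `carve_appended` returns None; on the constructed sample the carved blob decodes back to bytes starting with `PK`, the zip magic the slide points at.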

  28. How does the code get called? Reflection is the answer
     // 'class' is a reserved word in Java, so the variable is named clazz here
     Class clazz = new DexClassLoader(
             this.getFilesDir().getPath() + File.separator + "module.dex",   // dropped dex on disk
             this.getApplicationInfo().dataDir, null, this.getClass().getClassLoader())
         .loadClass("com.appstatistics.Main");                               // Class Name
     clazz.getMethod("run").invoke(clazz.newInstance());                    // Method Name

  29. Putting it all together
     ● There are a number of known obfuscation methods used by threat actors today
     ● File extension is not a reliable indication of file type
     ● Steganography is not just theory - it is used in real malware
     ● There are always more ways to hide malicious code than where we expect it to reside

  30. What's next?
     Check Lookout website soon for a blog post on DressCode malware family evolution: https://blog.lookout.com/
     (or just follow my LinkedIn, I'll make sure to share the link ;) https://www.linkedin.com/in/areshetniak/
     SHA1 sums of the reviewed samples for your reversing pleasure:
       Sample 1 - 6c0da50bbf0524df35ffea87788e4bb8f276a6b4
       Sample 2 - e8d2d6ee35a54ee6328f55d2dccbce3c213690d6
       Sample 3 - e0f5f0816a1e41785e7b44cf4ac46bff6d557312

  31. EVERYTHING IS OK
