enhancing mobile malware
play

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA - PowerPoint PPT Presentation

Jul 08, 2023 •501 likes •870 views

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco Lancini Security Consultant, CEFRIEL @lancinimarco Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 2 Introduction Intro

  1. Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22

  2. About Marco Lancini Security Consultant, CEFRIEL @lancinimarco Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 2

  3. Introduction

  4. Intro Demonstrate how it is possible to easily create GOAL powerful malware , combining public available attack toolkits and exploits of known vulnerabilities Given the source code of a mobile RAT, it is possible to extend its features , adapting and modifying its HOW behavior (hiding malicious features, adding exploits) AndroRAT++ , a proof-of-concept mobile malware, POC embedded in a legitimate application, that enhances the features of a well-know RAT application 4

  5. Mobile malware evolution ASD 5

  6. Mobile malware evolution Mobile malware is a (relatively) new trend • Actually almost 10 years of samples 6 [1] http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-mobile-security-threat-report.pdf

  7. DroidDream • Infected 60 different legitimate apps in the Android Market • Breached the Android security sandbox , installed additional software, and stole data • Created a botnet 7

  8. Zitmo • A.k.a. Eurograbber • Widespread in Europe • Bypass 2FA (SMS OTP) • 36M € stolen 8

  9. Android is the prime target Why Android is the most targeted platform? • Wide-spread • “Open” philosophy • Lacks of controls 9 [1] http://blog.kaspersky.com/mobile-malware-evolution-2013/

  10. How to get compromised? Social engineering plays a big role in the exploit • By installing a trojan app that perform unauthorized operations The malware is “ embedded • in the app ” Anzhi Market Renowned for not making controls over published applications Used to spread malicious applications disguised as famous ones 10

  11. What can an attacker do? Malicious Activity • Add new features • Edit configurations • Install new apps • Launch DDoS attacks Surveillance • Click fraud • SMS Impersonation • • Call logs SMS redirection • • Audio Send emails • • Camera Post to social media • Location Data Theft Financial • Stored files • Send premium rate SMS • Account details • Steal transaction auth • Contacts numbers (TANs) • Call logs • Extortion via ransomware • Phone number • Fake antivirus • IMEI 11 [1] https://www.f-secure.com/documents/996508/1030743/Mobile_Threat_Report_Q1_2014_print.pdf

  12. How to build a powerful malware?

  13. The cutting edge of mobile malware What’s new in Android Malware? Remote Access Trojan? Interesting, let’s Google it… 13

  14. Remote Access Trojan I’m feeling lucky... Ok, we just need to find the • First result gave us a possible code… trojan name • Let’s try GitHub AndroRAT • Open source proof of concept • Powerful features • “Easy like Sunday Morning”!!!! 14

  15. AndroRAT Source Code Still lucky… • Lots of different working versions 15

  16. AndroRAT How it works • Java “server” application • Android service on the phone The application itself is not so attractive • We can embed it into another one, it’s easy • A game, or another app could be effective for our target If we could just exploit the certificate validation in Android.. 16

  17. Injection of malicious code If we could just exploit the certificate validation in Android.. 17

  18. Injection of malicious code Android Master Key Vulnerability Allows to: " modify APK code without breaking an application’s • cryptographic signature , to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user “ • Android can be tricked into believing the app is unchanged even if it has been • Corrected with Android 4.4 This allows to change any of the resources contained in an APK (manifest, Java It's possible to classes, graphical assets) and replace them decompile an app and with ones of choice to inject code in it JarVerifier This only applies to resources already existing in the original APK ( new resources cannot be introduced ) 18 [1] BlackHat US 2013: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

  19. A real example… • Let’s embed our RAT into a benign application • The purpose here is to simulate the attack, not to do it for real.. • AndroRAT has been injected into a *fake* application of BSides Not available in any store  • • New features were added ( AndroRAT++ ) 19

  20. DEMO Scenario

  21. Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet (DoS attacks) 3 4 4) Privilege escalation 5 5) Exfiltration of sensitive data 6 6) Silent installation of new applications 7) Interception of communications 7 21

  22. Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet (DoS attacks) 3 2 6 4 4) Privilege escalation 5 5) Exfiltration of sensitive data + 7 6) Silent installation of new applications 7) Androrat + some configurations Interception of communications 23

  23. ++ Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet 3 2 4 4) escalation 5 5) Exfiltration of sensitive data 6 6) Silent installation of new + applications 7) Interception of communications 7 3 Add some coding 25

  24. Denial of Service 3 • Bulk actions allow to execute a command on all the controlled devices • If the attacker compromises a large number of devices, a botnet is created • The resources of infected devices could be used to carry out attacks on third-party services � 26

  25. ++ Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet (DoS attacks) 3 2 4 4) Privilege escalation 5) Exfiltration of sensitive data 5 6) Silent installation of new 6 4 applications 7) Interception of communications 3 7 We need more… root power! …but how? Let’s find an easy way 27

  26. Privilege escalation 4 I’m feeling lucky (AGAIN!!!!)... • First result gave us an application that can easily root an Android phone Framaroot • Not open source, but we can get the APK from XDA • One-click root • Works from Android 2.0 to 4.2…good enough! 28 [1] http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276

  27. Framaroot 4 • We can also embed the Several exploits exploits used by Framaroot are available in within the RAT application…. Framaroot • The embedded version is " silent “ • The attacker can root the devices remotely We can now execute The exploit install an system commands administrative shell from within our code 29

  28. ++ Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet (DoS attacks) 3 2 4 4) Privilege escalation 5) 5 Exfiltration of sensitive data 6 6) Silent installation of new 4 applications 5 + 7) Interception of communications 7 3 Add some more code… 31

  29. ++ Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet (DoS attacks) 3 2 4 4) Privilege escalation 5) Exfiltration of sensitive data 5 6 6) 6 Silent installation of new 4 applications 5 7) Interception of communications 7 3 Still some code… 33

  30. Which application to install? I just have to choose the application… • The purpose is always to make money 34

  31. ++ Scenario 1 1) Installation of a malicious APK 2 2) Remote control of the phone 1 3) Leverage the botnet (DoS attacks) 3 2 4 4) Privilege escalation 5) Exfiltration of sensitive data 7 5 6 6) 6 Silent installation of new 4 applications 5 7) Interception of communications 7 3 36

  32. ProxyDroid 7 ProxyDroid • Used to set the proxy (HTTP/SOCKS4/SOCKS5) on Android devices • The app has been modified • The GUI has been stripped entirely • When launched, sets the proxy and exit • The app is installed and run automatically 37

  33. Conclusions

  34. What we did Maybe it’s just a bit of luck, but we demonstrated that it’s easy to create a powerful Android -based malware … ++ Take an Add Make it app malware bad 40

  35. “ Marco Lancini Security Consultant, CEFRIEL @lancinimarco “ Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 43

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki Computer Science Dept. Worcester Polytechnic Institute (WPI) 1 Introduction Mobile Malware is fairly recent July 2004 Cabir virus came out on

487 views • 24 slides
WHY MOBILE TO MOBILE MALWARE WONT CAUSE A STORM Nathaniel Husted Steven Myers Indiana

WHY MOBILE TO MOBILE MALWARE WONT CAUSE A STORM Nathaniel Husted Steven Myers Indiana

WHY MOBILE TO MOBILE MALWARE WONT CAUSE A STORM Nathaniel Husted Steven Myers Indiana University Monday, April 4, 2011 MOBILE TO MOBILE MALWARE Bluetooth (Mabir/Cabir/Commwarrior) Vs. MMS (Mabir/Commwarrior) Symbian OS -- Dominant

338 views • 21 slides
Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

424 views • 29 slides
Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect

Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect

Mobile Malware: Why the traditional AV paradigm is doomed, and how to use physics to detect physics to detect undesirable routines Guy Stewart VP Engineering Fatskunk Inc. The Malware Problem The Malware Problem Trojans, Rootkits, the

454 views • 18 slides
Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms Markus Jakobsson

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms Markus Jakobsson

Retroac(ve Detec(on of Malware with Applica(ons to Mobile Pla8orms Markus Jakobsson KarlAnders Johansson FatSkunk 1 Market forecast for mobile More smartphones than PCs in 23 years Dominant pla@orms targeted 4G will fuel

790 views • 16 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till

Foundations Security in MAS Conclusion Why Protection against Viruses, Bots, and Worms is so hard Malware seen as Mobile Agents Till Drges td@pre-secure.de PRESECURE Consulting GmbH June 20, 2007 Till Drges Protection Malware seen

739 views • 57 slides
FlowDroid Alex Mariakakis From CSE 501 again Motivation All sorts of mobile malware exist

FlowDroid Alex Mariakakis From CSE 501 again Motivation All sorts of mobile malware exist

FlowDroid Alex Mariakakis From CSE 501 again Motivation All sorts of mobile malware exist Selling user information to advertisement/ marketing companies Stealing user credentials Premium rate calls and SMS SMS spam

843 views • 17 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H.

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H.

Security versus Energy Tradeoffs in Host-Based Mobile Malware Detection Jeffrey Bickford *, H. Andrs Lagar-Cavilla #, Alexander Varshavsky #, Vinod Ganapathy *, and Liviu Iftode * * Rutgers University # AT&T Labs Research Smart Phone

709 views • 28 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van

Security and Usability Gap in Online Banking NSPW Presentation - Sep 19, 2007 Security and Usability: The Gap in Real-World Online Banking Mohammad Mannan and P . C. van Oorschot Carleton University Mohammad Mannan Sep 19, 2007 1 Security

544 views • 22 slides
Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I?

Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I?

Improving Cyber Resiliency using Intelligence-led Attack Simulations Vincent Yiu Who am I? @vysecurity Vincent Yiu vincent.yiu@syonsecurity.com Founder of SYON Security Offensive Operations including Adversary Simulaton and Penetration

344 views • 33 slides
Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst,

Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst,

Collaborative Verification of Information Flow for a High-Assurance App Store Michael D. Ernst, Ren Just , Suzanne Millstein, Werner Dietl*, Stuart Pernsteiner, Franziska Roesner, Karl Koscher, Paulo Barros, Ravi Bhoraskar, Seungyeop Han, Paul

1.24k views • 84 slides
We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel

510 views • 39 slides
Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa

Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa

Building Your Own Bank or... Constructing Crypto Castles Jameson Lopp Jameson@team.casa Infrastructure Engineer https://keys.casa https://lopp.net asa @lopp A History Rife with Failure An estimated 4,000,000+ BTC lost. An estimated

346 views • 24 slides
The Fruitridge Finger Final Design Portfolio The Issue The Fruitridge Finger is an area of

The Fruitridge Finger Final Design Portfolio The Issue The Fruitridge Finger is an area of

The Fruitridge Finger Final Design Portfolio The Issue The Fruitridge Finger is an area of unincorporated Sacramento County almost completely surrounded by the City of Sacramento. As not part of the City of Sacramento, the Finger does

474 views • 20 slides
Chord

Chord

What is Chord? What does it do? Chord

325 views • 7 slides
Finger Search Searching in a sorted array 2 3 5 7 8 11 13 14 15 17 18 20 24 25 26

Finger Search Searching in a sorted array 2 3 5 7 8 11 13 14 15 17 18 20 24 25 26

Finger Search Searching in a sorted array 2 3 5 7 8 11 13 14 15 17 18 20 24 25 26 28 29 31 33 34 time O(log n ) Finger Binary search(13) d 2 3 5 7 8 11 13 14 15 17 18 20 24 25 26 28 29 31 33 34 time

217 views • 7 slides

More recommend