
We know what you did this summer: Android Banking Trojan exposing its sins in the cloud (slide deck, Virus Bulletin 2015)



  1. We know what you did this summer: Android Banking Trojan exposing its sins in the cloud
     Siegfried Rasthofer (TU Darmstadt / CASED)
     Eric Bodden (TU Darmstadt / Fraunhofer SIT)
     Carlos Castillo (Intel Security)
     Alex Hinchliffe (Intel Security)
     Stephan Huber (Fraunhofer SIT)
     01.10.2015 | Virus Bulletin 2015 | 1

  2. Speakers
     Siegfried Rasthofer
       • 3rd-year PhD student at TU Darmstadt
       • Research interest in static/dynamic code analyses
       • Found 2 AOSP exploits and various app security vulnerabilities
     Prof. Dr. Eric Bodden
       • Professor at TU Darmstadt
       • Research interest in static/dynamic code analyses
       • Heads the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt
     Carlos Castillo
       • Mobile Security Researcher at Intel Security
       • Hacking Exposed 7 co-author (Hacking Android)
       • ESET Latin America’s Best Antivirus Research winner 2009
     Alex Hinchliffe
       • Mobile Security Research Manager at Intel Security
       • Co-developer of the cloud-based anti-malware technology Artemis
       • Project partner of MobSec, S2Lab, Royal Holloway University, London

  3. Backend-as-a-Service
     56 million data records “publicly” available (BlackHat EU 2015)

  4. Backend-as-a-Service: Malware??

  5. Backend-as-a-Service (1)
     Diagram: client platforms (Android, iOS, JavaScript, ...) talking to the BaaS backend

  6. Backend-as-a-Service (2)
     Diagram: BaaS features – Push Notifications, Data Storage, User Administration, Social Network

  7. ID keys != authentication keys!
     Use proper access control rules on the server side!
     The application ID and client key ship inside the app and only identify it; they do not authenticate the caller:

         Parse.initialize(this, APPLICATION_ID, CLIENT_KEY);
         ParseObject sms = new ParseObject("Intercepted SMS");
         sms.put("message", "Hi VB2015");
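As an added example (not code from the slides, nor from any app the talk analyses), here is how a legitimate Android app built on the Parse SDK would apply the rule on this slide: the application ID and client key are treated purely as identifiers, and every stored object carries an ACL that the server enforces regardless of which client presents those keys. The `SecureNotesApp` class, the `PrivateNote` class name, the `message` field and the key placeholders are assumptions made for the illustration.

```java
// Added example (assumed app structure, not from the VB2015 slides): a Parse-backed
// Android app that keeps its keys as identifiers only and protects data with ACLs.
import android.app.Application;
import android.util.Log;

import com.parse.LogInCallback;
import com.parse.Parse;
import com.parse.ParseACL;
import com.parse.ParseException;
import com.parse.ParseObject;
import com.parse.ParseUser;
import com.parse.SaveCallback;

public class SecureNotesApp extends Application {
    private static final String TAG = "SecureNotesApp";

    // Both values are embedded in the APK and recoverable by anyone who unpacks it.
    // They identify the app towards Parse; they are not a secret and grant no trust.
    private static final String APPLICATION_ID = "<your-parse-application-id>"; // placeholder
    private static final String CLIENT_KEY = "<your-parse-client-key>";         // placeholder

    @Override
    public void onCreate() {
        super.onCreate();
        Parse.initialize(this, APPLICATION_ID, CLIENT_KEY);

        // Default ACL for every object this app creates: no public read, no public write.
        // The second argument adds read/write access for the user who creates the object.
        // With no logged-in user the ACL stays empty, so only the master key can touch it.
        ParseACL defaultAcl = new ParseACL();
        defaultAcl.setPublicReadAccess(false);
        defaultAcl.setPublicWriteAccess(false);
        ParseACL.setDefaultACL(defaultAcl, true);
    }

    // Stores a note readable and writable only by its owner. A client that merely knows
    // APPLICATION_ID and CLIENT_KEY gets an empty result when it queries "PrivateNote",
    // because the ACL is evaluated on the Parse server, not in the app.
    public static void saveOwnerOnlyNote(ParseUser owner, String message) {
        ParseObject note = new ParseObject("PrivateNote");
        note.put("message", message);
        note.setACL(new ParseACL(owner)); // explicit owner-only ACL, independent of the default
        note.saveInBackground(new SaveCallback() {
            @Override
            public void done(ParseException e) {
                if (e != null) {
                    Log.e(TAG, "saving note failed", e);
                }
            }
        });
    }

    // Authenticate first, then write. The session token obtained here, not the client
    // key, is what the server uses to decide whether the write is allowed.
    public static void logInAndSave(String username, String password, final String message) {
        ParseUser.logInInBackground(username, password, new LogInCallback() {
            @Override
            public void done(ParseUser user, ParseException e) {
                if (e != null || user == null) {
                    Log.e(TAG, "login failed", e);
                    return;
                }
                saveOwnerOnlyNote(user, message);
            }
        });
    }
}
```

Per-object ACLs close the gap for objects the app creates, but they do not stop a client from creating new objects or classes; that requires Class-Level Permissions configured on the server side (in the Parse dashboard), which is the "rules on the server side" point the slide makes.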

  8. HAVOC: Automatic Exploit Generator

  9. Malware using Facebook’s Parse
     • 294,817 malware apps from 2015 scanned
     • 78 apps with potential push notification misuse
     • 16 apps with data storage misuse
       • 5 Android/OpFake variants
       • 4 Android/Marry variants
     • 5 parse.com accounts exposed
     • 3 common tables

  10. OpFake – App Execution and Main Service (flowchart)
      Phone boot completed / app executed → start main service → hide icon
      Subscribe to Parse push-notification channels:
        - D-<deviceId>
        - “Everyone”
        - Country (SIM ISO)
        - “welcome”
      Locally save the main C&C URL.
      Execute async tasks:
        - Save Parse Install information: IMEI, SIM country, SIM operator, phone number, API, brand, model, is_worked (true), worked_task (true), is_root
        - Leak device information to C&C server /bn/reg.php: IMEI, SIM country, phone number, SIM operator, balance
        - Execute content receiver
        - Schedule system alarm every minute (60 secs)

  11. OpFake – System Alarm every Minute (flowchart)
      System alarm → execute content receiver → query Parse table NewTasks by device ID (imei == Device ID) → locally save new tasks.
      Get task from C&C server /bn/gettask.php (parameters: imei, balance); if type == task and imei == Device ID → execute new task (push task).
      If task == intercept → set intercept flag on/off.
      Save executed task in TaskManager table: type, task (type and args), hash (identifier), imei (device id), response (empty).
      Report executed task ID to /bn/settask.php.
      Flags active_1 .. active_4 (read with the C&C server URL and balance) gate further actions: send SMS to number_1 with content prefix_1; send SMS to all contacts with a phone number; open URL in default browser; read the intercept value from NewTasks (intercept != null).

  12. OpFake – Execute New Tasks (flowchart)
      task == install: download APK from URL to SD card → attempt to install app.
        Device with root privileges?
          Yes: remount system partition as read/write → copy APK into the app folder (slide label: /newmainpack /app/) → set read/write permissions for the copied APK file → remount partition again as read-only → silently install the APK using pm install → launch recently installed app
          No: install through the user interface → launch recently installed app
        Eventually delete NewTask.
      task == new_server: locally save new C&C server URL; eventually delete NewTask.
      task == url: open URL using default web browser.
      task == ussd: send USSD message using URI tel:*.
      task == sms: send text message.

  13. OpFake – SMS Message Received (flowchart)
      SMS message received → process SMS. Intercept flag on? No → end.
      Is it a response to a previous SMS sent? Yes → query TaskManager by task hash and save the response (from:body) in TaskManager.
      Save message in SmsReceiver table: from, content, to (imei), type (service/other), is_card (if content contains a credit card number), intype (incoming).
      Send message data to Parse push channel “T”: imei, phone (from), message, type (incoming).
      Send message to /bn/save_message.php.
      Origin contains 088011 or 000100? Yes → extract the balance from the message body and save it locally.

  14. NewTasks Schema
      NewTask record: imei, task, objectId, createdAt, updatedAt
      task values and their arguments:
        - sms: origin, destination, content, date
        - intercept: values (on/off), date
        - new_server: imei, URL, date
        - install: imei, URL of the APK, date, package name

  15. Exposed Malware Parse.com Accounts – NewTasks: commands received
      Bar chart per account (ACCOUNT A–E), series: commands, sms, intercept, new_server, install
      Data labels as extracted: 60.337 57.760 48.622 48.616 25.738 25.723 10.139 9.397 2.555 742 40 0 0 4 1 0 11 1 3 5 0 35 10 12 0

  16. Exposed Malware Parse.com Accounts – NewTasks: examples of commands delivered
      sms
        • send sms to number 900 with content “BALANS”
        • send sms to number 900 with content <confirmation_code>
        • send sms to number 3116 with content “card <card_number> <exp_month> <exp_year> <CVV>”
      intercept
        • on/off
      new_server
        • hxxp://newwelcome00.ru
        • hxxp://newelcome00.ru
      install
        • Android/OpFake delivering Android/Marry:
          • hxxp://newwelcome00.ru/appru.apk (marry.adobe.net.threadsync)
          • hxxp://newwelcome00.ru/app.apk (marry.adobe.net.nightbuid)
          • hxxp://notingen.ru/Player.apk (com.adobe.net)
          • hxxp:// швждаыдлпждв

  17. Exposed Malware Parse.com Accounts – NewTasks: commands created by date
      Chart: commands per day from 13.06.2015 to 14.07.2015, series Account A–E (y-axis 0 to 25000)

  18. SmsReceived Schema
      SmsReceived record: body, from, objectId, intype, is_card, updatedAt, type, createdAt
      • from: origin of the text message (phone number/company name)
      • intype: incoming/outgoing
      • to: device identifier of the infected device
      • is_card: true/false, whether the message contains a credit card number
      • type:
        • service: origin is a company (e.g. MegaFon)
        • other: origin is another phone number (personal messages)

  19. Exposed Malware Parse.com Accounts – SmsReceiver: number of intercepted SMS messages
      ACCOUNT E: 60.030
      ACCOUNT B: 41.105
      ACCOUNT A: 40.054
      ACCOUNT C: 28.067
      ACCOUNT D: 2.000

  20. Exposed Malware Parse.com Accounts – SmsReceiver: credit card numbers in incoming SMS messages
      ACCOUNT D: 126
      ACCOUNT E: 19
      ACCOUNT B: 10
      ACCOUNT A: 9
      ACCOUNT C: 5

  21. Exposed Malware Parse.com Accounts – SmsReceived: messages by date
      Chart: messages per day, series Account A–E (y-axis 0 to 20000)

  22. TaskManager Schema
      TaskManager record: task, hash, objectId, updatedAt, imei, type, response, createdAt
      type values: sms, privat_start, intercept, install
      task (command) / response values as extracted: sms destination, destination, empty, on/off, URL/file.apk, text, text (response) (command)

  23. Exposed Malware Parse.com Accounts – TaskManager: commands executed
      Bar chart per account (ACCOUNT A–E), series: requests, responses, sms, intercept, install
      Data labels as extracted: 20.554 19.859 3.615 1.123 1.113 658 565 565 204 204 149 35 1 32 3 0 31 0 0 0 0 17 26 1 0
