SLIDE 1

01.10.2015 | Virus Bulletin 2015 | 1

We know what you did this summer: Android Banking Trojan exposing its sins in the cloud

Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel Security) Stephan Huber (Fraunhofer SIT)

SLIDE 2

Siegfried Rasthofer

  • 3rd-year PhD student at TU Darmstadt
  • Research interest in static/dynamic code analyses
  • Found 2 AOSP exploits, various app security vulnerabilities

Prof. Dr. Eric Bodden

  • Professor at TU Darmstadt
  • Research interest in static/dynamic code analyses
  • Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt

Carlos Castillo

  • Mobile Security Researcher at Intel Security
  • Hacking Exposed 7 co-author (Hacking Android)
  • ESET Latin America’s Best Antivirus Research winner 2009

Alex Hinchliffe

  • Mobile Security Research Manager at Intel Security
  • Co-developer of cloud-based anti-malware technology, Artemis
  • Project partner of MobSec, S2Lab, Royal Holloway University, London

SLIDE 3

Backend-as-a-Service: 56 million data records “publicly” available (Black Hat EU 2015)

SLIDE 4

Backend-as-a-Service Malware??

SLIDE 5

Backend-as-a-Service (1)

[Diagram: a BaaS backend with client SDKs for Android, iOS, JavaScript, ...]

SLIDE 6

Backend-as-a-Service (2)

Services offered by a BaaS:

  • Push notifications
  • Data storage
  • User administration
  • Social network integration

SLIDE 7

Parse client code as shown on the slide (Java, Parse Android SDK):

    import com.parse.Parse;
    import com.parse.ParseObject;

    // APPLICATION_ID and CLIENT_KEY are string constants compiled into the APK
    Parse.initialize(this, APPLICATION_ID, CLIENT_KEY);
    // create a record in the "Intercepted SMS" class and store it in the backend
    ParseObject sms = new ParseObject("Intercepted SMS");
    sms.put("message", "Hi VB2015");
    sms.saveInBackground();

ID Keys != Authentication Keys! Use Proper Access Control Rules on the Server Side!
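The slide's point, that APPLICATION_ID and CLIENT_KEY only identify the app (they ship inside every APK) while access control has to be enforced by the backend, can be shown with the Parse Android SDK. The example below is added here and is not code from the talk: it puts the default write, which leaves the object publicly readable, next to a write with an owner-only ACL and an app-wide default ACL; the class name "Note" and the assumption of a logged-in ParseUser are illustrative.

```java
import com.parse.Parse;
import com.parse.ParseACL;
import com.parse.ParseObject;
import com.parse.ParseUser;

// Added example, not the talk's or Parse's own code.
// Assumes a ParseUser is logged in before the hardened variants run.
public class ParseAclExample {

    // Weak: the client key identifies the app, nothing more. Anyone who
    // unpacks the APK can initialise the SDK with the same keys and, with no
    // ACL on the object, query the whole "Note" class.
    static ParseObject saveWithDefaults(String text) {
        ParseObject note = new ParseObject("Note");
        note.put("message", text);
        note.saveInBackground();   // public read/write unless a default ACL is set
        return note;
    }

    // Hardened: attach an ACL so only the owning user can read or write.
    // The user's session token, not the client key, authenticates the request.
    static ParseObject saveOwnerOnly(String text) {
        ParseUser owner = ParseUser.getCurrentUser();
        ParseObject note = new ParseObject("Note");
        note.put("message", text);
        ParseACL acl = new ParseACL(owner);   // read/write for the owner only
        acl.setPublicReadAccess(false);
        acl.setPublicWriteAccess(false);
        note.setACL(acl);
        note.saveInBackground();
        return note;
    }

    // Make owner-only the default for every object the app creates, so a
    // forgotten setACL() call does not silently fall back to public access.
    static void installDefaultAcl(android.content.Context ctx,
                                  String appId, String clientKey) {
        Parse.initialize(ctx, appId, clientKey);
        ParseACL defaultAcl = new ParseACL();
        defaultAcl.setPublicReadAccess(false);
        defaultAcl.setPublicWriteAccess(false);
        // true: also grant the current user access to each new object
        ParseACL.setDefaultACL(defaultAcl, true);
    }
}
```

Object ACLs only help when the class-level permissions on the backend are restricted as well (for example disabling public find/get on the class), since a class left world-readable can still be enumerated by any client holding the keys.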

SLIDE 8

HAVOC: Automatic Exploit Generator

SLIDE 9

Malware using Facebook‘s Parse

  • 294,817 malware apps from 2015 scanned
  • 78 apps with potential push notification misuse
  • 16 apps with data storage misuse
  • 5 Android/OpFake variants
  • 4 Android/Marry variants
  • 5 parse.com accounts exposed
  • 3 common tables

SLIDE 10

OpFake – App Execution and Main Service

Triggers:

  • App executed: hide icon, then end
  • Boot completed: start main service
  • Phone rings: start main service

Main service:

  • Locally save main URL (C&C)
  • Execute async tasks:
    • Subscribe to Parse push notifications. Channels:
      • D-<deviceId>
      • “Everyone”
      • Country (SIM ISO)
      • “welcome”
    • Save Parse install information:
      • IMEI
      • SIM country
      • SIM operator
      • Phone number
      • API
      • Brand
      • Model
      • is_worked (true)
      • worked_task (true)
      • is_root
    • Schedule system alarm: execute content receiver every minute (60 secs)
    • Leak device information to C&C server (/bn/reg.php):
      • IMEI
      • SIM country
      • Phone number
      • SIM operator
      • Balance

SLIDE 11

OpFake – System Alarm every Minute

System alarm (every minute) → execute content receiver, which has two paths:

C&C server path:

  • Get task from C&C server (/bn/gettask.php); fields sent to the C&C server: imei, balance
  • If active_1: send SMS to number_1 with content prefix_1
  • If active_2: send SMS to all contacts with phone number
  • If active_3: open URL in default browser
  • If active_4: locally save new C&C server URL
  • Report executed task ID to /bn/settask.php
  • end

Parse path (push task or NewTasks table):

  • Query Parse table NewTasks by device ID (imei == Device ID); if no task is found: end
  • If type == task and imei == Device ID:
    • If task == intercept and intercept != null: set intercept flag on/off
    • Otherwise: execute new task
    • Save executed task in TaskManager table:
      • type: from NewTasks
      • task: type and args
      • hash: identifier
      • imei: device id
      • response: empty
  • end

SLIDE 12

OpFake – Execute New tasks

Execute new task, by task type:

  • task == sms: send text message
  • task == ussd: send USSD message using URI tel:*
  • task == url: open URL using default web browser
  • task == new_server: locally save new C&C server URL
  • task == install: download APK from URL to SD card, then check whether the device has root privileges:
    • No: attempt to install the app using the user interface
    • Yes: remount system partition as read/write; copy APK into folder /newmainpack/app/; set read/write permissions for the copied APK file; remount partition again as read-only; silently install the APK using pm install
    • In both cases: launch recently installed app
  • Eventually delete NewTask, then end

SLIDE 13

OpFake – SMS Message Received

SMS message received → process SMS message:

  • Save message in SmsReceiver table:
    • from
    • content
    • to: imei
    • type: service/other
    • is_card: if content contains cc #
    • intype: incoming
  • Send message data to Parse push channel “T”:
    • imei
    • phone: from
    • message
    • type: incoming
  • Intercept flag on? No: send message to /bn/save_message.php
  • Is it a response to a previous SMS sent? Yes: query TaskManager by task hash and save the response (from:body) in TaskManager
  • Origin contains 088011 or 000100? Yes: extract the balance from the message body and save it locally
  • End

SLIDE 14

NewTasks Schema

NewTask record fields: objectId, createdAt, updatedAt, imei, task

Task contents by type:

  • sms: origin, destination, content, date
  • intercept: values (on/off), date
  • new_server: imei, URL, date
  • install: imei, URL of the APK, date, package name

SLIDE 15

NewTasks – Commands received

Exposed Malware Parse.com Accounts

[Bar chart: number of commands received per exposed account (Account A to E), with series commands, sms, intercept, new_server and install; values range from 1 to 60.337]

SLIDE 16

NewTasks – Examples of commands delivered

Exposed Malware Parse.com Accounts

sms:

  • send sms to number 900 with content “BALANS”
  • send sms to number 900 with content <confirmation_code>
  • send sms to number 3116 with content “card <card_number> <exp_month> <exp_year> <CVV>”

intercept:

  • on/off

new_server:

  • hxxp://newwelcome00.ru
  • hxxp://newelcome00.ru

install:

  • Android/OpFake delivering Android/Marry:
    • hxxp://newwelcome00.ru/appru.apk (marry.adobe.net.threadsync)
    • hxxp://newwelcome00.ru/app.apk (marry.adobe.net.nightbuid)
    • hxxp://notingen.ru/Player.apk (com.adobe.net)
    • hxxp://швждаыдлпждв

SLIDE 17

NewTasks – Command created by date

Exposed Malware Parse.com Accounts

[Line chart: NewTasks commands created per day from 13.06.2015 to 14.07.2015, one series per account (Account A to E); y-axis 0 to 25000]

SLIDE 18

SmsReceived Schema

SmsReceived record fields: objectId, createdAt, updatedAt, from, body, to, intype, is_card, type

  • from: origin of the text message (phone number/company name)
  • intype: incoming/outgoing
  • to: device identifier of the infected device
  • is_card: true/false, whether the message contains a credit card number
  • type:
    • service: origin is a company (e.g. MegaFon)
    • other: origin is another phone number (personal messages)

SLIDE 19

SmsReceiver – # Intercepted SMS messages

Exposed Malware Parse.com Accounts

[Bar chart: number of intercepted SMS messages per account (D, C, A, B, E); values shown: 2.000, 28.067, 40.054, 41.105, 60.030]

SLIDE 20

SmsReceiver – Credit card numbers in incoming SMS messages

Exposed Malware Parse.com Accounts

[Bar chart: number of credit card numbers found in incoming SMS messages per account (C, A, B, E, D); values shown: 5, 9, 10, 19, 126]

SLIDE 21

SmsReceived – Messages by date

Exposed Malware Parse.com Accounts

[Line chart: intercepted SMS messages per day, one series per account (Account A to E); y-axis 0 to 20000]

SLIDE 22

TaskManager Schema

TaskManager record fields: objectId, createdAt, updatedAt, imei, type, task, hash, response

Task and response contents by type:

  • sms: task = destination and text (command); response = destination and text (response)
  • privat_start: task = empty
  • intercept: task = on/off
  • install: task = URL/file.apk

SLIDE 23

TaskManager – Command Executed

Exposed Malware Parse.com Accounts

[Bar chart: tasks executed per account (Account A to E), as requests and responses, broken down into sms, intercept and install]

SLIDE 24

TaskManager – Examples of tasks executed

Exposed Malware Parse.com Accounts

sms 900 (Sberbank):

  • Get list of connected cards and commands available: sms INFO
  • BALANS/BALANCE <card>
  • Payment of services: sms <amount>

sms 000100 (MegaFon):

  • B (balance)

sms 7878 (Beeline):

  • Pay credit card: <Brand> <card_number> <amount>

Smishing (newwelcome00.ru):

  • Russia: У вас 1 непрочитаное сообщение (You have 1 unread message) hxxps://tinyurl.com/phelju3
  • Russia: Ваша ссылка для скачивания (Your download link) hxxp://goo.gl/TR5GjP
  • Uzbekistan: Получено новое (Received new MMC) hxxp://goo.gl/RINTTQ

SLIDE 25

Targeted Companies – Task (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

[Bar chart: number of SMS requests per targeted short code/company in Account D: 5335 (SVYAZNOYBANK), 100 (MEGAFON), 79037672265 (ALFA-BANK), 159 (TELE2), 3116 (ROSTELECOMO), 7878 (BEELINE), 6996 (MTC), 7494 (QIWI), 10060 (PRIVATBANK), 900 (SBERBANK); values range from 1 to 5350]

SLIDE 26

Sberbank commands – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

Command: BALANCE/BALANS/баланс
  Format: BALANS <4-last-digits>
  Response: VISA1234 Balance: <amount>

Command: INFO/СПРАВКА
  Format: СПРАВКА
  Response: List of connected cards: VISA1234(ON);

Command: ПЕРЕВОД/PEREVOD/ПЕРЕВЕСТИ (Transfer)
  Format: ПЕРЕВОД <4digits_card_origin> <4digits_card_destination> or <phone_number_destination> <amount>
  Response: To transfer <amount> from card VISA1234 the recipient <name> must send the code <code> to the number 900

Command: ZAPROS (Request)
  Format: ZAPROS <phone_number> <amount>
  Response: Request transfer for <amount> to your card VISA4321 has been sent. After confirmation by the sender <name> the money will go to your account.

Command: TEL/PLATEZ/PHONE/POPOLNI/PLATI (Pay mobile account)
  Format: TEL <phone_number> <amount>
  Response: To pay with card VISA1234 phone <company> <phone_number> the amount <amount> send the code <code> to number 900.

SLIDE 27

Top Sberbank Commands – Task (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

[Bar chart: number of requests per Sberbank command type in Account D: TEL/PLATEZ/PHONE/POPOLNI/PLATI (pay tel), ZAPROS (request), ПЕРЕВОД/PEREVOD/ПЕРЕВЕСТИ (transfer), INFO/СПРАВКА, BALANCE/BALANS/БАЛАНС; values shown: 18, 22, 37, 59, 4956]

SLIDE 28

Sberbank Responses – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

Type: Balance
  Response: VISA1234 Balance: <amount>

Type: Info
  Response: List of connected cards: VISA1234(ON);

Type: Tel Asked
  Response: To pay with card VISA1234 phone <company> <phone_number> the amount <amount> send the code <code> to number 900.

Type: Tel Processed
  Response: VISA1234 <date> <time> payment for services <amount> <operator> <phone_number> Balance: <amount>

Type: Transfer Processed
  Response: MAES1234: Transfer <amount> to the card recipient <name> is processed

Type: Transfer Accepted
  Response: VISA1234: <time> Amount <amount> from the sender <name> received. Balance: <amount>

Type: Transfer Asked
  Response: To transfer <amount> from card VISA1234 the card recipient <name> should send the code <code> to number 900.

SLIDE 29

Top Sberbank fraud responses – Task (TaskManager table) - Account D

Exposed Malware Parse.com Accounts

[Bar chart: number of responses per Sberbank response type in Account D: Transfer asked, Transfer accepted, Transfer processed, Tel processed, Tel asked, Info, Balance; values shown: 26, 30, 36, 75, 88, 123, 607]

SLIDE 30

TaskManager – Command executed by date

Exposed Malware Parse.com Accounts

[Two line charts: TaskManager commands executed per day, one series per account (Account A to E); the second chart covers 13.07.2015 to 16.07.2015; y-axis 0 to 900]

SLIDE 31

Unique Device IDs per table

Exposed Malware Parse.com Accounts

[Bar chart: unique device IDs per account (Account A to E) in the NewTasks, SmsReceiver and TaskManager tables; values range from 5 to 8.225]

SLIDE 32

Responsible Disclosure

  • 2015-08-03: Reported finding to Facebook
  • 2015-08-05: Facebook replied with “... This issue does not qualify as a part of our bounty program ...”
  • 2015-08-05: Facebook asked for more details
  • 2015-08-06: We provided more details and Facebook blocked all Parse accounts
  • 2015-08-28: Facebook offered room for collaboration

Facebook’s responsible disclosure system only works with a Facebook account.

SLIDE 33

Conclusions

  • These Android banking Trojans are actively performing financial fraud via SMS messages targeting Eastern European countries.
  • Just like legitimate developers, Android malware authors also expose cloud accounts with sensitive (personal/financial) stolen information.
  • Sensitive information stolen from victims by Android malware can be accessed by “anyone” without any authentication.

SLIDE 34

Siegfried Rasthofer, Secure Software Engineering Group
  Email: siegfried.rasthofer@cased.de
  Blog: http://sse-blog.ec-spride.de
  Website: http://sse.ec-spride.de
  Twitter: @CodeInspect

Carlos Castillo, Intel Security
  Email: carlos.castillo@intel.com
  Twitter: @carlosacastillo