SLIDE 1

3.12.2015 | AVAR 2015 | 1

“We know what you did this summer” Android Banking Trojans Exposing Its Sins in The Cloud

Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel Security)

SLIDE 2

Siegfried Rasthofer

  • 3rd-year PhD student at TU Darmstadt
  • Research interest in static/dynamic code analyses
  • Found 2 AOSP exploits, various app security vulnerabilities

Prof. Dr. Eric Bodden

  • Professor at TU Darmstadt
  • Research interest in static/dynamic code analyses
  • Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt

Carlos Castillo

  • Mobile Security Researcher at Intel Security
  • Hacking Exposed 7 co-author (Hacking Android)
  • ESET Latin America’s Best Antivirus Research winner 2009

Alex Hinchliffe

  • Mobile Security Research Manager at Intel Security
  • Co-developer of cloud-based anti-malware technology, Artemis
  • Project partner of MobSec, S2Lab, Royal Holloway University, London

SLIDE 3

Backend-as-a-Service: 56 million data records “publicly” available (BlackHat EU 2015)

SLIDE 4

Backend-as-a-Service

SLIDE 5

Agenda

  • Backend-as-a-Service
  • Developers exposing BaaS resources
  • Android Malware using Facebook Parse
  • Android/OpFake and Android/Marry
  • Exposed Android Malware Facebook Parse accounts
  • Financial Fraud by Android/Marry
  • Responsible disclosure
  • Conclusions

SLIDE 6

Backend-as-a-Service (1)

Diagram: APP – BaaS SDK – Cloud

SLIDE 7

Backend-as-a-Service (2)

BaaS client platforms: Android, iOS, JavaScript, ...

SLIDE 8

Backend-as-a-Service (3)

BaaS services: Push Notifications, Data Storage, User Administration, Social Network

SLIDE 9

Amazon Tutorial

DB connection, as shown in the BaaS SDK tutorial (imports added for completeness; the credential literals are the tutorial's placeholders):

    import com.amazonaws.auth.BasicAWSCredentials;
    import com.amazonaws.services.s3.AmazonS3Client;

    // Access key ID and secret key compiled into the client
    AmazonS3Client s3Client = new AmazonS3Client(
        new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY"));

“When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do.”

Source: http://docs.aws.amazon.com/

SLIDE 10

App Authentication Model

App → Server: “Hi, I am app <Application ID>” (identification)
App → Server: “My <Secret Key> is in the app” (authentication ???)

Identification + Authentication = ??
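A check a reviewer can run over decompiled app code or resource files to catch the pattern the Amazon tutorial and this authentication model describe: the identity and the secret both shipped inside the app. This is an added example, not code from the talk; it assumes the Parse.initialize(context, applicationId, clientKey) signature of the Parse Android SDK and the documented AKIA-prefixed AWS access key ID format, and its sample input is constructed.

```python
import re

# Constructor calls from BaaS/cloud SDK tutorials that take the identity and the
# secret as string literals. BasicAWSCredentials is the call on the slide;
# Parse.initialize(context, applicationId, clientKey) is the Parse Android SDK call.
SDK_CALLS = {
    "aws":   re.compile(r'BasicAWSCredentials\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"'),
    "parse": re.compile(r'Parse\.initialize\s*\([^,]*,\s*"([^"]*)"\s*,\s*"([^"]*)"'),
}
# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics, so a bare
# one in a resource file or constant is findable even without the SDK call.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def find_embedded_credentials(source):
    """Scan decompiled source or resource text line by line.
    Returns (kind, line_no, identifier, secret_or_None) tuples."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for kind, pat in SDK_CALLS.items():
            for m in pat.finditer(line):
                hits.append((kind, no, m.group(1), m.group(2)))
        for m in AWS_KEY_ID.finditer(line):
            # skip key IDs already reported as part of an SDK call on this line
            already = any(h[1] == no and h[2] == m.group(0) for h in hits)
            if not already:
                hits.append(("aws-key-id", no, m.group(0), None))
    return hits

# Constructed sample of what a client looks like after following the tutorial.
# The AWS pair is the placeholder pair from AWS documentation; the Parse values
# and the resource key are made up for this example.
SAMPLE = '''\
AmazonS3Client s3Client = new AmazonS3Client(
    new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"));
Parse.initialize(this, "app-id-constructed", "client-key-constructed");
<string name="backup_key">AKIAEXAMPLEKEY0000AB</string>
'''

if __name__ == "__main__":
    for kind, no, ident, secret in find_embedded_credentials(SAMPLE):
        print(f"line {no}: {kind} id={ident} secret={'yes' if secret else 'n/a'}")
```

Any hit means the server cannot tell the app from anyone who has unpacked the APK, which is the gap the “??” on the slide stands for.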

SLIDE 11

HAVOC: Automatic Exploit Generator

SLIDE 12

Malware using Facebook’s Parse

  • 294,817 malware apps scanned
  • 9 Android malware samples
  • 5 Parse accounts
  • 3 tables

SLIDE 13

OpFake – App Execution

Icon Hidden

SLIDE 14

OpFake – MainService Started

Triggered when the phone rings OR when boot is completed

SLIDE 15

OpFake – Main Service Functionality

Subscribe to push notification channels:

  • D-<device_id>
  • “Everyone”
  • Country
  • “welcome”

Leak device data to a remote C&C server:

  • IMEI
  • Country
  • Phone number
  • Network operator
  • Balance

Save installation data in Parse:

  • Device data
  • Is the device rooted?
  • Is the device active?

Schedule a system alarm:

  • Execute code every 60 seconds

SLIDE 16

OpFake – “Traditional” C&C cycle

Infected device → Command-and-control server: request
Command-and-control server → Infected device: send task for execution (change C&C, intercept, open URL, send SMS)
Infected device → Command-and-control server: report

SLIDE 17

OpFake – Parse C&C cycle

Infected device → Parse BaaS: query NewTasks (task types: new_server, intercept, sms, ussd, url, install)
Parse BaaS → Infected device: send task for execution
Infected device → Parse BaaS: save task in TaskManager; task deleted in NewTasks

SLIDE 18

OpFake – SMS Received

Save data in Parse SmsReceiver table

  • origin
  • content
  • IMEI
  • type
  • is_card

Send message data to Parse Push channel “T”

  • IMEI
  • origin
  • content
  • type (incoming)

SLIDE 19

OpFake – Intercept flag

Intercept is ON:

  • Check if it is a response from a previous command
  • Find the executed task in the TaskManager Parse table
  • Update the record with the response

Intercept is OFF:

  • Leak SMS message to remote server
  • If origin is a specific network operator, extract balance

SLIDE 20

NewTasks Schema

NewTask record fields: imei, task, objectId, createdAt, updatedAt

Task types and their fields:

  • sms: origin, destination, content, date
  • intercept: value (on/off), date
  • new_server: imei, URL, date
  • install: imei, URL of the APK, date, package name

SLIDE 21

NewTasks – Commands received but never consumed

Exposed Malware Parse.com Accounts

SLIDE 22

NewTasks – Command created by date

Exposed Malware Parse.com Accounts

SLIDE 23

SmsReceived Schema

SmsReceived record fields: body, from, objectId, intype, is_card, type, createdAt, updatedAt

SLIDE 24

Number of intercepted SMS messages in the SmsReceiver Parse table

Exposed Malware Parse.com Accounts

  • ACCOUNT D (MARRY): 2,000
  • ACCOUNT C (OPFAKE): 28,067
  • ACCOUNT A (OPFAKE): 40,054
  • ACCOUNT B (OPFAKE): 41,105
  • ACCOUNT E (OPFAKE): 60,030

SLIDE 25

Number of credit card numbers in SMS messages in SmsReceiver

Exposed Malware Parse.com Accounts

  • ACCOUNT C (OPFAKE): 5
  • ACCOUNT A (OPFAKE): 9
  • ACCOUNT B (OPFAKE): 10
  • ACCOUNT E (OPFAKE): 19
  • ACCOUNT D (MARRY): 126

SLIDE 26

TaskManager Schema

TaskManager record fields: task, hash, objectId, imei, type, response, createdAt, updatedAt

Task field by type:

  • sms: destination, text (command)
  • privat_start: empty
  • intercept: on/off
  • install: URL/file.apk

Response field (sms): destination, text (response)

SLIDE 27

TaskManager – Command Executed

Exposed Malware Parse.com Accounts

SLIDE 28

Android/Marry

SLIDE 29

Number of SMS requests by targeted companies in Account D (Marry)

Exposed Malware Parse.com Accounts

  • 5335 (SVYAZNOYBANK): 1
  • 100 (MEGAFON): 10
  • 79037672265 (ALFA-BANK): 16
  • 159 (TELE2): 33
  • 3116 (ROSTELECOMO): 37
  • 7878 (BEELINE): 51
  • 6996 (MTC): 53
  • 7494 (QIWI): 70
  • 10060 (PRIVATBANK): 141
  • 900 (SBERBANK): 5350

SLIDE 30

Sberbank SMS Banking Commands in TaskManager

To 900:   INFO
From 900: VISA1234 (ON) VISA7894 (OFF)
To 900:   BALANCE 1234
From 900: VISA1234: $100

SLIDE 31

Sberbank SMS Banking Commands in TaskManager

To 900:   PEVEROD 1234 (origin) 7894 (destination) 50 (amount)
From 900: Send code 1111 to confirm transfer
To 900:   1111
From 900: Transfer processed

SLIDE 32

Sberbank SMS Banking Commands in TaskManager

To 900:   ZAPROS 123456 (phone #) 100 (amount)
From 900: Send code 999 to confirm transfer to 456789
To 900:   999
From 900: Transfer processed

(Figure labels: Phone 123456, Phone 456789)

SLIDE 33

Sberbank SMS Banking Commands in TaskManager

To 900:   TEL 123456 (phone #) 50 (amount)
From 900: Send code 555 to confirm payment
To 900:   555
From 900: Payment processed
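An added example, not code from the talk: a classifier that maps a TaskManager (task, response) pair from the exchanges above into the command and response categories the deck counts, and tallies the rows in which money actually moved, which is what a triage of an exposed table needs first. The regexes are assumptions fitted to the messages on the slides (PEVEROD spelled as on the slide), the sample rows are constructed from those four exchanges, and TRANSFER ACCEPTED has no sample message on the page so it is not matched.

```python
import re
from collections import Counter
# Patterns for the Sberbank "900" SMS banking exchange shown on the slides: assumptions
# fitted to those messages (PEVEROD spelled as on the slide), not the bank's formats.
COMMANDS = [
    ("INFO",     re.compile(r"^INFO$")),
    ("BALANCE",  re.compile(r"^BALANCE \d{4}$")),
    ("TRANSFER", re.compile(r"^PEVEROD \d{4} \d{4} \d+$")),  # card to card
    ("REQUEST",  re.compile(r"^ZAPROS \d+ \d+$")),           # by phone number
    ("PAY TEL",  re.compile(r"^TEL \d+ \d+$")),              # phone top-up
    ("CONFIRM",  re.compile(r"^\d{3,4}$")),                  # one-time code
]
RESPONSES = [
    ("TRANSFER ASKED",     re.compile(r"^Send code \d+ to confirm transfer")),
    ("TRANSFER PROCESSED", re.compile(r"^Transfer processed$")),
    ("TEL ASKED",          re.compile(r"^Send code \d+ to confirm payment$")),
    ("TEL PROCESSED",      re.compile(r"^Payment processed$")),
    ("BALANCE",            re.compile(r"^VISA\d{4}: \$\d+$")),
    ("INFO",               re.compile(r"^(VISA\d{4} \((ON|OFF)\)\s*)+$")),
]
MONEY_MOVING = {"TRANSFER ASKED", "TRANSFER PROCESSED", "TEL ASKED", "TEL PROCESSED"}

def classify(direction, text):
    """direction is "to" (device -> 900, the task) or "from" (900 -> device, the response)."""
    table = COMMANDS if direction == "to" else RESPONSES
    for label, pat in table:
        if pat.search(text.strip()):
            return label
    return "UNKNOWN"

def summarize(rows):
    """rows: (task, response) pairs as stored in a TaskManager record.
    Returns (command counts, response counts, number of money-moving rows)."""
    tasks, responses, fraud = Counter(), Counter(), 0
    for task, response in rows:
        tasks[classify("to", task)] += 1
        label = classify("from", response)
        responses[label] += 1
        fraud += label in MONEY_MOVING
    return tasks, responses, fraud

# Constructed sample: the four exchanges from the slides as TaskManager rows.
SAMPLE_ROWS = [
    ("INFO", "VISA1234 (ON) VISA7894 (OFF)"),
    ("BALANCE 1234", "VISA1234: $100"),
    ("PEVEROD 1234 7894 50", "Send code 1111 to confirm transfer"),
    ("1111", "Transfer processed"),
    ("ZAPROS 123456 100", "Send code 999 to confirm transfer to 456789"),
    ("999", "Transfer processed"),
    ("TEL 123456 50", "Send code 555 to confirm payment"),
    ("555", "Payment processed"),
]
```

Run over a full export, the two counters reproduce the kind of per-command and per-response breakdown the following slides give for Account D; the money-moving count is the number of rows to hand to the bank.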

SLIDE 34

Top Sberbank Commands – Task (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

  • PAY TEL: 18
  • REQUEST: 22
  • TRANSFER: 37
  • INFO: 59
  • BALANCE: 4956

SLIDE 35

Top Sberbank fraud responses – Task (TaskManager table) – Account D

Exposed Malware Parse.com Accounts

  • TRANSFER ASKED: 26
  • TRANSFER ACCEPTED: 30
  • TRANSFER PROCESSED: 36
  • TEL PROCESSED: 75
  • TEL ASKED: 88
  • INFO: 123
  • BALANCE: 607

SLIDE 36

Unique Device IDs per table

Exposed Malware Parse.com Accounts

SLIDE 37

Responsible Disclosure

  • 2015-08-03: Reported finding to Facebook
  • 2015-08-05: Facebook replied with “... This issue does not qualify as a part of our bounty program ...”
  • 2015-08-05: Facebook asked for more details
  • 2015-08-06: We provided more details and Facebook blocked all Parse accounts
  • 2015-08-28: Facebook offered room for collaboration

Facebook’s responsible disclosure system only works with a Facebook account.

SLIDE 38

Conclusions

  • Android banking Trojans store and expose their data in BaaS solutions
  • By default no authentication is needed to access BaaS data
  • Android banking Trojans are actively performing financial fraud via SMS
  • In less than a month, thousands of people were victims of financial fraud

SLIDE 39

Siegfried Rasthofer
Secure Software Engineering Group
Email: siegfried.rasthofer@cased.de
Blog: http://sse-blog.ec-spride.de
Website: http://sse.ec-spride.de
Twitter: @CodeInspect

Carlos Castillo
Intel Security
Email: carlos.castillo@intel.com
Twitter: @carlosacastillo