We know what you did this summer: Android Banking Trojans Exposing Its Sins in The Cloud (PowerPoint presentation, AVAR 2015)


  1. “We know what you did this summer”: Android Banking Trojans Exposing Its Sins in The Cloud. Siegfried Rasthofer (TU Darmstadt / CASED), Eric Bodden (TU Darmstadt / Fraunhofer SIT), Carlos Castillo (Intel Security), Alex Hinchliffe (Intel Security). 3.12.2015 | AVAR 2015 | 1

  2. Siegfried Rasthofer
     • 3rd-year PhD student at TU Darmstadt
     • Research interest: static and dynamic code analysis
     • Found 2 AOSP exploits and various app security vulnerabilities
     Prof. Dr. Eric Bodden
     • Professor at TU Darmstadt
     • Research interest: static and dynamic code analysis
     • Heads the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt
     Carlos Castillo
     • Mobile Security Researcher at Intel Security
     • Co-author of Hacking Exposed 7 (Hacking Android)
     • Winner of ESET Latin America’s Best Antivirus Research award, 2009
     Alex Hinchliffe
     • Mobile Security Research Manager at Intel Security
     • Co-developer of Artemis, a cloud-based anti-malware technology
     • Project partner of MobSec, S2 Lab, Royal Holloway, University of London

  3. Backend-as-a-Service: 56 million data records “publicly” available (BlackHat EU 2015)

  4. Backend-as-a-Service

  5. Agenda
     • Backend-as-a-Service
     • Developers exposing BaaS resources
     • Android malware using Facebook Parse
     • Android/OpFake and Android/Marry
     • Exposed Android malware Facebook Parse accounts
     • Financial fraud by Android/Marry
     • Responsible disclosure
     • Conclusions

  6. Backend-as-a-Service (1): the app talks to the cloud backend through the BaaS SDK (diagram: APP -> BaaS SDK -> Cloud)

  7. Backend-as-a-Service (2): one BaaS backend serves Android, iOS, JavaScript, ... clients (diagram)

  8. Backend-as-a-Service (3): services offered: push notifications, data storage, user administration, social network integration

  9. BaaS: Amazon tutorial, SDK DB connection
     The AWS tutorial pattern compiles a long-lived IAM access key pair straight into the app (imports added here; the placeholder strings are the slide's own):

         import com.amazonaws.auth.BasicAWSCredentials;
         import com.amazonaws.services.s3.AmazonS3Client;

         // Tutorial pattern: a static access key pair embedded in the APK
         AmazonS3Client s3Client = new AmazonS3Client(
                 new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY"));

     “When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do.” Source: http://docs.aws.amazon.com/
     Anyone who extracts the strings from the APK therefore holds the developer's access key and, per the quote, the developer's level of access.

 10. App Authentication Model
     App: “Hi, I am app <Application ID>” (identification)
     App: “My <Secret Key> is ...” (authentication), but the secret key is embedded in the app
     Server: ???
     Identification ≠ Authentication: a secret that ships inside the app can at best identify the app; it cannot authenticate it, because every user of the app, and every reverse engineer, holds the same secret.
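The slide's point, that an application ID identifies the app while a secret compiled into the same APK cannot authenticate it, is the first thing an auditor checks for. The following is an added example, not code from the talk or from any of the SDKs it names: a small scanner over strings recovered from a decompiled app that flags the two credential shapes the deck discusses. The key formats are assumptions made for this example: an AWS access key ID beginning with AKIA plus 16 upper-case alphanumerics, a 40-character secret as the second argument of BasicAWSCredentials(...), and the legacy Parse Android SDK call Parse.initialize(context, applicationId, clientKey). The sample input is constructed; the AWS pair in it is the example pair from AWS's own documentation.

```python
import re

# Shapes of credentials that identify an app and, wrongly, are also used to
# authenticate it. The formats are assumptions for this example.
PATTERNS = {
    # AWS access key ID: "AKIA" followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # AWS secret access key: the 40-character second argument of
    # BasicAWSCredentials(accessKeyId, secretKey)
    "aws_secret_key": re.compile(
        r'BasicAWSCredentials\(\s*"[^"]*"\s*,\s*"([A-Za-z0-9/+=]{40})"'),
    # Legacy Parse Android SDK: Parse.initialize(context, appId, clientKey)
    "parse_app_id_client_key": re.compile(
        r'Parse\.initialize\([^,]+,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)'),
}


def find_embedded_credentials(text):
    """Return (kind, line_no, captured_values) for every credential-looking
    literal in text, e.g. strings.xml or decompiled Java/smali sources."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((kind, line_no, match.groups()))
    return findings


def summarize(findings):
    """Count hits per credential kind; a non-empty result means every holder
    of the APK can use the backend with the developer's own access."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed excerpt of a decompiled app (not from any real sample). The AWS
# pair is the example pair from AWS's own documentation.
SAMPLE = """\
// BaaS bootstrap copied from a tutorial
AmazonS3Client s3 = new AmazonS3Client(new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"));
Parse.initialize(this, "aBcDeFgHiJkLmNoPqRsT", "zYxWvUtSrQpOnMlKjIhG");
String banner = "AKIA is not a key by itself";
"""

if __name__ == "__main__":
    for kind, line_no, values in find_embedded_credentials(SAMPLE):
        print(f"line {line_no}: {kind} -> {values}")
    print(summarize(find_embedded_credentials(SAMPLE)))
```

Run it over strings.xml and the decompiled sources of an APK. Any hit means every holder of the APK has the same backend access the developer has, whatever the server calls authentication; the fix is per-user, short-lived credentials issued by the backend after a real login, never a shared secret in the binary.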

 11. HAVOC: Automatic Exploit Generator

 12. Malware using Facebook’s Parse: 294,817 malware apps scanned, 9 Android malware samples, 5 Parse accounts, 3 tables

 13. OpFake – App Execution: icon hidden

 14. OpFake – MainService started on “Phone Rings” or “Boot Completed”

 15. OpFake – Main Service Functionality
     • Leak device data to a remote C&C server: IMEI, country, phone number, network operator, balance
     • Subscribe to push notification channels: D-<device_id>, “Everyone”, country, “welcome”
     • Save installation data in Parse: device data, is the device rooted?, is the device active?
     • Schedule a system alarm: execute code every 60 seconds

 16. OpFake – “Traditional” C&C cycle: Infected device -> Request -> Command and Control server -> Send task for execution (Change C&C, Intercept, Open URL, Send SMS) -> Report

 17. OpFake – Parse C&C cycle: Infected device -> Query NewTasks -> Parse BaaS -> Send task for execution (new_server, intercept, sms, ussd, url, install) -> Save task in TaskManager -> Task deleted in NewTasks

 18. OpFake – SMS Received (SmsReceiver)
     • Send message data to the Parse push channel “T”: origin, IMEI, content, type
     • Save data in the Parse SmsReceiver table: origin, IMEI, content, type (incoming), is_card

 19. OpFake – Intercept flag
     Intercept is ON:
     • Check whether the message is a response to a previously executed command
     • Find the executed task in the TaskManager Parse table
     • Update the record with the response
     Intercept is OFF:
     • Leak the SMS message to the remote server
     • If the origin is a specific network operator, extract the balance

 20. NewTasks Schema
     Record fields: objectId, createdAt, updatedAt, imei, task
     Task payloads by type:
     • sms: origin, destination, content, date
     • intercept: value (on/off), date
     • new_server: imei, URL, date
     • install: imei, URL of the APK, date, package name

 21. Exposed Malware Parse.com Accounts: NewTasks – commands received but never consumed (chart)

 22. Exposed Malware Parse.com Accounts: NewTasks – commands created, by date (chart)

 23. SmsReceived Schema: objectId, createdAt, updatedAt, body, from, intype, is_card, type

 24. Exposed Malware Parse.com Accounts: number of intercepted SMS messages in the SmsReceiver Parse table
     Account   Family   Messages
     E         OpFake   60,030
     B         OpFake   41,105
     A         OpFake   40,054
     C         OpFake   28,067
     D         Marry     2,000

 25. Exposed Malware Parse.com Accounts: number of credit card numbers in SMS messages in SmsReceiver
     Account   Family   Card numbers
     D         Marry    126
     E         OpFake    19
     B         OpFake    10
     A         OpFake     9
     C         OpFake     5
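Slides 24 and 25 count intercepted messages and card numbers per exposed account. The talk does not say how the card numbers were recognised, so as an added example (not the authors' code) the block below reproduces both tallies over constructed SmsReceived-style rows, treating a 13- to 19-digit run that passes the Luhn check as a card number. The account names, the rows and the Luhn heuristic are assumptions made for the example.

```python
import re
from collections import Counter

# A card number here is a 13- to 19-digit run (spaces or dashes allowed
# between digits) that passes the Luhn check. This heuristic is an
# assumption; the talk does not say how the numbers were counted.
CARD_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extract_card_numbers(body):
    """Return the card numbers found in one SMS body, digits only."""
    found = []
    for match in CARD_RUN.finditer(body):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def tally(rows):
    """Per account: number of intercepted messages and number of card
    numbers seen in their bodies, as on the talk's two count slides."""
    messages = Counter()
    cards = Counter()
    for account, _sender, body in rows:
        messages[account] += 1
        cards[account] += len(extract_card_numbers(body))
    return messages, cards


# Constructed SmsReceived-style rows (account, from, body); not real data.
# The 4111... and 5105... numbers are well-known test card numbers.
ROWS = [
    ("ACCOUNT_D", "900", "VISA1234: balance 5000 RUB"),
    ("ACCOUNT_D", "+79001234567", "card 4111 1111 1111 1111 exp 12/19 cvv 123"),
    ("ACCOUNT_D", "900", "Send code 1111 to confirm transfer"),
    ("ACCOUNT_E", "Friend", "call me at 5555555555555555"),   # 16 digits, fails Luhn
    ("ACCOUNT_E", "7494", "5105105105105100 top-up done"),
]

if __name__ == "__main__":
    messages, cards = tally(ROWS)
    for account, n in cards.most_common():
        print(f"{account}: {messages[account]} messages, {n} card numbers")
```

The Luhn filter is what keeps phone numbers and order IDs out of the count; a plain 16-digit regex would have counted the fourth row as a card.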

 26. TaskManager Schema
     Record fields: objectId, createdAt, updatedAt, imei, hash, task, type, response
     Task types seen: sms, privat_start, intercept, install. The task value is a destination and text (the command) for sms and privat_start, on/off for intercept, and URL/file.apk for install; response holds the reply text where one was received.

 27. Exposed Malware Parse.com Accounts: TaskManager – commands executed (chart)

 28. Android/Marry

 29. Exposed Malware Parse.com Accounts: number of SMS requests by targeted company in Account D (Marry)
     Short number   Company        Requests
     900            SBERBANK       5,350
     10060          PRIVATBANK       141
     7494           QIWI              70
     6996           MTC               53
     7878           BEELINE           51
     3116           ROSTELECOM        37
     159            TELE2             33
     79037672265    ALFA-BANK         16
     100            MEGAFON           10
     5335           SVYAZNOYBANK       1

 30. Sberbank SMS banking commands in TaskManager (INFO and BALANCE)
     To 900:   INFO
     From 900: VISA1234 (ON), VISA7894 (OFF)
     To 900:   BALANCE 1234
     From 900: VISA1234: $100

 31. Sberbank SMS banking commands in TaskManager (TRANSFER)
     To 900:   PEREVOD 1234 7894 50   (origin card 1234, destination card 7894, amount 50)
     From 900: Send code 1111 to confirm transfer
     To 900:   1111
     From 900: Transfer processed

 32. Sberbank SMS banking commands in TaskManager (REQUEST, two phones involved)
     Phone 456789 to 900:   ZAPROS 123456 100   (request amount 100 from phone number 123456)
     Phone 123456 from 900: Send code 999 to confirm transfer to 456789
     Phone 123456 to 900:   999
     Phone 456789 from 900: Transfer processed

 33. Sberbank SMS banking commands in TaskManager (PAY TEL)
     To 900:   TEL 123456 50   (phone number 123456, amount 50)
     From 900: Send code 555 to confirm payment
     To 900:   555
     From 900: Payment processed

 34. Exposed Malware Parse.com Accounts: top Sberbank commands (task field of the TaskManager table) in Account D
     BALANCE   4,956
     INFO         59
     TRANSFER     37
     REQUEST      22
     PAY TEL      18

 35. Exposed Malware Parse.com Accounts: top Sberbank fraud responses (TaskManager table), Account D
     BALANCE              607
     INFO                 123
     TEL ASKED             88
     TEL PROCESSED         75
     TRANSFER PROCESSED    36
     TRANSFER ACCEPTED     30
     TRANSFER ASKED        26
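Slides 30 to 33 show the Sberbank Mobile Bank exchanges recorded in TaskManager, and slides 34 and 35 tally them by command and by response category. As an added example (not the authors' tooling), the block below classifies task/response pairs into those categories, extracts the one-time codes the bank asks for, and pairs each code request with the later task that sent the code back and got a "processed" reply, which is how a completed fraudulent transfer or payment shows up in the exposed table. The message formats are assumptions generalised from the slides' examples (the TRANSFER ACCEPTED reply has no example text on the slides and is not modelled); the rows are constructed.

```python
import re
from collections import Counter

# Outgoing Mobile Bank commands (SMS to short number 900), keyed by the
# category names used on the talk's tally slide. Formats are assumptions
# generalised from the slides' examples.
COMMANDS = {
    "BALANCE": re.compile(r"^BALANCE\s+(\d{4})$", re.I),
    "INFO": re.compile(r"^INFO$", re.I),
    "TRANSFER": re.compile(r"^PEREVOD\s+(\d{4})\s+(\d{4})\s+(\d+)$", re.I),
    "REQUEST": re.compile(r"^ZAPROS\s+(\d+)\s+(\d+)$", re.I),
    "PAY TEL": re.compile(r"^TEL\s+(\d+)\s+(\d+)$", re.I),
    "CONFIRM": re.compile(r"^(\d{3,6})$"),        # a one-time code sent back
}

# Bank replies; the "... ASKED" ones carry the one-time code in group 1.
RESPONSES = [
    ("TRANSFER ASKED", re.compile(r"Send code (\d+) to confirm transfer", re.I)),
    ("TEL ASKED", re.compile(r"Send code (\d+) to confirm payment", re.I)),
    ("TRANSFER PROCESSED", re.compile(r"Transfer processed", re.I)),
    ("TEL PROCESSED", re.compile(r"Payment processed", re.I)),
    ("BALANCE", re.compile(r"^VISA\d{4}:", re.I)),
    ("INFO", re.compile(r"\((ON|OFF)\)", re.I)),
]


def classify_command(text):
    """Map an outgoing task text to (category, captured arguments)."""
    for category, pattern in COMMANDS.items():
        match = pattern.match(text.strip())
        if match:
            return category, match.groups()
    return "UNKNOWN", ()


def classify_response(text):
    """Map a reply from 900 to (category, one-time code or None)."""
    for category, pattern in RESPONSES:
        match = pattern.search(text)
        if match:
            code = match.group(1) if category.endswith("ASKED") else None
            return category, code
    return "UNKNOWN", None


def tally_by_category(tasks):
    """Reproduce the two count slides: commands and replies by category."""
    commands, responses = Counter(), Counter()
    for row in tasks:
        category, _ = classify_command(row["task"])
        if category != "UNKNOWN":
            commands[category] += 1
        category, _ = classify_response(row["response"])
        if category != "UNKNOWN":
            responses[category] += 1
    return commands, responses


def completed_confirmations(tasks):
    """Pair each code the bank asked for with the later task that sent it back
    and got a PROCESSED reply: one entry per completed transfer or payment."""
    pending = {}   # one-time code -> "TRANSFER" or "TEL"
    completed = []
    for row in tasks:
        command, args = classify_command(row["task"])
        response, code = classify_response(row["response"])
        if command == "CONFIRM" and args[0] in pending and response.endswith("PROCESSED"):
            completed.append((pending.pop(args[0]), args[0]))
        elif response.endswith("ASKED"):
            pending[code] = response.split()[0]
    return completed


# Constructed TaskManager-style rows in execution order; not real data.
TASKS = [
    {"task": "INFO", "response": "VISA1234 (ON) VISA7894 (OFF)"},
    {"task": "BALANCE 1234", "response": "VISA1234: $100"},
    {"task": "PEREVOD 1234 7894 50", "response": "Send code 1111 to confirm transfer"},
    {"task": "1111", "response": "Transfer processed"},
    {"task": "TEL 123456 50", "response": "Send code 555 to confirm payment"},
    {"task": "555", "response": "Payment processed"},
    {"task": "BALANCE 7894", "response": ""},
]

if __name__ == "__main__":
    commands, responses = tally_by_category(TASKS)
    print("commands:", dict(commands))
    print("responses:", dict(responses))
    print("completed:", completed_confirmations(TASKS))
```

Because the malware stores both the outgoing command and the bank's reply in the same record, the exposed table is enough to reconstruct each fraud end to end; the pairing step is the part that distinguishes an asked-for code from one the victim never had to type.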

 36. Exposed Malware Parse.com Accounts: unique device IDs per table (chart)

 37. Responsible Disclosure
     • 2015-08-03: reported the finding to Facebook
     • 2015-08-05: Facebook replied: “... This issue does not qualify as a part of our bounty program ...”
     • 2015-08-05: Facebook asked for more details
     • 2015-08-06: we provided more details and Facebook blocked all Parse accounts
     • 2015-08-28: Facebook offered room for collaboration
     Facebook’s responsible disclosure system only works with a Facebook account.

 38. Conclusions
     • Android banking Trojans store, and thereby expose, their data in BaaS solutions
     • By default no authentication is needed to access BaaS data
     • Android banking Trojans are actively performing financial fraud via SMS
     • In less than a month, thousands of people became victims of financial fraud

 39. Siegfried Rasthofer, Secure Software Engineering Group. Email: siegfried.rasthofer@cased.de. Blog: http://sse-blog.ec-spride.de. Website: http://sse.ec-spride.de. Twitter: @CodeInspect
     Carlos Castillo, Intel Security. Email: carlos.castillo@intel.com. Twitter: @carlosacastillo
