Stefaan Seys, PhD
Security Architect @ VASCO
Mobile malware threats and countermeasures
Sofia, April 12, 2018
Entities in Online Banking Application
End-user, Communication network (e.g. Internet, SS7), ATM network, Bank, Data centre
Main attack vectors at the end-user side:
• Phishing
• Financial malware
Main attack vector at the bank / data centre side:
• Advanced Persistent Threats (APTs)
Trojans
Virtually all banking malware are Banking Trojans.
Trojan = innocent-looking app that includes hidden malicious capabilities
Mobile Banking Trojans: a short History
2010: Zeus
2013: Svpeng
2014: Torec
2015: Gugi, Torec becomes Acecard, Marcher, Facetoken
2016: Acecard, Marcher, Facetoken, Svpeng, Asacub, Gugi (also includes overlay)
2017: Bankbot, Svpeng added keylogger through ACCESSIBILITY
Banking Trojans – Main functionality
Four phases: Infection, Monitor and attack, Self-protection, Update.
Infection
• Installation on mobile device
Monitor and attack
• Check banking apps of user
• Compare apps with filter list
• Capture credentials and upload to C2 server via secure channel
• Take control of victim app (rooted)
Self-protection
• Hiding: ensure Trojan cannot be detected by security software
• Obfuscation: make analysis and reverse engineering more difficult
Update
• Download additional software modules
• Update filter list from C2 server
Mobile banking Trojans almost exclusively target Android
• Malware is largely targeting Android-based devices
• Reasons:
  Item                 | iOS                                  | Android
  Ecosystem complexity | Device and OS by same company        | Google, OEMs, Mobile Operator
  Security updates     | Older and new devices often patched  | Many devices never patched
  App sources          | Only official app store              | Allows untrusted sources
  Vetting by app store | Strong manual vetting                | Automated Bouncer checks
  Ease of rooting      | Jailbreak window smaller every year  | Easy to root, or rooted out of the box
Mobile malware infection methods
1. Android Play Store (must circumvent Bouncer)
   • Does not require the user to enable “untrusted sources”
   • Sometimes heavily pushed using ads
2. Third-party stores (nothing to circumvent)
3. Drive-by download (typically on adult sites as a video player)
4. Phishing (SMS and chat are very popular on mobile)
5. Exploit a security vulnerability to install files without a security warning
   • E.g. Stagefright vulnerability (August 2015)
   • E.g. Chrome vulnerability (November 2016) caused infection of 300,000 Android devices
6. Counterfeit toolchain (XCodeGhost)
Two levels of access once installed:
1) Without root: malware is “limited” to the capabilities of any normal app
2) With root, obtained through
   - the user rooting the phone
   - an exploit of a vulnerability in the OS (e.g., framaroot)
Mobile malware capabilities
Without root: SMS interception
2011: Zeus-in-the-Mobile (Zitmo) and SpyEye-in-the-Mobile (Spitmo)
2013: Perkele
Attack flow (PC malware plus mobile component):
1. PC malware (Zeus) injects code in the bank's web page, steals the username/password over the Internet, and asks the user to install Perkele
2. The mobile component intercepts the mTAN delivered by SMS over the cellular network
Zitmo/Spitmo/Perkele:
• Looks genuine (tailored to bank)
• Keeps running in background
• Intercepts SMS
Without root: Overlays
• Partial overlay for keyboard sniffing
• Partial overlay for stealing credit card
• Full overlay for credential stealing
Without root: ACCESSIBILITY permission to take control
2017: Bankbot, targeted over 200 banks
Bankbot’s Dropper name is “Google Service” and it asks the user for the Accessibility permission
Without root: Repackaged App
Original smali (decompiled onClick handler):
# virtual methods
.method public final onClick(Landroid/view/View;)V
    .locals 3
    .line 122
    invoke-virtual {p1}, Landroid/view/View;->getId()I
    move-result v0
    sget v1, Lo/Iw$f;->button:I
    if-ne v0, v1, :cond_1
    .line 123
    iget-object v0, p0, Lo/JE;->B:Lo/JE$c;
    .line 4078
    iget-object v1, p0, Lo/JE;->A:Landroid/widget/EditText;
Modified smali (logging inserted ahead of the original body):
# virtual methods
.method public final onClick(Landroid/view/View;)V
    .locals 3
    # Changed by Stefaan
    # send our new string to the log.
    # this can be used to debug and can be picked up with ddms, logcat
    # or log collector. as an exercise look up what the d() function does
    # in the android developer documentation.
    sget-object v2, Ljava/lang/System;->out:Ljava/io/PrintStream;
    invoke-virtual {v2, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
    # End of changes
    [original code here]
Distribution channels for repackaged apps: phishing, 3rd-party store, drive-by download
Banking Trojans with root access
• Rooting / jailbreaking
  • Typically, one user of the device has “super” powers on the device
  • The mobile OS usually does not allow the owner of the device to access the “root” user
  • Rooting (Android) or jailbreaking (iOS) provides access to the “root” user
• Risks due to rooting:
  1. Banking Trojan can read files on the device (any file)
  2. Banking Trojan can write to files on the device (including system libraries!)
  3. Banking Trojan can hook into another process
(Figure: process isolation model. App 1 and App 2 each run in a separate process with a unique UID, their own runtime and private data, on top of the Linux kernel. Malware without root is likewise confined to its own process and UID; with ROOT it can place a hook agent and hooking script into another app's process and take control.)
Remote Code Execution
• No “malware” is present on the device
• The code is pushed or pulled remotely and executed on the device because of a vulnerability in some library
• Usually components running with high privileges (“root”) are targeted
Well-known examples:
• Stagefright (2015, media engine)
• Chrome JavaScript engine exploit (2016, browser)
• Blueborne (2017, Bluetooth)
• Broadpwn (2017, Broadcom WiFi chips)
Every day new vulnerabilities are reported and patched, but very few of them are ever exploited on a large scale
Classification of Banking Trojans by capability and risk level
(Figure: a Threat-versus-Likelihood matrix, each axis rated Low / Medium / High, placing four categories: Banking Trojan without root access, Banking Trojan with root access, Repackaged banking app, Remote code execution.)
VASCO Mobile App Protection
Runtime Application Self-Protection:
• Jailbreak & Root Detection
• Overlay protection
• Trusted keyboards
• Screen reader detection
• App integrity protection
• Hook & debug prevention
• Code obfuscation
Further components:
• Device Binding
• Secure Storage
• Behavioral Authentication
• Face Authentication
• Fingerprint Authentication
• Secure Login
• Transaction Signing
• Secure Channel
VASCO DIGIPASS4Apps
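As an added illustration of three of the runtime self-protection signals listed above (root detection, screen reader detection, overlay protection), the following Android Java class is example code written for this page, not VASCO's product code; the package, class and method names are assumptions, and each check returns a boolean the app can feed into its own risk policy.

```java
// Added illustrative Android checks for root indicators, enabled accessibility
// (screen-reader) services, and touches delivered through an overlay window.
// Not VASCO code; package/class/method names are assumed for this example.
package com.example.rasp; // assumed package name

import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import android.view.MotionEvent;
import java.io.File;
import java.util.Set;

public final class RaspChecks {
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    // Root detection: a su binary on disk or a build signed with test keys.
    // Heuristic only: a hook agent already running as root can fake these answers,
    // so treat a positive as a strong signal and a negative as no guarantee.
    public static boolean looksRooted() {
        for (String p : SU_PATHS) {
            if (new File(p).exists()) return true;
        }
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    // Screen reader detection: Bankbot-style Trojans abuse the ACCESSIBILITY
    // permission, so any enabled service whose package is not on the allow-list
    // (e.g. the platform's own screen reader) is flagged.
    public static boolean unexpectedAccessibilityService(Context ctx, Set<String> allowedPkgs) {
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (enabled == null || enabled.isEmpty()) return false;
        for (String svc : enabled.split(":")) {
            // entries look like "pkg.name/.ServiceClass"
            int slash = svc.indexOf('/');
            String pkg = slash >= 0 ? svc.substring(0, slash) : svc;
            if (!allowedPkgs.contains(pkg)) return true;
        }
        return false;
    }

    // Overlay protection: a touch that passed through another window on its way
    // to this app carries FLAG_WINDOW_IS_OBSCURED. Call this from the view's
    // onFilterTouchEventForSecurity and drop such events; pair it with
    // setFilterTouchesWhenObscured(true) on sensitive input fields.
    public static boolean touchCameThroughOverlay(MotionEvent ev) {
        return (ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }
}
```

A banking app would typically refuse secure login or transaction signing while any of these checks returns true, rather than silently continuing.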