01.10.2015 | Virus Bulletin 2015 | 1
We know what you did this summer: Android Banking Trojan exposing its sins in the cloud
Siegfried Rasthofer (TU Darmstadt / CASED)
Eric Bodden (TU Darmstadt / Fraunhofer SIT)
Carlos Castillo (Intel Security)
Alex Hinchliffe (Intel Security)
Stephan Huber (Fraunhofer SIT)
Siegfried Rasthofer
• 3rd year PhD-Student at TU Darmstadt
• Research interest in Static-/dynamic code analyses
• Found 2 AOSP exploits, various App security vulnerabilities
Prof. Dr. Eric Bodden
• Professor at TU Darmstadt
• Research interest in Static-/dynamic code analyses
• Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt
Carlos Castillo
• Mobile Security Researcher at Intel Security.
• Hacking Exposed 7 co-author (Hacking Android).
• ESET Latin America’s Best Antivirus Research winner 2009.
Alex Hinchliffe
• Mobile Security Research Manager at Intel Security
• Co-developer of cloud based Anti-Malware technology, Artemis
• Project partner of MobSec, S2Lab, Royal Holloway University, London
Backend-as-a-Service
56 million data records “publicly” available (BlackHat EU 2015)
Backend-as-a-Service
Malware??
Backend-as-a-Service (1)
[Diagram: BaaS connected to Android, iOS, JavaScript, ...]
Backend-as-a-Service (2)
• Push Notifications
• Data Storage
• User Administration
• Social Network
// Both values are embedded in the app, so anyone who has the APK has them.
Parse.initialize(this, APPLICATION_ID, CLIENT_KEY);
ParseObject sms = new ParseObject("Intercepted SMS");
sms.put("message", "Hi VB2015");
ID Keys != Authentication Keys!
Use Proper Access Control Rules on the Server Side!
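A simplified model of the two server-side checks Parse applies, class-level permissions and per-object ACLs, showing what a caller holding only the application ID and client key can do under the defaults and under tightened rules. This is an added example, not code from the talk or from Parse; the rule tables follow Parse's JSON shape, and the user id and function names are constructed.

```python
# Added example: simplified model of Parse-style server-side access checks.
# Not Parse's implementation; the user id and helper names are constructed.

READ_OPS = {"get", "find"}
WRITE_OPS = {"update", "delete"}
ALL_OPS = ("get", "find", "create", "update", "delete")

# Defaults when nothing is configured: every class operation is public and
# an object saved without an ACL is world-readable and world-writable.
OPEN_CLP = {op: {"*": True} for op in ALL_OPS}
PUBLIC_ACL = {"*": {"read": True, "write": True}}

# Tightened settings for a class that clients only upload into.
UPLOAD_ONLY_CLP = {"get": {}, "find": {}, "create": {"*": True},
                   "update": {}, "delete": {}}
OWNER_ACL = {"user_abc": {"read": True, "write": True}}  # constructed user id


def _clp_allows(clp, op, user_id):
    """Class-level permission: is this operation open to the caller?"""
    rule = clp.get(op, {})
    return bool(rule.get("*")) or (user_id is not None and bool(rule.get(user_id)))


def _acl_allows(acl, access, user_id):
    """Object ACL: does the caller have 'read' or 'write' on this object?"""
    if acl.get("*", {}).get(access):
        return True
    return user_id is not None and bool(acl.get(user_id, {}).get(access))


def is_allowed(op, clp, acl=None, user_id=None, master_key=False):
    """Decide one request. user_id=None models a caller that presents only
    the application ID and client key, i.e. no authenticated session."""
    if op not in ALL_OPS:
        raise ValueError(f"unknown operation: {op}")
    if master_key:                      # server-side key bypasses all rules
        return True
    if not _clp_allows(clp, op, user_id):
        return False
    if op == "create":                  # no existing object, so no ACL to check
        return True
    access = "read" if op in READ_OPS else "write"
    return _acl_allows(PUBLIC_ACL if acl is None else acl, access, user_id)


def exposure_report(clp, acl=None):
    """Operations an unauthenticated key-holder can perform on one object."""
    return [op for op in ALL_OPS if is_allowed(op, clp, acl)]


if __name__ == "__main__":
    print("defaults        :", exposure_report(OPEN_CLP))
    print("owner-only ACL  :", exposure_report(OPEN_CLP, OWNER_ACL))
    print("upload-only CLP :", exposure_report(UPLOAD_ONLY_CLP))
```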
HAVOC: Automatic Exploit Generator
Malware using Facebook’s Parse
294,817 malware apps from 2015 scanned
78 Apps with potential Push Notification misuse
16 Apps with data storage misuse
5 Android/OpFake variants
4 Android/Marry variants
5 parse.com accounts exposed
3 common tables
OpFake – App Execution and Main Service
Flowchart (steps as shown on the slide):
• App Executed; Hide Icon; end
• Boot Completed; Phone Rings; Start Main Service
• Locally save Main URL (C&C)
• Execute Async Tasks
• Subscribe to Parse Push notifications
• Channels: D-<deviceId>, “Everyone”, Country (SIM ISO), “welcome”
• Save Parse Install Information
• Schedule system alarm
• Leak Device Information to C&C server /bn/reg.php
• Execute Content Receiver every minute (60 seconds)
Field lists shown beside the flowchart:
• IMEI, SIM Country, SIM Operator, Phone Number, API, Brand, Model, is_worked (true), worked_task (true), is_root
• IMEI, SIM Country, Phone Number, SIM Operator, Balance
OpFake – System Alarm every Minute
Flowchart (steps as shown on the slide):
• System Alarm; Execute Content Receiver
• Get task from C&C server /bn/gettask.php
• Query Parse table NewTasks by Device ID
• imei == Device ID? Yes: Execute New Task. No: end
• If type == task and imei == Device ID (Yes/No)
• task == intercept? (Yes/No)
• Save executed task in TaskManager table
• Intercept != null? (Yes/No)
• Set intercept flag on/off
• If active_1: Send SMS to number_1 with content prefix_1
• If active_2: Send SMS to all contacts with phone number
• If active_3: Open URL in default browser
• If active_4: Locally save new C&C server URL
• Push Task
• end
• Report executed task ID to /bn/settask.php
Field lists shown beside the flowchart:
• type: from NewTasks, task: type and args, hash: identifier, Imei: device id, response: empty
• imei, balance
OpFake – Execute New tasks
Flowchart (steps as shown on the slide):
• task == sms? Yes: Send text message
• No: task == ussd? Yes: Send USSD message using URI tel: *
• No: task == url? Yes: Open URL using default web browser
• No: task == new_server? Yes: Locally save new C&C server URL
• No: task == install? Yes: Download APK from URL to SD card
• Device with root privileges?
• Yes: Remount system partition as read/write; Copy APK in folder /newmainpack /app/; Set read/write permissions for the copied APK file; Remount partition again as read-only; Silently install the APK using pm install; Launch recently installed app
• No: Attempt to install app using user interface; Launch recently installed app
• Eventually: Delete NewTask
• End
OpFake – SMS Message Received
Flowchart (steps as shown on the slide):
• SMS message received
• Process SMS message
• Save message in SmsReceiver table
• Send message data to Parse Push channel “T”
• Intercept flag on? (Yes/No)
• Send message to /bn/save_message.php
• Is a response to a previous SMS sent? Yes: Query TaskManager by task hash; Save response (from:body) in TaskManager. No: End
• Origin contains 088011 or 000100? Yes: Extract from message body the balance and save it locally
Field lists shown beside the flowchart:
• from, content, to: imei, type: service/other, is_card: if content contains cc #, intype: incoming
• imei, phone: from, message, type: incoming
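Detection logic for the traffic pattern in the OpFake flowcharts: requests to the /bn/ endpoints named on the slides, with /bn/gettask.php polled about every 60 seconds. This is an added example, not from the talk; the log format, host names and client addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# C&C endpoints named on the slides; gettask.php is the one-minute poll.
CNC_PATHS = {"/bn/reg.php", "/bn/gettask.php", "/bn/settask.php",
             "/bn/save_message.php"}
POLL_PATH = "/bn/gettask.php"

# Constructed proxy log: ISO timestamp, client IP, method, URL.
SAMPLE_LOG = """\
2015-07-13T10:00:00 10.0.0.21 POST http://cnc.example/bn/reg.php
2015-07-13T10:01:00 10.0.0.21 POST http://cnc.example/bn/gettask.php
2015-07-13T10:01:10 10.0.0.40 GET http://news.example/index.php
2015-07-13T10:02:01 10.0.0.21 POST http://cnc.example/bn/gettask.php
2015-07-13T10:02:30 10.0.0.35 GET http://shop.example/bn/gettask.php
2015-07-13T10:03:00 10.0.0.21 POST http://cnc.example/bn/gettask.php
2015-07-13T10:03:30 10.0.0.21 POST http://cnc.example/bn/save_message.php
2015-07-13T10:04:00 10.0.0.21 POST http://cnc.example/bn/gettask.php
malformed line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, client, host, path) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    url = urlsplit(m.group(4))
    return ts, m.group(2), url.hostname or "", url.path


def find_cnc_clients(log_text, period=60, tolerance=5, min_polls=3):
    """Group hits on the known paths by (client, host) and flag pairs whose
    gettask.php requests recur at roughly `period` seconds."""
    seen = defaultdict(lambda: {"paths": set(), "polls": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] not in CNC_PATHS:
            continue
        ts, client, host, path = rec
        seen[(client, host)]["paths"].add(path)
        if path == POLL_PATH:
            seen[(client, host)]["polls"].append(ts)
    report = {}
    for key, entry in seen.items():
        polls = sorted(entry["polls"])
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        med = median(gaps) if gaps else None
        beaconing = (len(polls) >= min_polls and med is not None
                     and abs(med - period) <= tolerance)
        report[key] = {"paths": sorted(entry["paths"]), "polls": len(polls),
                       "median_gap": med, "beaconing": beaconing}
    return report


if __name__ == "__main__":
    for key, info in find_cnc_clients(SAMPLE_LOG).items():
        print(key, info)
```

A single path match without periodic polling (the second client in the sample) is reported but not flagged as beaconing, which keeps unrelated sites that happen to use the same path from raising the higher-confidence signal.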
NewTasks Schema
NewTask Record: imei, task, objectId, createdAt, updatedAt
Task types and their fields:
• sms: origin, destination, content, date
• intercept: values (on/off), date
• new_server: imei, URL, date
• install: imei, URL of the APK, date, package name
NewTasks – Commands received
Exposed Malware Parse.com Accounts
[Chart: commands received per account (Accounts A to E); series: commands, sms, intercept, new_server, install]
NewTasks – Examples of commands delivered
Exposed Malware Parse.com Accounts
sms
• send sms to number 900 with content “BALANS”
• send sms to number 900 with content <confirmation_code>
• send sms to number 3116 with content “card <card_number> <exp_month> <exp_year> <CVV>”
intercept
• on/off
new_server
• hxxp://newwelcome00.ru
• hxxp://newelcome00.ru
install
• Android/OpFake delivering Android/Marry:
• hxxp://newwelcome00.ru/appru.apk (marry.adobe.net.threadsync).
• hxxp://newwelcome00.ru/app.apk (marry.adobe.net.nightbuid).
• hxxp://notingen.ru/Player.apk (com.adobe.net)
• hxxp://швждаыдлпждв
NewTasks – Command created by date
Exposed Malware Parse.com Accounts
[Chart: NewTasks commands created per day, 13.06.2015 to 14.07.2015, for Accounts A to E; y-axis 0 to 25000]
SmsReceived Schema
SmsReceived Record: body, from, objectId, intype, is_card, updatedAt, type, createdAt
• from: origin of the text message (phone number/company name)
• intype: incoming/outgoing
• to: device identifier of the infected device
• is_card: true/false if the message contains a credit card number
• type:
  • service: origin is a company (e.g. MegaFon)
  • other: origin is another phone number (personal messages)
SmsReceiver – # Intercepted SMS messages
Exposed Malware Parse.com Accounts
# messages per account:
• ACCOUNT D: 2.000
• ACCOUNT C: 28.067
• ACCOUNT A: 40.054
• ACCOUNT B: 41.105
• ACCOUNT E: 60.030
SmsReceiver – Credit card numbers in incoming SMS messages
Exposed Malware Parse.com Accounts
# credit card numbers per account:
• ACCOUNT C: 5
• ACCOUNT A: 9
• ACCOUNT B: 10
• ACCOUNT E: 19
• ACCOUNT D: 126
SmsReceived – Messages by date
Exposed Malware Parse.com Accounts
[Chart: messages per day for Accounts A to E; y-axis 0 to 20000]
TaskManager Schema
TaskManager Record: task, hash, objectId, updatedAt, imei, type, response, createdAt
Values shown for the record:
• sms: destination, text (command)
• privat_start: empty
• intercept: on/off
• install: URL/file.apk
• sms: destination, text (response)
TaskManager – Command Executed
Exposed Malware Parse.com Accounts
[Chart: commands executed per account (Accounts A to E); series: requests, responses, sms, intercept, install]
TaskManager – Examples of tasks executed
Exposed Malware Parse.com Accounts
sms 900 (Sberbank):
• Get list of connected cards and commands available: sms INFO
• BALANS/BALANCE <card>
• Payment of services: sms <amount>
sms 000100 (MegaFon):
• B (balance)
sms 7878 (Beeline):
• Pay credit card: <Brand> <card_number> <amount>
Smishing (newwelcome00.ru):
• Russia: У вас 1 непрочитаное сообщение (You have 1 unread message) hxxps://tinyurl.com/phelju3
• Russia: Ваша ссылка для скачивания (Your download link) hxxp://goo.gl/TR5GjP
• Uzbekistan: Получено новое (Received new MMC) hxxp://goo.gl/RINTTQ
Targeted Companies – Task (TaskManager table) in Account D
Exposed Malware Parse.com Accounts
# Requests (SMS) per destination:
• 5335 (SVYAZNOYBANK): 1
• 100 (MEGAFON): 10
• 79037672265 (ALFA-BANK): 16
• 159 (TELE2): 33
• 3116 (ROSTELECOMO): 37
• 7878 (BEELINE): 51
• 6996 (MTC): 53
• 7494 (QIWI): 70
• 10060 (PRIVATBANK): 141
• 900 (SBERBANK): 5350
Sberbank commands – Tasks (TaskManager table) in Account D
Exposed Malware Parse.com Accounts
Table columns: Command, Format, Response
• Command: BALANCE/BALANS/баланс
  Format: BALANS <4-last-digits>
  Response: VISA1234 Balance: <amount>
• Command: INFO/СПРАВКА
  Format: СПРАВКА
  Response: List of connected cards: VISA1234(ON);
• Command: ПЕРЕВОД/PEREVOD/ПЕРЕВЕСТИ (Transfer)
  Format: ПЕРЕВОД <4digits_card_origin> <4digits_card_destination> or <phone_number_destination> <amount>
  Response: To transfer <amount> from card VISA1234 the recipient <name> must send the code <code> to the number 900
• Command: ZAPROS (Request)
  Format: ZAPROS <phone_number> <amount>
  Response: Request transfer for <amount> to your card VISA4321 has been sent. After confirmation by the sender <name> the money will go to your account.
• Command: TEL/PLATEZ/PHONE/POPOLNI/PLATI (Pay mobile account)
  Format: TEL <phone_number> <amount>
  Response: To pay with card VISA1234 phone <company> <phone_number> the amount <amount> send the code <code> to number 900.
Top Sberbank Commands – Task (TaskManager table) in Account D
Exposed Malware Parse.com Accounts
# Requests per command:
• TEL/PLATEZ/PHONE/POPOLNI/PLATI (PAY TEL): 18
• ZAPROS (REQUEST): 22
• ПЕРЕВОД/PEREVOD/ПЕРЕВЕСТИ (TRANSFER): 37
• INFO/СПРАВКА: 59
• BALANCE/BALANS/БАЛАНС: 4956
Sberbank Responses – Tasks (TaskManager table) in Account D
Exposed Malware Parse.com Accounts
Table columns: Type, Response
• Balance: VISA1234 Balance: <amount>
• Info: List of connected cards: VISA1234(ON);
• Tel Asked: To pay with card VISA1234 phone <company> <phone_number> the amount <amount> send the code <code> to number 900.
• Tel Processed: VISA1234 <date> <time> payment for services <amount> <operator> <phone_number> Balance: <amount>
• Transfer Processed: MAES1234: Transfer <amount> to the card recipient <name> is processed
• Transfer Accepted: VISA1234: <time> Amount <amount> from the sender <name> received. Balance: <amount>
• Transfer Asked: To transfer <amount> from card VISA1234 the card recipient <name> should send the code <code> to number 900.
Top Sberbank fraud responses – Task (TaskManager table) - Account D
Exposed Malware Parse.com Accounts
# responses per type:
• TRANSFER ASKED: 26
• TRANSFER ACCEPTED: 30
• TRANSFER PROCESSED: 36
• TEL PROCESSED: 75
• TEL ASKED: 88
• INFO: 123
• BALANCE: 607
TaskManager – Command executed by date
Exposed Malware Parse.com Accounts
[Charts: commands executed per day for Accounts A to E, in two panels; the second panel's x-axis runs 13.07.2015 to 16.07.2015]
Unique Device IDs per table
Exposed Malware Parse.com Accounts
[Chart: unique device IDs per account (Accounts A to E); series: NewTasks, SmsReceiver, TaskManager]
Responsible Disclosure
2015-08-03: Reported finding to Facebook
2015-08-05: Facebook replied with “... This issue does not qualify as a part of our bounty program...”
2015-08-05: Facebook asked for more details
2015-08-06: We provided more details and Facebook blocked all Parse accounts
2015-08-28: Facebook offered room for collaboration
Facebook’s responsible disclosure system only works with a Facebook account
Conclusions
• These Android banking Trojans are actively performing financial fraud via SMS messages, targeting Eastern European countries.
• Just like legitimate developers, Android malware authors also expose cloud accounts with sensitive (personal/financial) stolen information.
• Sensitive information stolen from victims by Android malware can be accessed by “anyone” without any authentication.
Siegfried Rasthofer
Secure Software Engineering Group
Blog: http://sse-blog.ec-spride.de
Website: http://sse.ec-spride.de
Twitter: @CodeInspect
Carlos Castillo
Intel Security
Twitter: @carlosacastillo