We know what you did this summer: Android Banking Trojan exposing its sins in the cloud

Virus Bulletin 2015, 01.10.2015. Slide deck transcript (34 slides).

Siegfried Rasthofer (TU Darmstadt / CASED)
Eric Bodden (TU Darmstadt / Fraunhofer SIT)
Carlos Castillo (Intel Security)
Alex Hinchliffe (Intel Security)
Stephan Huber (Fraunhofer SIT)

Slide 2

Siegfried Rasthofer

• 3rd year PhD-Student at TU Darmstadt

• Research interest in Static-/dynamic code analyses

• Found 2 AOSP exploits, various App security vulnerabilities

Prof. Dr. Eric Bodden

• Professor at TU Darmstadt

• Research interest in Static-/dynamic code analyses

• Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt

Carlos Castillo

• Mobile Security Researcher at Intel Security.

• Hacking Exposed 7 co-author (Hacking Android).

• ESET Latin America’s Best Antivirus Research winner 2009.

Alex Hinchliffe

• Mobile Security Research Manager at Intel Security

• Co-developer of cloud based Anti-Malware technology, Artemis

• Project partner of MobSec, S2Lab, Royal Holloway University, London

Slide 3: Backend-as-a-Service

56 million data records “publicly” available (Black Hat EU 2015)

Slide 4: Backend-as-a-Service

Malware??

Slide 5: Backend-as-a-Service (1)

[Diagram: one BaaS backend serving Android, iOS, JavaScript and other client platforms]

Slide 6: Backend-as-a-Service (2)

Typical BaaS features: push notifications, data storage, user administration, social network

Slide 7

// Android client: the Parse SDK is initialised with the app's ID and client key,
// both of which ship as string constants inside the APK
Parse.initialize(this, APPLICATION_ID, CLIENT_KEY);

// Create a record in the "Intercepted SMS" class and upload it to the backend
ParseObject sms = new ParseObject("Intercepted SMS");
sms.put("message", "Hi VB2015");
sms.saveInBackground();

ID keys != authentication keys! Use proper access control rules on the server side!
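Because the application ID and client key are compiled into the APK, the first step of any Parse misuse survey is to pull them out of the disassembled bytecode. The following is an added example (not code from the slides, the Parse SDK, or the authors' tooling): it walks baksmali output, tracks which string constant each register holds, and resolves the two string arguments of the Parse.initialize(Context, String, String) call. The class and method descriptor is the real SDK entry point; the smali listing and the key values in it are constructed, and the 40-character filter reflects the key format hosted Parse used at the time, which is this example's observation rather than a fact stated on the slides.

```python
"""Locate the Parse application ID and client key that an APK ships in its
bytecode by scanning smali for the Parse.initialize(...) call.

Added example; the smali below is a constructed sample and the keys in it
are fake.
"""
import re
from typing import Dict, Optional, Tuple

# Real descriptor of the SDK entry point (com.parse.Parse.initialize).
PARSE_INIT = "Lcom/parse/Parse;->initialize("

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s+"((?:[^"\\]|\\.)*)"')
INVOKE = re.compile(r'^\s*invoke-static\s+\{([^}]*)\},\s+(\S+)')


def find_parse_credentials(smali: str) -> Optional[Tuple[str, str]]:
    """Return (applicationId, clientKey) for the first Parse.initialize call
    whose two string arguments were loaded with const-string, else None."""
    regs: Dict[str, str] = {}  # register -> last string constant loaded into it
    for line in smali.splitlines():
        m = CONST_STRING.match(line)
        if m:
            regs[m.group(1)] = m.group(2)
            continue
        m = INVOKE.match(line)
        if not m or not m.group(2).startswith(PARSE_INIT):
            continue
        args = [r.strip() for r in m.group(1).split(",")]
        # Signature is (Context, String applicationId, String clientKey).
        if len(args) != 3:
            continue
        app_id, client_key = regs.get(args[1]), regs.get(args[2])
        if app_id is not None and client_key is not None:
            return app_id, client_key
    return None


def looks_like_parse_key(value: str) -> bool:
    """Cheap filter: hosted Parse issued 40-character alphanumeric IDs/keys
    (assumption of this example), so other string constants are skipped."""
    return re.fullmatch(r"[0-9A-Za-z]{40}", value) is not None


# Constructed sample of what baksmali emits for an Application.onCreate().
SAMPLE_SMALI = """\
.method public onCreate()V
    .locals 2
    invoke-super {p0}, Landroid/app/Application;->onCreate()V
    const-string v0, "0123456789abcdef0123456789abcdef01234567"
    const-string v1, "fedcba9876543210fedcba9876543210fedcba98"
    invoke-static {p0, v0, v1}, Lcom/parse/Parse;->initialize(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;)V
    return-void
.end method
"""

if __name__ == "__main__":
    creds = find_parse_credentials(SAMPLE_SMALI)
    if creds and all(looks_like_parse_key(c) for c in creds):
        print("applicationId=%s clientKey=%s" % creds)
```

The call may sit in any class, not only the Application subclass, so run the scanner over every .smali file of the decoded APK. Whatever the scanner recovers is exactly what the client SDK presents to the backend; the class-level permissions and ACLs configured server side are the only thing that keeps a third party holding the same two strings from reading the tables.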

Slide 8: HAVOC: Automatic Exploit Generator

Slide 9: Malware using Facebook's Parse

294,817 malware apps from 2015 scanned
78 apps with potential push notification misuse
16 apps with data storage misuse
5 Android/OpFake variants
4 Android/Marry variants
5 parse.com accounts exposed
3 common tables

Slide 10: OpFake – App Execution and Main Service

Flow shown on the slide:

App executed → hide icon → end.

Boot completed / phone rings → start main service:
• Locally save main URL (C&C)
• Execute async tasks
• Subscribe to Parse push notifications. Channels: D-<deviceId>, “Everyone”, country (SIM ISO), “welcome”
• Save Parse installation information: IMEI, SIM country, SIM operator, phone number, API, brand, model, is_worked (true), worked_task (true), is_root
• Schedule system alarm: execute content receiver every minute (60 secs)
• Leak device information to C&C server /bn/reg.php: IMEI, SIM country, phone number, SIM operator, balance

Slide 11: OpFake – System Alarm every Minute

Flow shown on the slide: the system alarm executes the content receiver, which polls two sources of commands.

1. Get task from C&C server /bn/gettask.php.
   If type == task and imei == Device ID:
   • task == intercept (and intercept != null) → set intercept flag on/off
   • otherwise:
     - if active_1 → send SMS to number_1 with content prefix_1
     - if active_2 → send SMS to all contacts with phone number
     - if active_3 → open URL in default browser
     - if active_4 → locally save new C&C server URL
   Report executed task ID to /bn/settask.php (imei, balance).

2. Query Parse table NewTasks by Device ID (imei == Device ID).
   • Yes → execute new task (push task) and save the executed task in the TaskManager table: type (from NewTasks), task (type and args), hash (identifier), imei (device ID), response (empty)
   • No → end

Slide 12: OpFake – Execute New Tasks

Flow shown on the slide: a new task is dispatched on its task field.

• task == sms → send text message
• task == ussd → send USSD message using URI tel:*
• task == url → open URL using default web browser
• task == new_server → locally save new C&C server URL
• task == install → download APK from URL to SD card, then:
  - device with root privileges? Yes → remount system partition as read/write; copy APK into folder /newmainpack/app/; set read/write permissions for the copied APK file; remount partition again as read-only; silently install the APK using pm install
  - No → attempt to install app using the user interface
  - Launch recently installed app

Eventually delete the NewTask record; end.

Slide 13: OpFake – SMS Message Received

Flow shown on the slide:

SMS message received → process SMS message → save message in the SmsReceiver table (from, content, to: imei, type: service/other, is_card: whether the content contains a credit card number, intype: incoming) → send message data to Parse push channel “T”.

Intercept flag on? No → send message to /bn/save_message.php (imei, phone: from, message, type: incoming).

Is it a response to a previously sent SMS? Yes → query TaskManager by task hash and save the response (from:body) in TaskManager. No → end.

Origin contains 088011 or 000100? Yes → extract the balance from the message body and save it locally. No → end.

Slide 14: NewTasks Schema

NewTask record fields: imei, task, objectId, createdAt, updatedAt

Task payload by type:
• sms: origin, destination, content, date
• intercept: value (on/off), date
• new_server: imei, URL, date
• install: imei, URL of the APK, date, package name
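An analyst who has exported one of the exposed NewTasks classes needs the same views the slides draw from it: which commands one infected device was given, the command breakdown per type, the commands per day, and the URLs pushed as new C&C servers or APK downloads. The following is an added example (not code from the slides or from the malware) that does that over a dump shaped like Parse's REST "results" array. The slides give the field names and per-type payloads but not the exact JSON nesting, so treating task as an object with a "type" key and lower-case payload keys is an assumption; the records are constructed, and the two domains in them are the ones the slides list as new_server/install destinations.

```python
"""Triage helpers for a dump of the NewTasks class described on the slides.

Added example. JSON layout (task as a nested object) is assumed; records
are constructed.
"""
from collections import Counter
from typing import Dict, List, Set

VALID_TYPES = {"sms", "intercept", "new_server", "install"}

# Constructed sample in the shape of a Parse REST query result.
SAMPLE_DUMP = {
    "results": [
        {"objectId": "a1", "imei": "356938035643809", "createdAt": "2015-06-13T10:00:00.000Z",
         "task": {"type": "sms", "destination": "900", "content": "BALANS"}},
        {"objectId": "a2", "imei": "356938035643809", "createdAt": "2015-06-13T10:01:00.000Z",
         "task": {"type": "intercept", "value": "on"}},
        {"objectId": "a3", "imei": "490154203237518", "createdAt": "2015-06-14T08:00:00.000Z",
         "task": {"type": "install", "url": "http://newwelcome00.ru/app.apk",
                  "package": "marry.adobe.net.nightbuid"}},
        {"objectId": "a4", "imei": "490154203237518", "createdAt": "2015-06-14T08:05:00.000Z",
         "task": {"type": "new_server", "url": "http://newelcome00.ru"}},
        {"objectId": "a5", "imei": "490154203237518", "createdAt": "2015-06-14T09:00:00.000Z",
         "task": {"type": "selfdestruct"}},  # type not documented on the slides
    ]
}


def tasks_for_device(dump: dict, imei: str) -> List[dict]:
    """The bot's own query (NewTasks where imei == device ID), oldest first,
    which replays exactly what one victim was instructed to do."""
    return sorted((r for r in dump["results"] if r.get("imei") == imei),
                  key=lambda r: r["createdAt"])


def tally_commands(dump: dict) -> Counter:
    """Count tasks per documented type (the per-account breakdown on slide 15)."""
    return Counter(r["task"]["type"] for r in dump["results"]
                   if r["task"].get("type") in VALID_TYPES)


def commands_per_day(dump: dict) -> Dict[str, int]:
    """Tasks created per calendar day, from the ISO-8601 createdAt Parse stores."""
    per_day = Counter(r["createdAt"][:10] for r in dump["results"])
    return dict(sorted(per_day.items()))


def unknown_types(dump: dict) -> List[str]:
    """objectIds whose task type is outside the four documented ones: either a
    newer bot version or a malformed record, worth a manual look."""
    return [r["objectId"] for r in dump["results"]
            if r["task"].get("type") not in VALID_TYPES]


def defang(url: str) -> str:
    """hxxp:// notation, as the slides print indicators, so a report is not clickable."""
    return url.replace("http://", "hxxp://", 1).replace("https://", "hxxps://", 1)


def extract_iocs(dump: dict) -> Dict[str, Set[str]]:
    """Defanged URLs pushed to bots: APK download sites and replacement C&C servers."""
    iocs: Dict[str, Set[str]] = {"install": set(), "new_server": set()}
    for r in dump["results"]:
        t = r["task"]
        if t.get("type") in iocs and t.get("url"):
            iocs[t["type"]].add(defang(t["url"]))
    return iocs


if __name__ == "__main__":
    print(tally_commands(SAMPLE_DUMP))
    print(commands_per_day(SAMPLE_DUMP))
    print(extract_iocs(SAMPLE_DUMP))
    print("unexpected task types:", unknown_types(SAMPLE_DUMP))
```

The same functions apply to a TaskManager export once the field names are adjusted, with the difference that there the response field carries what the bank's SMS gateway answered.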

Slide 15: NewTasks – Commands received

Exposed Malware Parse.com Accounts

[Bar chart: number of NewTasks commands received per exposed account (Account A to Account E), split into sms, intercept, new_server and install; the per-account counts are not recoverable from the transcript]

Slide 16: NewTasks – Examples of commands delivered

Exposed Malware Parse.com Accounts

sms:
• send sms to number 900 with content “BALANS”
• send sms to number 900 with content <confirmation_code>
• send sms to number 3116 with content “card <card_number> <exp_month> <exp_year> <CVV>”

intercept:
• on/off

new_server:
• hxxp://newwelcome00.ru
• hxxp://newelcome00.ru

install (Android/OpFake delivering Android/Marry):
• hxxp://newwelcome00.ru/appru.apk (marry.adobe.net.threadsync)
• hxxp://newwelcome00.ru/app.apk (marry.adobe.net.nightbuid)
• hxxp://notingen.ru/Player.apk (com.adobe.net)
• hxxp://швждаыдлпждв

Slide 17: NewTasks – Commands created by date

Exposed Malware Parse.com Accounts

[Line chart: NewTasks commands created per day for Account A to Account E, 13.06.2015 to 14.07.2015; y-axis 0 to 25,000]

Slide 18: SmsReceived Schema

SmsReceived record fields: body, from, objectId, intype, is_card, updatedAt, type, createdAt

• from: origin of the text message (phone number/company name)

• intype: incoming/outgoing

• to: device identifier of the infected device

• is_card: true/false if the message contains a credit card number

• type:

• service: origin is a company (e.g. MegaFon)

• other: origin is another phone number (personal messages)
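The is_card and type fields above are the same judgement a DLP or SMS-monitoring rule has to make on the defender's side. The following is an added example (not code from the slides or from the malware) of that classification: a PAN pattern plus Luhn check for is_card, and a sender heuristic for service versus other. The slides say only that is_card means the body contains a credit card number and that service means a company such as MegaFon; how the bot decides either is not shown, so the regex, the Luhn check and the sender rule are this example's own choices, and the messages are constructed.

```python
"""Classify an SMS the way the SmsReceived schema records it: is_card and
type (service/other), with the card number masked before it is stored.

Added example; detection rules are this example's own, messages constructed.
"""
import re
from typing import Dict, List

# 4-4-4-4 groups joined by space or hyphen, or 13 to 19 unbroken digits.
# Amex-style 4-6-5 grouping is deliberately not covered.
CARD_CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]){3}\d{4}(?!\d)|(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (and, caveat, by IMEIs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(body: str) -> List[str]:
    """Digit strings in body that look like a PAN and pass the Luhn check."""
    found = []
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def sender_type(sender: str) -> str:
    """'service' for short codes and alphanumeric sender IDs (banks, operators),
    'other' for full-length subscriber numbers. Caveat: a bank sending from an
    ordinary long number (slide 25 lists one) is classed 'other' by this rule."""
    return "other" if re.fullmatch(r"\+?\d{10,15}", sender.strip()) else "service"


def classify_sms(sender: str, body: str) -> Dict[str, object]:
    """Build the SmsReceived-style record. The PAN itself is never stored,
    only its last four digits, which is enough to correlate with bank replies."""
    cards = find_card_numbers(body)
    return {
        "from": sender,
        "intype": "incoming",
        "type": sender_type(sender),
        "is_card": bool(cards),
        "cards": ["****" + c[-4:] for c in cards],
    }


# Constructed sample messages (the card number is the standard Visa test PAN).
SAMPLES = [
    ("900", "VISA1234 Balance: 1500.00 RUB"),
    ("MegaFon", "Your balance is 250.00 RUB"),
    ("+79031234567", "card 4111 1111 1111 1111 12 2018 123"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(classify_sms(sender, body))
```

Two caveats matter in practice: IMEIs are 15-digit Luhn-valid numbers and will match the unbroken-digits alternative, so a message quoting an IMEI is a false positive unless filtered separately; and a Luhn check alone does not prove a card exists, only that the digits were not mistyped.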

Slide 19: SmsReceiver – # Intercepted SMS messages

Exposed Malware Parse.com Accounts

[Bar chart, # messages per account, as listed: Account D 2,000; Account C 28,067; Account A 40,054; Account B 41,105; Account E 60,030]

Slide 20: SmsReceiver – Credit card numbers in incoming SMS messages

Exposed Malware Parse.com Accounts

[Bar chart, # credit card numbers per account, as listed: Account C 5; Account A 9; Account B 10; Account E 19; Account D 126]

Slide 21: SmsReceived – Messages by date

Exposed Malware Parse.com Accounts

[Line chart: intercepted messages per day for Account A to Account E; y-axis 0 to 20,000; the dates are not recoverable from the transcript]

Slide 22: TaskManager Schema

TaskManager record fields: task, hash, objectId, updatedAt, imei, type, response, createdAt

Task payload by type:
• sms: destination, text (command)
• privat_start: empty
• intercept: on/off
• install: URL/file.apk

Response (sms tasks): destination, text (response)

Slide 23: TaskManager – Commands executed

Exposed Malware Parse.com Accounts

[Bar chart: TaskManager requests, responses, sms, intercept and install counts per account (Account A to Account E); the per-account values are not recoverable from the transcript]

Slide 24: TaskManager – Examples of tasks executed

Exposed Malware Parse.com Accounts

sms 900 (Sberbank):
• INFO: get list of connected cards and commands available
• BALANS/BALANCE <card>
• <amount>: payment of services

sms 000100 (MegaFon):
• B (balance)

sms 7878 (Beeline):
• <Brand> <card_number> <amount>: pay credit card

Smishing (newwelcome00.ru):
• Russia: У вас 1 непрочитаное сообщение (You have 1 unread message) hxxps://tinyurl.com/phelju3
• Russia: Ваша ссылка для скачивания (Your download link) hxxp://goo.gl/TR5GjP
• Uzbekistan: Получено новое (Received new MMC) hxxp://goo.gl/RINTTQ

Slide 25: Targeted Companies – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

[Bar chart, # requests (SMS) per destination number, as listed: 5335 (SVYAZNOYBANK) 1; 100 (MEGAFON) 10; 79037672265 (ALFA-BANK) 16; 159 (TELE2) 33; 3116 (ROSTELECOM) 37; 7878 (BEELINE) 51; 6996 (MTC) 53; 7494 (QIWI) 70; 10060 (PRIVATBANK) 141; 900 (SBERBANK) 5350]

Slide 26: Sberbank commands – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

Command: BALANCE/BALANS/баланс
  Format: BALANS <4-last-digits>
  Response: VISA1234 Balance: <amount>

Command: INFO/СПРАВКА
  Format: СПРАВКА
  Response: List of connected cards: VISA1234(ON);

Command: ПЕРЕВОД/PEREVOD/ПЕРЕВЕСТИ (Transfer)
  Format: ПЕРЕВОД <4digits_card_origin> <4digits_card_destination or phone_number_destination> <amount>
  Response: To transfer <amount> from card VISA1234 the recipient <name> must send the code <code> to the number 900

Command: ZAPROS (Request)
  Format: ZAPROS <phone_number> <amount>
  Response: Request transfer for <amount> to your card VISA4321 has been sent. After confirmation by the sender <name> the money will go to your account.

Command: TEL/PLATEZ/PHONE/POPOLNI/PLATI (Pay mobile account)
  Format: TEL <phone_number> <amount>
  Response: To pay with card VISA1234 phone <company> <phone_number> the amount <amount> send the code <code> to number 900.
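The table above is a complete enough grammar to recognise fraudulent use of the SMS-banking channel from the device side: a bot sending ПЕРЕВОД or TEL to 900, followed by a bare numeric code while the bank is waiting for confirmation, is the whole attack. The following is an added example (not code from the slides) of a parser for these command formats, used as a monitoring rule that rates outbound SMS from a monitored device to short code 900. The keyword variants and argument shapes come from the table; the risk levels, the assumed 4 to 8 digit confirmation code, and the rule that a bare code sent while a "send the code" reply is pending counts as a confirmation are this example's own, and the messages are constructed.

```python
"""Parse Sberbank SMS-banking commands (formats from the table above) and
rate outbound SMS to 900 for fraud monitoring.

Added example; risk levels and the confirmation-code shape are assumptions.
"""
import re
from typing import Optional

BALANCE_WORDS = {"BALANCE", "BALANS", "БАЛАНС"}
INFO_WORDS = {"INFO", "СПРАВКА"}
TRANSFER_WORDS = {"ПЕРЕВОД", "PEREVOD", "ПЕРЕВЕСТИ"}
REQUEST_WORDS = {"ZAPROS"}
PAY_WORDS = {"TEL", "PLATEZ", "PHONE", "POPOLNI", "PLATI"}

CARD4 = re.compile(r"\d{4}")                 # last four digits of a card
PHONE = re.compile(r"\+?\d{10,11}")          # subscriber number
AMOUNT = re.compile(r"\d+(?:[.,]\d{1,2})?")  # rubles, optional kopecks
CODE = re.compile(r"\d{4,8}")                # assumed confirmation-code shape

RISK = {"balance": "low", "info": "low", "request": "medium",
        "transfer": "high", "pay_phone": "high"}


def _amount(s: str) -> float:
    return float(s.replace(",", "."))


def parse_command(text: str) -> Optional[dict]:
    """Structured view of one outbound message, or None if it is not a
    recognised command (free text, a bare code, a typo)."""
    parts = text.split()
    if not parts:
        return None
    kw, args = parts[0].upper(), parts[1:]
    if kw in BALANCE_WORDS and len(args) <= 1:
        if args and not CARD4.fullmatch(args[0]):
            return None
        # A bare BALANS is also seen in the wild (slide 16), so the card is optional.
        return {"cmd": "balance", "card": args[0] if args else None}
    if kw in INFO_WORDS and not args:
        return {"cmd": "info"}
    if (kw in TRANSFER_WORDS and len(args) == 3
            and CARD4.fullmatch(args[0]) and AMOUNT.fullmatch(args[2])):
        if CARD4.fullmatch(args[1]):
            kind = "card"
        elif PHONE.fullmatch(args[1]):
            kind = "phone"
        else:
            return None
        return {"cmd": "transfer", "from_card": args[0], "to": args[1],
                "to_kind": kind, "amount": _amount(args[2])}
    if (kw in REQUEST_WORDS and len(args) == 2
            and PHONE.fullmatch(args[0]) and AMOUNT.fullmatch(args[1])):
        return {"cmd": "request", "phone": args[0], "amount": _amount(args[1])}
    if (kw in PAY_WORDS and len(args) == 2
            and PHONE.fullmatch(args[0]) and AMOUNT.fullmatch(args[1])):
        return {"cmd": "pay_phone", "phone": args[0], "amount": _amount(args[1])}
    return None


def rate_outbound(to: str, body: str, awaiting_code: bool) -> str:
    """Risk of one outbound SMS. awaiting_code is True when the last message
    from 900 asked the user to send a code (the Transfer Asked / Tel Asked
    responses): a bare numeric reply in that state completes the operation."""
    if to != "900":
        return "none"
    if awaiting_code and CODE.fullmatch(body.strip()):
        return "critical"
    cmd = parse_command(body)
    return RISK[cmd["cmd"]] if cmd else "unknown"


if __name__ == "__main__":
    # Constructed sequence: balance check, transfer request, confirmation code.
    for to, body, waiting in [("900", "BALANS 1234", False),
                              ("900", "ПЕРЕВОД 1234 79031234567 5000", False),
                              ("900", "48213", True)]:
        print(to, repr(body), "->", rate_outbound(to, body, waiting))
```

Keeping the awaiting_code state requires reading the inbound side as well; the response wording in the next two slides is what sets it, and a device that sends the code within seconds of the request, with no screen interaction, is the behaviour a mobile security product should alert on.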

Slide 27: Top Sberbank Commands – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

[Bar chart, # requests per command, as listed: TEL/PLATEZ/PHONE/POPOLNI/PLATI (pay tel) 18; ZAPROS (request) 22; ПЕРЕВОД/PEREVOD/ПЕРЕВЕСТИ (transfer) 37; INFO/СПРАВКА 59; BALANCE/BALANS/БАЛАНС 4956]

Slide 28: Sberbank Responses – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

Balance
  VISA1234 Balance: <amount>

Info
  List of connected cards: VISA1234(ON);

Tel Asked
  To pay with card VISA1234 phone <company> <phone_number> the amount <amount> send the code <code> to number 900.

Tel Processed
  VISA1234 <date> <time> payment for services <amount> <operator> <phone_number> Balance: <amount>

Transfer Processed
  MAES1234: Transfer <amount> to the card recipient <name> is processed

Transfer Accepted
  VISA1234: <time> Amount <amount> from the sender <name> received. Balance: <amount>

Transfer Asked
  To transfer <amount> from card VISA1234 the card recipient <name> should send the code <code> to number 900.

Slide 29: Top Sberbank fraud responses – Tasks (TaskManager table) in Account D

Exposed Malware Parse.com Accounts

[Bar chart, # responses per type, as listed: Transfer Asked 26; Transfer Accepted 30; Transfer Processed 36; Tel Processed 75; Tel Asked 88; Info 123; Balance 607]

Slide 30: TaskManager – Commands executed by date

Exposed Malware Parse.com Accounts

[Two line charts of TaskManager commands executed per day for Account A to Account E: the first with y-axis 0 to 800 and dates not recoverable from the transcript, the second covering 13.07.2015 to 16.07.2015 with y-axis 0 to 900]

Slide 31: Unique Device IDs per table

Exposed Malware Parse.com Accounts

[Bar chart: unique device IDs in the NewTasks, SmsReceiver and TaskManager tables for Account A to Account E; the plotted values run from 5 to 8,225, but the per-account, per-table mapping is not recoverable from the transcript]

Slide 32: Responsible Disclosure

2015-08-03: Reported finding to Facebook
2015-08-05: Facebook replied with “... This issue does not qualify as a part of our bounty program ...”
2015-08-05: Facebook asked for more details
2015-08-06: We provided more details and Facebook blocked all Parse accounts
2015-08-28: Facebook offered room for collaboration

Facebook's responsible disclosure system only works with a Facebook account.

Slide 33: Conclusions

• These Android banking Trojans are actively performing financial fraud via SMS messages, targeting Eastern European countries.

• Just like legitimate developers, Android malware authors also expose cloud accounts holding sensitive (personal/financial) stolen information.

• Sensitive information stolen from victims by Android malware can be accessed by “anyone” without any authentication.

Slide 34

Siegfried Rasthofer

Secure Software Engineering Group

Email: [email protected]

Blog: http://sse-blog.ec-spride.de

Website: http://sse.ec-spride.de

Twitter: @CodeInspect

Carlos Castillo

Intel Security

Email: [email protected]

Twitter: @carlosacastillo