when the medicine is more dangerous than the disease: mobile antivirus security assessment
TRANSCRIPT
When the medicine is more dangerous than the disease:
Mobile Antivirus Security Assessment
Alexander ‘dark_k3y’ Bolshev, Ivan ‘Steph’ Yushkevich
; cat /dev/user
• Alexander ‘@dark_k3y’ Bolshev – Security Consultant @ IOActive, Ph.D., Assistant Professor @ SPb ETU.
• Ivan ‘Steph’ Yushkevich – Security Auditor @ Digital Security
Agenda
• Demo video
• Introduction: what it’s all about?
• Analysis approaches
• Results & vulnerabilities
  – Virus scanning
  – Update mechanism
  – Privacy and user data
  – Other & funny things
• Conclusions
Mobile malware…
http://thenextweb.com/insider/2013/06/26/juniper-mobile-malware-is-an-increasingly-profit-driven-business-as-92-of-all-known-threats-target-android/#gref
http://news.softpedia.com/news/Mobile-Malware-and-Malicious-Apps-Surpass-the-1-Million-Mark-387564.shtml
https://www.gdatasoftware.com/securitylabs/news/article/g-data-releases-mobile-malware-report-for-the-fourth-quarter-of-2015
http://www.wirefresh.com/the-growing-risk-of-mobile-phone-malware-explained-in-a-hefty-graphic/
And here comes the hero…
Mobile antiviruses: functionality
Free:
• Scanning for viruses
• Realtime protection?
• Ads? Sometimes
With subscription / paid functions:
• + All free features
• Antitheft
• Backups
• Optimization
• Any other function for your money
• No ads?
”Super-Free”:
• Show installed apps
• Show their permissions
• Lots of ads
• Useless
What it is all about…
• There are many researches / antivirus tests that analyze antivirus performance in virus detection, active protection, etc.
• Here we are focusing on another question: how secure are mobile antiviruses? In other words: is it SECURE/SAFE to use them?
• Or is this medicine sometimes much worse than the disease?
• Or could their help to your device be like the following:
Disclaimer: this is just a very light review of the mobile antiviruses; we’ve just pointed to very easy-to-exploit things; however, it also makes this research more scary.
Selected antiviruses
• Android, Google Play
• Subset of “more than 100,000 installs”: 38 antiviruses
Selected mobile antiviruses:
• com.antiy.avlpro
• com.avira.android
• com.psafe.msuite
• com.trustlook.antivirus
• com.nqmobile.antivirus20
• com.pandasecurity.pandaav
• com.bullguard.mobile.mobilesecurity
• com.trustgo.mobile.security
• com.estsoft.alyac
• com.iobit.mobilecare
• com.zoner.android.antivirus
• com.wsandroid.suite
• com.quickheal.platform
• com.bornaria.antivirus
• com.aegislab.sd3prj.antivirus.free
• com.cyou.security
• com.virusfighter.android
• com.gpaddy.free.antivirus
• com.sophos.appprotectionmonitor
• com.escan.main
• com.kms.free
• com.eset.ems2.gp
• com.trendmicro.tmmspersonal.emea
• com.maxtotalsecurity
• com.cleanmaster.security
• com.bitdefender.antivirus
• com.androhelm.antivirus.free
• com.mpsecurity
• com.androidantivirus
• com.qihoo.security
• com.mobandme.security.virusguard
• com.drweb
• com.lookout
• com.max.gamerantivirus
• com.avast.android.mobilesecurity
• com.secore.privacyshield
• com.symantec.mobilesecurity
• com.fsecure.ms.safe
Checklist
• Is it junk?
• How does the virus scanning work? What algorithms/approaches are used?
• Is there any native code in the application?
• How does the application update its modules and/or signature databases?
• Security of the updates/backups/configurations storage
• Privacy: what information is sent to the backend?
• What additional functionality is used?
• Other OWASP TOP 10 MOBILE
• Root detection
Attack approaches
• Vs. scanning engines:
  – DoS: APK/ZIP bombs
  – Fuzzing
• Vs. update engines:
  – MiTM and change update files?
  – Spoof executable(s) (.so, .dex, .jar, .lua, …) in updates?
  – Spoof update (slander all typical applications)
  – SQL injection
  – Fuzz signature parser?
• Vs. insecure data storage
• Vs. backend: in case of “cloud”
• Vs. additional features (may vary)
ToolZ: attacks against updates
• Mitmproxy
• Burp Suite
• Python DNS server (twisted) + SimpleHTTPServer
• Erlamsa, radamsa
• IDA Pro
• Frida
• adb
• Radare2
• jd-gui, bytecodeviewer, dex2jar, apktool
Or at least it scans for…
• Installed applications
• Runtime scan – e.g. downloaded apps
• SD card
• Unpack ZIP/JAR to see what’s inside?
…But how? Signatures? Heuristics?
Scan: the approach of >60% of antiviruses
1) Application name
2) Path
3) Type
4) Crypto signature* (50%)
* sha1/md5/own_crypto_hash(appname|app)
Scan approaches (stats)
• App names – scan only for names/paths/hash sums of installed applications
• Normal – “deep” APK inspection or even scanning of non-apk files
• Fake – no scanning engine
Scanning engine type (pie chart, values in legend order): Name/Hash/Path/etc. 55%, Normal 37%, Fake 8%
Nightmare results (stats)
Mobile Antivirus                   DoS in Java code   DoS in native code   ZIP/APK Bomb
---------------------------------  -----------------  -------------------  ------------
Kaspersky Mobile Security          -                  + (unstable)         -
F-Secure SAFE                      +                  +                    -
Dr.Web Mobile                      -                  -                    +
ESET Mobile Security & Antivirus   -                  -                    +
PSafe Antivirus                    -                  +                    -
AVL Pro Antivirus & Security       -                  -                    +
NQ Mobile Security & Antivirus     -                  +                    +
Avira Antivirus Security           -                  +                    -
CM Security AppLock AntiVirus      -                  +                    -
Zoner AntiVirus                    +                  -                    -
AMC Security - Antivirus           -                  +                    -
ALYac Android                      -                  +                    -
eScan - Mobile Antivirus           -                  +                    +
McAfee Security & PowerBooster     -                  +                    -
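The ZIP/APK bomb column above comes down to a scanner inflating whatever an archive's headers claim. The following is an added example, not code from the slides or from any of the products named, of the limits a scanning engine should enforce before and while it unpacks an archive it inspects: cheap checks on the central-directory metadata first, then chunked inflation against a running byte budget, because declared sizes can lie. The archive contents, the limit values and the ArchiveRejected type are constructed for the demo.

```python
import io
import zipfile

# Limits a scanning engine should enforce when it unpacks an APK/ZIP to look inside.
# Demo-sized values (constructed); a real engine would tune them per platform.
MAX_TOTAL_BYTES = 1 * 1024 * 1024   # hard cap on bytes we are willing to inflate in total
MAX_RATIO = 100                     # declared uncompressed/compressed ratio above which an entry is suspect
MAX_ENTRIES = 1000                  # cap on central-directory entries
CHUNK = 64 * 1024                   # read size for streaming inflation


class ArchiveRejected(Exception):
    """Raised when the archive trips one of the limits above."""


def inspect_archive(data):
    """Return {member_name: inflated_size} for an archive within limits, or raise ArchiveRejected.

    Pass 1 checks the central-directory metadata without inflating anything.
    Pass 2 inflates in chunks with a running budget, since the declared sizes can lie.
    """
    sizes = {}
    budget = MAX_TOTAL_BYTES
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            raise ArchiveRejected("too many entries: %d" % len(infos))
        declared_total = sum(i.file_size for i in infos)
        if declared_total > MAX_TOTAL_BYTES:
            raise ArchiveRejected("declared size %d exceeds cap %d" % (declared_total, MAX_TOTAL_BYTES))
        for i in infos:
            if i.compress_size and i.file_size / i.compress_size > MAX_RATIO:
                raise ArchiveRejected("suspicious compression ratio in %s" % i.filename)
        for i in infos:
            produced = 0
            with zf.open(i) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    budget -= len(chunk)
                    if budget < 0:
                        raise ArchiveRejected("inflated output exceeds cap while reading %s" % i.filename)
            sizes[i.filename] = produced
    return sizes


def scan_verdict(data):
    """Wrap inspect_archive() into the accept/reject decision a scanner would log."""
    try:
        sizes = inspect_archive(data)
    except (ArchiveRejected, zipfile.BadZipFile) as exc:
        return "rejected: %s" % exc
    return "ok: %d member(s), %d bytes inflated" % (len(sizes), sum(sizes.values()))


def make_zip(members):
    """Build a deflated ZIP in memory from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed inputs: a small APK-shaped archive, and an 8 MiB run of zeros that deflates to a few KiB.
BENIGN_APK = make_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\0" + b"x" * 2000})
ZIP_BOMB = make_zip({"classes.dex": b"\0" * (8 * 1024 * 1024)})

if __name__ == "__main__":
    print("benign:", scan_verdict(BENIGN_APK))
    print("bomb:  ", scan_verdict(ZIP_BOMB))
```

The metadata pass rejects the constructed bomb on declared size alone; the streaming pass is what protects the engine when an archive's central directory under-reports, and the same budget should be carried across nested archives rather than reset for each one.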
/dev/tcp: update connection types
Overall (inner ring): HTTP 55%, HTTPS 34%, HTTPS+HTTP 3%, Other 8%
Breakdown (outer ring):
• HTTP 26%
• HTTP + hash 8%
• HTTP + cryptosign/crypto 16%
• HTTP + other 5%
• HTTPS + HTTP 3%
• HTTPS 21%
• HTTPS + cryptosign/crypto 3%
• HTTPS + pinning 10%
• Other 8%
Updates: MiTM and change files
– Spoof executable(s) (.so, .dex, .jar, .lua, …) in updates? => RCE
– Spoof update (change signatures) => slander all legitimate applications
– SQL injection
– Attacks against ads engines?
– Fuzz signature parser?*
* task for separate/next research
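The connection-type chart and the MiTM list above hinge on one question: what can someone on the path change? The following added example (not from the slides or from any product; certificate bytes, payloads and hashes are all constructed) models the “HTTP + hash” scheme from the chart next to the pinning check from the “Best approaches” slide. It shows why a hash that arrives over the same unauthenticated channel as the file detects corruption but not substitution, while a certificate pin baked into the app at build time refuses the intercepted connection before the body is read.

```python
import hashlib
import hmac

# ---- constructed fixtures (no real certificates or update files) ----------------
VENDOR_CERT_DER = b"constructed DER bytes of the vendor's update server certificate"
MITM_CERT_DER = b"constructed DER bytes of the certificate an interceptor presents"
VENDOR_UPDATE = b"signatures-v42.db (constructed vendor payload)"
EVIL_UPDATE = b"signatures-v42.db (constructed payload swapped in on the path)"

# The pin is computed at build time from the vendor certificate and shipped inside the app.
PINNED_CERT_SHA256 = hashlib.sha256(VENDOR_CERT_DER).hexdigest()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def cert_matches_pin(peer_cert_der, pins=(PINNED_CERT_SHA256,)):
    """Compare the presented certificate against the baked-in pin(s) in constant time.

    In a real client peer_cert_der comes from ssl.SSLSocket.getpeercert(binary_form=True);
    pinning the SubjectPublicKeyInfo instead of the whole certificate survives renewals.
    """
    fingerprint = sha256_hex(peer_cert_der)
    return any(hmac.compare_digest(fingerprint, pin) for pin in pins)


# ---- two transport models: each returns (peer certificate, payload, manifest hash) ------
def vendor_channel():
    """Direct connection: vendor certificate, vendor payload, vendor-computed hash."""
    return VENDOR_CERT_DER, VENDOR_UPDATE, sha256_hex(VENDOR_UPDATE)


def mitm_channel():
    """Intercepted connection: the payload is swapped and, because the hash travels over
    the same channel, it is simply recomputed over the swapped payload."""
    return MITM_CERT_DER, EVIL_UPDATE, sha256_hex(EVIL_UPDATE)


# ---- two client policies ----------------------------------------------------------------
def accept_http_plus_hash(channel):
    """'HTTP + hash' column of the chart: trust the file if it matches the hash that came with it."""
    _cert, payload, manifest_hash = channel()
    return hmac.compare_digest(sha256_hex(payload), manifest_hash)


def accept_pinned_https(channel):
    """'HTTPS + pinning': do not even read the update body unless the peer matches the pin.
    A signature over the payload by an offline vendor key would additionally cover the case
    where the pinned server itself is compromised."""
    cert, payload, manifest_hash = channel()
    if not cert_matches_pin(cert):
        return False
    return hmac.compare_digest(sha256_hex(payload), manifest_hash)


if __name__ == "__main__":
    for policy in (accept_http_plus_hash, accept_pinned_https):
        print(policy.__name__, "vendor:", policy(vendor_channel), "mitm:", policy(mitm_channel))
```

The hash-only policy accepts both channels, which is exactly the “HTTP + hash 8%” slice of the chart offering no more than a download-corruption check; the pinned policy accepts only the vendor channel.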
RCE (intro video)
Diagram: Mobile Antivirus -> update request (https) -> mitmproxy or similar -> update request (https) -> Evil server; the update response comes back the same way.
Installs: 10,000,000 - 50,000,000
Update via Google Play? Spoofable!
Installs: 10,000,000 - 50,000,000
You could point to any app in Google Play or to a custom apk file; in the latter case it will be downloaded and the user will be asked for installation; because you control the update message, you could ask the user to enable unknown sources.
JAR in update…
Defcon Russia (DCG#7812)
JAR archive with advanced “heuristics” in update
Easy RCE
But wait, they have a “defence”!
Installs: 50,000,000 - 100,000,000
Not “so easy”!
Developers presented “new technology” in signing and hashing:
ZIP archive with password!*
(Mobile Antivirus Developer)
* Easily bruted in less than 1 minute
Fake updates == Better security
• Some nice AV
• Uses KAV engine
• Updates contain *.so files
• No signing…
• But: updates are NEVER used at all
• Download, check hash, unpack, but never use
• No update usage == no RCE, PROFIT!
Installs: 1,000,000 - 5,000,000
Lua in ads?
• Lua scripts as advertising engine
• Adverts update simultaneously with virus databases
• No signing for scripts, of course
Installs: 10,000,000 - 50,000,000
Slander all good guys!
Diagram: update result and/or signature changed in transit, ’cos HTTP/HTTPS
You got nothing but viruses! (also, AV could remove App data too!)
Installs: 100,000–500,000
Easier: SQL injection via update?
Update item:
<item><name>9dc4831488ed784afe45a4c67674ab3e5225bb785d37916d3021888f9f13b3ae</name><tip>application</tip><path>146fdabd0300280de8f25d6ee52689091e4fcca6cb8939bc8b7c84da97e28cbd</path></item>
Code part (decompiled):
public boolean hasSign(String paramString) {
    paramString = getReadableDatabase().rawQuery("SELECT id FROM ****_signatures WHERE hash='" + paramString + "'", null);
So… SELECT id FROM ***_signatures WHERE hash=123 or 1=1
And all apps become viruses! Installs: 1,000,000–5,000,000
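As an added example (not the slides' code nor any product's), the hasSign() pattern above rebuilt on Python's sqlite3 with a constructed signature table, beside the parameterised form. In the slide the looked-up value originates in update data the app does not control, so the lookup is treated here as untrusted input; the injected value is the quote-closing form of the “or 1=1” shown above. Table name, placeholder hashes and function names are constructed.

```python
import sqlite3

# Constructed signature table: two placeholder hashes standing in for known-bad apps.
KNOWN_BAD = ["0" * 64, "1" * 64]


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE av_signatures (id INTEGER PRIMARY KEY, hash TEXT NOT NULL)")
    con.executemany("INSERT INTO av_signatures (hash) VALUES (?)", [(h,) for h in KNOWN_BAD])
    return con


DB = build_db()


def has_sign_vulnerable(app_hash, con=DB):
    """Same shape as the decompiled snippet: the hash is glued into the SQL text,
    so a value containing a quote rewrites the query instead of being compared."""
    sql = "SELECT id FROM av_signatures WHERE hash='" + app_hash + "'"
    return con.execute(sql).fetchone() is not None


def has_sign_fixed(app_hash, con=DB):
    """Bound parameter: the value is data to the engine and can never change the query's structure."""
    row = con.execute("SELECT id FROM av_signatures WHERE hash=?", (app_hash,)).fetchone()
    return row is not None


def classify(has_sign, app_hashes, con=DB):
    """What the scanner would report for each looked-up hash under a given has_sign()."""
    return {h: ("virus" if has_sign(h, con) else "clean") for h in app_hashes}


BENIGN_APP = "a" * 64           # constructed hash of a legitimate app: not in the table
INJECTED = "x' OR '1'='1"       # closes the quote, as in the slide's "or 1=1"

if __name__ == "__main__":
    for name, fn in (("vulnerable", has_sign_vulnerable), ("fixed", has_sign_fixed)):
        print(name, classify(fn, [BENIGN_APP, KNOWN_BAD[0], INJECTED]))
```

With the concatenated query the injected value matches every row, so anything evaluated through it is reported as a virus; with the bound parameter the same string is just a 13-character hash that matches nothing, and only the placeholder known-bad hashes are flagged.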
Privacy and data
Data collection*:
1) Device info
2) WiFi
3) Applications list
4) IMEI/IMSI?
5) Contacts and data backed up to a remote server?!
Sometimes this is done using just HTTP?
* IMSI: 4/38, IMEI: 7/38, App. list: 4/38
…and your and friend(s) data too
• FTP BACKUPS… for better security
From Google Play comments, dialog with “support”:
[Visitor] If I reinstall application, errors will not magically disappear
[Visitor] So don't say anything like "reinstall" - this'll not help.
[Visitor] I tested it on 2 devices
[Visitor] what can you say about it?
[Andrew] Can I remotely access your PC now and get your issue resolved?
[Visitor] This is an Android application
[Visitor] And what do you mean under "I remotely access your PC now and get your issue resolved?"?
Root detection
Root detection (pie chart, values in legend order): Detect 5%, No root detection 95%
“C” -- config over HTTP
[Root]<r>noshufou,supersu,chainfire<p>free.spapa.bankfreed<p>/tegrak/bin/tegrak_service<p>spapa_su<p>bankfreed<f>/system/bin/.ext/.su<f>/system/bin/.222/.su<f>/system/xbin/.tmpsu<f>/su/lib<h>org.sbtools.gamehack
Writing exploits is very hard, let’s supply busybox and superuser to make it easier.
Installs: 10,000,000 - 50,000,000
We’ve found some memory corruptions during fuzzing in this AV
RCE on backend
When control over signatures and contacts or even RCE is not enough… FIND RCE ON SERVER!
Installs: 100,000–500,000
Best approaches*
• Use deep scan
• Use HTTPS + SSL pinning and/or cryptographic signatures during software update
• Use HTTPS + SSL pinning during any other communications
• Respect privacy
* from SECURITY perspective, we’re not talking about virus detection results
Conclusions
• This research was done in a very light way (we searched for “low-hanging” fruits), however we’ve found some serious problems.
• At least 1/3 of reviewed antiviruses use insecure update mechanisms; at least 50% of antiviruses are exposed to denial of service or even worse attacks.
• Some of modern Android antiviruses may be a real security threat to your device.*
• These threats include DoS, device DoS, slander of legal application(s), leak of private data or even RCE on your device.
• And remember that mobile AV usually require as many permissions as possible.
• So, choose your mobile antivirus carefully or find another way to improve your device security.
* No matter what rating they have and how high the install count is.