When the medicine is more dangerous than the disease: Mobile Antivirus Security Assessment

Alexander 'dark_k3y' Bolshev, Ivan 'Steph' Yushkevich

Slide transcript. Uploaded by alexander-bolshev on 14-Apr-2017 (category: Mobile).

; cat /dev/user

• Alexander '@dark_k3y' Bolshev – Security Consultant @ IOActive, Ph.D., Assistant Professor @ SPb ETU
• Ivan 'Steph' Yushkevich – Security Auditor @ Digital Security

INTRODUCTORY VIDEO: RCE in mobile antivirus via signatures/engine update

Installs: 10,000,000 - 50,000,000

Agenda

• Demo video
• Introduction: what is it all about?
• Analysis approaches
• Results & vulnerabilities
  – Virus scanning
  – Update mechanism
  – Privacy and user data
  – Other & funny things
• Conclusions

Introduction: WHAT IS IT ALL ABOUT?

Mobile malware…

And here comes the hero(es)…

Image sources:
http://thenextweb.com/insider/2013/06/26/juniper-mobile-malware-is-an-increasingly-profit-driven-business-as-92-of-all-known-threats-target-android/#gref
http://news.softpedia.com/news/Mobile-Malware-and-Malicious-Apps-Surpass-the-1-Million-Mark-387564.shtml
https://www.gdatasoftware.com/securitylabs/news/article/g-data-releases-mobile-malware-report-for-the-fourth-quarter-of-2015
http://www.wirefresh.com/the-growing-risk-of-mobile-phone-malware-explained-in-a-hefty-graphic/

Google Play:
• Total of 100+ antiviruses
• More than 10 billion installs

Mobile antiviruses: functionality

Free:
• Scanning for viruses
• Real-time protection?
• Ads? Sometimes

With subscription / paid functions:
• + All free features
• Anti-theft
• Backups
• Optimization
• Any other function for your money
• No ads?

"Super-Free":
• Show installed apps
• Show their permissions
• Lots of ads
• Useless

What is it all about…

• There are many studies and antivirus tests that analyze antivirus performance in virus detection, active protection, etc.
• Here we focus on a different question: how secure are mobile antiviruses? In other words: is it SECURE/SAFE to use them?
• Or is this medicine sometimes much worse than the disease? Or could their "help" to your device look like the following (image)?

Disclaimer: this is just a very light review of the mobile antiviruses; we have only pointed to very easy-to-exploit things; however, that also makes this research scarier.

Selected antiviruses

• Android, Google Play
• Subset of "more than 100,000 installs": 38 antiviruses

Selected mobile antiviruses (package names):
com.antiy.avlpro
com.avira.android
com.psafe.msuite
com.trustlook.antivirus
com.nqmobile.antivirus20
com.pandasecurity.pandaav
com.bullguard.mobile.mobilesecurity
com.trustgo.mobile.security
com.estsoft.alyac
com.iobit.mobilecare
com.zoner.android.antivirus
com.wsandroid.suite
com.quickheal.platform
com.bornaria.antivirus
com.aegislab.sd3prj.antivirus.free
com.cyou.security
com.virusfighter.android
com.gpaddy.free.antivirus
com.sophos.appprotectionmonitor
com.escan.main
com.kms.free
com.eset.ems2.gp
com.trendmicro.tmmspersonal.emea
com.maxtotalsecurity
com.cleanmaster.security
com.bitdefender.antivirus
com.androhelm.antivirus.free
com.mpsecurity
com.androidantivirus
com.qihoo.security
com.mobandme.security.virusguard
com.drweb
com.lookout
com.max.gamerantivirus
com.avast.android.mobilesecurity
com.secore.privacyshield
com.symantec.mobilesecurity
com.fsecure.ms.safe

ANALYSIS

Checklist

• Is it junk?
• How does the virus scanning work? What algorithms/approaches are used?
• Is there any native code in the application?
• How does the application update its modules and/or signature databases?
• Security of the updates/backups/configuration storage
• Privacy: what information is sent to the backend?
• What additional functionality is used?
• Other OWASP Mobile Top 10 items
• Root detection

Attack approaches

• Vs. scanning engines:
  – DoS: APK/ZIP bombs
  – Fuzzing
• Vs. update engines:
  – MiTM and change update files?
  – Spoof executable(s) (.so, .dex, .jar, .lua, …) in updates?
  – Spoof update (slander all typical applications)
  – SQL injection
  – Fuzz signature parser?
• Vs. insecure data storage
• Vs. backend: in case of "cloud"
• Vs. additional features (may vary)

Fuzzing

Making nightmares (diagram): erlamsa / radamsa → fuzzed APK; fuzzed files inside the APK

ToolZ: attacks against updates

• mitmproxy
• Burp Suite
• Python DNS server (twisted) + SimpleHTTPServer
• erlamsa, radamsa
• IDA Pro
• Frida
• adb
• Radare2
• jd-gui, Bytecode Viewer, dex2jar, apktool

But… sorry, responsible disclosure.

VIRUS SCANNING

Sometimes the app is just /dev/junk

(Screenshot: "Updates", "Real-time protection", "Anti-theft", ads – Stone Fake AV)

Or at least it scans for…

• Installed applications
• Runtime scan – e.g. downloaded apps
• SD card
• Unpack ZIP/JAR to see what's inside?

…But how? Signatures? Heuristics?

Scan: the approach of >60% of antiviruses

1) Application name
2) Path
3) Type
4) Crypto signature* (50%)

* sha1/md5/own_crypto_hash(appname|app)

Scan: app name, hash, path (screenshots)

"Virus detected!" Seems legit… Ultimate bypass.

Scan approaches (stats)

Scanning engine type:
  Name/Hash/Path/etc.  55%  – scan only names/paths/hash sums of installed applications
  Normal               37%  – "deep" APK inspection or even scanning of non-APK files
  Fake                  8%  – no scanning engine
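Why the name/path/hash approach is an "ultimate bypass" for the attacker is easiest to see in code. The following is an added example, not code from the talk: an APK is just a ZIP, so it builds two tiny in-memory "APKs", runs them through a scanner that only knows package names and whole-file SHA-1 sums (the 55% slice above), and compares that with a scanner that unpacks the archive and matches a byte pattern inside classes.dex (the "deep" 37%). The package names, the "Dropper.A" signature and the payload bytes are all constructed for the example.

```python
"""Name/hash "scanning" vs. content inspection (constructed example)."""
import hashlib
import io
import zipfile

# Constructed stand-in for a malicious classes.dex: any distinctive byte
# sequence that a content-based signature can match on.
EVIL_DEX = b"dex\n035\x00" + b"\x00" * 32 + b"Lcom/evil/Dropper;" + b"\x00" * 16

# Content-based signature database (hypothetical name -> byte pattern).
CONTENT_SIGNATURES = {"Dropper.A": b"Lcom/evil/Dropper;"}


def build_apk(files):
    """Build a minimal APK-like ZIP in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# The "known bad" database the way most reviewed AVs keep it:
# package names plus SHA-1 of the whole APK file.
ORIGINAL_APK = build_apk({"AndroidManifest.xml": b"<manifest package='com.evil.app'/>",
                          "classes.dex": EVIL_DEX})
NAIVE_DB = {"names": {"com.evil.app"}, "sha1": {sha1_hex(ORIGINAL_APK)}}


def naive_scan(apk_bytes, package_name, db=NAIVE_DB):
    """Name/hash scanner: flags only an exact package name or exact file hash."""
    return package_name in db["names"] or sha1_hex(apk_bytes) in db["sha1"]


def deep_scan(apk_bytes, signatures=CONTENT_SIGNATURES):
    """Content scanner: unpack the archive and match byte patterns in each entry.
    Returns a list of (entry name, signature name) hits."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for sig_name, pattern in signatures.items():
                if pattern in data:
                    hits.append((info.filename, sig_name))
    return hits


def repack(apk_bytes, new_package, junk=b"x"):
    """Attacker side: rename the package and add one junk entry. The payload
    (classes.dex) is untouched, but every whole-file hash now differs."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        files = {i.filename: zf.read(i) for i in zf.infolist()}
    files["AndroidManifest.xml"] = f"<manifest package='{new_package}'/>".encode()
    files["assets/junk.bin"] = junk
    return build_apk(files)


if __name__ == "__main__":
    evil2 = repack(ORIGINAL_APK, "com.totally.legit")
    print("original, naive scan:", naive_scan(ORIGINAL_APK, "com.evil.app"))
    print("repacked, naive scan:", naive_scan(evil2, "com.totally.legit"))
    print("repacked, deep scan :", deep_scan(evil2))
```

The repack step is all an attacker needs against the name/hash scanners: one extra file and a new package name, with the malicious code unchanged. Only the scanner that actually looks inside the archive still fires.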

DEMO: ZIP/APK BOMB – complete device lock!

Installs: 50,000,000 – 100,000,000

Nightmares results (screens)

Nightmares results (stats)

Mobile Antivirus                  | DoS in Java code | DoS in native code | ZIP/APK bomb
Kaspersky Mobile Security         | -                | + (unstable)       | -
F-Secure SAFE                     | +                | +                  | -
Dr.Web Mobile                     | -                | -                  | +
ESET Mobile Security & Antivirus  | -                | -                  | +
PSafe Antivirus                   | -                | +                  | -
AVL Pro Antivirus & Security      | -                | -                  | +
NQ Mobile Security & Antivirus    | -                | +                  | +
Avira Antivirus Security          | -                | +                  | -
CM Security AppLock AntiVirus     | -                | +                  | -
Zoner AntiVirus                   | +                | -                  | -
AMC Security - Antivirus          | -                | +                  | -
ALYac Android                     | -                | +                  | -
eScan - Mobile Antivirus          | -                | +                  | +
McAfee Security & Power Booster   | -                | +                  | -
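The ZIP/APK bomb column above is the classic decompression-bomb problem: a scanner that unpacks archives to look inside them must bound what it inflates, or a few kilobytes of DEFLATE take the device down. The following is an added example, not code from the talk: it builds a small nested bomb, shows a naive unpacker inflating all of it, and a bounded unpacker that caps nesting depth and compression ratio and streams each entry against a byte budget instead of trusting the sizes declared in the central directory. The limit values are illustrative.

```python
"""Decompression bombs vs. a bounded unpacker (constructed example)."""
import io
import zipfile


class BombDetected(Exception):
    pass


def zip_of(files):
    """Build a ZIP in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_bomb(inner_mb=4, depth=3):
    """Constructed bomb: inner_mb MB of zeros (a few KB after DEFLATE),
    wrapped depth-1 more times so a recursive scanner keeps inflating."""
    layer = zip_of({"payload.bin": b"\x00" * (inner_mb * 1024 * 1024)})
    for i in range(depth - 1):
        layer = zip_of({f"inner{i}.zip": layer})
    return layer


def naive_inflate(data):
    """What a careless scanner does: inflate every entry fully and recurse
    into nested archives with no limits. Returns the bytes inflated (in a real
    scanner this is where memory and CPU disappear)."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            total += len(content)
            if zipfile.is_zipfile(io.BytesIO(content)):
                total += naive_inflate(content)
    return total


def bounded_inflate(data, max_total=16 * 1024 * 1024, max_depth=2,
                    max_ratio=100, chunk=64 * 1024, _depth=0, _budget=None):
    """Bounded unpacker. Declared sizes are checked first because that is
    cheap, but they are attacker-controlled, so every entry is also streamed
    in chunks against a shared byte budget; nesting depth and per-entry
    compression ratio (a tunable heuristic) are capped as well.
    Returns bytes actually inflated or raises BombDetected."""
    budget = [max_total] if _budget is None else _budget
    if _depth > max_depth:
        raise BombDetected("archive nesting deeper than %d" % max_depth)
    inflated = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        declared = sum(i.file_size for i in zf.infolist())
        if declared > budget[0]:
            raise BombDetected("declared size %d exceeds remaining budget %d" % (declared, budget[0]))
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise BombDetected("%s: compression ratio %.0f:1" % (info.filename, info.file_size / info.compress_size))
            pieces = []
            with zf.open(info) as fh:
                while True:
                    block = fh.read(chunk)
                    if not block:
                        break
                    budget[0] -= len(block)
                    inflated += len(block)
                    if budget[0] < 0:
                        raise BombDetected("%s: inflated past %d bytes" % (info.filename, max_total))
                    pieces.append(block)
            content = b"".join(pieces)
            if zipfile.is_zipfile(io.BytesIO(content)):
                inflated += bounded_inflate(content, max_total, max_depth, max_ratio,
                                            chunk, _depth + 1, budget)
    return inflated


if __name__ == "__main__":
    bomb = make_bomb()
    print("bomb on the wire:", len(bomb), "bytes; naive scanner inflates", naive_inflate(bomb))
    try:
        bounded_inflate(bomb)
    except BombDetected as exc:
        print("bounded scanner rejected it:", exc)
```

The budget is shared across recursion on purpose: nested archives must not each get a fresh allowance, otherwise depth alone multiplies the damage.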

SIGNATURES / ENGINE UPDATES

/dev/tcp: update connection types

Coarse: HTTP 55% | HTTPS 34% | HTTPS+HTTP 3% | Other 8%

Detailed:
  HTTP                        26%
  HTTP + hash                  8%
  HTTP + cryptosign/crypto    16%
  HTTP + other                 5%
  HTTPS + HTTP                 3%
  HTTPS                       21%
  HTTPS + cryptosign/crypto    3%
  HTTPS + pinning             10%
  Other                        8%

We're using SSL… pinning? Eh... Maybe...

Updates: MiTM and change files

– Spoof executable(s) (.so, .dex, .jar, .lua, …) in updates? => RCE
– Spoof update (change signatures) => slander all legitimate applications
– SQL injection
– Attacks against ads engines?
– Fuzz signature parser?*

* task for separate/next research

RCE (intro video)

(Diagram) Mobile Antivirus --update request (https)--> mitmproxy or similar --update request (https)--> Evil server; Evil server --update response--> Mobile Antivirus

Installs: 10,000,000 - 50,000,000
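The attack in the diagram works against every scheme in the "HTTP", "HTTP + hash" and unpinned "HTTPS" slices of the chart above: whoever sits on the path replaces the blob and recomputes any hash that travels with it. The added example below (not the authors' code) models vendor, MITM and client as functions and shows why a hash fetched over the same channel proves nothing, while a signature checked against a key pinned in the APK does. The signature scheme is a toy textbook RSA over SHA-256 written out so the example runs offline with no third-party library; a real client would use Ed25519 or RSA-PSS from a vetted library, with exactly the same control flow. The payload bytes and metadata format are constructed.

```python
"""'HTTP + hash' vs. pinned-signature update verification (constructed example)."""
import hashlib
import json
import secrets

# ---- toy RSA: no padding, example only, NOT production crypto ----

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, e):
    """Random prime of the given size with gcd(p-1, e) == 1."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e and _is_probable_prime(p):
            return p


def generate_keypair(bits=1024, e=65537):
    """Returns (public, private) as ((n, e), (n, d))."""
    p, q = _random_prime(bits // 2, e), _random_prime(bits // 2, e)
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def sign(private, data):
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# ---- the update exchange, vendor / attacker / client ----

def server_publish(private, payload):
    """Vendor side: ship the engine blob plus metadata carrying both a plain
    hash (what the 'HTTP + hash' AVs check) and a signature over the blob."""
    meta = {"sha256": hashlib.sha256(payload).hexdigest(), "sig": sign(private, payload)}
    return payload, json.dumps(meta)


def mitm(payload, meta_json, evil_payload):
    """Attacker on the path (plain HTTP or unpinned HTTPS): swap the blob and
    recompute the hash. The signature cannot be recomputed without the
    private key, so it is left as it was."""
    meta = json.loads(meta_json)
    meta["sha256"] = hashlib.sha256(evil_payload).hexdigest()
    return evil_payload, json.dumps(meta)


def client_accept_hash_only(payload, meta_json):
    """Weak check: compare the blob with a hash that arrived over the same channel."""
    return hashlib.sha256(payload).hexdigest() == json.loads(meta_json)["sha256"]


def client_accept_signed(payload, meta_json, pinned_public):
    """Correct check: verify the signature against a key baked into the app.
    A missing or malformed signature is a failure, never a pass."""
    sig = json.loads(meta_json).get("sig")
    if not isinstance(sig, int):
        return False
    return verify(pinned_public, payload, sig)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    blob, meta = server_publish(priv, b"engine v2 (constructed)")
    evil_blob, evil_meta = mitm(blob, meta, b"engine v2 + reverse shell (constructed)")
    print("tampered, hash-only check :", client_accept_hash_only(evil_blob, evil_meta))
    print("tampered, signature check :", client_accept_signed(evil_blob, evil_meta, pub))
```

Note what the signature does not fix: it binds the blob to the vendor key but says nothing about freshness, so a replay of an older, vulnerable engine still verifies unless the signed metadata also carries a version the client refuses to downgrade past.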

Update via Google Play? Spoofable!

Installs: 10,000,000 - 50,000,000

You can point the update to any app in Google Play or to a custom APK file; in the latter case it will be downloaded and the user will be asked to install it; because you control the update message, you can also ask the user to enable "unknown sources".

JAR in update…

Defcon Russia (DCG#7812)

JAR archive with advanced "heuristics" in update => easy RCE

But wait, they have a "defence"!

Installs: 50,000,000 - 100,000,000

Not "so easy"!

Developers presented "new technology" in signing and hashing: a ZIP archive with a password!*

* Easily brute-forced in less than 1 minute

Fake updates == better security

• Some nice AV
• Uses the KAV engine
• Updates contain *.so files
• No signing…
• But: the updates are NEVER used at all
• Download, check hash, unpack, but never use
• No update usage == no RCE, PROFIT!

Installs: 1,000,000 - 5,000,000

Lua in ads?

• Lua scripts as the advertising engine
• Advert updates are delivered simultaneously with virus databases
• No signing for the scripts, of course

Installs: 10,000,000 - 50,000,000

Slander all good guys!

Result and/or signature changed ('cos HTTP/HTTPS)

You got nothing but viruses! (also, the AV could remove app data too!)

Installs: 100,000 – 500,000

DEMO VIDEO: Slander all good applications!

Installs: 1,000,000 – 5,000,000

Easier: SQL injection via update?

Update item format:
  <item><name>9dc4831488ed784afe45a4c67674ab3e5225bb785d37916d3021888f9f13b3ae</name><tip>application</tip><path>146fdabd0300280de8f25d6ee52689091e4fcca6cb8939bc8b7c84da97e28cbd</path></item>

Code part (decompiled):
  public boolean hasSign(String paramString) {
      paramString = getReadableDatabase().rawQuery("SELECT id FROM ****_signatures WHERE hash='" + paramString + "'", null);

So… SELECT id FROM ***_signatures WHERE hash=123 or 1=1

And all apps become viruses!

Installs: 1,000,000 – 5,000,000
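The decompiled fragment above is an ordinary string-concatenation SQL injection. Rebuilt here in Python with sqlite3 as an added example (not the vendor's code; the table name is a placeholder because the slide masks the real one): the signature feed is ingested with bound parameters, and the lookup is shown both as the decompiled code builds it and with a bound parameter plus input validation. Because the original wraps the value in single quotes, a tautology payload has to close them first, so the example uses 123' OR '1'='1 rather than the slide's shorthand 123or1=1. The slide does not show how an injected string reaches hasSign; the example covers only the query defect and its fix. The second feed item is constructed.

```python
"""Signature lookup: concatenated SQL vs. bound parameters (constructed example)."""
import re
import sqlite3
import xml.etree.ElementTree as ET

# Signature feed in the shape shown on the slide; the first item is the
# slide's, the second is constructed. In the product this arrives from the
# update server.
UPDATE_FEED = b"""<signatures>
<item><name>9dc4831488ed784afe45a4c67674ab3e5225bb785d37916d3021888f9f13b3ae</name><tip>application</tip><path>146fdabd0300280de8f25d6ee52689091e4fcca6cb8939bc8b7c84da97e28cbd</path></item>
<item><name>0000000000000000000000000000000000000000000000000000000000000001</name><tip>application</tip><path>0000000000000000000000000000000000000000000000000000000000000002</path></item>
</signatures>"""

HEX_SHA256 = re.compile(r"\A[0-9a-f]{64}\Z")

# Payload in the spirit of the slide's "hash=123 or 1=1". The original query
# quotes the value, so the payload closes the quote and reopens it:
#   SELECT id FROM av_signatures WHERE hash='123' OR '1'='1'
TAUTOLOGY = "123' OR '1'='1"


def load_db(feed=UPDATE_FEED):
    """Ingest the feed into an in-memory table using bound parameters
    (av_signatures is a placeholder for the masked table name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE av_signatures (id INTEGER PRIMARY KEY, "
                 "hash TEXT NOT NULL, tip TEXT, path TEXT)")
    rows = [(item.findtext("name"), item.findtext("tip"), item.findtext("path"))
            for item in ET.fromstring(feed).iter("item")]
    conn.executemany("INSERT INTO av_signatures (hash, tip, path) VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def has_sign_vulnerable(conn, app_hash):
    """Mirrors the decompiled code: the value is spliced into the SQL text,
    so whatever it contains is executed as SQL."""
    cur = conn.execute("SELECT id FROM av_signatures WHERE hash='" + app_hash + "'")
    return cur.fetchone() is not None


def has_sign_fixed(conn, app_hash):
    """Same lookup with a bound parameter; the value can never become SQL.
    The format check is defence in depth: a hash is 64 hex characters or it
    is not a hash, and a malformed value is simply 'not a known signature'."""
    if not HEX_SHA256.match(app_hash):
        return False
    cur = conn.execute("SELECT id FROM av_signatures WHERE hash=?", (app_hash,))
    return cur.fetchone() is not None


if __name__ == "__main__":
    db = load_db()
    print("tautology, vulnerable:", has_sign_vulnerable(db, TAUTOLOGY))
    print("tautology, fixed     :", has_sign_fixed(db, TAUTOLOGY))
```

With the vulnerable version a single tautology makes the lookup succeed for every application the AV examines, which is exactly the "all apps become viruses" outcome on the slide; with the bound parameter the same string is compared as a literal and matches nothing.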

PRIVACY && DATA

Privacy and data

Data collection*:
1) Device info
2) Wi-Fi
3) Applications list
4) IMEI/IMSI?
5) Contacts and data backed up to a remote server?!

Sometimes this is done using just HTTP?

* IMSI: 4/38, IMEI: 7/38, app list: 4/38

Data? Yep, we got one…

SD card backup for better access. What if you lost your phone?

…and your and your friend(s)' data too

• FTP BACKUPS… for better security

From Google Play comments, dialog with "support":
[Visitor] If I reinstall application, errors will not magically disappear
[Visitor] So don't say anything like "reinstall" - this'll not help.
[Visitor] I tested it on 2 devices
[Visitor] what can you say about it?
[Andrew] Can I remotely access your PC now and get your issue resolved?
[Visitor] This is an Android application
[Visitor] And what do you mean under "I remotely access your PC now and get your issue resolved?"?

OTHER && FUNNY THINGS

Root detection (stats): Detect 5% | No root detection 95%

"C" -- config over HTTP

[Root]<r>noshufou,supersu,chainfire<p>free.spapa.bankfreed<p>/tegrak/bin/tegrak_service<p>spapa_su<p>bankfreed<f>/system/bin/.ext/.su<f>/system/bin/.222/.su<f>/system/xbin/.tmpsu<f>/su/lib<h>org.sbtools.gamehack

Writing exploits is very hard, let's supply busybox and superuser to make it easier.

Installs: 10,000,000 - 50,000,000

We found some memory corruptions during fuzzing in this AV.

RCE on backend

When control over signatures and contacts or even RCE is not enough… FIND RCE ON THE SERVER!

Installs: 100,000 – 500,000

CONCLUSIONS

Best approaches*

• Use deep scan
• Use HTTPS + SSL pinning and/or cryptographic signatures for software updates
• Use HTTPS + SSL pinning for all other communications
• Respect privacy

* from the SECURITY perspective; we are not talking about virus detection results

Conclusions

• This research was done in a very light way (we searched for "low-hanging" fruit), yet we found some serious problems.
• At least 1/3 of the reviewed antiviruses use insecure update mechanisms; at least 50% of the antiviruses are exposed to denial of service or even worse attacks.
• Some modern Android antiviruses may be a real security threat to your device.*
• These threats include DoS, device DoS, slander of legitimate application(s), leakage of private data, or even RCE on your device.
• And remember that mobile AVs usually require as many permissions as possible.
• So, choose your mobile antivirus carefully, or find another way to improve your device's security.

* No matter what rating they have or how high the install count is.

Questions?