SlideShare a Scribd company logo

Android_Malware_IOAsis_2014_Analysis.pdf

J
jjb117343

The document discusses the importance of custom Android malware in penetration testing, targeting individuals who aim to assess security defenses thoroughly. It delves into the Android architecture, the nature of malware, and outlines potential pentesting scenarios related to mobile devices. The document emphasizes the need for explicit security models and validation to identify and combat malicious applications effectively.

Mobile
1 of 38
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Android Malware for Pen-testing IOAsis San Fransicso 2014
Dr. Who? Robert Erbes Senior Security Consultant (not a doctor)
Target Audience • The Malicious Defender ™ – i.e., Someone who believes that the best way to evaluate the effectiveness of a security defense is to TEST it. And test it again. And test it again. And test it again…
Why Custom Android Malware? • (See Previous Slide) TEST TEST TEST • One doesn’t just trivially trust ITW Malware – (at least not in polite societies) • To develop scenarios that match what you actually care about – BYOD – Internal App Store – Prove to management that installing XYZ really isn’t a good idea – Validating Security Product does what it’s supposed to…
The Playground
Architecture Overview GO! • Android is an open source (mostly) operating system that runs on small devices. It is built on top of a slightly modified version of Linux • Runs apps within a VM called Dalvik, which is similar to the Java VM, but optimized for speed. • (stack layout on next slide…)
Android Layer Cake Java SDK / NDK Linux / Binary Blobs Bionic (not glibc)
Android SDK • Framework for developing applications: – Like the .NET Framework • Lots of example patterns you can use • APIs you can call to access key features of Android
Android NDK • The Android Native Development Kit (NDK) is a toolset that allows you to implement parts of your app using native-code languages such as C and C++ • If you write native code, your applications are still packaged into an .apk file and they still run inside of a virtual machine on the device. • Native code is no different from code running under the Dalvik VM. All security in Android is enforced at the kernel level through processes and UIDs
NDK Madness <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> #include <string.h> #include <jni.h> #include <stdio.h> jstring Java_com_example_hellojni_HelloJni_stringFromJNI( JNIEnv* env, jobject thiz ) { FILE* file = fopen("/sdcard/hello.txt","w+"); if (file != NULL) { fputs("HELLO CRAZY NAME!n", file); fflush(file); fclose(file); } return (*env)->NewStringUTF(env, "Hello from JNI (with file io)!"); } int sockfd = socket(AF_INET, SOCK_STREAM, 0); <uses-permission android:name="android.permission.INTERNET" />
Dalvik VM • Register-based machine which executes Dalvik bytecode instructions. – Which are generated from Java class files • Different from a JVM, hence its bytecode is different from Java bytecode. • As of Android 2.2 has a JIT Compiler
The Kernel • Linux - Underlying OS that runs the Dalvik VM • Very lightly modified version of Linux kernel • 4.0  3.4 Kernel • Pre 4.0  2.6.x Kernel • But user space wholly unlike that of any other linux system. • File IO. File System tweaks (/system, /data, etc) • Process Management • Drivers (can be binary blobs) for: • Display • Camera, Audio, Video • Keypad • WiFi and Carrier • Inter-process Communication
Building an App 1. Android programmers write android apps in Java. Native apps can be included and written in native languages (e.g. C++) and are compiled for the native architecture (ARM/MIPS, etc.) 2. Then IDEs like eclipse use the JDK to generate .class files which are then translated to .dex files (Dalvik executable). The Android Asset Packaging Tool (AAPT) is then use to build the APK 3. The Dalvik virtual machine in Android can then run these Dalvik executables by translating them to native instructions.
Building “Not an App” • Device drivers appears to be exactly the same as in Linux – Only on ARM/MIPS whatever • Assets (mentioned earlier) can be anything. This makes them REAL easy to build. 
APK Contents
And We’re Done. • (not really) • We now have – An idea about the pieces involved – A very basic guide about writing software • What about malware?
Well, What is Malware? • “You know it when you see it” – 1964 Jacob Elllis V.S. Ohio • Anything that breaks the android security model • Deceptive/hide true intent – bad for user / good for attacker e.g. surveillance, collecting passwords, etc. • Applications that are detrimental to the user running the device. • Harms a user – Financial – Privacy – Personal information – location (surveillance) , – Stealing resources – cracking, botnets – processing power • Example: not-compatible.
More generically • Malware is any piece of software/script/hardware that you don’t want on your Android device, for any reason.
In The Wilde
Categorical Malware Android Premium Service Abusers Android Adware Android Data Stealers Targeted Spyware Malicious Android Downloaders Source: https://www.lookout.com/
https://www.lookout.com/resources/top-threats
Droid Dream Infection Vector  DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware (more than 50 apps on the Android App Store were found to contain Droid Dream) Entry Point  Requires user to launch application. Post-Launch malware will start a service then launch the host application’s primary activity Elevated Privileges  1) “exploid” to attempt to exploit a vulnerability in udev event handling in Android’s init. If “exploid” fails… 2) “rageagainstthecage”, leveraging a vulnerability in adbd’s attempt to drop its privileges. Payload  Sends device information to C&C e.g. IMEI, IMSI and device model and SDK version, Checks if already infected, by checking package com.android.providers.downloadsmanager is installed. If this package is not found it will install the second payload, which is bundled as sqlite.db. This part of the malware will be copied to the /system/app/ directory, installing itself as DownloadProviderManager.apk. Copying the file using this method, to this directory will silently install the APK file, and not prompt user to grant permissions as in a standard app installation process.
Droid Dream (phase 2) Entry Point  triggered by Intents it listens for on the device. receiver for BOOT_COMPLETED and PHONE_STATE intents single service: Payload  DownloadManageService controls a timer-scheduled task Gather information and send to C&C and install: • ProductID – Specific to the DroidDream variant • Partner – Specific to the DroidDream variant • IMSI • IMEI • Model & SDK value • Language • Country • UserID – Though this does not appear to be fully implemented Zombie agent that can install any payload silently and execute code with root privileges at will.
Pentest Scenario
BYOD • Malicious behavior to test: – Tracking Network Surface • WiFi / bluetooth sniffing / profiling – Tracking Physical Location • GPS Coordinates, accelerometers, altimeters, etc – On the Network • (GSM -> WiFi -> “Secure” network) – USB • Egress filtering policies – Visual/Audio snooping…
Android_Malware_IOAsis_2014_Analysis.pdf
Other Means of Being Evil • Bypassing Detection – Arbitrary Code “injection” • Known Vulnerable Libs • Custom Vulnerable Libs • Malicious updating mechanism – Data Exfiltration • Angry Birds(?!)
Delivery Mechanism • Existing Device under our Control • Complete customization: – Inject/replace device driver – Vulnerable Library + Later exploitation – Malicious Update • Existing Application – Decompilation + insertion
Launch Mechanisms Unlike other programming paradigms in which apps are launched with a main() method, the Android system initiates code in an Activity instance by invoking specific callback methods that correspond to specific stages of its lifecycle.
Launch via Broadcast • A broadcast receiver is an Android component which allows you to register for system or application events. All registered receivers for an event will be notified by the Android runtime once this event happens. • For example applications can register for the ACTION_BOOT_COMPLETED system event which is fired once the Android system has completed the boot process. • A receiver can be registered via the AndroidManifest.xml file. • Alternatively to this static registration, you can also register a broadcast receiver dynamically via theContext.registerReceiver() method. • The Broadcast receiver can then start a service to perform any number of actions.
Android_Malware_IOAsis_2014_Analysis.pdf
Some Example Broadcast Intents
But… • With so many options, wouldn’t it be nice to automate the generation of malicious apps? • Why yes. Yes it would. • (And we did)
So… • Customized malware is King. • What can you do?
Security Models Should be Explicit • As policy, your org allows X and Y. But NO Z. • If something breaks the model, it’s Malware.
Deception Is Bad • Within your model: – If an application does X when it says Y… • It’s malware.
The Paranoid Validate • Everything. • Test. And Test. And Test… http://www.flickr.com/photos/adactio/4012169563/
Done (really!) Questions? robert.erbes@ioactive.com Pub Key Fingerprint: 1ABA 463E D3ED B8B5 5935 7E07 55A8 049C 46CB 2398

More Related Content

PDF
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
PDF
Hacking your Android (slides)
Justin Hoang
 
PDF
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
PPTX
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
PDF
Hacking your Droid (Aditya Gupta)
ClubHack
 
PDF
CNIT 128 6. Analyzing Android Applications (Part 1)
Sam Bowne
 
PDF
A case study of malware detection and removal in android apps
ijmnct
 
PDF
Stealing sensitive data from android phones the hacker way
n|u - The Open Security Community
 
Building Custom Android Malware BruCON 2013
Stephan Chenette
 
Hacking your Android (slides)
Justin Hoang
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Hacker Halted 2014 - Reverse Engineering the Android OS
EC-Council
 
Hacking your Droid (Aditya Gupta)
ClubHack
 
CNIT 128 6. Analyzing Android Applications (Part 1)
Sam Bowne
 
A case study of malware detection and removal in android apps
ijmnct
 
Stealing sensitive data from android phones the hacker way
n|u - The Open Security Community
 

Similar to Android_Malware_IOAsis_2014_Analysis.pdf (20)

PDF
ToorCon 14 : Malandroid : The Crux of Android Infections
Aditya K Sood
 
PDF
Android malware presentation
Sandeep Joshi
 
PDF
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
PPTX
I haz you and pwn your maal
Harsimran Walia
 
PDF
Unit 1 Kali Nethunter Android: OS, Debub Bridge
ChatanBawankar
 
PPTX
Android sandbox
Anusha Chavan
 
PDF
I haz you and pwn your maal
c0c0n - International Cyber Security and Policing Conference
 
PDF
CNIT 128 Ch 4: Android
Sam Bowne
 
PPTX
Android security
Hassan Abutair
 
PDF
Reading Group Presentation: Why Eve and Mallory Love Android
Michael Rushanan
 
PPTX
128-ch4.pptx
SankalpKabra
 
PDF
Android Attacks
Michael Scovetta
 
PPT
ethical hacking-mobile hacking methods.ppt
Jayaprasanna4
 
PPTX
Android village @nullcon 2012
hakersinfo
 
PPTX
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
PPTX
Mobile platform security models
Prachi Gulihar
 
PDF
I haz you and pwn your maal whitepaper
Harsimran Walia
 
PDF
Android Internals
Opersys inc.
 
PDF
Unit Kali NetHunter is the official Kali Linux penetration testing platform f...
ChatanBawankar
 
PPTX
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
ToorCon 14 : Malandroid : The Crux of Android Infections
Aditya K Sood
 
Android malware presentation
Sandeep Joshi
 
Andriod Pentesting and Malware Analysis
n|u - The Open Security Community
 
I haz you and pwn your maal
Harsimran Walia
 
Unit 1 Kali Nethunter Android: OS, Debub Bridge
ChatanBawankar
 
Android sandbox
Anusha Chavan
 
I haz you and pwn your maal
c0c0n - International Cyber Security and Policing Conference
 
CNIT 128 Ch 4: Android
Sam Bowne
 
Android security
Hassan Abutair
 
Reading Group Presentation: Why Eve and Mallory Love Android
Michael Rushanan
 
128-ch4.pptx
SankalpKabra
 
Android Attacks
Michael Scovetta
 
ethical hacking-mobile hacking methods.ppt
Jayaprasanna4
 
Android village @nullcon 2012
hakersinfo
 
Advanced malware analysis training session8 introduction to android
Cysinfo Cyber Security Community
 
Mobile platform security models
Prachi Gulihar
 
I haz you and pwn your maal whitepaper
Harsimran Walia
 
Android Internals
Opersys inc.
 
Unit Kali NetHunter is the official Kali Linux penetration testing platform f...
ChatanBawankar
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
securityxploded
 
Ad

Android_Malware_IOAsis_2014_Analysis.pdf

  • 1. Android Malware for Pen-testing IOAsis San Fransicso 2014
  • 2. Dr. Who? Robert Erbes Senior Security Consultant (not a doctor)
  • 3. Target Audience • The Malicious Defender ™ – i.e., Someone who believes that the best way to evaluate the effectiveness of a security defense is to TEST it. And test it again. And test it again. And test it again…
  • 4. Why Custom Android Malware? • (See Previous Slide) TEST TEST TEST • One doesn’t just trivially trust ITW Malware – (at least not in polite societies) • To develop scenarios that match what you actually care about – BYOD – Internal App Store – Prove to management that installing XYZ really isn’t a good idea – Validating Security Product does what it’s supposed to…
  • 6. Architecture Overview GO! • Android is an open source (mostly) operating system that runs on small devices. It is built on top of a slightly modified version of Linux • Runs apps within a VM called Dalvik, which is similar to the Java VM, but optimized for speed. • (stack layout on next slide…)
  • 7. Android Layer Cake Java SDK / NDK Linux / Binary Blobs Bionic (not glibc)
  • 8. Android SDK • Framework for developing applications: – Like the .NET Framework • Lots of example patterns you can use • APIs you can call to access key features of Android
  • 9. Android NDK • The Android Native Development Kit (NDK) is a toolset that allows you to implement parts of your app using native-code languages such as C and C++ • If you write native code, your applications are still packaged into an .apk file and they still run inside of a virtual machine on the device. • Native code is no different from code running under the Dalvik VM. All security in Android is enforced at the kernel level through processes and UIDs
  • 10. NDK Madness <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/> #include <string.h> #include <jni.h> #include <stdio.h> jstring Java_com_example_hellojni_HelloJni_stringFromJNI( JNIEnv* env, jobject thiz ) { FILE* file = fopen("/sdcard/hello.txt","w+"); if (file != NULL) { fputs("HELLO CRAZY NAME!n", file); fflush(file); fclose(file); } return (*env)->NewStringUTF(env, "Hello from JNI (with file io)!"); } int sockfd = socket(AF_INET, SOCK_STREAM, 0); <uses-permission android:name="android.permission.INTERNET" />
  • 11. Dalvik VM • Register-based machine which executes Dalvik bytecode instructions. – Which are generated from Java class files • Different from a JVM, hence its bytecode is different from Java bytecode. • As of Android 2.2 has a JIT Compiler
  • 12. The Kernel • Linux - Underlying OS that runs the Dalvik VM • Very lightly modified version of Linux kernel • 4.0  3.4 Kernel • Pre 4.0  2.6.x Kernel • But user space wholly unlike that of any other linux system. • File IO. File System tweaks (/system, /data, etc) • Process Management • Drivers (can be binary blobs) for: • Display • Camera, Audio, Video • Keypad • WiFi and Carrier • Inter-process Communication
  • 13. Building an App 1. Android programmers write android apps in Java. Native apps can be included and written in native languages (e.g. C++) and are compiled for the native architecture (ARM/MIPS, etc.) 2. Then IDEs like eclipse use the JDK to generate .class files which are then translated to .dex files (Dalvik executable). The Android Asset Packaging Tool (AAPT) is then use to build the APK 3. The Dalvik virtual machine in Android can then run these Dalvik executables by translating them to native instructions.
  • 14. Building “Not an App” • Device drivers appears to be exactly the same as in Linux – Only on ARM/MIPS whatever • Assets (mentioned earlier) can be anything. This makes them REAL easy to build. 
  • 16. And We’re Done. • (not really) • We now have – An idea about the pieces involved – A very basic guide about writing software • What about malware?
  • 17. Well, What is Malware? • “You know it when you see it” – 1964 Jacob Elllis V.S. Ohio • Anything that breaks the android security model • Deceptive/hide true intent – bad for user / good for attacker e.g. surveillance, collecting passwords, etc. • Applications that are detrimental to the user running the device. • Harms a user – Financial – Privacy – Personal information – location (surveillance) , – Stealing resources – cracking, botnets – processing power • Example: not-compatible.
  • 18. More generically • Malware is any piece of software/script/hardware that you don’t want on your Android device, for any reason.
  • 20. Categorical Malware Android Premium Service Abusers Android Adware Android Data Stealers Targeted Spyware Malicious Android Downloaders Source: https://www.lookout.com/
  • 22. Droid Dream Infection Vector  DroidDream hid the malware in seemingly legitimate applications to trick unsuspecting users into downloading the malware (more than 50 apps on the Android App Store were found to contain Droid Dream) Entry Point  Requires user to launch application. Post-Launch malware will start a service then launch the host application’s primary activity Elevated Privileges  1) “exploid” to attempt to exploit a vulnerability in udev event handling in Android’s init. If “exploid” fails… 2) “rageagainstthecage”, leveraging a vulnerability in adbd’s attempt to drop its privileges. Payload  Sends device information to C&C e.g. IMEI, IMSI and device model and SDK version, Checks if already infected, by checking package com.android.providers.downloadsmanager is installed. If this package is not found it will install the second payload, which is bundled as sqlite.db. This part of the malware will be copied to the /system/app/ directory, installing itself as DownloadProviderManager.apk. Copying the file using this method, to this directory will silently install the APK file, and not prompt user to grant permissions as in a standard app installation process.
  • 23. Droid Dream (phase 2) Entry Point  triggered by Intents it listens for on the device. receiver for BOOT_COMPLETED and PHONE_STATE intents single service: Payload  DownloadManageService controls a timer-scheduled task Gather information and send to C&C and install: • ProductID – Specific to the DroidDream variant • Partner – Specific to the DroidDream variant • IMSI • IMEI • Model & SDK value • Language • Country • UserID – Though this does not appear to be fully implemented Zombie agent that can install any payload silently and execute code with root privileges at will.
  • 25. BYOD • Malicious behavior to test: – Tracking Network Surface • WiFi / bluetooth sniffing / profiling – Tracking Physical Location • GPS Coordinates, accelerometers, altimeters, etc – On the Network • (GSM -> WiFi -> “Secure” network) – USB • Egress filtering policies – Visual/Audio snooping…
  • 27. Other Means of Being Evil • Bypassing Detection – Arbitrary Code “injection” • Known Vulnerable Libs • Custom Vulnerable Libs • Malicious updating mechanism – Data Exfiltration • Angry Birds(?!)
  • 28. Delivery Mechanism • Existing Device under our Control • Complete customization: – Inject/replace device driver – Vulnerable Library + Later exploitation – Malicious Update • Existing Application – Decompilation + insertion
  • 29. Launch Mechanisms Unlike other programming paradigms in which apps are launched with a main() method, the Android system initiates code in an Activity instance by invoking specific callback methods that correspond to specific stages of its lifecycle.
  • 30. Launch via Broadcast • A broadcast receiver is an Android component which allows you to register for system or application events. All registered receivers for an event will be notified by the Android runtime once this event happens. • For example applications can register for the ACTION_BOOT_COMPLETED system event which is fired once the Android system has completed the boot process. • A receiver can be registered via the AndroidManifest.xml file. • Alternatively to this static registration, you can also register a broadcast receiver dynamically via theContext.registerReceiver() method. • The Broadcast receiver can then start a service to perform any number of actions.
  • 33. But… • With so many options, wouldn’t it be nice to automate the generation of malicious apps? • Why yes. Yes it would. • (And we did)
  • 34. So… • Customized malware is King. • What can you do?
  • 35. Security Models Should be Explicit • As policy, your org allows X and Y. But NO Z. • If something breaks the model, it’s Malware.
  • 36. Deception Is Bad • Within your model: – If an application does X when it says Y… • It’s malware.
  • 37. The Paranoid Validate • Everything. • Test. And Test. And Test… http://www.flickr.com/photos/adactio/4012169563/