Post on 16-Dec-2015
Android Malwarein PracticePart II
Demo Recap• SMSBypasser• Here we hijacked the SMS text and sent it to our website• This application could filter sms when required
• MaliciousSDcardScanner• No significant security permissions were required to gain access
to the sdcard location • Security exploit?
• Swift Key-logger• Simply piggy backing and altering some one else's malware• http://
www.android-app-development.ie/blog/2013/03/06/inserting-keyloggercode-in-android-swiftkey-using-apktool/
High Risk Android Permissionsandroid.permission.SEND_SMS / RECEIVE_SMSandroid.permission.SYSTEM_ALERT_WINDOWandroid.permission.READ_CONTACTS / WRITE_CONTACTS android.permission.READ_CALENDAR / WRITE_CALENDARandroid.permission.CALL_PHONEandroid.permission.READ_LOGSandroid.permission.ACCESS_FINE_LOCATIONandroid.permission.GET_TASKSandroid.permission.RECEIVE_BOOT_COMPLETEDandroid.permission.CHANGE_WIFI_STATEcom.android.browser.permission.READ_HISTORY_BOOKMARKS /WRITE_HISTORY_BOOKMARKS
List built-in permissions$ pm list permissions -f
Sourced from Google IO 2012 and marakana.com
Thoughts…• We have based our attacks using knowledge of the android
stack using the Android framework• These attacks are relatively simple yet effective to a naive user
• Would AntiVirus or Google Bouncer detect these malicious apps?
Corporate Migration• BYOD (Bring Your Own Device) means that smartphones are
now being accepted into a protected internal network• Consider how we might mitigate malware and how companies
attempt to refute such malware from their platforms/environment
Malware Detection and Prevention• Static analysis of an applications code can provide insight into
its intentions• Antivirus software carries out static analysis of applications
and protects against files that match binary signatures• This type of protection is often inadequate!
Malware Detection and Prevention• Rootkits are also difficult to discover depending on the
sophistication of the attack• Rootkits which attack the kernel memory are able to advise
other application with a tainted view of the system, hence disguising itself cleverly
Reactive• Most reactive approaches to application protection requires a
runtime overhead to be incurred• Overhead is a significant design consideration especially when
targeting mobile devices
strace• strace is a unix base tool that allow following of all system call
made by an application• Tracing the steps we can often see the system call along with
arguments passed
https://github.com/adetaylor/strace-android
Volatility• Deep memory analysis of the dalvik machine provides
application information associate with its runtime• For example we can snoop an application and determine if data
being sent is malware by reading into a intent and deciphering if it has a malicious payload or target
• Links• https://code.google.com/p/volatility/ • http://
www.504ensics.com/android-application-dalvikmemory-analysis-the-chuli-malware/
Android Filesystem Layout(Recap)
visitor@UOA283090 ~ $ adb shell mountrootfs / rootfs ro,relatime 0 0tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0devpts /dev/pts devpts rw,relatime,mode=600 0 0proc /proc proc rw,relatime 0 0sysfs /sys sysfs rw,relatime 0 0none /acct cgroup rw,relatime,cpuacct 0 0tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0none /dev/cpuctl cgroup rw,relatime,cpu 0 0/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,..../dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,...
Android Filesystem Layout(Recap)
The mounts of interest
/ - root of the filesystem hierarchy/system - the ROM that holds all system binaries and files/data - RW location for user applications/cache - transient data space for user applications/efs - phone specific information like IMEI number/mnt/sdcard - fat32 filesystem with no inbuilt security
Android Open Source Project• Android Open Source Project is a commitment from Google to
freely provide the Android source code to developers• Developers can download a vanilla based version of Android
(eg Jelly Bean) using repo (git wrapper application)• Developers can then customise the software to fit the
requirements of their targeted hardware and audience
http://source.android.com/
Rooting the device• Why root a device?• develop new features• update to latest software (OS)• provide security fixes• remove bloatware• get superuser access to hardware
• (overclocking)• some applications require full access
• (backup software, AV?)
Rooting how?• Attacking the OS• Carry out an exploit to grant one time root access
• Remount '/system' as Read/Write• Provide a mechanism to easily gain future root access
One time Exploits• Here we briefly review some of the one time exploits required
to gain initial root access
• ueventd - similar to udev (CVE-2009-1185)• vold (CVE-2011-1823)• rageagainstthecage(CVE-2010-EASY)• Zimperlich (similar to CVE-2010-EASY)• Ashmem (CVE-2011-1149)• suid on /proc/pid/mem (CVE-2012-0056)
Allowing for future root access (I)• Once the exploit has successfully given access we need to set
the system up so that we can change to root privileges on demand
Remount /system$ mount -o remount,rw /dev/null /system
Allowing for future root access (II)• We can either• Create a copy of the shell binary as su and place setuid
permissions to allow users to run as root• or• Cross compile and build your own su binary, then place in
/system/bin/• The su-binary can be found within the AOSP source tree
References• Android: http://developer.android.com/index.html • Google IO: https://sites.google.com/site/io/ • Marakana: http://marakana.com/training/android/ • Genome project http://www.malgenomeproject.org/
Questions?