Post on 22-Nov-2014
description
I haz you and pwn your maal
Harsimran Walia
#WhoamI
• Research Scientist @ McAfee
• Expertise: Malware Analysis, Exploit
development and Vulnerability Analysis
• Twitter: b44nz0r
• Email: walia.harsimran@gmail.com
• Previous papers: Reversing Microsoft Patches
to Reveal Vulnerable code @ NullCon,2012
Disclaimer
• The research and views presented here are
solely mine and nothing to do with any of the
current and previous organizations, I work for
or associated with in any form
• The presentation is for educational purposes
only and no one can be held responsible for
any harm caused in any form due to use or
misuse of information presented here
Access Data?
• Use of smartphones, tablets, mobile devices
• No longer need to stay in one place
• Information on the go
• But,
Danger!
• Create a larger attack vector
• Treasure trove for attackers
• Hot targets for attackers and data thieves
• Ease of attack
• Vast amount of information
Attacks
• Most reliable attack is via malware
• Malware can
1. penetrate a host
2. extract information
3. stay hidden
4. send data to the attacker
• Attackers created smartphone malware
• Delivered as smartphone applications
Platforms
• Many smartphone platform
– Apple’s iOS
– Android
– Symbian
– Blackberry
• Android by far most popular with attackers
Why Android?
• 50.1% Smartphone users share in US
Why Android?
• 61% smartphone sales share in Q1,2012
Why Android?
Starting development
of Iphone OS apps
needs
• Mac Computer
• Sign-in Dev Program
• Wait for verification
• Pay fees
Why Android?
• Not only user share, sales are much above
any other platform
• Huge user base i.e. victims ;)
• Ease of malware development and hosting on
google play
• Have led to:
Headlines
• Android OS the “worst platform for malware”. - TG Daily August’11
• Android threats leapt 76% during the Q2-2011 - McAfee
• Most attacked mobile OS overtaking Symbian OS
• The most popular target for mobile malware developers
• Increasing target for cybercriminals
Malware Analysis
Windows
• 2 methods, dynamic and static
• Virtual machine or sandbox is used
• Static analysis - reverse engineer the application/malware using tools and techniques to re-create the actual code and algorithm
• Have to debug through assembly code to understand the algorithm
Android
• Same, dynamic and static
• Virtual machine with
android SDK
• In many cases static analysis
reveals the malware
behavior and very little
dynamic analysis is required
• Can be decompiled into
readable java code
Vs
What to expect?
• Lab setup, a VM with android SDK
installation.
• Tools required for the analysis
• Static Analysis
• Dynamic Analysis
• Patching the malware to own it
What not to expect?
• How to write an android malware
• How to spread it
• How to hack Android
Behavioral classification
Types of Android Malware
• Mobile Device Data Stealers
– most common
– aim to acquire different info from the infected device• OS version
• product ID
• International Mobile Equipment Identity (IMEI) number
• International Mobile Subscriber Identity (IMSI) number
– This stolen device info is encrypted and sent via HTTP POST to the attacker, can be used for future attacks .
• Rooting-capable
–malware infect to gain so-called root privileges
– remote users access to files and the devices’ flash memory
–With rooting malware drop copies of themselves onto their flash memory
– they can’t be detected and consequently deleted by antivirus products
• Premium Service Abusers
– hard coded predetermined premium numbers
– sends text messages
– affected users being charged for sms services
• Mobile Device Spies
– secretly monitor info stored on infected devices• GPS location
• save text and email messages
• Like data stealers, sends stolen data to specific URLs via HTTP POST.
• focus more on gathering personal data
One-click Billing Fraud
Android One-click Billing Fraud
• Mostly active on p0rn and gamer video sites
• Trying to view a video triggers a pop-up asking the user to download a malicious app.
• Gets the Android user account information, and sends them to the cybercriminals.
• Displays a pop-up showing the message– “We haven’t received your payment. Therefore, based on our policy,
we will have to charge you if you have not paid yet.”
• Also displays the information it stole in order to build credibility for it self, and better convince the victim to pay the amount.
• The pop-up is set to show every few minutes and keeps eating your money.
WHY DID I WRITE MY PAPER?
• Malware Analysis,
– important part of antimalware companies’ work.
• Mobile malware analysis is now equally important.
• Effective analysis can be used by law enforcement
agencies to catch law breakers
– i.e malware authors and attackers
• For fun, when you can pwn someone else’s malware
and control it.
• You get yourself full-blown malware without writing it.
ANDROID MAL-ANALYSIS
TOOLS OF TRADE
Tools - Static analysis
• Mobile Sandbox: provides static analysis of malware images
• IDA pro: Supports Android bytecode in version 6.1 and later
• APKInspector: Powerful GUI tool for analyzing Android applications.
• Dex2jar: For converting Android’s .dex format to Java’s .class format
• Jd-gui: A standalone graphical utility that displays Java source codes of .class files.
• Androguard: Reverse engineering and Malware analysis of Android applications.
• JAD: Java Decompiler
• Dexdump: Java .dex file format decompiler
• Smali: smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM
implementation.
Tools – Dynamic analysis
• Droidbox: An Android Application Sandbox for Dynamic Analysis
• The Android SDK: “A software development kit that enables developers to create applications for the Android platform. Using the Android SDK we can create a virtual android device almost identical in functionality and capabilities of an android telephone and using that virtual device as secure environment we can execute the malware and observe the behaviour of it.
• AndroidAuditTools: Dynamic Android analysis tools
LAB SETUP
• Traditional malware analysis includes a Virtual Machine
• We need a one as well
• Android SDK installed in VM
• Well documented installation details can be found here
http://developer.android.com/sdk/installing.html
• Would highlight one thing during installation
• Must select atleast one
version of the API
• API versions to develop
applications for different
android versions
• Separate SDK for
malwares targeted for a
particular version
• Demo
– android 2.3 (gingerbread)
ANALYSIS
Android Malware Acquisition
• Contagio MiniDump
(http://contagiominidump.blogspot.in/)
• Community driven
• Anyone can submit a sample
• It is made available to others
• Demo– Voodoo SimpleCarrierIQDetector
– supposed to detect presence of the Carrier IQ mobile diagnostic software on the system
– Chosen based on the ease of understanding
STATIC ANALYSIS
Mobile-sandbox.com
• Submit the apk to mobile-sandbox.com for analysis
• Report generated can be viewed at http://mobilesandbox.org/xml_report_static/?q=176
• Important information from report
Requested Permissions from Android Manifest: android.permission.READ_LOGSandroid.permission.SEND_SMS
Potentially dangerous Calls:sendSMSExecution of native codegetPackageInfo
Extraction
• Start our manual analysis
• Need to extract the apk to get its contents
• apk file is a zip file formatted package.
• Extraction done with win-rar or win-zip
• File of interest is classes.dex
dex2jar
• C:\> dex2jar.bat classes.dex
– Output: classes.dex � classes_dex2jar.jar
• Converts classes.dex file extracted from the
apk to jar file
JD-GUI
• To read the code from the .class file in the jar
• Open the jar file with JD-GUI
• Four .class files– Detect.class
• Code is trying to make out if CarrierIQ software is installed on the system based on some checks.
– R.class• Every android application contains this class file. Here it is used to
declare few variables
– Utils.class• Contains few utility method definitions like findFiles.
getCommandOutput etc
– Main.class• This is the most interesting class as it actually contains the malicious
code.
• The code looks like this
Code Analysis
• Four same command to send SMS to the number “81168” with four different SMS texts
– AT37
– MC49
– SP99
– SP93
• A Google search on the number shows that it a premium rate sms number that costs almost € 9/SMS
• This is how hackers make money with mobile malware
• Some malware listens to incoming messages
• Deletes them even before a user can read it if
• They are from the service providers which
would inform users about their balance or
billing charges.
I haz you
• I know the premium rate phone number
• Know the text message being sent
• If interested in catching the crooks,– find the country and the operator whom the number
belongs to
– persuade them to disclose the information on the attacker/malware author
– Google helps a lot with substantial information available publically regarding the same
• If you get the police involved, chances of catching the hax0r are big
Scam
• On Google I found a funny but very interesting Facebook scam around this
• Like other scam Facebook applications, – a user gets messages from his friends on Facebook asking him to
vote for his friend on some “Miss and Mister” contest giving an infected web link
– Following the link actually hacks the Facebook account rendering it unusable for the user
– Attacker then calls him/her up telling him that his account has been blocked for so and so reason
– Hence he has to send an SMS to the mentioned number “81168” with any of the 4 texts
– He will receive a code that has to be given to the caller(who is the hacker) to unlock his Facebook account.
PWNIFICATION
• Finished with the analysis
• Extracted information on malware author
• Lets own the malware and making it dance to
our tunes
• Following technique explains the process to
own the malware we just analyzed
– can be fairly generalized
Baksmali
• Program used to disassemble the dex files
• Disassembles the .dex file to .smali files
• Names similar to the .class files
• Can be opened in any text-editor
• C:\> baksmali-0.93.jar –o smali-out classes.dex
• File containing the malicious code
– main$1.smali
– From main.class, figured out in analysis phase
– Open in a text editor
• Change the destination number of the sms
– i.e first argument to sendTextMessage function
• Set it to your mobile number or any other
• Save the file
• Demo
– changing it to the port number of my android
emulator
Smali
• Used to compile the .smali files back to .dex file
• After making the desired changes to the smali file
• Save it, compile all the .smali files together to
classes.dex using
• C:\> smali-0.93.jar smali-out –o classes.dex
Packing
• Delete the META-INF folder– contains the SHA1 of the classes.dex
– will not match the changed classes.dex file
– apk signing information
– has to be changed
• Private key of original author not available
• Have to sign the apk with our private key
• With modified classes.dex, pack the files back to a .zip file using any packer utility
• Change extension from .zip to .apk
Signing
• Mandated by Google for an application (apk) to be signed by the owner/author’s private key
• Cannot install on an emulator or a device, if it is not signed
• Can use self-signed certificates to sign applications
• No certificate authority is needed
• To sign we need,
– Keytool
– Jarsigner
Keytool
• Comes as a part of jdk installation
• Used to create private key for signing
• C:\> keytool -genkey -v -keystore my-personal-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
– prompts for passwords for the keystore and key
– and the Distinguished Name fields
Jarsigner
• Comes as a part of jdk installation
• Used to sign the apk with created keystore
• C:\> jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore carrieriq.apk alias_name
– modifies the APK in-place
– creates META_INF folder with the signing details
– APK is now signed
• To verify if the apk is signed
• C:\> jarsigner –verify -verbose my_ carrieriq.apkalias_name
• If signed properly, it outputs “JAR verified”
• Voila!
• Got ourselves a malware
DYNAMIC ANALYSIS
Playing
• Install apk (malware) on the android SDK
• To verify the behavior that we modified
• Open two instances of the android emulator
• Install the new malware on one of them
• sms num modified should be the port
number of emulator other than with
malware install.
• Install and run the app
• As soon uninstall button is clicked
• SMS gets sent to the other emulator
I pwn your maal
• I modified your malware
• Customized it to my need
• Now I pwn you maal
• It will serve me now
• ☺ (evil grin)
CONCLUSION
• Overview of how android smartphone OS has become the most popular target for attackers
• Describes different types of malware being created for the android platform
• Attempts to explain – the lab setup
– tools required
– the static and dynamic malware analysis
– practically analyzing a real premium SMS sending malware
• After analysis
– Origin of malware is known
– We know how to own the malware
• In short
“I haz you and pwn your maal”.
Thanks
Questions??