I haz you and pwn your maal
Harsimran Walia

"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html

Transcript of I haz you and pwn your maal

Page 1: I haz you and pwn your maal

I haz you and pwn your maal

Harsimran Walia

Page 2: I haz you and pwn your maal

#WhoamI

• Research Scientist @ McAfee

• Expertise: Malware Analysis, Exploit development and Vulnerability Analysis

• Twitter: b44nz0r

• Email: [email protected]

• Previous papers: Reversing Microsoft Patches to Reveal Vulnerable code @ NullCon, 2012

Page 3: I haz you and pwn your maal

Disclaimer

• The research and views presented here are solely mine and have nothing to do with any of the current or previous organizations I work for or am associated with in any form

• The presentation is for educational purposes only and no one can be held responsible for any harm caused in any form due to use or misuse of the information presented here

Page 4: I haz you and pwn your maal

Access Data?

• Use of smartphones, tablets, mobile devices

• No longer need to stay in one place

• Information on the go

• But,

Page 5: I haz you and pwn your maal

Danger!

• Create a larger attack vector

• Treasure trove for attackers

• Hot targets for attackers and data thieves

• Ease of attack

• Vast amount of information

Page 6: I haz you and pwn your maal

Attacks

• Most reliable attack is via malware

• Malware can

1. penetrate a host

2. extract information

3. stay hidden

4. send data to the attacker

• Attackers created smartphone malware

• Delivered as smartphone applications

Page 7: I haz you and pwn your maal

Platforms

• Many smartphone platforms

– Apple’s iOS

– Android

– Symbian

– Blackberry

• Android by far most popular with attackers

Page 8: I haz you and pwn your maal

Why Android?

• 50.1% share of smartphone users in the US

Page 9: I haz you and pwn your maal

Why Android?

• 61% share of smartphone sales in Q1 2012

Page 10: I haz you and pwn your maal

Why Android?

Starting development of iPhone OS apps needs:

• Mac Computer

• Sign-in Dev Program

• Wait for verification

• Pay fees

Page 11: I haz you and pwn your maal

Why Android?

• Not only user share, sales are much above any other platform

• Huge user base i.e. victims ;)

• Ease of malware development and hosting on Google Play

• Have led to:

Page 12: I haz you and pwn your maal

Headlines

• Android OS the “worst platform for malware”. - TG Daily August’11

• Android threats leapt 76% during the Q2-2011 - McAfee

• Most attacked mobile OS overtaking Symbian OS

• The most popular target for mobile malware developers

• Increasing target for cybercriminals

Page 13: I haz you and pwn your maal

Malware Analysis

Windows

• 2 methods, dynamic and static

• Virtual machine or sandbox is used

• Static analysis - reverse engineer the application/malware using tools and techniques to re-create the actual code and algorithm

• Have to debug through assembly code to understand the algorithm

Android

• Same, dynamic and static

• Virtual machine with android SDK

• In many cases static analysis reveals the malware behavior and very little dynamic analysis is required

• Can be decompiled into readable java code


Page 14: I haz you and pwn your maal

What to expect?

• Lab setup, a VM with android SDK installation.

• Tools required for the analysis

• Static Analysis

• Dynamic Analysis

• Patching the malware to own it

Page 15: I haz you and pwn your maal

What not to expect?

• How to write an android malware

• How to spread it

• How to hack Android

Page 16: I haz you and pwn your maal

Behavioral classification

Page 17: I haz you and pwn your maal

Types of Android Malware

• Mobile Device Data Stealers

– most common

– aim to acquire different info from the infected device

• OS version

• product ID

• International Mobile Equipment Identity (IMEI) number

• International Mobile Subscriber Identity (IMSI) number

– This stolen device info is encrypted and sent via HTTP POST to the attacker, and can be used for future attacks.

Page 18: I haz you and pwn your maal

• Rooting-capable

– malware that infects to gain so-called root privileges

– gives remote users access to files and the device’s flash memory

– with root, the malware drops copies of itself onto the flash memory

– so it can’t be detected and consequently deleted by antivirus products

Page 19: I haz you and pwn your maal

• Premium Service Abusers

– hard coded predetermined premium numbers

– sends text messages

– affected users are charged for SMS services

• Mobile Device Spies

– secretly monitor info stored on infected devices

• GPS location

• save text and email messages

• Like data stealers, sends stolen data to specific URLs via HTTP POST.

• focus more on gathering personal data

Page 20: I haz you and pwn your maal

One-click Billing Fraud

Page 21: I haz you and pwn your maal

Android One-click Billing Fraud

• Mostly active on p0rn and gamer video sites

• Trying to view a video triggers a pop-up asking the user to download a malicious app.

• Gets the Android user account information, and sends them to the cybercriminals.

• Displays a pop-up showing the message – “We haven’t received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet.”

• Also displays the information it stole in order to build credibility for itself, and better convince the victim to pay the amount.

• The pop-up is set to show every few minutes and keeps eating your money.

Page 22: I haz you and pwn your maal

WHY DID I WRITE MY PAPER?

Page 23: I haz you and pwn your maal

• Malware Analysis,

– important part of antimalware companies’ work.

• Mobile malware analysis is now equally important.

• Effective analysis can be used by law enforcement agencies to catch law breakers

– i.e. malware authors and attackers

• For fun, when you can pwn someone else’s malware and control it.

• You get yourself full-blown malware without writing it.

Page 24: I haz you and pwn your maal

ANDROID MAL-ANALYSIS

TOOLS OF TRADE

Page 25: I haz you and pwn your maal

Tools - Static analysis

• Mobile Sandbox: provides static analysis of malware images

• IDA pro: Supports Android bytecode in version 6.1 and later

• APKInspector: Powerful GUI tool for analyzing Android applications.

• Dex2jar: For converting Android’s .dex format to Java’s .class format

• Jd-gui: A standalone graphical utility that displays Java source codes of .class files.

• Androguard: Reverse engineering and Malware analysis of Android applications.

• JAD: Java Decompiler

• Dexdump: Java .dex file format decompiler

• Smali: smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation.

Page 26: I haz you and pwn your maal

Tools – Dynamic analysis

• Droidbox: An Android Application Sandbox for Dynamic Analysis

• The Android SDK: “A software development kit that enables developers to create applications for the Android platform.” Using the Android SDK we can create a virtual Android device almost identical in functionality and capabilities to an Android telephone, and using that virtual device as a secure environment we can execute the malware and observe its behaviour.

• AndroidAuditTools: Dynamic Android analysis tools

Page 27: I haz you and pwn your maal

LAB SETUP

Page 28: I haz you and pwn your maal

• Traditional malware analysis includes a Virtual Machine

• We need one as well

• Android SDK installed in the VM

• Well documented installation details can be found here: http://developer.android.com/sdk/installing.html

• One thing worth highlighting during installation:

Page 29: I haz you and pwn your maal

• Must select at least one version of the API

• API versions are used to develop applications for different android versions

• Use a separate SDK image for malware targeted at a particular version

• Demo

– android 2.3 (gingerbread)

Page 30: I haz you and pwn your maal

ANALYSIS

Page 31: I haz you and pwn your maal

Android Malware Acquisition

• Contagio MiniDump

(http://contagiominidump.blogspot.in/)

• Community driven

• Anyone can submit a sample

• It is made available to others

• Demo

– Voodoo SimpleCarrierIQDetector

– supposed to detect presence of the Carrier IQ mobile diagnostic software on the system

– Chosen based on the ease of understanding

Page 32: I haz you and pwn your maal

STATIC ANALYSIS

Page 33: I haz you and pwn your maal

Mobile-sandbox.com

• Submit the apk to mobile-sandbox.com for analysis

• Report generated can be viewed at http://mobilesandbox.org/xml_report_static/?q=176

• Important information from report

Requested Permissions from Android Manifest:

– android.permission.READ_LOGS

– android.permission.SEND_SMS

Potentially dangerous Calls:

– sendSMS

– Execution of native code

– getPackageInfo

Page 34: I haz you and pwn your maal

Extraction

• Start our manual analysis

• Need to extract the apk to get its contents

• An apk file is a zip-formatted package

• Extraction can be done with WinRAR or WinZip

• File of interest is classes.dex

Page 35: I haz you and pwn your maal

dex2jar

• C:\> dex2jar.bat classes.dex

– Output: classes.dex -> classes_dex2jar.jar

• Converts the classes.dex file extracted from the apk to a jar file

Page 36: I haz you and pwn your maal

JD-GUI

• To read the code from the .class file in the jar

• Open the jar file with JD-GUI

Page 37: I haz you and pwn your maal

• Four .class files

– Detect.class

• Code is trying to make out if CarrierIQ software is installed on the system based on some checks.

– R.class

• Every android application contains this class file. Here it is used to declare a few variables.

– Utils.class

• Contains a few utility method definitions like findFiles, getCommandOutput etc.

– Main.class

• This is the most interesting class as it actually contains the malicious code.

• The code looks like this

Page 38: I haz you and pwn your maal

(screenshot of the decompiled Main.class code; not captured in the transcript)

Page 39: I haz you and pwn your maal

Code Analysis

• Four identical commands to send an SMS to the number “81168” with four different SMS texts

– AT37

– MC49

– SP99

– SP93

• A Google search on the number shows that it is a premium rate SMS number that costs almost € 9/SMS

• This is how hackers make money with mobile malware
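Before reaching for dex2jar and JD-GUI, a dump of the classes.dex string table usually exposes the same indicators the decompiled code shows on this slide: the SmsManager method name, the short code and the message bodies all sit in that one table. The Python script below is an added example and is not part of the original deck. It reads classes.dex straight out of the APK zip, walks the DEX string table (string_ids_size and string_ids_off live at header offsets 0x38 and 0x3C; each entry points to a ULEB128-prefixed, NUL-terminated MUTF-8 string) and flags the SMS API plus any 4-6 digit short code. The APK it triages is constructed inline (a DEX holding only a string table with the strings from this analysis); it is not the real Voodoo SimpleCarrierIQDetector sample.

```python
import io
import re
import struct
import zipfile


def _uleb128_decode(buf, off):
    """Decode a ULEB128 integer at buf[off]; return (value, next_offset)."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def dex_strings(dex):
    """Return every entry of the DEX string table.

    Type descriptors, method names and string literals share this table, which
    is why an API name like sendTextMessage shows up next to the literals.
    Plain ASCII is byte-identical in MUTF-8 and UTF-8, enough for triage.
    """
    if dex[:4] != b"dex\n" or dex[7] != 0:
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = _uleb128_decode(dex, data_off)
        end = dex.index(b"\x00", start)
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out


def apk_strings(apk_bytes):
    """An APK is a zip: pull classes.dex out and dump its string table."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return dex_strings(z.read("classes.dex"))


SMS_API = "sendTextMessage"
SHORT_CODE = re.compile(r"^\d{4,6}$")  # premium short codes such as 81168


def triage(strings):
    """The two indicators that gave this sample away, as a small report."""
    return {
        "sms_api": SMS_API in strings,
        "short_codes": sorted({s for s in strings if SHORT_CODE.match(s)}),
    }


def triage_apk(apk_bytes):
    return triage(apk_strings(apk_bytes))


# ---- constructed sample: a toy DEX with only a string table, zipped as an APK ----
def _uleb128_encode(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append((b | 0x80) if n else b)
        if not n:
            return bytes(out)


def build_sample_dex(strings):
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    ids_off = 0x70
    data_start = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_start + len(data))
        data += _uleb128_encode(len(s)) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<I", header, 0x24, 0x70)            # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)      # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    struct.pack_into("<II", header, 0x68, len(data), data_start)
    blob = header + ids + data
    struct.pack_into("<I", blob, 0x20, len(blob))         # file_size
    return bytes(blob)


# Constructed string table mirroring what the decompiled code on Page 39 shows.
SAMPLE_STRINGS = [
    "Lcom/example/Main$1;", "Landroid/telephony/SmsManager;", "getDefault",
    "sendTextMessage", "81168", "AT37", "MC49", "SP99", "SP93",
]


def build_sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", build_sample_dex(SAMPLE_STRINGS))
        z.writestr("res/layout/main.xml", b"<constructed/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Strings assembled at runtime (concatenated or decrypted) never appear in this table, which is exactly the case where the dynamic analysis on the later slides earns its keep.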

Page 40: I haz you and pwn your maal

• Some malware listens to incoming messages

• Deletes them even before a user can read them, if they are from the service providers which would inform users about their balance or billing charges.

Page 41: I haz you and pwn your maal

I haz you

• I know the premium rate phone number

• Know the text message being sent

• If interested in catching the crooks,

– find the country and the operator the number belongs to

– persuade them to disclose the information on the attacker/malware author

– Google helps a lot with substantial information available publicly regarding the same

• If you get the police involved, chances of catching the hax0r are big

Page 42: I haz you and pwn your maal

Scam

• On Google I found a funny but very interesting Facebook scam around this

• Like other scam Facebook applications,

– a user gets messages from his friends on Facebook asking him to vote for his friend on some “Miss and Mister” contest giving an infected web link

– Following the link actually hacks the Facebook account rendering it unusable for the user

– Attacker then calls him/her up telling him that his account has been blocked for so and so reason

– Hence he has to send an SMS to the mentioned number “81168” with any of the 4 texts

– He will receive a code that has to be given to the caller(who is the hacker) to unlock his Facebook account.

Page 43: I haz you and pwn your maal

PWNIFICATION

Page 44: I haz you and pwn your maal

• Finished with the analysis

• Extracted information on the malware author

• Let's own the malware and make it dance to our tune

• The following technique explains the process to own the malware we just analyzed

– can be fairly generalized

Page 45: I haz you and pwn your maal

Baksmali

• Program used to disassemble the dex files

• Disassembles the .dex file to .smali files

• Names similar to the .class files

• Can be opened in any text-editor

• C:\> baksmali-0.93.jar -o smali-out classes.dex

Page 46: I haz you and pwn your maal

• File containing the malicious code

– main$1.smali

– From main.class, figured out in analysis phase

– Open in a text editor

Page 47: I haz you and pwn your maal

• Change the destination number of the sms

– i.e. first argument to sendTextMessage function

• Set it to your mobile number or any other

• Save the file

• Demo

– changing it to the port number of my android emulator
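The edit on this slide changes the first argument of sendTextMessage, which in smali is a register loaded by a const-string a few lines before the invoke. The Python script below is an added example, not the deck's own tooling: it finds every invoke of SmsManager->sendTextMessage in a .smali file, walks back to the const-string that fills the destination register (and the text register, so the report matches Page 39), and rewrites that one const-string to a number you control, here the emulator port 5556 as a constructed sample value. The smali listing is constructed to resemble main$1.smali as described on Pages 37 and 39; it is not the sample's actual disassembly.

```python
import re

# One invoke line: 'invoke-virtual/range {v0 .. v5}, Lpkg/Cls;->name(args)ret'
INVOKE = re.compile(r'^\s*invoke-\S+\s+\{([^}]*)\},\s*(\S+)\s*$')
# One string load: 'const-string v1, "81168"' (const-string/jumbo for big tables)
CONST_STRING = re.compile(r'^(\s*)const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"\s*$')
SMS_SEND = "Landroid/telephony/SmsManager;->sendTextMessage("


def _registers(spec):
    """Expand '{v0 .. v5}' or '{v0, v1, v3}' into a register list."""
    if ".." in spec:
        lo, hi = (int(r.strip()[1:]) for r in spec.split(".."))
        return [f"v{i}" for i in range(lo, hi + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]


def _last_const_string(lines, idx, reg):
    """Scan upwards from lines[idx] for the const-string that loaded reg.

    Returns (line_index, value) or (None, None). This is a linear scan within
    the method: it does not follow branches, and a destination built at runtime
    (concatenation, decryption) is simply not resolved.
    """
    for j in range(idx - 1, -1, -1):
        if lines[j].lstrip().startswith(".method"):
            break
        m = CONST_STRING.match(lines[j])
        if m and m.group(2) == reg:
            return j, m.group(3)
    return None, None


def find_sms_sends(smali):
    """List each sendTextMessage call with its resolved destination and text."""
    lines = smali.splitlines()
    sends = []
    for i, line in enumerate(lines):
        m = INVOKE.match(line)
        if not m or not m.group(2).startswith(SMS_SEND):
            continue
        regs = _registers(m.group(1))
        # sendTextMessage(dest, scAddr, text, sentIntent, deliveryIntent):
        # regs[0] is the SmsManager receiver, so dest is regs[1], text regs[3].
        _, dest = _last_const_string(lines, i, regs[1])
        _, text = _last_const_string(lines, i, regs[3])
        sends.append({"line": i + 1, "dest": dest, "text": text})
    return sends


def redirect_sms(smali, sink):
    """Rewrite the const-string feeding every sendTextMessage destination to sink."""
    lines = smali.splitlines()
    for i, line in enumerate(lines):
        m = INVOKE.match(line)
        if m and m.group(2).startswith(SMS_SEND):
            regs = _registers(m.group(1))
            j, _ = _last_const_string(lines, i, regs[1])
            if j is not None:
                indent = CONST_STRING.match(lines[j]).group(1)
                lines[j] = f'{indent}const-string {regs[1]}, "{sink}"'
    return "\n".join(lines) + "\n"


# Constructed listing in the shape of main$1.smali; not the real sample.
SAMPLE_SMALI = """\
.class Lcom/example/Main$1;
.super Ljava/lang/Object;

.method public onClick(Landroid/view/View;)V
    .locals 6

    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0

    const-string v1, "81168"
    const/4 v2, 0x0
    const-string v3, "AT37"
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V

    const-string v3, "MC49"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V

    return-void
.end method
"""

if __name__ == "__main__":
    for s in find_sms_sends(SAMPLE_SMALI):
        print(s)
    print(redirect_sms(SAMPLE_SMALI, "5556"))
```

When find_sms_sends reports a destination of None, the number is not a literal and the emulator-to-emulator run on the later slides is the way to see the real value.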

Page 48: I haz you and pwn your maal

Smali

• Used to compile the .smali files back to .dex file

• After making the desired changes to the smali file

• Save it, compile all the .smali files together to classes.dex using

• C:\> smali-0.93.jar smali-out -o classes.dex

Page 49: I haz you and pwn your maal

Packing

• Delete the META-INF folder

– contains the SHA1 of the classes.dex

– will not match the changed classes.dex file

– apk signing information

– has to be changed

• Private key of original author not available

• Have to sign the apk with our private key

• With modified classes.dex, pack the files back to a .zip file using any packer utility

• Change extension from .zip to .apk

Page 50: I haz you and pwn your maal

Signing

• Mandated by Google for an application (apk) to be signed by the owner/author’s private key

• Cannot install on an emulator or a device, if it is not signed

• Can use self-signed certificates to sign applications

• No certificate authority is needed

• To sign we need,

– Keytool

– Jarsigner

Page 51: I haz you and pwn your maal

Keytool

• Comes as a part of jdk installation

• Used to create private key for signing

• C:\> keytool -genkey -v -keystore my-personal-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

– prompts for passwords for the keystore and key

– and the Distinguished Name fields

Page 52: I haz you and pwn your maal

Jarsigner

• Comes as a part of jdk installation

• Used to sign the apk with created keystore

• C:\> jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-personal-key.keystore carrieriq.apk alias_name

– modifies the APK in-place

– creates META-INF folder with the signing details

– APK is now signed

Page 53: I haz you and pwn your maal

• To verify if the apk is signed

• C:\> jarsigner -verify -verbose my_carrieriq.apk alias_name

• If signed properly, it outputs “JAR verified”

• Voila!

• Got ourselves a malware
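Page 49 says META-INF has to go because it carries the SHA1 of classes.dex, and this page checks the re-signed APK with jarsigner -verify. The Python script below is an added example (not the deck's): it implements the digest half of that verification by parsing META-INF/MANIFEST.MF and comparing each SHA1-Digest with the entry actually inside the zip, and it shows why a swapped classes.dex fails until the APK is re-signed. The APK and its manifest are constructed inline; the .SF and .RSA files that jarsigner also writes are not modeled.

```python
import base64
import hashlib
import io
import zipfile


def sha1_b64(data):
    """MANIFEST.MF stores base64(SHA-1) of the uncompressed entry bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def parse_manifest(text):
    """Map entry name -> SHA1-Digest from a MANIFEST.MF.

    Sections are blank-line separated; the first (main) section has no Name:
    and is skipped. Newer tools may write SHA-256-Digest instead, which this
    example does not handle.
    """
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
        elif not line.strip():
            name = None
    return digests


def check_digests(apk_bytes):
    """Return {entry: 'ok' | 'MISMATCH' | 'missing'} for every manifest entry."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        result = {}
        for name, expected in digests.items():
            if name not in names:
                result[name] = "missing"
            else:
                actual = sha1_b64(z.read(name))
                result[name] = "ok" if actual == expected else "MISMATCH"
        return result


def build_sample_apk(entries):
    """Constructed APK: the given files plus a MANIFEST.MF with their digests."""
    manifest = "Manifest-Version: 1.0\nCreated-By: constructed example\n\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\nSHA1-Digest: {sha1_b64(data)}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def replace_entry(apk_bytes, name, new_data):
    """Swap one entry (the recompiled classes.dex) while leaving META-INF alone,
    which is what happens if the folder is not deleted before repacking."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for item in src.infolist():
            data = new_data if item.filename == name else src.read(item.filename)
            dst.writestr(item.filename, data)
    return buf.getvalue()


# Constructed sample contents; the bytes stand in for real DEX and resources.
ORIGINAL = build_sample_apk({
    "classes.dex": b"dex\n035\x00 constructed original bytecode",
    "res/layout/main.xml": b"<constructed/>",
})
PATCHED = replace_entry(ORIGINAL, "classes.dex", b"dex\n035\x00 constructed patched bytecode")

if __name__ == "__main__":
    print("original:", check_digests(ORIGINAL))
    print("patched: ", check_digests(PATCHED))
```

The same check is useful from the other side of the fence: an APK whose manifest digests do not match its entries, or whose signing certificate differs from the developer's known one, is the fingerprint of a repackaged app.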

Page 54: I haz you and pwn your maal

DYNAMIC ANALYSIS

Playing

Page 55: I haz you and pwn your maal

• Install the apk (malware) on the android SDK emulator

• To verify the behavior that we modified

• Open two instances of the android emulator

• Install the new malware on one of them

• The modified SMS number should be the port number of the emulator that does not have the malware installed.

Page 56: I haz you and pwn your maal

• Install and run the app

• As soon as the uninstall button is clicked

• SMS gets sent to the other emulator

Page 57: I haz you and pwn your maal

I pwn your maal

• I modified your malware

• Customized it to my need

• Now I pwn your maal

• It will serve me now

• ☺ (evil grin)

Page 58: I haz you and pwn your maal

CONCLUSION

Page 59: I haz you and pwn your maal

• Overview of how android smartphone OS has become the most popular target for attackers

• Describes different types of malware being created for the android platform

• Attempts to explain

– the lab setup

– tools required

– the static and dynamic malware analysis

– practically analyzing a real premium SMS sending malware

Page 60: I haz you and pwn your maal

• After analysis

– Origin of malware is known

– We know how to own the malware

• In short

“I haz you and pwn your maal”.

Page 61: I haz you and pwn your maal

Thanks

Questions??