Mobile Malware Defense
and possibly Anti-Forensics
Sheran A. Gunasekera <[email protected]>
IDSECCONF 2013, Surabaya, Indonesia
Digital forensics - Analyzing & gathering evidence of incidents occurring on a digital device
Malware - Malicious software designed to disrupt or collect sensitive information from digital devices
In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. -- Daniel Hoffman (Juniper)
Malware
Detection
Signature based?
Unique characteristics
No signature, no detection
In 2012, 45 percent of the AV signatures failed to detect malware that used such basic transformation techniques -- Dark Reading Article [April 2013]
ACME Malware Detector
Malware Signatures
PWN3D
Assume you’ve been infected
Helps you stay paranoid
Actors
You
Your Mobile Device
The guy spying on you
Inbound & outbound email
Inbound & outbound SMS/MMS
Phone Call Logs
BBM Messages
Contact information
How does it work?
Crippling Malware
Relies on exfiltrated data
Expects data to be accurate
But what if the data wasn’t accurate...?
Techniques
DDTS - Don’t Drop The Soap *
POEPFlood - Phony Object Escalation Process
FML - Flush My Log *
* Can be used for Anti-forensics
DDTS
Possible use for Anti-Forensics
Works on USB trigger
Use IOPortListener or USBPortListener
Trigger on event connectionRequested()
USB Connection
• Flood Email
• Flood SMS
• Flood Contact
• Flush Log
Hooking email
Email Messages
Package: net.rim.blackberry.api.mail.event
Interface: FolderListener
Methods: messagesAdded()
- Intercept and forward all emails on the BlackBerry handheld
Listener
Listener
Flooder
Hooking Call Logs
Hooking Call Logs
Contact Flooder
Contact 1
Contact 2
Contact 3
Contact 4
A note about keywords
Fake email only as good as keywords
Build an algorithm to mine existing keywords
Think like the person that spies on you
If they search for “bank”,”password”,”pin”...
Log Files
Event Log
Log Entry 1
Log Entry 2
Log Entry 3
Log Entry n-2
Log Entry n-1
Log Entry n
...
16 KB Log Size
New entries written to the bottom
Old entries are ejected
FML
Event Log
Log Entry 1
Crap
Crap
Crap
Crap
Crap
...
16 KB Log Size
FMLog attack writes fake data
Valid Entries are deleted
FML
BlackBerry Log Size - 16 KB
Android LogCat size - 64 KB
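The bounded-log behaviour on the preceding slides (new entries at the bottom, oldest ejected once the 16 KB budget is exceeded, valid entries gone after a filler burst), modelled as an added Python example that is not code from the talk, together with the sanity check a forensic examiner could run over a recovered buffer. The entry format, the filler shape and the 50% junk threshold are assumptions of the example.

```python
import re
from collections import deque

CAPACITY = 16 * 1024  # 16 KB, the BlackBerry event log size quoted in the deck
# Assumed entry format for the constructed sample: "<date> <time> <source>: <text>"
ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+: ")


class BoundedEventLog:
    """Simplified model of a fixed-size log: new entries are appended at the
    bottom and whole entries are ejected from the top once the byte budget is
    exceeded. Constructed model, not the real BlackBerry EventLogger."""

    def __init__(self, capacity=CAPACITY):
        self.capacity = capacity
        self.entries = deque()  # (line, size_in_bytes)
        self.used = 0

    def append(self, line):
        size = len(line.encode("utf-8")) + 1  # +1 for the newline terminator
        self.entries.append((line, size))
        self.used += size
        while self.used > self.capacity:  # eject oldest entries until it fits
            _, old = self.entries.popleft()
            self.used -= old

    def lines(self):
        return [line for line, _ in self.entries]


def flush_indicators(lines):
    """Examiner's check on a recovered log: how much of the buffer is
    unparseable filler, and does any well-formed entry survive at all?"""
    well_formed = [l for l in lines if ENTRY_RE.match(l)]
    junk_share = 1 - len(well_formed) / len(lines) if lines else 0.0
    return {
        "entries": len(lines),
        "well_formed": len(well_formed),
        "junk_share": round(junk_share, 3),
        "oldest_surviving": well_formed[0] if well_formed else None,
        "suspect_flush": junk_share >= 0.5,  # threshold is an assumption
    }


def simulate_flush(genuine, filler_count, filler_width=99):
    """Replay the slide's scenario: genuine entries, then a burst of filler
    lines of filler_width chars (+ newline) each."""
    log = BoundedEventLog()
    for line in genuine:
        log.append(line)
    for i in range(filler_count):
        log.append(("%05d " % i).ljust(filler_width, "#"))
    return log


# Constructed sample of genuine entries (57 bytes each including newline).
GENUINE = ["2013-04-02 10:%02d:00 net.rim.mail: messagesAdded id=%d" % (m, 1040 + m)
           for m in range(10)]
```

With 170 filler lines (17,000 bytes, more than the 16 KB budget) every genuine entry is ejected and 163 filler lines remain; the check then reports no well-formed entry and flags the buffer.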
Why?
Why?
Unorthodox
Good wing-man for conventional
Frustrates the guy spying on you
Recap
• Assume you’re pwn3d
• Introduce controlled “noise” in your data
• Make it harder for the guy spying on us
• Sit back and laugh
Thanks
http://chirashi.zensay.com
@chopstick_