anti virus and security apps
play

ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, - PowerPoint PPT Presentation

Aug 23, 2022 •135 likes •636 views

(IN-)SECURITY OF SMARTPHONE ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger, Andreas Wittmann, Philipp Roskosch, Daniel Magin, Joseph Varghese 1 Who are we Stephan Siegfried Mobile Security

  1. (IN-)SECURITY OF SMARTPHONE ANTI-VIRUS AND SECURITY APPS Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Tröger, Andreas Wittmann, Philipp Roskosch, Daniel Magin, Joseph Varghese 1

  2. Who are we Stephan Siegfried • Mobile Security Researcher at • 4th year PhD Student at TU Fraunhofer SIT Darmstadt/ Fraunhofer SIT • Enjoys teaching students in • Static and Dynamic Code Android Hacking Analysis • @teamsik • @teamsik 2

  3. 3

  4. Security App Features on Mobile 4

  5. Security App Features on Mobile Secure Browsing 5

  6. Security App Features on Mobile Secure Browsing Signature Update 6

  7. Security App Features on Mobile Secure Browsing Signature Update Realtime Monitoring 7

  8. Security App Features on Mobile Secure Browsing Signature Update Premium Features Realtime Monitoring 8

  9. Security App Features on Mobile Secure Browsing Theft Protection Signature Update Premium Features Realtime Monitoring 9

  10. Security App Features on Mobile SPAM Protection SPAM Secure Browsing Theft Protection Signature Update Premium Features Realtime Monitoring 10

  11. Outline • Analyzed Apps • Excerpt of Implementation Flaws and Attack Types • Business Model • Local Denial of Service • Man-in-the-Middle Attacks • Overview of All Findings • Our Experiences during the Responsible Disclosure Process • Summary 11

  12. Analyzed Android Apps App GooglePlay Downloads AndroHelm 1-5m Malwarebytes 5-10m ESET 5-10m Avira 10-50m Kaspersky 10-50m McAfee 10-50m CM Security 100-500m 12

  13. Bussines Model Attack 13

  14. 14

  15. Client Side License Verification … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); … 15

  16. Client Side License Verification … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); … write value to .xml file <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name="dialogShowTimes" value="1" /> <boolean name="hasDatabase" value="true" /> <string name="lastFragment"></string> <boolean name=" isPro " value=" true " /> </map> 16

  17. Client Side License Verification … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); … write value to .xml file <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name="dialogShowTimes" value="1" /> <boolean name="hasDatabase" value="true" /> <string name="lastFragment"></string> <boolean name=" isPro " value=" true " /> Every user can set this value ! </map> 17

  18. Local Denial of Service 18

  19. Inter App Communication Intent Intent Key: Value Key: Value Intent-Filter App A App B Android System 19

  20. Realtime Monitoring Attacker App Security App 20

  21. Realtime Monitoring Intent Attacker App Security App 21

  22. Realtime Monitoring CRASHED ! Attacker App Security App Log output: Java.lang.RuntimeException: Unable to start receiver com.androhelm.antivirus.receivers.SMSMonitor: java.lang.NullPointerException … com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:793) E/AndroidRuntime(16060): at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:560) E/AndroidRuntime(16060): Caused by: java.lang.NullPointerException com.androhelm.antivirus.receivers.SMSMonitor.onReceive(SMSMonitor.java:31)E/AndroidRuntime(16060): at E/AndroidRuntime(16060): ... 10 more 22

  23. Implementation Faults • Missing checks of intent payload , cause exceptions • Missing exception handling will crash whole application 24

  24. Implementation Faults • Missing checks of intent payload , cause exceptions • Missing e xception handling will crash whole application • Example: null-Intent 1)public void onReceive(Context c, Intent intent) { 2) //missing check if intent is null 3) Bundle bundle = intent.getExtras (); 4) if(bundle != null) { 5) Object o = bundle.get("pdus"); 25

  25. Man-in-the-Middle Attacks 26

  26. Man-in-the-Middle Attacks • Smartphone is a wireless medium mitm attacker • Communication over HTTP • No authentication • Broken self-made integrity protection security app update server • Broken self-made encryption • Communication over HTTPS • Broken certificate validation 27

  27. Rogue GSM Hotspot • Cost: ~ 300 $ nuand bladeRF SDR Powerbank (portable system) Pi for controlling and sniffing 28

  28. Mitm WI-FI Hotspot • Cost: ~60$ OR 29

  29. Arp-Spoofing • Cost: arpspoof , iptables and (mitm)-proxy are for free ! 30

  30. Remote Code Injection Example 31

  31. Special zip Entry /tmp$ unzip -l zipfile.zip Archive: zipfile.zip Length Date Time Name --------- ---------- ----- ---- 22 2016-06-28 13:49 ../../../tmp/dir2/badfile.txt 24 2016-06-28 13:43 file1.txt --------- ------- 46 2 files 32

  32. Unzip /tmp$ unzip zipfile.zip -d ./ dir1 / Archive: zipfile.zip warning: skipped "../" path component(s ) in ../../../tmp/dir2/badfile.txt extracting: ./dir1/tmp/ dir2 /badfile.txt extracting: ./dir1/file1.txt 33

  33. Unzip /tmp$ unzip zipfile.zip -d ./ dir1 / Archive: zipfile.zip warning: skipped "../" path component(s ) in ../../../tmp/dir2/badfile.txt extracting: ./dir1/tmp/ dir2 /badfile.txt extracting: ./dir1/file1.txt /tmp$ find /tmp/dir1/ /tmp/ dir1 / /tmp/ dir1 /file1.txt /tmp/ dir1 /tmp /tmp/ dir1 /tmp/dir2 /tmp/ dir1 /tmp/dir2/badfile.txt /tmp$ 34

  34. No escaping /tmp$ unzip -: zipfile.zip -d ./dir1/ Archive: zipfile.zip extracting: ./dir1/../../../tmp/dir2/ badfile.txt extracting: ./dir1/file1.txt 35

  35. No escaping /tmp$ unzip -: zipfile.zip -d ./dir1/ Archive: zipfile.zip extracting: ./dir1/../../../tmp/dir2/ badfile.txt extracting: ./dir1/file1.txt /tmp$ ls /tmp/dir1/ file1.txt /tmp$ ls /tmp/dir2/ badfile.txt 36

  36. Observed Update Traffic update process update process HTTP-traffic HTTP-traffic 37

  37. Observed Update Traffic update process update process HTTP-traffic HTTP-traffic GET-Requests of Application: … http://downloads7.xxxxxxxx-labs.com/bases/upd/upd-0607g.xml http://ipm.xxxxxxxx.com/600eb07a-2926-4407-b014-d3e8c77b0086.zip http://ipm. xxxxxxxx.com/eeea9321-5eac-4709-9046-8475ee951c82.zip http://downloads7.xxxxxxxx-abs.com/bases/mobile/ksrm//rootdetector.jar … 38

  38. Observed Update Traffic update process update process HTTP-traffic HTTP-traffic replace .zip file with attack file GET-Requests of Application: … http://downloads7.xxxxxxxx-labs.com/bases/upd/upd-0607g.xml http://ipm.xxxxxxxx.com/600eb07a-2926-4407-b014-d3e8c77b0086.zip http://ipm.xxxxxxxx.com/eeea9321-5eac-4709-9046-8475ee951c82.zip http://downloads7.xxxxxxxx-abs.com/bases/mobile/ksrm//rootdetector.jar … 39

  39. Content of the Attack File unzip -l 600eb07a-2926-4407-b014-d3e8c77b0086.zip Archive: 600eb07a-2926-4407-b014-d3e8c77b0086.zip Length Date Time Name --------- ---------- ----- ---- 16 2015-09-15 18:57 ../../../../../../../../../../../../../ ../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar 4042 2015-08-28 18:49 1000_768.css 6078 2015-08-28 18:49 AntiVirus_Premium.html 335 2015-08-28 18:49 [Content_Types].xml Payload 867 2015-08-28 18:49 meta.xml 3216 2015-08-28 18:49 respond.min.js 41

  40. Structure of Target App Folder ./app_bases/pdm.cfg ./app_bases/ pdm.jar . . contains classes.dex . (executable) . ./some_other_files . . . 42

  41. Unzip Received File ./app_bases/pdm.cfg ./app_bases/ pdm.jar . . contains classes.dex . (executable) . . ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/respond.min.js ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/[Content_Types].xml ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/1000_768.css ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/KISA_EN_Trial.html ./../../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar Advertisement files + attacker code extracted from zip archive ! 43

  42. Overwrite Original File ./app_bases/pdm.cfg Break out of source folder and overwrite original target file ! ./app_bases/ pdm.jar . . contains classes.dex . (executable) . . ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/respond.min.js ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/[Content_Types].xml ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/1000_768.css ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/KISA_EN_Trial.html ./../../../../../../../../../../data/data/com.kms.free/app_bases/pdm.jar Advertisement files + attacker code extracted from zip archive ! 44

  43. Injected Code ./app_bases/pdm.cfg ./app_bases/ pdm.jar Injected File with attacker code ! . . contains classes.dex . with injected code . . ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/respond.min.js ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/[Content_Types].xml ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/1000_768.css ./app_ipm/600eb07a-2926-4407-b014-d3e8c77b0086/KISA_EN_Trial.html Advertisement files transfered by a zip archive ! 45

Recommend

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon

Security Analysis of Anti-Theft Solutions by Android Mobile Anti-Virus Apps Laurent Simon lmrs2@cam.ac.uk https://www.cl.cam.ac.uk/~lmrs2/ Talk outline Background Mobile Anti Virus (MAV) sample Lock Wipe 21/05/15 Laurent

481 views • 28 slides
anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an

anti-virus and anti-anti-virus 1 logistics: TRICKY HW assignment out infecting an executable 2 anti-virus techniques last time: signature-based detection regular expression-like matching snippets of virus(-like) code heuristic

1.79k views • 139 slides
Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus

Self-Protection Strategies Tunneling, Armored, and Retro Viruses CS4400/7440 Anti-anti-virus Techniques } Virus writers have devised numerous methods of resisting anti-virus software and making life difficult for anti-virus researchers }

554 views • 53 slides
anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable

anti-anti-virus (continued) 1 logistics: TRICKY HW assignment out infecting an executable 2 last time anti-virus: heuristic: malware messing up executables? key idea: wrong segment of executable? switching segments of the executable?

1.14k views • 102 slides
COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS VIRUS A virus must meet two A computer virus is a small criteria:

525 views • 23 slides
Awareness: An Anti-virus Program for Humans Gretchen Morris, CISSP DB Consulting Group, Inc.

Awareness: An Anti-virus Program for Humans Gretchen Morris, CISSP DB Consulting Group, Inc.

Awareness: An Anti-virus Program for Humans Gretchen Morris, CISSP DB Consulting Group, Inc. Integrated Awareness Efforts Website u News Articles u Security Tips u Calendar(s) u Newsletters u Posters u Webinars u Lunch and Learns

371 views • 19 slides
53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats

53-74% Average anti-virus effectiveness against new threats* * RAP Proactive 400 New threats every minute* * Merrill Lynch ...Causing $3T USD in costs, and expected to double by 2021* * CyberSecurity Ventures (2015) Todays threat

508 views • 35 slides
CONCEPT Standard Model CAPACI TY 9K, 12K, 18K &amp; 24K BTU Launched in 2011 The Concept

CONCEPT Standard Model CAPACI TY 9K, 12K, 18K &amp; 24K BTU Launched in 2011 The Concept

CONCEPT Standard Model CAPACI TY 9K, 12K, 18K &amp; 24K BTU Launched in 2011 The Concept Appealing Design to all consumers Anti-virus Filter Full High density anti-virus filters Triple Protectors Quality Protection Good Sleep I I

612 views • 26 slides
An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps

An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps

An introduction to the EU BULLY apps A blended approach to changing bullying behaviour 2 apps developed as resources to support anti-bullying programmes with young people in school and at home: 1. A multiple choice quiz 2. An online survey

257 views • 12 slides
INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI

INJECTING SECURITY INTO WEB APPS AT RUNTIME AJIN ABRAHAM SECURITY ENGINEER #WHOAMI Security Engineering @ Research on Runtime Application Self Defence Authored MobSF, Xenotix and NodeJSScan Teach Security: opsecx.com

906 views • 55 slides
KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine

KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine

Europython 2020 So, You Want to Build an Anti-Virus Engine? KunYu Chen JunWei Song Security Researcher , Security Researcher Founder of Quark Engine CoFounder of Quark Engine 2 Outline #1: Introduction of Malware Scoring System #2: Design

1.17k views • 53 slides
Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts,

Locky Strike: Smoking the Locky Ransomware Code Floser Bacurio Jr and Rommel Joven Anti-Virus Analysts, FortiGuard Lion Team September 1, 2017 1 Cryptowall 2 This one? 3 Prevalence: Global ransomware Global Ransomware IPS Hits - February

647 views • 49 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
Technology Toolkit 4 Key Pillars Security Training Maximize Your Technology Impact Web Site

Technology Toolkit 4 Key Pillars Security Training Maximize Your Technology Impact Web Site

Technology Toolkit 4 Key Pillars Security Training Maximize Your Technology Impact Web Site Anti-Virus Administrators Desktops/Tablets Email Telephone (VOIP-Land Lines) Firewall Daily Staff Wireless Business Cards Web Policy

210 views • 8 slides
viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb

viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb

viruses 3 / anti-virus 1 Changelog Corrections made in this version not in fjrst posting: 8 Feb 2017: slide 31: visible space after negative foo example 8 Feb 2017: slide 35: [a-zA-Z]*ing instead of [a-zA-Z]ing 8 Feb 2017: slide 56: correct

1.32k views • 116 slides
Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf

Kernel Security Anti-Patterns: Low Hanging Fruit http://outflux.net/slides/2013/lss/fruit.pdf gholzer Linux Security Summit, New Orleans 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Overview Anti-pattern awareness

254 views • 10 slides
CORONAVIRUS COVID-19 ABOUT THE VIRUS We all know about it, but not everyone knows how serious it

CORONAVIRUS COVID-19 ABOUT THE VIRUS We all know about it, but not everyone knows how serious it

CORONAVIRUS COVID-19 ABOUT THE VIRUS We all know about it, but not everyone knows how serious it is: The virus is offjcially called SARS-CoV-2 It is suspected that the virus was transmitted by animals to humans There are more than

838 views • 51 slides
Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses (1) } Why polymorphism? } Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code) } Virus writers

641 views • 40 slides
Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can

Boxing them in Buggy apps can crash other apps The Kernel App 1 App 2 App 3 Buggy apps can crash OS wants to be your friend Buggy apps can hog all resources Operating System Malicious apps can violate Reading and writing memory, privacy

548 views • 17 slides
SECURE-mode ZI Digital Security Training Session 2 June 2016 Why Digi SAVY? Your website

SECURE-mode ZI Digital Security Training Session 2 June 2016 Why Digi SAVY? Your website

SECURE-mode ZI Digital Security Training Session 2 June 2016 Why Digi SAVY? Your website Your social media How experiences your audience perceives you The way you answer the phone Your logo Anti virus The major certification and

341 views • 14 slides
CSCE 790 Computer Systems Security Firmware Security Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Firmware Security Professor Qiang Zeng Spring 2020

CSCE 790 Computer Systems Security Firmware Security Professor Qiang Zeng Spring 2020 Previous Class Virus vs. Worm vs. Trojan Drive-by download Botnet Rootkit CSCE 790 Computer Systems Security 2 Trojan vs. Virus

302 views • 16 slides
Anti-Phishing Security Strategy Angelo P. E. Rosiello Agenda 1. Brief introduction to phishing

Anti-Phishing Security Strategy Angelo P. E. Rosiello Agenda 1. Brief introduction to phishing

Anti-Phishing Security Strategy Angelo P. E. Rosiello Agenda 1. Brief introduction to phishing 2. Strategic defense techniques 3. A new client based solution: DOMAntiPhish 4. Conclusions Nature of Phishing Statistics from the Anti

536 views • 31 slides
Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar Bohte &amp; Roy Vermeulen Why diabetes? 2 3 The upside 4 Smartphone app security 5 Health data confidentiality 6 Diabetes data integrity

645 views • 28 slides
Grapevine Virus Tales of Woe Not Just One Tale 11% of all vineyards have at least one block with

Grapevine Virus Tales of Woe Not Just One Tale 11% of all vineyards have at least one block with

Grapevine Virus Tales of Woe Not Just One Tale 11% of all vineyards have at least one block with known virus Virus in New Vines Newly planted vineyards with 1- 10% virus coming directly from the nursery. (Leafroll and Red Blotch)

303 views • 9 slides

More recommend