how to do it wrong smartphone antivirus and security
play

How to do it Wrong: Smartphone Antivirus and Security Applications - PowerPoint PPT Presentation

Jan 03, 2024 •240 likes •751 views

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Trger, Andreas Wittmann, Philipp Roskosch, Daniel Magin 1 Who are we Stephan Siegfried Mobile

  1. How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire Stephan Huber, Siegfried Rasthofer, Steven Arzt, Michael Tröger, Andreas Wittmann, Philipp Roskosch, Daniel Magin 1

  2. Who are we Stephan Siegfried • Mobile Security Researcher • 4th year PhD Student at TU at Fraunhofer SIT Darmstadt / Fraunhofer SIT • Enjoys drinking bavarian beer • Enjoys teaching students in Android Hacking • @teamsik 2

  3. Mobile Banking Security 3

  4. Spam Protection Privacy Advisor Malware Detection Engine Premium Secure Browsing Features Device Configuration Advisor 4

  5. 5

  6. App GooglePlay Downloads “Pseudo“ AV Apps AndroHelm 1-5 Mio Malwarebytes 5-10 Mio ESET 5-10 Mio Avira 10-50 Mio Kaspersky 10-50 Mio McAfee 10-50 Mio CM Security 100-500 Mio 6

  7. #Challenges Premium Upgrade for Free? Misuse Lost-Device Feature (Ransomware)? Remotely Influence Scan Engine Behavior? Remote Code Execution? 7

  8. Premium Upgrade for Free? (1/2 Examples) AndroHelm 8

  9. Free Premium the Simple Way 9

  10. Let‘s Have a Look at the Free App Interesting code snippet: … this.toast("Thank you for upgrading to PRO!"); //shared pref value set to true this. prefs.putBoolean (" isPro ", true ); key/value pair for xml file … SharedPreferences at first install: <?xml version='1.0' encoding='utf-8' standalone='yes' ?> <map> <int name="dialogShowTimes" value="1" /> <boolean name="hasDatabase" value="true" /> <string name="lastFragment"></string> <boolean name=" isPro " value=" true " /> </map> 10

  11. Changing XML File Without Root backup com.androhelm.antivirus.free2 adb restore com.androhelm.antivirus.free2 debug bridge * tar -xvf mybackup.tar nano com.androhelm.antivirus.free.preferences.xml *"h$ps://github.com/nelenkov/android:backup:extractor" 11

  12. Premium Upgrade for Free? (2/2 Examples) ESET 12

  13. ESET License Verification ? ESET Security App ESET Backend SSL/TLS Protection https - request containing credentials / license info There are known vulnerabilities for SSL/TLS, but is there an easier way? 13

  14. One"requirement"for"secure"communica?on"is"the"verifica?on"" of"the"SSL"cer?ficate!" final class jl implements X509TrustManager { … public void checkServerTrusted ( X509Certificate [] cert, String s) ! N throws CertificateException { E K O R //please insert verification here B } //end of the method }// end of the class 14

  15. ESET License Verification ? ESET Security App ESET Backend SSL/TLS Protection <NODE NAME="LicenseUsername" VALUE=" Fdax6a7wj/I+ZEet " TYPE="STRING"/> Base64"decoded" VALUE in"HEX : 15 d6 b1 e9 ae f0 8f f2 3e 64 47 ad <NODE NAME="LicensePassword" VALUE=" Fdax6a7wj/I= " TYPE="STRING"/> Base64"decoded" VALUE in"HEX : 15 d6 b1 e9 ae f0 8f f2 WTF? 15

  16. Let’s do some Crypto Analysis Classic chosen plaintext attack Plaintext) Cipher)(base64)) Cipher)(hexbyte)) a" ANY=" 0x0 0xd6 aa" ANa16Q==" 0x0 0xd6 0xb5 0xe9 aaaa" ANa16bzwmvI=" 0x0 0xd6 0xb5 0xe9 0xbc 0xf0 0x9a 0xf2 b" A9Y=" 0x3 0xd6 bbbb" A9a26b/wmfI=" 0x3 0xd6 0xb6 0xe9 0xbf 0xf0 0x99 0xf2 abc" ANa26b7w" 0x0 0xd6 0xb6 0xe9 0xbe 0xf0 cccc" Ata36b7wmPI=" 0x2 0xd6 0xb7 0xe9 0xbe 0xf0 0x98 0xf2 dddd" Bdaw6bnwn/I=" 0x5 0xd6 0xb0 0xe9 0xb9 0xf0 0x9f 0xf2 eeee" BNax6bjwnvI=" 0x4 0xd6 0xb1 0xe9 0xb8 0xf0 0x9e 0xf2 16

  17. Let’s do some Crypto Analysis Classic chosen plaintext attack Plaintext) Cipher)(base64)) Cipher)(hexbyte)) a" ANY=" 0x0 aa" ANa16Q==" 0x0 0xb5 aaaa" ANa16bzwmvI=" 0x0 0xb5 0xbc 0x9a b" A9Y=" 0x3 bbbb" A9a26b/wmfI=" 0x3 0xb6 0xbf 0x99 abc" ANa26b7w" 0x0 0xb6 0xbe cccc" Ata36b7wmPI=" 0x2 0xb7 0xbe 0x98 dddd" Bdaw6bnwn/I=" 0x5 0xb0 0xb9 0x9f eeee" BNax6bjwnvI=" 0x4 0xb1 0xb8 0x9e 17

  18. Let’s do some Crypto Analysis Clean up: Plaintext) Cipher)(base64)) Cipher)(hexbyte)) aaaa" ANa16bzwmvI=" 0x0 0xb5 0xbc 0x9a bbbb" A9a26b/wmfI=" 0x3 0xb6 0xbf 0x99 cccc" Ata36b7wmPI=" 0x2 0xb7 0xbe 0x98 abc" ANa26b7w" 0x0 0xb6 0xbe dddd" Bdaw6bnwn/I=" 0x5 0xb0 0xb9 0x9f eeee" BNax6bjwnvI=" 0x4 0xb1 0xb8 0x9e • 2nd byte is not required • No chaining • Looks like a simple substitution 18

  19. Here Comes the Key key[0] = ? a = 0x61 ? 0x0 Le#er% Decimal% Hex% 1.%Cipher% a" 97" 0x61" 0x0" b" 98" 0x62" 0x3" c" 99" 0x63" 0x2" 19

  20. Here Comes the Key key[0] = a = 0x61 a = 0x61 XOR 0x0 Le#er% Decimal% Hex% 1.%Cipher% a" 97" 0x61" 0x0" b" 98" 0x62" 0x3" c" 99" 0x63" 0x2" 20

  21. Here Comes the Key key[0] = a = 0x61 b = 0x62 XOR 0x3 Le#er% Decimal% Hex% 1.%Cipher% a" 97" 0x61" 0x0" b" 98" 0x62" 0x3" c" 99" 0x63" 0x2" 21

  22. Here Comes the Key key[0] = a = 0x61 c = 0x63 XOR 0x2 Le#er% Decimal% Hex% 1.%Cipher% a" 97" 0x61" 0x0" b" 98" 0x62" 0x3" c" 99" 0x63" 0x2" 22

  23. Here Comes the Key Cipher = 0x0 0xb5 0xbc 0x9a … XOR aaaa = 0x61 0x61 0x61 0x61 … Key = 0x61 0xd4 0xdd 0xfb … Le#er% Decimal% Hex% 1. Cipher% aaaa" 97"97"97"97" 0x61"0x61"0x61"0x61" 0x0"0xb5"0xbc"0x9a" 23

  24. ESET License Verification ESET Security App ESET Backend SSL/TLS Protection <NODE NAME="LicenseUsername" VALUE=" Fdax6a7wj/I+ZEet " TYPE="STRING"/> key = [0x61 0xd4 0xdd 0xfb 0x5b 0x35 0xb7 0x19 0xec 0x2b 0x42 0xd9 0x4b 0x7 …] Fdax6a7wj/I+ZEet test 24

  25. #Challenges ✔ Premium Upgrade for Free? Misuse Lost-Device Feature (Ransomware)? Remotely Influence Scan Engine Behavior? Remote Code Execution? 25

  26. Misuse Lost-Device Feature (Ransomware)? (1 Example) AndroHelm 26

  27. Misuse Lost-Device Feature What is a lost-device feature? • Device Location • Remote Alarm • Remote Wipe • Remote Lock • … Can we abuse “Remote Lock“ or “Wipe“? 27

  28. Remote Communication With Smartphone ? Examples: • Google Cloud Messaging (GCM) • Push Service Provider • SMS Messages 28

  29. Androhelm Anti-Theft SMS Protocol • Anti-theft feature is enabled • User sends SMS command Feature not enabled, still possible to bypass the authentication? 29

  30. Remote Protocol with Activated Anti-Theft true check check wait for incoming wait for incoming split at split at execute execute password password SMS SMS [SPACE] [SPACE] command command false command := “wipe“ myPass[SPACE]wipe[SPACE] SMS_PASSWORD := “myPass“ //Stored password execute(command) command := “wipe“ pwd := “myPass“ pwd == SMS_PASSWORD? “myPass“ == “myPass“ 30

  31. Remote Protocol Deactivated Anti-Theft true check check wait for incoming wait for incoming execute execute split at split at password password SMS SMS command command [SPACE] [SPACE] false Attacker command := “wipe“ [SPACE]wipe[SPACE]somestring SMS_PASSWORD := ““ //default password execute(command) command := “wipe“ pwd := ““ pwd == SMS_PASSWORD? ““ == ““ empty string as pwd SMS_PASSWORD is empty 31

  32. #Challenges ✔ Premium Upgrade for Free? ✔ Misuse Lost-Device Feature (Ransomware)? Remotely Influence Scan Engine Behavior? Remote Code Execution? 32

  33. Remotely Influence Scan Engine Behavior? (1 Example) Malwarebytes 33

  34. Unprotected Signature Updates Man-in-the-Middle Attacker Malwarebytes App Malwarebytes Backend (signature) update request (signature) update request TI028Z%th5Y’uX4>dQz… = = TI028Z%th5Y'uX4>dQz… remove signatures 34

  35. #Challenges ✔ Premium Upgrade for Free? ✔ Misuse Lost-Device Feature (Ransomware)? ✔ Remotely Influence Scan Engine Behavior? Remote Code Execution? 35

  36. Remote Code Execution? (1 Example) Kaspersky 36

  37. Zip Directory Traversal Special filename for a zip entry /tmp$ unzip -l zipfile.zip Archive: zipfile.zip Length Date Time Name --------- ---------- ----- ---- 22 2016-06-28 13:49 ../../../tmp/dir2/badfile.txt 24 2016-06-28 13:43 file1.txt --------- ------- 46 2 files 37

  38. What happens if we unzip? /tmp$ unzip zipfile.zip -d ./ dir1 / Archive: zipfile.zip warning: skipped "../" path component(s) in ../../../tmp/dir2/badfile.txt extracting: ./dir1/tmp/dir2/badfile.txt extracting: ./dir1/file1.txt /tmp$ find /tmp/dir1/ /tmp/ dir1 / /tmp/ dir1 /file1.txt /tmp/ dir1 /tmp /tmp/ dir1 /tmp/dir2 /tmp/ dir1 /tmp/dir2/badfile.txt /tmp$ 38

Recommend

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer

AI in Antivirus What AI do in your antivirus Who I am? Arcangelo Saracino Student of Computer Science at Uniba Three years of experience in web development Cybersecurity and Linux appassionate Mail: saracinoarcangelo@gmail.com Outline

363 views • 18 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides
CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State --

CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State --

CSC591-006 Smartphone OS Security Introduction Spring 2012 Prof. William Enck NC State -- Department of Computer Science Page 1 Why Study Smartphone Security? New platform / theyre popular / its a buzzword Resource constrained

536 views • 40 slides
Lecture 8a: Smartphone Sensing Emmanuel Agu Smartphone Sensing Recall: Smartphone Sensors

Lecture 8a: Smartphone Sensing Emmanuel Agu Smartphone Sensing Recall: Smartphone Sensors

Mobile and Ubiquitous Computing on Smartphones Lecture 8a: Smartphone Sensing Emmanuel Agu Smartphone Sensing Recall: Smartphone Sensors Typical smartphone sensors today accelerometer, compass, GPS, microphone, camera, proximity

898 views • 68 slides
antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at

antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at

Easy ways to bypass antivirus systems Intruducion Attila Marosi OSCE, OSCP, ECSA, CEH IT security expert at GovCERT-Hungary (SSNS) Email: attila.marosi@gmail.com Web: http://marosi.hu Twitter: @0xmaro Why? All of us use

285 views • 16 slides
This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert,

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert,

This PIN Can Be Easily Guessed Analyzing the Security of Smartphone Unlock PINs Philipp Markert, Daniel V. Bailey, Maximilian Golla, Markus Drmuth, and Adam J. Aviv May 18, 2020 | 41st IEEE Symposium on Security and Privacy Overview ?!

355 views • 18 slides
The Privacy and CyLab Security Behaviors of Smartphone Engineering &amp; App Developers

The Privacy and CyLab Security Behaviors of Smartphone Engineering &amp; App Developers

The Privacy and CyLab Security Behaviors of Smartphone Engineering &amp; App Developers Public Policy Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason Hong, Lorrie Faith y &amp; c S a e v c i u r P r i t e y l b L a

646 views • 26 slides
Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About

Wireless Security: A Perspective (aka. What Weve Done Wrong, and Some of What We Can Do About It) Wade Trappe Agenda Agenda Tales from the Dark Side of Security Wireless in Particular Decomposing the Problem into Problems

697 views • 40 slides
AppsPlayground: Automatic Security Analysis of Smartphone Applications Vaibhav Rastogi , Yan Chen,

AppsPlayground: Automatic Security Analysis of Smartphone Applications Vaibhav Rastogi , Yan Chen,

AppsPlayground: Automatic Security Analysis of Smartphone Applications Vaibhav Rastogi , Yan Chen, and William Enck Lab for Internet and Security Technology, Northwestern University North Carolina State University h li S i i 1

1.22k views • 19 slides
Analyzing End-Users Knowledge and Feelings Surrounding Smartphone Security and Privacy May

Analyzing End-Users Knowledge and Feelings Surrounding Smartphone Security and Privacy May

Analyzing End-Users Knowledge and Feelings Surrounding Smartphone Security and Privacy May 21st 2015 Lydia Kraus*, Tobias Fiebig*, Viktor Miruchna*, Sebastian Mller*, Asaf Shabtai+ * Technische Universitt Berlin + Ben-Gurion University

397 views • 18 slides
Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone

Hey, You, Get Off of My Market: RAFAEL MICHAEL CS 682- ADVANCED SECURITY TOPICS Smartphone users over the years Leading app stores 2019 Smartphones are becoming increasingly ubiquitous With great popularity Comes great

385 views • 37 slides
CS 4518 Mobile and Ubiquitous Computing Smartphone Sensing Emmanuel Agu Smartphone Sensors

CS 4518 Mobile and Ubiquitous Computing Smartphone Sensing Emmanuel Agu Smartphone Sensors

CS 4518 Mobile and Ubiquitous Computing Smartphone Sensing Emmanuel Agu Smartphone Sensors Typical smartphone sensors today accelerometer, compass, GPS, microphone, camera, proximity Future sensors? Heart rate monitor,

825 views • 20 slides
Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches,

Overview Security Maintenance Practices and Principles Securing Operating Systems Patches, Fixes, Revisions Antivirus Software Post-Install Security Checklist: Windows/UNIX File System Security Issues Chapter 10 User

361 views • 8 slides
Computing Security @ Carnegie Mellon University John K. Lerchey Information Security Office

Computing Security @ Carnegie Mellon University John K. Lerchey Information Security Office

Computing Security @ Carnegie Mellon University John K. Lerchey Information Security Office lerchey@andrew.cmu.edu Start with the Basics Patching Antivirus and anti-malware software Strong passwords Be aware of Theft

301 views • 9 slides
Smartphone Sensors Using raw smartphone sensor data in the classroom Albert Schueller Department

Smartphone Sensors Using raw smartphone sensor data in the classroom Albert Schueller Department

JMM Denver 2020 Smartphone Sensors Using raw smartphone sensor data in the classroom Albert Schueller Department of Mathematics and Statistics Overview Introduce a collection of useful technologies that have a broad range of applications and

289 views • 15 slides
Computing Security @ Carnegie Mellon University Allison MacFarlan Wiam Younes &amp; Training

Computing Security @ Carnegie Mellon University Allison MacFarlan Wiam Younes &amp; Training

Computing Security @ Carnegie Mellon University Allison MacFarlan Wiam Younes &amp; Training and Awareness Information Security Coordinator Engineer Five Computing Security Tips Back to the Basics Patching Antivirus and

342 views • 11 slides
Smartphone Imaging Trends Brian Klug Sr. Smartphone Editor, AnandTech.com Thursday, February 7,

Smartphone Imaging Trends Brian Klug Sr. Smartphone Editor, AnandTech.com Thursday, February 7,

Smartphone Imaging Trends Brian Klug Sr. Smartphone Editor, AnandTech.com Thursday, February 7, 13 Background B.S. - Optical Sciences &amp; Engineering, University of Arizona Imaging Technology Lab with Steward Observatory Worlds first curved

560 views • 44 slides
CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

445 views • 18 slides
CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

210 views • 18 slides
CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code, we

211 views • 18 slides
Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15

Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15

GrAVity: A Massively Parallel Antivirus Engine Giorgos Vasiliadis and Sotiris Ioannidis FORTH-ICS, Greece RAID10, 15 September 2010 Overview Increase the processing throughput of virus scanning applications, using the Graphics

563 views • 28 slides
Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy

Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy

Conce Concept of pt of T TAP(T AP(Tar arge geted ted Antivir Antivirus us Pr Prop ophy hylax laxis) is) Drug dis istr tributions an and re remote te con onsulta tation jus just t before th the ou outb tbreak Isao

669 views • 7 slides
Defences Structure of the Courts What is a Crime? a public wrong Wrong committed

Defences Structure of the Courts What is a Crime? a public wrong Wrong committed

Defences Structure of the Courts What is a Crime? a public wrong Wrong committed against the common good or public interest causes harm to society, not just the individual 3 features that make something a public wrong:

474 views • 25 slides
Privacy in the Smartphone Age Di Ma NSF US/Mid-East Workshop on Trustworthiness in Emerging

Privacy in the Smartphone Age Di Ma NSF US/Mid-East Workshop on Trustworthiness in Emerging

Privacy in the Smartphone Age Di Ma NSF US/Mid-East Workshop on Trustworthiness in Emerging Distributed Systems and Networks June 4-6, 2012 Istanbul, Turkey The issue Privacy in the smartphone age I s important because smartphones

233 views • 6 slides

More recommend