Obfuscated Financial Fraud Android Malware: Detection and Behavior Tracking
In Seung Yang (KrCERT/CC, KISA)
DeepSec IDSC 2016, Friday, 11 November 2016
Who am I
In Seung Yang, mobile malware analyst, Analysis Team at KrCERT/CC, KISA
Agenda
Trends of Financial Fraud Android Malware in Korea
Detection and Incident Response (KrCERT/CC)
1) Methods of Dissemination
2) Types of Malicious Apps
3) How to leak victim's data
Obfuscated Android Malware in Korea
Remote-control Behaviors Tracking
Mobile Malware Evolution
[Chart] source: Mobile malware evolution 2015 (Kaspersky, Feb 2016)
• Number of new malicious mobile programs: 295,539 (2014), 884,774 (2015)
• Number of new mobile banking Trojans: 16,586 (2014), 7,030 (2015)
• Number of attacked countries is growing: 90 (2014), 137 (2015)
Recently, SMS Phishing in Europe
[source: "The Latest Android Overlay Malware Spreading via SMS Phishing in Europe", FireEye report, 28 June 2016]
[Figure] Overview; app name / package name of the samples
Recently, SMS Phishing in Europe (Cont.)
[Figure] Code structure and manifest file of the obfuscated code
Smartphone banking users in Korea
[Chart] Smartphone users: 46 million; Population: 51 million; Smartphone banking users: 68 million (134%) (*)
(*) Including users of multiple banks' apps
Security Policy on Financial Services Sector in Korea
① ID Card (TRANSLATION: Name: Hong Kil-Dong; Social Security Number: 000000-0000000; Address: Seoul, OOO Gu, OOO Dong)
② Security Number Card (TRANSLATION: *This table is used for internet banking as well as telebanking service.)
③ Two-Factor Authentication, SMS Authentication (TRANSLATION: The certification number for your SMS Authentication [896***]. From OObank)
④ OTP Number
⑤ Certificate (NPKI, National Public Key Infrastructure)
Financial Fraud Android Malware Timeline in Korea (2012 to 2016)
[Figure] Slide labels: Financial Fraud Attack; Bypassing a Protection Plan; Obstructing Analysis; Cyber Intelligence Service
Attack techniques: Stealing SMS authentication confirmation; Leaking official authentication certificate; Inducing people to input their bank authentication information; Bypassing ARS authentication; Voice phishing; Changing C2 IP connection; Commercial packer/protector; Elimination of AntiVirus; Deletion obstruction
Countermeasures: Smishing Prevention Guide (Mar 2013); Guidance on banking apps pharming protection (Feb 2014); Prohibiting changing the originating number (Sep 2014); Providing smishing block apps pre-loaded (Mar 2015); Guidance on smishing dissemination
Financial Fraud Malware (PC) Timeline in Korea (2004 to 2016)
[Figure] Techniques shown: Phishing; Pharming via hosts file; hosts.ics; PAC (Proxy Auto-Config); iframe; VPN tunneling; Compromised DNS; Home router vulnerability; Memory patch (monitoring I.E.)
Years on the slide: 2004, 2007, 2013, 2014, 2015, 2016
1) Methods of Dissemination
How do bad guys infect the victim's device in Korea?
• Smishing (SMS Phishing) is a form of criminal activity using social engineering techniques
[Figure] Flow: Collect phone numbers → Send SMS → Download → Install fake app
Example SMS: "This is DeepSec 2016! We provide app including program list and material. Go for it! http://www.deepsec-***.com"
1) Methods of Dissemination
• Smishing
• Fake validation process for gaining the victim's trust
[Figure] The victim inputs their phone number at the phishing site; the hacker's server compares the saved phone number with the number the SMS was sent to.
• Exists: download financial fraud malware
• Does not exist: nothing (just show an error message)
Fake Apps in Korea
[Figure] Chrome; Adobe Flash Player; Install; Settings; Domestic delivery service; Mobile invitation for wedding; Supreme Prosecutors' Office; Domestic capital company
1) Methods of Dissemination
• Smishing
• Card Point (Aug 2016)
SMS: "포인트선물이 1시간내에 도착예정이니 OOO 고객님 확인하시길 바랍니다 http://ka.do/****" (TRANSLATION: Customer OOO, Point Gift will be sent within one hour. Please check it.)
Fake app: "Check Card Points"
Phishing site (user verification page), TRANSLATION: Please select your card company for checking your points. Fields requested: Name; Social Security Number; Card Number; Card valid expiration date; CVC numbers; Password; Certificate (NPKI) password. Result: the victim's card credentials are stolen.
* Bad guys request the victim's name and phone number for gaining trust.
1) Methods of Dissemination
• Smishing
• Sewol ferry disaster (Apr 2014)
[Figure] SMS lures sent between 16 Apr and 2 May 2014 (4/16, 4/17, 4/18, 4/19, 4/21, 4/22, 4/23, 4/24, 5/2), each carrying a link (http://REDACTED). TRANSLATION:
• Real-time breaking news: 25 more deaths from the sinking of Sewol.
• Real-time breaking news: 55 more deaths from the sinking of Sewol. Video.
• [Breaking News] The survival of 78 students and teachers of Danwon High School confirmed.
• Two survivors found at window #3 of Sewol.
• [GO! Site] A six-year-old child rescued. "Baby, baby, baby"
• [Yonhap News] Video of the rescue status of the sinking Ferry Sewol.
• Six missing people successfully rescued around 9 o'clock on the 23rd.
• I am very sorry. I won't forget. I remember the victims of the Sewol.
• Inquiry into the situation of donation after the Sewol accident. More.
1) Methods of Dissemination
• Website
• Compromised Web Server (Mar 2016)
[Figure] The hacker uploaded a WebShell to the web server using a file upload vulnerability; the WebShell was disguised with a GIF header signature. The same compromised server then serves Android malware (fake app) to mobile users and PC malware (pharming) to PC users.
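The slide above notes that the WebShell carried a GIF header signature, which is exactly the case a magic-bytes-only upload filter misses. The following server-side check is an added example written for this page, not code from the talk or from KrCERT/CC: it assumes a hypothetical image upload endpoint that accepts only GIF/PNG/JPEG, and it combines magic-byte sniffing with extension/content agreement, a double-extension check, and a scan of the body for server-side script markers. The sample inputs are constructed, not real samples from the incident.

```python
import re

# Magic bytes of the image types this (hypothetical) upload endpoint accepts.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
# Which file extensions are acceptable for each sniffed content type.
EXT_FOR_KIND = {"gif": {"gif"}, "png": {"png"}, "jpeg": {"jpg", "jpeg"}}
# Extensions a web server might execute if they appear anywhere in the name.
EXECUTABLE_EXT = {"php", "phtml", "php5", "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh"}
# Script markers that have no business inside an image upload.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script|<jsp:", re.IGNORECASE)


def sniff_image_type(data: bytes):
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Only a file that passes every check is accepted."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"
    ext = parts[-1]
    # shell.php.gif: an executable extension hidden before the image extension.
    if any(p in EXECUTABLE_EXT for p in parts[1:-1]):
        return False, "double extension"
    if ext not in {e for exts in EXT_FOR_KIND.values() for e in exts}:
        return False, "extension not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "magic bytes do not match an allowed image type"
    if ext not in EXT_FOR_KIND[kind]:
        return False, "extension does not match content"
    # The check that catches the GIF-header trick: a valid header is not enough,
    # the body must not contain server-side script markers either.
    if SCRIPT_MARKERS.search(data):
        return False, "embedded script marker found"
    return True, kind


# Constructed sample inputs (not real samples from the incident).
GOOD_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x3b"
GIF_HEADER_WEBSHELL = b"GIF89a" + b"<?php /* constructed placeholder body */ ?>"


def scan_uploads(uploads):
    """Run every (filename, bytes) pair through validate_upload; return the rejected ones."""
    return [(name, reason) for name, data in uploads
            for accepted, reason in [validate_upload(name, data)] if not accepted]


if __name__ == "__main__":
    for name, data in [("photo.gif", GOOD_GIF), ("avatar.gif", GIF_HEADER_WEBSHELL),
                       ("shell.php.gif", GOOD_GIF), ("photo.png", GOOD_GIF)]:
        print(name, validate_upload(name, data))
```

The marker scan is deliberately the last step: a file with a valid GIF header and a matching extension still has to survive it, which is the path the disguised WebShell on the slide would have taken. In a real deployment the same checks belong in front of the storage location, together with storing uploads outside any directory the web server will execute.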
1) Methods of Dissemination
• Website
• Compromised online bus ticket booking site (Apr 2014)
[Figure] Page at http://REDACTED. TRANSLATION: Necessary updates for Google Play. / TRANSLATION: One malicious code was found. To remove it, please delete the following app.
1) Methods of Dissemination
• Market
• Credit card management app (Apr 2014)
[Figure] The app covers Bank, Card Company and Capital Company. TRANSLATION: All banks, All cards
1) Methods of Dissemination
• P2P
• 'The Interview' app turns out to be a banking Trojan (Dec 2014)
[Figure] Post offering the movie 'The Interview', with a large number of views. TRANSLATION: Check manufacturing information, Smartphone "Arirang" or tablet PC "Samjiyon" (Android-based), Free distribution. / TRANSLATION: "Page loading ... Please access after a while! Thank you."
1) Methods of Dissemination
• SNS
• Twitter (Jul 2014)
TRANSLATION: An undisclosed video on Yu Byung-Eun's will found in his secret safe box. Please download it to let the world know. http://REDACTED
TRANSLATION: Disclosure of the video of the final communication with the fire department helicopter that assisted Sewol before its crash. http://REDACTED
1) Methods of Dissemination
• IoT
• Home router vulnerability attack
[Figure] Vulnerability attack on the home router (outdated firmware, default password).
PC user: pharming malware installation using ActiveX.
Mobile user: (case 1) fake banking Trojans that bring in personal information (TRANSLATION: Input information for getting account); (case 2) download malware, which downloads additional malware from the hacker's server.
After stealing SMS authentication (TRANSLATION: [Naver] Authentication Number [274021]), the victim's account is used for viral marketing.
2) Types of malicious apps
2) Types of malicious apps
• Financial Mobile Malware Evolution
[Figure] Steal certificate → Downloader → Dropper → Call Forwarding → Avoid Banking ARS Authentication
TRANSLATION: Notification. A new version has been introduced. Please use it after reinstallation.
2) Types of malicious apps
• Financial Mobile Malware Evolution (Cont.)
[Figure] Disguised as a credit management app (TRANSLATION: ALL BANK, ALL CARD); scans the security card.
TRANSLATION: Bank: Please scan the security card code of the account you want to request.
TRANSLATION: Relaxation security card applied. The assurance security card, which is the best security medium, was applied to prevent electronic financial fraud.
2) Types of malicious apps
• Financial Mobile Malware Evolution (Cont.)
• Voice Phishing Connection
[Figure] Voice phishing group: (Case 1) phishing attack; (Case 2) voice (call victims).
TRANSLATION: Name; Phone Number; Birth date; Company Name; Required money (Application / Salary request)
TRANSLATION: Notification. (Application/Salary request) received. Please contact the call center for detailed inquiries.
TRANSLATION: Because an identity confirmation procedure will follow shortly through the number provided below, please be sure to answer your phone.