we know what you did this summer android banking trojan
play

We know what you did this summer: Android Banking Trojan exposing - PowerPoint PPT Presentation

Mar 16, 2024 •270 likes •626 views

We know what you did this summer: Android Banking Trojan exposing its sins in the cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel Security)

  1. We know what you did this summer: Android Banking Trojan exposing its sins in the cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel Security) Stephan Huber (Fraunhofer SIT) 01.10.2015 | Virus Bulletin 2015 | 1

  2. Siegfried Rasthofer • 3rd year PhD-Student at TU Darmstadt • Research interest in Static-/dynamic code analyses • Found 2 AOSP exploits, various App security vulnerabilities Prof. Dr. Eric Bodden • Professor at TU Darmstadt • Research interest in Static-/dynamic code analyses • Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt Carlos Castillo • Mobile Security Researcher at Intel Security. • Hacking Exposed 7 co-author (Hacking Android). • ESET Latin America’s Best Antivirus Research winner 2009. Alex Hinchliffe • Mobile Security Research Manager at Intel Security • Co-developer of cloud based Anti-Malware technology, Artemis • Project partner of MobSec, S 2 Lab, Royal Holloway University, London 01.10.2015 | Virus Bulletin 2015 | 2

  3. Backend-as-a-Service 56 Mio. data records “publicly“ available (BlackHat EU 2015) 01.10.2015 | Virus Bulletin 2015 | 3

  4. Backend-as-a-Service Malware?? 01.10.2015 | Virus Bulletin 2015 | 4

  5. Backend-as-a-Service (1) Android iOS BaaS JavaScript ... ... 01.10.2015 | Virus Bulletin 2015 | 5

  6. Backend-as-a-Service (2) Push Noti fica tions Data Storage User Administration Social Network 01.10.2015 | Virus Bulletin 2015 | 6

  7. ID Keys != Authentication Keys! Use Proper Access Control Parse.initialize(this, APPLICATION_ID, CLIENT_KEY); Rules on the Server Side! ParseObject sms = new ParseObject("Intercepted SMS"); sms.put("message", "Hi VB2015"); 01.10.2015 | Virus Bulletin 2015 | 7

  8. HAVOC: Automatic Exploit Generator 01.10.2015 | Virus Bulletin 2015 | 8

  9. Malware using Facebook‘s Parse 294,817 malware apps from 2015 scanned 78 Apps with potential Push Notification misuse 16 Apps with data storage misuse 5 Android/OpFake variants 4 Android/Marry variants 5 parse.com accounts exposed 3 common tables 01.10.2015 | Virus Bulletin 2015 | 9

  10. OpFake – App Execution and Main Service Phone Boot Rings Completed App Executed Start Main Service Hide Icon Channels : - D-<deviceId > Locally save Main end - “Everyone” URL (C& C) - Country (SIM ISO) - “welcome” - IMEI Subscribe to Parse - SIM Country Push notifications - SIM Operator Execute Async Tasks - Phone Number - API Save Parse Install - Brand Information - Model - is_worked (true) - IMEI - worked _task (true) - SIM Country Leak Device - is_root - Phone Number Information to C 2C - SIM Operator server /bn/reg.php - Balance Execute Content Receiver Schedule system every minute (60 segs) alarm 01.10.2015 | Virus Bulletin 2015 | 10

  11. OpFake – System Alarm every Minute Execute Content Query Parse table System Alarm imei == Device ID No end Receiver NewTasks by Device ID No Locally save new Yes Yes If active _4 - imei C&C server URL Get task from C &C - balance server /bn/gettask .php If type == task and Push Task Execute New Task No imei == Device ID Open URL in default If active _3 Yes Intercept != null browser : from NewTasks - type - task: type and args Save executed task in - hash: identifier TaskManager table - Imei: device id No No - response: empty Yes Yes Send SMS to all contacts Yes No If active _2 If active _1 with phone number end Yes Report executed Send SMS to Set intercept task ID to /bn/ number _1 with Yes task == intercept flag onoff / settask .php content prefix _1 end No 01.10.2015 | Virus Bulletin 2015 | 11

  12. OpFake – Execute New tasks No Download APK from Yes task == install No task == new_server No task == url No task == ussd No task == sms URL to SD card No Yes Yes Yes Yes End Attempt to install app Device with root Locally save new C&C Open URL using default Send USSD message No Send text message using user interface Privileges? server URL web browser using URI tel : * Delete NewTask Eventually Yes Delete NewTask Eventually Remount system Set read/write Eventually Copy APK in folder Remount partition Silently install the Launch recently Launch recently partition as read / permissions for the /newmainpack /app/ again as read -only APK using pm install installed app installed app write copied APK file End 01.10.2015 | Virus Bulletin 2015 | 12

  13. OpFake – SMS Message Received - from - content Save response - to: imei Save message in Query TaskManager (from:body) in - type: service/other SmsReceiver table by task hash TaskManager - is_card: if content contains cc # - intype: incoming Yes SMS message Process SMS Intercept flag Is a response to a Yes No End received message on? previous SMS sent? No - imei No - phone: from Send message data to No - message Parse Push channel “T” - type: incoming Extract from message Send message to /bn/ Origin contains Yes body the balance and save_message.php 088011 or 000100? save it locally 01.10.2015 | Virus Bulletin 2015 | 13

  14. NewTasks Schema NewTask Record imei task objectId createdAt updatedAt sms origin destination content date intercept values (on/off) date new_server imei URL date install imei URL of the APK date package name 01.10.2015 | Virus Bulletin 2015 | 14

  15. Exposed Malware Parse.com Accounts NewTasks – Commands received commands sms intercept new_server install 60.337 57.760 48.622 48.616 25.738 25.723 10.139 9.397 2.555 742 40 0 0 4 1 0 11 1 3 5 0 35 10 12 0 ACCOUNT A ACCOUNT B ACCOUNT C ACCOUNT D ACCOUNT E 01.10.2015 | Virus Bulletin 2015 | 15

  16. Exposed Malware Parse.com Accounts NewTasks – Examples of commands delivered sms • send sms to number 900 with content “BALANS” • send sms to number 900 with content <confirmation_code> • send sms to number 3116 with content “card < card_number> <exp_month> <exp_year > <CVV>” intercept • on/off new_server • hxxp://newwelcome00.ru • hxxp://newelcome00.ru install • Android/OpFake delivering Android/Marry: • hxxp://newwelcome00.ru/appru.apk (marry.adobe.net.threadsync). • hxxp://newwelcome00.ru/app.apk (marry.adobe.net.nightbuid). • hxxp://notingen.ru/Player.apk (com.adobe.net) • hxxp:// швждаыдлпждв 01.10.2015 | Virus Bulletin 2015 | 16

  17. 10000 15000 20000 25000 01.10.2015 | Virus Bulletin 2015 | 17 5000 Exposed Malware Parse.com Accounts NewTasks – Command created by date 0 13.06.2015 14.06.2015 15.06.2015 16.06.2015 17.06.2015 Account A 18.06.2015 19.06.2015 20.06.2015 21.06.2015 22.06.2015 Account B 23.06.2015 24.06.2015 25.06.2015 26.06.2015 Account C 27.06.2015 28.06.2015 29.06.2015 30.06.2015 01.07.2015 Account D 02.07.2015 03.07.2015 04.07.2015 05.07.2015 06.07.2015 Account E 07.07.2015 08.07.2015 09.07.2015 10.07.2015 11.07.2015 12.07.2015 13.07.2015 14.07.2015

  18. SmsReceived Schema SmsReceived Record body from objectId intype is_card updatedAt type createdAt • from: origin of the text message (phone number/company name) • intype: incoming/outgoing • to: device identifier of the infected device • is_card: true/false if the message contains a credit card number • type: • service: origin is a company (e.g. MegaFon) • other: origin is another phone number (personal messages) 01.10.2015 | Virus Bulletin 2015 | 18

  19. Exposed Malware Parse.com Accounts SmsReceiver – # Intercepted SMS messages # messages ACCOUNT E 60.030 ACCOUNT B 41.105 ACCOUNT A 40.054 ACCOUNT C 28.067 ACCOUNT D 2.000 01.10.2015 | Virus Bulletin 2015 | 19

  20. Exposed Malware Parse.com Accounts SmsReceiver – Credit card numbers in incoming SMS messages # credit card numbers ACCOUNT D 126 ACCOUNT E 19 ACCOUNT B 10 ACCOUNT A 9 ACCOUNT C 5 01.10.2015 | Virus Bulletin 2015 | 20

  21. Exposed Malware Parse.com Accounts SmsReceived – Messages by date 20000 18000 16000 14000 12000 10000 8000 6000 4000 2000 0 Account A Account B Account C Account D Account E 01.10.2015 | Virus Bulletin 2015 | 21

  22. TaskManager Schema TaskManager Record task hash objectId updatedAt imei type response createdAt sms privat_start intercept install sms destination destination empty on/off URL/file.apk text text (response) (command) 01.10.2015 | Virus Bulletin 2015 | 22

  23. Exposed Malware Parse.com Accounts TaskManager – Command Executed requests responses sms intercept install 20.554 19.859 3.615 1.123 1.113 658 565 565 204 204 149 35 1 32 3 0 31 0 0 0 0 17 26 1 0 ACCOUNT A ACCOUNT B ACCOUNT C ACCOUNT D ACCOUNT E 01.10.2015 | Virus Bulletin 2015 | 23

Recommend

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel

510 views • 39 slides
Phishing and Banking Trojan Cases Affecting Brazil Cristine Hoepers cristine@cert.br

Phishing and Banking Trojan Cases Affecting Brazil Cristine Hoepers cristine@cert.br

Phishing and Banking Trojan Cases Affecting Brazil Cristine Hoepers cristine@cert.br Centro de Estudos, Resposta e Tratamento de Incidentes de Segurana no Brasil Ncleo de Informao e Coordenao do Ponto BR Comit Gestor da

417 views • 24 slides
Trojan Horse Zion Maxwell and Kaylie Davis The Trojan horse The Greeks had a war against the

Trojan Horse Zion Maxwell and Kaylie Davis The Trojan horse The Greeks had a war against the

Trojan Horse Zion Maxwell and Kaylie Davis The Trojan horse The Greeks had a war against the Trojans for ten years. The Torjan horse So they build the Trojan horse the Greeks Gene The Trojan horse After they built it they put a

392 views • 5 slides
Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. Convergent Security. whoami Masters Candidate Ethical Hacker Web Developer Jazz fan

599 views • 20 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest &lt;manifest xmlns:android=&quot;http://schemas.android.com/apk/res/android&quot; package=&quot;net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Trojan Horses Seemingly useful program that contains code that does harmful things When

Trojan Horses Seemingly useful program that contains code that does harmful things When

Trojan Horses Seemingly useful program that contains code that does harmful things When you run it, the Greeks creep out and slaughter your system Lecture 12 Page 1 CS 236 Online Basic Trojan Horses A program you pick up somewhere

581 views • 23 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android?

CS371m - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

1.49k views • 70 slides
CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android?

CS378 - Mobile Computing Android Overview and Android Development Environment What is Android? A software stack for mobile devices that includes An operating system Middleware Key Applications Uses Linux to provide core

583 views • 31 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle

CS 528 Mobile and Ubiquitous Computing Lecture 3: Android UI, WebView, Android Activity Lifecycle Emmanuel Agu Android UI Design Example GeoQuiz App Reference: Android Nerd Ranch, pgs 1 32 App presents questions to test users knowledge

1k views • 96 slides
HOST Hardware Trojans III ECE 525 Seminal Trojan Detection Method D. Agrawal, S. Baktir, D.

HOST Hardware Trojans III ECE 525 Seminal Trojan Detection Method D. Agrawal, S. Baktir, D.

HOST Hardware Trojans III ECE 525 Seminal Trojan Detection Method D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, Trojan Detection using IC Fingerprinting, Symposium on Security and Privacy, 2007, pp. 296 - 310 They use noise

543 views • 37 slides
POTSDAM SUMMER ACADEMY JULY 2006 Program : Banking, Insurance and the Public Sector: Empirical

POTSDAM SUMMER ACADEMY JULY 2006 Program : Banking, Insurance and the Public Sector: Empirical

POTSDAM SUMMER ACADEMY JULY 2006 Program : Banking, Insurance and the Public Sector: Empirical Evidence and Policy Advice Course : Financing the Welfare State: Economical Social Protection Lecturer : Professor Glenn Withers, ANU &lt;

769 views • 38 slides
POTSDAM SUMMER ACADEMY JULY 2006 Program : Banking, Insurance and the Public Sector: Empirical

POTSDAM SUMMER ACADEMY JULY 2006 Program : Banking, Insurance and the Public Sector: Empirical

POTSDAM SUMMER ACADEMY JULY 2006 Program : Banking, Insurance and the Public Sector: Empirical Evidence and Policy Advice Course : Financing the Welfare State: Economical Social Protection Lecturer : Professor Glenn Withers, ANU 1

602 views • 46 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working

Android Pre-requisites 1 Android To Dos Make sure you have working install of Android Studio Make sure it works by running Hello, world App On emulator

666 views • 24 slides
Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware

Android Michael Greifeneder Image source: Android homepage Inhalt Overwiew Hardware Software Development Tools Basics Debugging/Emulator Location Demo Android And Me Why I like Android Blend of Linux

1.01k views • 25 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android OS,

589 views • 35 slides
CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android

388 views • 38 slides
CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Open source (https://source.android.com/setup/) Google: Owns Android,

652 views • 43 slides

More recommend