We know what you did this summer: Android Banking Trojan exposing its sins in the cloud

Siegfried Rasthofer (TU Darmstadt / CASED)
Eric Bodden (TU Darmstadt / Fraunhofer SIT)
Carlos Castillo (Intel Security)
Alex Hinchliffe (Intel Security)
Stephan Huber (Fraunhofer SIT)

01.10.2015 | Virus Bulletin 2015 | 1
Siegfried Rasthofer
• 3rd-year PhD student at TU Darmstadt
• Research interest in static/dynamic code analyses
• Found 2 AOSP exploits and various app security vulnerabilities

Prof. Dr. Eric Bodden
• Professor at TU Darmstadt
• Research interest in static/dynamic code analyses
• Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt

Carlos Castillo
• Mobile Security Researcher at Intel Security
• Hacking Exposed 7 co-author (Hacking Android)
• ESET Latin America's Best Antivirus Research winner 2009

Alex Hinchliffe
• Mobile Security Research Manager at Intel Security
• Co-developer of the cloud-based anti-malware technology Artemis
• Project partner of MobSec, S2 Lab, Royal Holloway University, London
Backend-as-a-Service
56 million data records "publicly" available (BlackHat EU 2015)
Backend-as-a-Service: Malware??
Backend-as-a-Service (1)
(Diagram: client apps on Android, iOS, JavaScript, ... all talk to the same BaaS backend.)
Backend-as-a-Service (2)
(Diagram: BaaS services offered to the app: Push Notifications, Data Storage, User Administration, Social Network.)
ID Keys != Authentication Keys!

    Parse.initialize(this, APPLICATION_ID, CLIENT_KEY);
    ParseObject sms = new ParseObject("Intercepted SMS");
    sms.put("message", "Hi VB2015");

Use proper access control rules on the server side!
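The slide's rule (the application ID and client key ship inside the APK, so the server-side ACL is the only real access control) as an added example, not code from the talk: a small audit of Parse object ACLs in their JSON form, plus a builder for a restrictive ACL. Class names follow the talk; the object records, user id and role name are constructed.

```python
# A Parse object's ACL is a JSON map {principal: {"read": bool, "write": bool}};
# the principal is "*" (everyone), a user objectId, or "role:<name>".
# An object with no ACL field is readable and writable by everyone unless
# class-level permissions restrict the class. Records and ids are constructed.
SAMPLE_OBJECTS = [
    {"objectId": "t1", "className": "NewTasks",
     "ACL": {"*": {"read": True, "write": True}}},
    {"objectId": "s1", "className": "SmsReceived"},  # no ACL field at all
    {"objectId": "s2", "className": "SmsReceived",
     "ACL": {"u42": {"read": True, "write": True}, "role:analysts": {"read": True}}},
]

def private_acl(owner_id, reader_roles=()):
    """Owner gets read/write, listed roles read-only, the public nothing."""
    acl = {owner_id: {"read": True, "write": True}}
    for role in reader_roles:
        acl["role:" + role] = {"read": True}
    return acl  # no "*" entry means no public access at all

def audit_acl(obj):
    """Findings for one object; an empty list means the ACL is restrictive."""
    acl = obj.get("ACL")
    if acl is None:
        return ["no ACL: publicly readable and writable by default"]
    findings = []
    public = acl.get("*", {})
    if public.get("read"):
        findings.append("public read")
    if public.get("write"):
        findings.append("public write")
    return findings

def audit_dump(objects):
    """Summarise findings per class: {className: {finding: count}}."""
    report = {}
    for obj in objects:
        per_class = report.setdefault(obj.get("className", "?"), {})
        for finding in audit_acl(obj):
            per_class[finding] = per_class.get(finding, 0) + 1
    return report
```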
HAVOC: Automatic Exploit Generator
Malware using Facebook's Parse
• 294,817 malware apps from 2015 scanned
• 78 apps with potential push notification misuse
• 16 apps with data storage misuse
• 5 Android/OpFake variants
• 4 Android/Marry variants
• 5 parse.com accounts exposed
• 3 common tables
OpFake – App Execution and Main Service
(Flowchart; the recoverable labels follow.)
• Triggers: phone boot, "rings completed", app executed
• Start main service, hide the app icon
• Locally save the main C&C URL
• Subscribe to Parse push notification channels: D-<deviceId>, "Everyone", country (SIM ISO), "welcome"
• Execute async tasks
• Save Parse Install information: IMEI, SIM country, SIM operator, phone number, API, brand, model, is_worked (true), worked_task (true), is_root
• Leak device information to the C&C server via /bn/reg.php: IMEI, SIM country, phone number, SIM operator, balance
• Execute content receiver
• Schedule a system alarm every minute (60 secs)
• end
OpFake – System Alarm every Minute
(Flowchart; the recoverable labels follow.)
• System alarm fires, execute content receiver
• Query the Parse table NewTasks by device ID (imei == Device ID); new tasks are saved locally
• If active_4: get task from the C&C server via /bn/gettask.php (imei, balance); locally save a new C&C server URL
• If type == task and imei == Device ID: execute the push task
• If active_3 and intercept != null: open URL in the default browser
• Task record from NewTasks: type, task (type and args), hash (identifier), imei (device id), response (empty)
• Save the executed task in the TaskManager table
• If active_2: send SMS to all contacts with a phone number
• If active_1: send SMS to number_1 with content prefix_1
• task == intercept: set the intercept flag on/off
• Report the executed task ID to /bn/settask.php
• end
OpFake – Execute New tasks
(Flowchart; the recoverable labels follow.)
• task == install: download the APK from the URL to the SD card, then attempt to install the app. Device with root privileges? If no: install using the user interface, launch the recently installed app. If yes: remount the system partition as read/write, copy the APK into the folder /newmainpack/app/, set read/write permissions for the copied APK file, silently install the APK using pm install, remount the partition as read-only again, launch the recently installed app. Eventually delete the NewTask.
• task == new_server: locally save the new C&C server URL
• task == url: open the URL using the default web browser
• task == ussd: send a USSD message using the URI tel:*
• task == sms: send a text message. Eventually delete the NewTask.
• End
OpFake – SMS Message Received
(Flowchart; the recoverable labels follow.)
• SMS message received: save the message in the SmsReceiver table: from, content, to (imei), type (service/other), is_card (true if the content contains a credit card number), intype (incoming)
• Is it a response to a previously sent SMS? If yes: query TaskManager by task hash and save the response (from:body) in TaskManager
• Origin contains 088011 or 000100? If yes: extract the balance from the message body and save it locally
• Intercept flag on? If yes: process (intercept) the SMS message
• Send the message data (imei, phone: from, message, type: incoming) to the Parse push channel "T" and to /bn/save_message.php
• End
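As an added example, not code from the talk: detection logic for HTTP proxy logs built from the C&C paths named in the flowcharts above (/bn/reg.php, /bn/gettask.php, /bn/settask.php, /bn/save_message.php), including a check for the one-minute task-polling cadence. The log format, client IPs and the host cnc.example are constructed; the real C&C hosts are only those listed on the slides.

```python
import re
from statistics import median

# C&C paths named in the OpFake flow slides, with the request's purpose.
OPFAKE_PATHS = {
    "/bn/reg.php": "device registration",
    "/bn/gettask.php": "task polling",
    "/bn/settask.php": "task result report",
    "/bn/save_message.php": "intercepted SMS upload",
}
# Constructed log format: "<epoch> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\d+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# Constructed sample; cnc.example stands in for a C&C host.
SAMPLE_LOG = """\
1434200000 10.0.0.12 POST http://cnc.example/bn/reg.php 200
1434200060 10.0.0.12 POST http://cnc.example/bn/gettask.php?imei=0 200
1434200121 10.0.0.12 POST http://cnc.example/bn/gettask.php 200
1434200180 10.0.0.12 POST http://cnc.example/bn/gettask.php 200
1434200185 10.0.0.12 POST http://cnc.example/bn/save_message.php 200
1434200300 10.0.0.33 GET http://www.example.com/gettask.php 200
"""

def parse_log(text):
    """Yield (epoch, client, path) per well-formed line; query strings dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, _method, url, _status = m.groups()
            path = re.sub(r"^[a-z]+://[^/]*", "", url).split("?", 1)[0]
            yield int(ts), client, path

def find_cnc_hits(records):
    """Map client -> set of matched C&C paths (any single hit is worth an alert)."""
    hits = {}
    for _ts, client, path in records:
        if path in OPFAKE_PATHS:
            hits.setdefault(client, set()).add(path)
    return hits

def find_beaconing(records, path="/bn/gettask.php", period=60, tol=5, min_hits=3):
    """Clients polling `path` at a steady ~period-second cadence (the 1-minute alarm)."""
    times = {}
    for ts, client, p in records:
        if p == path:
            times.setdefault(client, []).append(ts)
    flagged = set()
    for client, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) >= min_hits and abs(median(gaps) - period) <= tol:
            flagged.add(client)
    return flagged
```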
NewTasks Schema
NewTask record fields: imei, task, objectId, createdAt, updatedAt
Task types and their values:
• sms: origin, destination, content, date
• intercept: values (on/off), date
• new_server: imei, URL, date
• install: imei, URL of the APK, date, package name
Exposed Malware Parse.com Accounts
NewTasks – Commands received
(Bar chart per account, Account A to Account E; series: commands, sms, intercept, new_server, install. Bar values in extraction order, series/account assignment not recoverable from the text: 60.337, 57.760, 48.622, 48.616, 25.738, 25.723, 10.139, 9.397, 2.555, 742, 40, 0, 0, 4, 1, 0, 11, 1, 3, 5, 0, 35, 10, 12, 0.)
Exposed Malware Parse.com Accounts
NewTasks – Examples of commands delivered
sms
• send sms to number 900 with content "BALANS"
• send sms to number 900 with content <confirmation_code>
• send sms to number 3116 with content "card <card_number> <exp_month> <exp_year> <CVV>"
intercept
• on/off
new_server
• hxxp://newwelcome00.ru
• hxxp://newelcome00.ru
install
• Android/OpFake delivering Android/Marry:
• hxxp://newwelcome00.ru/appru.apk (marry.adobe.net.threadsync)
• hxxp://newwelcome00.ru/app.apk (marry.adobe.net.nightbuid)
• hxxp://notingen.ru/Player.apk (com.adobe.net)
• hxxp:// швждаыдлпждв
Exposed Malware Parse.com Accounts
NewTasks – Command created by date
(Chart: commands created per day from 13.06.2015 to 14.07.2015, one series per account, Account A to Account E; y-axis 0 to 25000.)
SmsReceived Schema
SmsReceived record fields: body, from, objectId, intype, is_card, updatedAt, type, createdAt
• from: origin of the text message (phone number/company name)
• intype: incoming/outgoing
• to: device identifier of the infected device
• is_card: true/false, whether the message contains a credit card number
• type:
  • service: origin is a company (e.g. MegaFon)
  • other: origin is another phone number (personal messages)
Exposed Malware Parse.com Accounts
SmsReceiver – # Intercepted SMS messages
Account   # messages
ACCOUNT E 60.030
ACCOUNT B 41.105
ACCOUNT A 40.054
ACCOUNT C 28.067
ACCOUNT D 2.000
Exposed Malware Parse.com Accounts
SmsReceiver – Credit card numbers in incoming SMS messages
Account   # credit card numbers
ACCOUNT D 126
ACCOUNT E 19
ACCOUNT B 10
ACCOUNT A 9
ACCOUNT C 5
Exposed Malware Parse.com Accounts
SmsReceived – Messages by date
(Chart: intercepted messages per day, one series per account, Account A to Account E; y-axis 0 to 20000.)
TaskManager Schema
TaskManager record fields: task, hash, objectId, updatedAt, imei, type, response, createdAt
Task types: sms, privat_start, intercept, install
Values per task, as far as the slide allows: sms – destination and text; intercept – on/off; install – URL/file.apk; response – empty or text (remaining value labels as extracted: destination, text, (response), (command))
Exposed Malware Parse.com Accounts
TaskManager – Command Executed
(Bar chart per account, Account A to Account E; series: requests, responses, sms, intercept, install. Bar values in extraction order, series/account assignment not recoverable from the text: 20.554, 19.859, 3.615, 1.123, 1.113, 658, 565, 565, 204, 204, 149, 35, 1, 32, 3, 0, 31, 0, 0, 0, 0, 17, 26, 1, 0.)