we know what you did this summer
play

We know what you did this summer Android Banking Trojans Exposing - PowerPoint PPT Presentation

Jul 17, 2023 •110 likes •510 views

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel

  1. “We know what you did this summer” Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel Security) 3.12.2015 | AVAR 2015 | 1

  2. Siegfried Rasthofer • 3rd year PhD-Student at TU Darmstadt • Research interest in Static-/dynamic code analyses • Found 2 AOSP exploits, various App security vulnerabilities Prof. Dr. Eric Bodden • Professor at TU Darmstadt • Research interest in Static-/dynamic code analyses • Heading the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt Carlos Castillo • Mobile Security Researcher at Intel Security. • Hacking Exposed 7 co-author (Hacking Android). • ESET Latin America’s Best Antivirus Research winner 2009. Alex Hinchliffe • Mobile Security Research Manager at Intel Security • Co-developer of cloud based Anti-Malware technology, Artemis • Project partner of MobSec, S 2 Lab, Royal Holloway University, London 3.12.2015 | AVAR 2015 | 2

  3. Backend-as-a-Service 56 Mio. data records “publicly“ available (BlackHat EU 2015) 3.12.2015 | AVAR 2015 | 3

  4. Backend-as-a-Service 3.12.2015 | AVAR 2015 | 4

  5. Agenda • Backend-as-a-Service • Developers exposing BaaS resources • Android Malware using Facebook Parse • Android/OpFake and Android/Marry • Exposed Android Malware Facebook Parse accounts • Financial Fraud by Android/Marry • Responsible disclosure • Conclusions 3.12.2015 | AVAR 2015 | 5

  6. Backend-as-a-Service (1) APP Cloud BaaS SDK 3.12.2015 | AVAR 2015 | 6

  7. Backend-as-a-Service (2) Android iOS BaaS JavaScript ... 3.12.2015 | AVAR 2015 | 7

  8. Backend-as-a-Service (3) Push Noti fica tions Data Storage User Administration Social Network 3.12.2015 | AVAR 2015 | 8

  9. BaaS Amazon Tutorial SDK DB connection AmazonS3Client s3Client = new AmazonS3Client( new BasicAWSCredentials( “ACCESS_KEY_ID“ , “SECRET_KEY“ ) ); “ When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do. “ Source: http://docs.aws.amazon.com/ 3.12.2015 | AVAR 2015 | 9

  10. App Authentication Model “Hi, I am app Identification App <Application ID>” Server “My <Secret Key> Authentication is in the app” ??? ?? Identification Authentication = 3.12.2015 | AVAR 2015 | 10

  11. HAVOC: Automatic Exploit Generator 3.12.2015 | AVAR 2015 | 11

  12. Malware using Facebook‘s Parse 294,817 malware apps scanned 9 Android malware samples 5 Parse accounts 3 tables 3.12.2015 | AVAR 2015 | 12

  13. OpFake – App Execution Icon Hidden 3.12.2015 | AVAR 2015 | 13

  14. OpFake – MainService Started Phone Rings OR Boot Completed 3.12.2015 | AVAR 2015 | 14

  15. OpFake – Main Service Functionality Leak device data Subscribe to Push Save installation Schedule a to a remote C&C Notifications data in Parse System Alarm server • D-<device_id> • IMEI • Device data • Execute code every 60 • “Everyone” • Country • device is rooted? seconds • Country • Phone Number • device is active? • “welcome” • Network Operator • Balance 3.12.2015 | AVAR 2015 | 15

  16. OpFake – “Traditional” C&C cycle Infected Device Command and Control Server Request Change C&C Send task for execution Intercept Open URL Report Send SMS 3.12.2015 | AVAR 2015 | 16

  17. OpFake – Parse C&C cycle Infected Device Parse BaaS Query NewTasks new_server intercept Send task for execution sms ussd Save task in TaskManager url Task deleted install in NewTasks 3.12.2015 | AVAR 2015 | 17

  18. OpFake – SMS Received Send message Save data in Parse data to Parse SmsReceiver table Push channel “T” • origin • IMEI • content • origin • IMEI • content • type • type (incoming) • is_card 3.12.2015 | AVAR 2015 | 18

  19. OpFake – Intercept flag Intercept is ON Intercept is OFF • Check if it is a • Leak SMS message response from a to remote server previous command • If origin is a specific • Find the executed network operator, task in TaskManager extract balance Parse table • Update the record with the response 3.12.2015 | AVAR 2015 | 19

  20. NewTasks Schema NewTask Record imei task objectId createdAt updatedAt sms origin destination content date intercept values (on/off) date new_server imei URL date install imei URL of the APK date package name 3.12.2015 | AVAR 2015 | 20

  21. Exposed Malware Parse.com Accounts NewTasks – Commands received but never consumed 3.12.2015 | AVAR 2015 | 21

  22. Exposed Malware Parse.com Accounts NewTasks – Command created by date 3.12.2015 | AVAR 2015 | 22

  23. SmsReceived Schema SmsReceived Record body from objectId intype is_card updatedAt type createdAt 3.12.2015 | AVAR 2015 | 23

  24. Exposed Malware Parse.com Accounts Number of Intercepted SMS messages in SmsReceiver Parse table ACCOUNT E (OPFAKE) 60,030 ACCOUNT B (OPFAKE) 41,105 ACCOUNT A (OPFAKE) 40,054 ACCOUNT C (OPFAKE) 28,067 ACCOUNT D (MARRY) 2,000 3.12.2015 | AVAR 2015 | 24

  25. Exposed Malware Parse.com Accounts Number of credit cards numbers in SMS messages in SmsReceiver ACCOUNT D (MARRY) 126 ACCOUNT E (OPFAKE) 19 ACCOUNT B (OPFAKE) 10 ACCOUNT A (OPFAKE) 9 ACCOUNT C (OPFAKE) 5 3.12.2015 | AVAR 2015 | 25

  26. TaskManager Schema TaskManager Record task hash objectId updatedAt imei type response createdAt sms privat_start intercept install sms destination destination empty on/off URL/file.apk text text (response) (command) 3.12.2015 | AVAR 2015 | 26

  27. Exposed Malware Parse.com Accounts TaskManager – Command Executed 3.12.2015 | AVAR 2015 | 27

  28. Android/Marry 3.12.2015 | AVAR 2015 | 28

  29. Exposed Malware Parse.com Accounts Number of SMS requests by targeted companies in Account D (Marry) 900 (SBERBANK) 5350 10060 (PRIVATBANK) 141 7494 (QIWI) 70 6996 (MTC) 53 7878 (BEELINE) 51 3116 (ROSTELECOMO) 37 159 (TELE2) 33 79037672265 (ALFA-BANK) 16 100 (MEGAFON) 10 5335 (SVYAZNOYBANK) 1 3.12.2015 | AVAR 2015 | 29

  30. Sberbank SMS Banking Commands in TaskManager From: 900 To: 900 To: 900 From: 900 VISA1234 (ON) INFO BALANCE 1234 VISA1234: $100 VISA7894 (OFF) 3.12.2015 | AVAR 2015 | 30

  31. Sberbank SMS Banking Commands in TaskManager From: 900 To: 900 From: 900 To: 900 Send code 1111 PEVEROD Transfer processed 1111 to confirm transfer 1234 (origin) 7894 (destination) 50 (amount) 3.12.2015 | AVAR 2015 | 31

  32. Sberbank SMS Banking Commands in TaskManager Phone 456789 Phone 123456 Phone 123456 Phone 456789 From: 900 To: 900 To: 900 From: 900 Send code 999 to 999 ZAPROS Transfer processed confirm transfer 123456 (phone #) to 456789 100 (amount) 3.12.2015 | AVAR 2015 | 32

  33. Sberbank SMS Banking Commands in TaskManager From: 900 To: 900 From: 900 To: 900 Send code 555 TEL Payment processed 555 to confirm payment 123456 (phone #) 50 (amount) 3.12.2015 | AVAR 2015 | 33

  34. Exposed Malware Parse.com Accounts Top Sberbank Commands – Task (TaskManager table) in Account D BALANCE 4956 INFO 59 TRANSFER 37 REQUEST 22 PAY TEL 18 3.12.2015 | AVAR 2015 | 34

  35. Exposed Malware Parse.com Accounts Top Sberbank fraud responses – Task (TaskManager table) - Account D BALANCE 607 INFO 123 TEL ASKED 88 TEL PROCESSED 75 TRANSFER PROCESSED 36 TRANSFER ACCEPTED 30 TRANSFER ASKED 26 3.12.2015 | AVAR 2015 | 35

  36. Exposed Malware Parse.com Accounts Unique Device IDs per table 3.12.2015 | AVAR 2015 | 36

  37. Responsible Disclosure 2015-08-03: Reported finding to Facebook 2015-08-05: Facebook replied with “ ... This issue does not qualify as a part of our bounty program.. .“ 2015-08-05: Facebook asked for more details 2015-08-06: We provided more details and Facebook blocked all Parse accounts 2015-08-28: Facebook offered room for collaboration Facebook‘s responsible disclosure system only works with a Facebook account 3.12.2015 | AVAR 2015 | 37

  38. Conclusions • Android Banking Trojans stores and exposes its data in BaaS solutions • By default no authentication is needed to access BaaS data • Android Banking Trojans are actively performing financial fraud via SMS. • In less than a month, thousands of people were victims of financial fraud 3.12.2015 | AVAR 2015 | 38

  39. Siegfried Rasthofer Carlos Castillo Secure Software Engineering Group Intel Security Email: siegfried.rasthofer@cased.de Email: carlos.castillo@intel.com Blog: http://sse-blog.ec-spride.de Twitter: @carlosacastillo Website: http://sse.ec-spride.de Twitter: @CodeInspect 3.12.2015 | AVAR 2015 | 39

Recommend

SUMMER BRAIN GAIN: REIMAGINING SUMMER LEARNING What is the problem? Why Summer Matters There is

SUMMER BRAIN GAIN: REIMAGINING SUMMER LEARNING What is the problem? Why Summer Matters There is

SUMMER BRAIN GAIN: REIMAGINING SUMMER LEARNING What is the problem? Why Summer Matters There is no other time of year when inequalities are greater in the United States than during the summer months. Why Summer Matters In the summer, 43

219 views • 18 slides
AT THE FRONTIERS Update &amp; Summer 2018 Edition ATF SUMMER 2017 ATF SUMMER 2017 3 cities:

AT THE FRONTIERS Update &amp; Summer 2018 Edition ATF SUMMER 2017 ATF SUMMER 2017 3 cities:

AT THE FRONTIERS Update &amp; Summer 2018 Edition ATF SUMMER 2017 ATF SUMMER 2017 3 cities: Torino, Ragusa, Reggio Calabria Shifts of two weeks 55 volunteers in total (Spain, Italy, Portugal, Belgium, UK, France, Germany)

324 views • 11 slides
Summer School 2020 Canterbury Whats a summer school? summer sciool noun [C] /sm

Summer School 2020 Canterbury Whats a summer school? summer sciool noun [C] /sm

Summer School 2020 Canterbury Whats a summer school? summer sciool noun [C] /sm skul/ 1. Classes taken during the summer that make it possible to 2. An academic excursion that allows you to move more quickly towards a

258 views • 13 slides
Summer Salary MARCH 20, 2019 Todays Agenda What is Summer Salary? Key Considerations

Summer Salary MARCH 20, 2019 Todays Agenda What is Summer Salary? Key Considerations

Summer Salary MARCH 20, 2019 Todays Agenda What is Summer Salary? Key Considerations Completing the Summer Salary EAF Processing Summer Salary Payments Questions What is Summer Salary? During the summer service period,

421 views • 17 slides
Partners: Summer Village of Birchcliff Town of Sylvan Lake Summer Village of Half Moon Bay

Partners: Summer Village of Birchcliff Town of Sylvan Lake Summer Village of Half Moon Bay

Partners: Summer Village of Birchcliff Town of Sylvan Lake Summer Village of Half Moon Bay Lacombe County Summer Village of Jarvis Bay Red Deer County Summer Village of Norglenwold Alberta Environment and Water Summer Village of Sunbreaker

506 views • 27 slides
Moving Communities and Programs Forward for Summer Learning Katie Willse National Summer

Moving Communities and Programs Forward for Summer Learning Katie Willse National Summer

Moving Communities and Programs Forward for Summer Learning Katie Willse National Summer Learning Association NSLA seeks to: Improve the quality of summer learning opportunities Expand access to summer learning Increase demand for

697 views • 32 slides
Making Summer Eats work for your Community Agenda The creation of Summer Eats The

Making Summer Eats work for your Community Agenda The creation of Summer Eats The

Making Summer Eats work for your Community Agenda The creation of Summer Eats The importance of branding Tools designed just for you this summer Stories from the field Using social media to maximize impact Q&amp;A 2

579 views • 53 slides
ACPSD SUMMER LEARNING 2019 INSTRUCTIONAL SERVICES DIVISION Goal for Summer Learning: To

ACPSD SUMMER LEARNING 2019 INSTRUCTIONAL SERVICES DIVISION Goal for Summer Learning: To

ACPSD SUMMER LEARNING 2019 INSTRUCTIONAL SERVICES DIVISION Goal for Summer Learning: To connect ACPSD families with community- or school-based resources for continued learning throughout the summer Prevent summer learning loss

576 views • 30 slides
Summer 2016 Recreation Preview Summer Program Guide 48 pages Printed 44,000 Mailed

Summer 2016 Recreation Preview Summer Program Guide 48 pages Printed 44,000 Mailed

Summer 2016 Recreation Preview Summer Program Guide 48 pages Printed 44,000 Mailed 42,000 Also posted at www.playmedford.com Core Programs Summer day camps Park N Play (mobile recreation) Swim lessons/aquatics

428 views • 9 slides
SUMMER 16 Whats new ? LETS GIVE OUR GM A SUMMER 2016 WITHOUT CONSTRAINTS AND NOT OR ! NEW

SUMMER 16 Whats new ? LETS GIVE OUR GM A SUMMER 2016 WITHOUT CONSTRAINTS AND NOT OR ! NEW

Sales Opening SUMMER 16 Whats new ? LETS GIVE OUR GM A SUMMER 2016 WITHOUT CONSTRAINTS AND NOT OR ! NEW BUSINESS WEAPONS TO HELP YOU REACH YOUR S16 OBJECTIVES 1. Your top priorities 2. Think about diversification 3. NEW EBB formula ! 4.

1.2k views • 94 slides
ANY PLANS FOR THE SUMMER? Summer School More than 250 students last year Intercultural

ANY PLANS FOR THE SUMMER? Summer School More than 250 students last year Intercultural

ANY PLANS FOR THE SUMMER? Summer School More than 250 students last year Intercultural Atmosphere A mixture of learning and socialising Students and teachers alike built strong working and social relationships Positive

759 views • 59 slides
Summer Lunch Program Summer Lunch Presentation for Food Security Task Force 12/4/19 1 Agenda

Summer Lunch Program Summer Lunch Presentation for Food Security Task Force 12/4/19 1 Agenda

Summer Lunch Program Summer Lunch Presentation for Food Security Task Force 12/4/19 1 Agenda Overview of Summer Lunches Successes Data Points Current Challenges Next steps 2 Overview: What is the Summer Lunch

511 views • 11 slides
Summer school program summer 2012. Campus De Nayer J. De Nayerlaan 5 BE2860 Sint Katelijne

Summer school program summer 2012. Campus De Nayer J. De Nayerlaan 5 BE2860 Sint Katelijne

TEMPUS PROMENG Practice oriented Master Programmes in Engineering in RU, UA and UZ Summer school program summer 2012. Campus De Nayer J. De Nayerlaan 5 BE2860 Sint Katelijne Waver, Belgium Tuesday 21/8: 9 am, welcome to the summer

349 views • 8 slides
Summer Weather Safety Know Your Risk Take Action Be a Force of Nature Summer Weather Safety

Summer Weather Safety Know Your Risk Take Action Be a Force of Nature Summer Weather Safety

Summer Weather Safety Know Your Risk Take Action Be a Force of Nature Summer Weather Safety Summer Weather Hazards Tornadoes, Thunderstorms, and Lightning Flooding Heat Hurricanes Tsunamis Rip Currents Wildfire and

486 views • 31 slides
Summer School and Summer Programs 2014 District Effectiveness Report Summer School Locations:

Summer School and Summer Programs 2014 District Effectiveness Report Summer School Locations:

Summer School and Summer Programs 2014 District Effectiveness Report Summer School Locations: To provide high To provide high qual quality cu y curricul rriculum, instruction, and m, instruction, and assessme assessment To support

342 views • 16 slides
Take It Outside: Summer Reading Challenge 2020 Can you take on the outdoor summer reading

Take It Outside: Summer Reading Challenge 2020 Can you take on the outdoor summer reading

Take It Outside: Summer Reading Challenge 2020 Can you take on the outdoor summer reading challenge tasks? To learn to read is to light a fire; every syllable that is spelled out is a spark. Victor Hugo What do you think this quote

361 views • 6 slides
On-Line Summer Peer Mentoring : g Keeping the Connection from Summer Orientation to Welcome

On-Line Summer Peer Mentoring : g Keeping the Connection from Summer Orientation to Welcome

On-Line Summer Peer Mentoring : g Keeping the Connection from Summer Orientation to Welcome Weekend Presented at the Annual Conference on the First-Year Experience Orlando, FL ~ February 9, 2009 F From new student d to successful

584 views • 43 slides
ISA FUNDING 101 What is the International Summer Award? The International Summer Award (ISA)

ISA FUNDING 101 What is the International Summer Award? The International Summer Award (ISA)

ISA FUNDING 101 What is the International Summer Award? The International Summer Award (ISA) was created to support Yale College students who receive financial aid during the academic year to participate in at least one international

649 views • 19 slides
WHAT HAVE WHAT HAVE I LEARNED I LEARNED AT THE AT THE DISC DISC SUMMER SCHOOL? SUMMER

WHAT HAVE WHAT HAVE I LEARNED I LEARNED AT THE AT THE DISC DISC SUMMER SCHOOL? SUMMER

WHAT HAVE WHAT HAVE I LEARNED I LEARNED AT THE AT THE DISC DISC SUMMER SCHOOL? SUMMER SCHOOL? Christos G. Cassandras CODES Lab. - Boston University WHY HYBRID SYSTEMS ? COMPLEXITY ( PHYSICAL , BUT MOSTLY OPERATIONAL/ORGANIZATIONAL )

691 views • 11 slides
The Tru-Nut Company Summer 2018 TRU-NUT POWDERED PEANUT BUTTER SUMMER 2018 ABOUT TRU-NUT

The Tru-Nut Company Summer 2018 TRU-NUT POWDERED PEANUT BUTTER SUMMER 2018 ABOUT TRU-NUT

The Tru-Nut Company Summer 2018 TRU-NUT POWDERED PEANUT BUTTER SUMMER 2018 ABOUT TRU-NUT Tru-Nut products are Tru-Nut believes that you produced in Leesburg, FL and shouldnt have to sacrifice shipped out of Columbus, GA. great taste to

223 views • 10 slides
5/12/2012 Partners: Summer Village of Birchcliff Town of Sylvan Lake Lacombe County Summer Village

5/12/2012 Partners: Summer Village of Birchcliff Town of Sylvan Lake Lacombe County Summer Village

5/12/2012 Partners: Summer Village of Birchcliff Town of Sylvan Lake Lacombe County Summer Village of Half Moon Bay Summer Village of Jarvis Bay Red Deer County Alberta Environment and Water Summer Village of Norglenwold Alberta Sustainable

282 views • 14 slides
Summer School In In Antimicrobial Resistance (A (AMR) and Stewardship (A (AMS) Our University

Summer School In In Antimicrobial Resistance (A (AMR) and Stewardship (A (AMS) Our University

Universitas 21 Health Scie iences Summer School In In Antimicrobial Resistance (A (AMR) and Stewardship (A (AMS) Our University Our City Summer School Obje jectives After the completion of the summer school students should be able to:

305 views • 11 slides
NH Summer Peak Loads are expected to continue to grow: While NHs summer (&amp; annual) load

NH Summer Peak Loads are expected to continue to grow: While NHs summer (&amp; annual) load

NH Summer Peak Loads are expected to continue to grow: While NHs summer (&amp; annual) load factor continues to decline: New England Transmission Regional Network Service (RNS) Rates History 30 Slide prepared by NHPUC Comm. Clifton Below

264 views • 7 slides
2015 Vancouver Summer Program 2 An Introduction to the VSP The Vancouver Summer Program (VSP) is

2015 Vancouver Summer Program 2 An Introduction to the VSP The Vancouver Summer Program (VSP) is

2015 Vancouver Summer Program 2 An Introduction to the VSP The Vancouver Summer Program (VSP) is a four week academic program offered by various Faculties at the University of British Columbia, Canada for cohorts of students from partner

537 views • 18 slides

More recommend