  1. “We know what you did this summer” Android Banking Trojans Exposing Its Sins in The Cloud
     Siegfried Rasthofer (TU Darmstadt / CASED), Eric Bodden (TU Darmstadt / Fraunhofer SIT), Carlos Castillo (Intel Security), Alex Hinchliffe (Intel Security)
     3.12.2015 | AVAR 2015 | 1

  2. Siegfried Rasthofer
     • 3rd-year PhD student at TU Darmstadt
     • Research interest in static/dynamic code analyses
     • Found 2 AOSP exploits and various app security vulnerabilities
     Prof. Dr. Eric Bodden
     • Professor at TU Darmstadt
     • Research interest in static/dynamic code analyses
     • Heads the Secure Software Engineering Group at Fraunhofer SIT and Technische Universität Darmstadt
     Carlos Castillo
     • Mobile Security Researcher at Intel Security
     • Hacking Exposed 7 co-author (Hacking Android)
     • ESET Latin America’s Best Antivirus Research winner 2009
     Alex Hinchliffe
     • Mobile Security Research Manager at Intel Security
     • Co-developer of the cloud-based anti-malware technology Artemis
     • Project partner of MobSec, S2 Lab, Royal Holloway University, London

  3. Backend-as-a-Service: 56 million data records “publicly” available (BlackHat EU 2015)

  4. Backend-as-a-Service

  5. Agenda
     • Backend-as-a-Service
     • Developers exposing BaaS resources
     • Android Malware using Facebook Parse
     • Android/OpFake and Android/Marry
     • Exposed Android Malware Facebook Parse accounts
     • Financial Fraud by Android/Marry
     • Responsible disclosure
     • Conclusions

  6. Backend-as-a-Service (1) (diagram: APP with BaaS SDK, talking to the Cloud)

  7. Backend-as-a-Service (2) (diagram: Android, iOS, JavaScript, ... clients sharing one BaaS)

  8. Backend-as-a-Service (3) (diagram of BaaS features: Push Notifications, Data Storage, User Administration, Social Network)

  9. BaaS Amazon Tutorial: SDK DB connection
     AmazonS3Client s3Client = new AmazonS3Client(
         new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY"));
     “When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do.”
     Source: http://docs.aws.amazon.com/

  10. App Authentication Model
      App → Server: “Hi, I am app <Application ID>” (identification)
      App → Server: “My <Secret Key> is in the app” (authentication)
      ??? Identification = Authentication ?? (the “secret” ships inside the app, so presenting it proves no more than presenting the application ID does)
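As an added example (not from the talk and not the authors' HAVOC tool), the following scan is what a developer would run over their own app's decompiled sources or extracted resources before release, to catch the pattern of slides 9 and 10: a backend secret bundled next to the public application ID. The rules, the sample source and all key values are constructed here; the two-string Parse.initialize(...) form is the legacy Parse Android SDK call.

```python
import re
from typing import List, Tuple

# Rules: (name, regex, roles of the captured values). A public application ID is
# only identification; the second string of each SDK call is the secret that is
# supposed to be authentication. "AKIA" + 16 chars is the documented AWS access
# key ID format; BasicAWSCredentials(...) is the constructor quoted on slide 9.
RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), ("identifier",)),
    ("BasicAWSCredentials",
     re.compile(r'BasicAWSCredentials\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)'),
     ("identifier", "secret")),
    ("Parse.initialize",
     re.compile(r'Parse\.initialize\([^,]*,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)'),
     ("identifier", "secret")),
]

Finding = Tuple[int, str, str, str]  # (line number, rule, role, value)

def find_embedded_credentials(source: str) -> List[Finding]:
    """Scan decompiled sources or extracted resources for BaaS credential literals."""
    findings: List[Finding] = []
    for rule, pattern, roles in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1   # 1-based line of the match
            values = m.groups() or (m.group(0),)          # whole match if no groups
            for role, value in zip(roles, values):
                findings.append((line, rule, role, value))
    return sorted(findings)

def shipped_secrets(source: str) -> List[Finding]:
    """Only the secrets: once shipped, they prove no more than the app ID does."""
    return [f for f in find_embedded_credentials(source) if f[2] == "secret"]

# Constructed sample of decompiled Java; every key value is a placeholder.
SAMPLE_SOURCE = """\
// constructed sample, not code from any real app
public class Backend {
    void init(android.content.Context ctx) {
        Parse.initialize(ctx, "myAppId1234", "myClientKey5678");
        AmazonS3Client s3Client = new AmazonS3Client(
            new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE",
                                    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"));
    }
}
"""

if __name__ == "__main__":
    for line, rule, role, value in find_embedded_credentials(SAMPLE_SOURCE):
        print(f"line {line}: {rule} {role} = {value}")
    print(f"{len(shipped_secrets(SAMPLE_SOURCE))} secret(s) would ship with the app")
```

The scan is line-agnostic on purpose: SDK calls that wrap across lines, as in the sample, are still matched and reported at the line where the call starts.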

  11. HAVOC: Automatic Exploit Generator

  12. Malware using Facebook‘s Parse
      • 294,817 malware apps scanned
      • 9 Android malware samples
      • 5 Parse accounts
      • 3 tables

  13. OpFake – App Execution: icon hidden

  14. OpFake – MainService started on: phone rings OR boot completed

  15. OpFake – Main Service Functionality
      Leak device data to a remote C&C server:
      • IMEI
      • Country
      • Phone Number
      • Network Operator
      • Balance
      Subscribe to Push Notifications:
      • D-<device_id>
      • “Everyone”
      • Country
      • “welcome”
      Save installation data in Parse:
      • Device data
      • device is rooted?
      • device is active?
      Schedule a System Alarm:
      • Execute code every 60 seconds

  16. OpFake – “Traditional” C&C cycle (diagram)
      Infected Device → Command and Control Server: Request
      Command and Control Server → Infected Device: Send task for execution
      Infected Device → Command and Control Server: Report
      Task types shown: Change C&C, Intercept, Open URL, Send SMS

  17. OpFake – Parse C&C cycle (diagram)
      Infected Device → Parse BaaS: Query NewTasks
      Parse BaaS → Infected Device: Send task for execution
      Infected Device → Parse BaaS: Save task in TaskManager; task deleted in NewTasks
      Task types shown: new_server, intercept, sms, ussd, url, install

  18. OpFake – SMS Received
      Send message data to Parse (Push channel “T”):
      • origin
      • IMEI
      • content
      • type
      Save data in Parse SmsReceiver table:
      • origin
      • IMEI
      • content
      • type (incoming)
      • is_card

  19. OpFake – Intercept flag
      Intercept is ON:
      • Check if it is a response from a previous command
      • Find the executed task in TaskManager Parse table
      • Update the record with the response
      Intercept is OFF:
      • Leak SMS message to remote server
      • If origin is a specific network operator, extract balance

  20. NewTasks Schema
      NewTask Record: imei, task, objectId, createdAt, updatedAt
      Task contents by type:
      • sms: origin, destination, content, date
      • intercept: values (on/off), date
      • new_server: imei, URL, date
      • install: imei, URL of the APK, date, package name

  21. Exposed Malware Parse.com Accounts: NewTasks – commands received but never consumed (chart)

  22. Exposed Malware Parse.com Accounts: NewTasks – commands created by date (chart)

  23. SmsReceived Schema
      SmsReceived Record: body, from, objectId, intype, is_card, updatedAt, type, createdAt

  24. Exposed Malware Parse.com Accounts
      Number of intercepted SMS messages in SmsReceiver Parse table:
      ACCOUNT E (OPFAKE)   60,030
      ACCOUNT B (OPFAKE)   41,105
      ACCOUNT A (OPFAKE)   40,054
      ACCOUNT C (OPFAKE)   28,067
      ACCOUNT D (MARRY)     2,000

  25. Exposed Malware Parse.com Accounts
      Number of credit card numbers in SMS messages in SmsReceiver:
      ACCOUNT D (MARRY)    126
      ACCOUNT E (OPFAKE)    19
      ACCOUNT B (OPFAKE)    10
      ACCOUNT A (OPFAKE)     9
      ACCOUNT C (OPFAKE)     5

  26. TaskManager Schema
      TaskManager Record: task, hash, objectId, updatedAt, imei, type, response, createdAt
      Types: sms, privat_start, intercept, install
      Task/response values per type (flattened on the slide): sms destination destination empty on/off URL/file.apk text text (response) (command)

  27. Exposed Malware Parse.com Accounts: TaskManager – commands executed (chart)

  28. Android/Marry

  29. Exposed Malware Parse.com Accounts
      Number of SMS requests by targeted companies in Account D (Marry):
      900 (SBERBANK)             5350
      10060 (PRIVATBANK)          141
      7494 (QIWI)                  70
      6996 (MTC)                   53
      7878 (BEELINE)               51
      3116 (ROSTELECOMO)           37
      159 (TELE2)                  33
      79037672265 (ALFA-BANK)      16
      100 (MEGAFON)                10
      5335 (SVYAZNOYBANK)           1

  30. Sberbank SMS Banking Commands in TaskManager (exchange with short number 900, as laid out on the slide)
      From 900: VISA1234 (ON), VISA7894 (OFF)
      To 900:   INFO
      To 900:   BALANCE 1234
      From 900: VISA1234: $100

  31. Sberbank SMS Banking Commands in TaskManager
      From 900: Send code 1111 to confirm transfer
      To 900:   PEVEROD 1234 (origin) 7894 (destination) 50 (amount)
      From 900: Transfer processed
      To 900:   1111

  32. Sberbank SMS Banking Commands in TaskManager
      Phone 456789, From 900: Send code 999 to confirm transfer
      Phone 123456, To 900:   999
      Phone 123456, To 900:   ZAPROS 123456 (phone #) to 456789 100 (amount)
      Phone 456789, From 900: Transfer processed

  33. Sberbank SMS Banking Commands in TaskManager
      From 900: Send code 555 to confirm payment
      To 900:   TEL 123456 (phone #) 50 (amount)
      From 900: Payment processed
      To 900:   555

  34. Exposed Malware Parse.com Accounts
      Top Sberbank commands – task (TaskManager table) in Account D:
      BALANCE    4956
      INFO         59
      TRANSFER     37
      REQUEST      22
      PAY TEL      18

  35. Exposed Malware Parse.com Accounts
      Top Sberbank fraud responses – task (TaskManager table) in Account D:
      BALANCE               607
      INFO                  123
      TEL ASKED              88
      TEL PROCESSED          75
      TRANSFER PROCESSED     36
      TRANSFER ACCEPTED      30
      TRANSFER ASKED         26

  36. Exposed Malware Parse.com Accounts: unique device IDs per table (chart)

  37. Responsible Disclosure
      2015-08-03: Reported finding to Facebook
      2015-08-05: Facebook replied with “... This issue does not qualify as a part of our bounty program ...”
      2015-08-05: Facebook asked for more details
      2015-08-06: We provided more details and Facebook blocked all Parse accounts
      2015-08-28: Facebook offered room for collaboration
      Facebook‘s responsible disclosure system only works with a Facebook account

  38. Conclusions
      • Android Banking Trojans store and expose their data in BaaS solutions
      • By default no authentication is needed to access BaaS data
      • Android Banking Trojans are actively performing financial fraud via SMS
      • In less than a month, thousands of people were victims of financial fraud

  39. Siegfried Rasthofer (Secure Software Engineering Group)
      Email: siegfried.rasthofer@cased.de
      Blog: http://sse-blog.ec-spride.de
      Website: http://sse.ec-spride.de
      Twitter: @CodeInspect
      Carlos Castillo (Intel Security)
      Email: carlos.castillo@intel.com
      Twitter: @carlosacastillo
