Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android Malware in Practice Part II. Demo Recap SMSBypasser Here we hijacked the SMS text and sent it to our website This application could filter sms.

Similar presentations


Presentation on theme: "Android Malware in Practice Part II. Demo Recap SMSBypasser Here we hijacked the SMS text and sent it to our website This application could filter sms."— Presentation transcript:

1 Android Malware in Practice Part II

2 Demo Recap SMSBypasser Here we hijacked the SMS text and sent it to our website This application could filter sms when required MaliciousSDcardScanner No significant security permissions were required to gain access to the sdcard location Security exploit? Swift Key-logger Simply piggy backing and altering some one else's malware development.ie/blog/2013/03/06/inserting-keyloggercode-in- android-swiftkey-using-apktool/ development.ie/blog/2013/03/06/inserting-keyloggercode-in- android-swiftkey-using-apktool/

3 High Risk Android Permissions android.permission.SEND_SMS / RECEIVE_SMS android.permission.SYSTEM_ALERT_WINDOW android.permission.READ_CONTACTS / WRITE_CONTACTS android. permission.READ_CALENDAR / WRITE_CALENDAR android.permission.CALL_PHONE android.permission.READ_LOGS android.permission.ACCESS_FINE_LOCATION android.permission.GET_TASKS android.permission.RECEIVE_BOOT_COMPLETED android.permission.CHANGE_WIFI_STATE com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS List built-in permissions $ pm list permissions -f Sourced from Google IO 2012 and marakana.com

4 Thoughts… We have based our attacks using knowledge of the android stack using the Android framework These attacks are relatively simple yet effective to a naive user Would AntiVirus or Google Bouncer detect these malicious apps?

5 Corporate Migration BYOD (Bring Your Own Device) means that smartphones are now being accepted into a protected internal network Consider how we might mitigate malware and how companies attempt to refute such malware from their platforms/environment

6 Malware Detection and Prevention Static analysis of an applications code can provide insight into its intentions Antivirus software carries out static analysis of applications and protects against files that match binary signatures This type of protection is often inadequate!

7 Malware Detection and Prevention Rootkits are also difficult to discover depending on the sophistication of the attack Rootkits which attack the kernel memory are able to advise other application with a tainted view of the system, hence disguising itself cleverly

8 Reactive Most reactive approaches to application protection requires a runtime overhead to be incurred Overhead is a significant design consideration especially when targeting mobile devices

9 strace strace is a unix base tool that allow following of all system call made by an application Tracing the steps we can often see the system call along with arguments passed https://github.com/adetaylor/strace-android

10 Volatility Deep memory analysis of the dalvik machine provides application information associate with its runtime For example we can snoop an application and determine if data being sent is malware by reading into a intent and deciphering if it has a malicious payload or target Links https://code.google.com/p/volatility/ analysis-the-chuli-malware/ analysis-the-chuli-malware/

11 Android Filesystem Layout (Recap) ~ $ adb shell mount rootfs / rootfs ro,relatime 0 0 tmpfs /dev tmpfs rw,nosuid,relatime,mode= devpts /dev/pts devpts rw,relatime,mode= proc /proc proc rw,relatime 0 0 sysfs /sys sysfs rw,relatime 0 0 none /acct cgroup rw,relatime,cpuacct 0 0 tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid= tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid= none /dev/cpuctl cgroup rw,relatime,cpu 0 0 /dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0 /dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit, data=ordered,noauto_da_alloc,discard 0 0 /dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit, data=ordered 0 0 /dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit, data=ordered 0 0 /sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0 /dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,.... /dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime, uid=1000,gid=1023,...

12 Android Filesystem Layout (Recap) The mounts of interest / - root of the filesystem hierarchy /system - the ROM that holds all system binaries and files /data - RW location for user applications /cache - transient data space for user applications /efs - phone specific information like IMEI number /mnt/sdcard - fat32 filesystem with no inbuilt security

13 Android Open Source Project Android Open Source Project is a commitment from Google to freely provide the Android source code to developers Developers can download a vanilla based version of Android (eg Jelly Bean) using repo (git wrapper application) Developers can then customise the software to fit the requirements of their targeted hardware and audience

14 Rooting the device Why root a device? develop new features update to latest software (OS) provide security fixes remove bloatware get superuser access to hardware (overclocking) some applications require full access (backup software, AV?)

15 Rooting how? Attacking the OS Carry out an exploit to grant one time root access Remount '/system' as Read/Write Provide a mechanism to easily gain future root access

16 One time Exploits Here we briefly review some of the one time exploits required to gain initial root access ueventd - similar to udev (CVE ) vold (CVE ) rageagainstthecage(CVE-2010-EASY) Zimperlich (similar to CVE-2010-EASY) Ashmem (CVE ) suid on /proc/pid/mem (CVE )

17 Allowing for future root access (I) Once the exploit has successfully given access we need to set the system up so that we can change to root privileges on demand Remount /system $ mount -o remount,rw /dev/null /system

18 Allowing for future root access (II) We can either Create a copy of the shell binary as su and place setuid permissions to allow users to run as root or Cross compile and build your own su binary, then place in /system/bin/ The su-binary can be found within the AOSP source tree

19 References Android: Google IO: https://sites.google.com/site/io/https://sites.google.com/site/io/ Marakana: Genome project

20 Questions?


Download ppt "Android Malware in Practice Part II. Demo Recap SMSBypasser Here we hijacked the SMS text and sent it to our website This application could filter sms."

Similar presentations


Ads by Google