Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android Malware in Practice

Published byKaiden Rex Modified over 10 years ago

Similar presentations

Presentation on theme: "Android Malware in Practice"— Presentation transcript:

1 Android Malware in Practice
Part I

2 Android Filesystem Layout
~ $ adb shell mount rootfs / rootfs ro,relatime 0 0 tmpfs /dev tmpfs rw,nosuid,relatime,mode= devpts /dev/pts devpts rw,relatime,mode= proc /proc proc rw,relatime 0 0 sysfs /sys sysfs rw,relatime 0 0 none /acct cgroup rw,relatime,cpuacct 0 0 tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid= tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid= none /dev/cpuctl cgroup rw,relatime,cpu 0 0 /dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0 /dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit, data=ordered,noauto_da_alloc,discard 0 0 /dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit, data=ordered 0 0 /dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit, /sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0 /dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,.... /dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime, uid=1000,gid=1023,...

3 Android Filesystem Layout
The mounts of interest / - root of the filesystem hierarchy /system - the ROM that holds all system binaries /data - RW location for user applications /cache - transient data space for user applications /efs - phone specific information like IMEI number /mnt/sdcard - fat32 filesystem with no inbuilt security

4 Application locations
System applications /system/app/<AppName>.apk User applications /data/app/<AppName>.apk (preloaded) /data/app/<AppPkgName>-1.apk (downloaded) /mnt/secure/asec/<AppPkgName>-1.apk (sdcard)

5 App Signing All apps are signed with a key to provide android with the ability to distinguish distributors of software Possible to group applications in the same security context when two applications are signed with same key giving identical digital signature

6 Android Debug Bridge Android Debug Bridge allows the developer access to the Android device connected via usb or IP Once connected to a device, ADB provides developers an interface to interact with a rich suite of tools to manage the device

7 ADB Push / Pull Using ADB we are able to transfer files from/to the device Pull test.txt off the device and place in pwd adb pull /mnt/sdcard/test.txt [local location] Push local test.txt to sdcard on the device adb push ./test.txt /mnt/sdcard

8 Android Manual Install
Manually install application adb push com.myapp.hello.apk /data/app/ (Permissions need to be changed to 0644) adb install com.myapp.hello.apk Manually uninstall application adb uninstall com.myapp.hello

9 Package Manager pm is a tool that is provided to manage and provide details about applications and permissions. List all applications pm list packages Find location of an application pm path com.myapp.helloworld List available permissions pm list permissions -f

10 Activity Manager: Sending Intents
The activity manager provides the mechanism to start an instance of a graphic application using adb we are able to start applications via am start -a android.intent.action.CALL -d tel:

11 Service Manager The service manager can also be invoked via command line to send messages service call isms 5 s16 "+??????????" i32 0 i32 0 s16 "SMS TEXT HERE"

12 Android Startup

13 init (1) Responsible for creating mounts and file permissions associated with mount Reads initrc file which contains these directories, mounts and file permissions Responsible for further starting other processes/daemons

14 daemons (2) Native linux daemons such as the following are started by init netd (manages network connections) vold (manages volumes such as sdcard) usbd (manages USB connections) debuggerd (debug processes - coredump) rild (manages communication with the radio) zygote

15 zygote (3) init launches zygote which loads classes and listen for requests to spawn new applications through an instance of a dalvik virtual machine Utilises copy-on-write memory references when forking its process to reduce memory footprint

16 Runtime/Service Manager (4a/b)
init starts android runtime process which initialises the Service Manager Service Manager is the context manager for binder that is responsible for service registration and lookups Android runtime then sends a start signal for zygote to create an instance of System Service (Android Services)

17 dalvik (5) Zygote has received a signal to instantiate a dalvik virtual machine instance for the Android System Server

18 System Server (6) Zygote forks itself with appropriate permissions and starts the System Server instance Its role is to bootstrap all the android services required by the android framework which provide services to applications

19 Native System Services (7)
Native System Services are services that integrate with the operating system to provide low latency and high availability services such as the audio and surface flinger Audio Slinger provides audio management and multiplexing while Surface Flinger is the composition framework to display graphics

20 Native System Services (7) continued
Native System Services register themselves with Service Manager allowing them to be available through IPC for other applications or processes

21 Android System Services (8)
Android System Services provide high level framework services for applications These services like Native System Services register themselves with Service Manager allowing for IPC communication from Android applications and other services

22 Android Development Android provides users familiar with Java an easy route to build mobile applications. Google provides a SDK and NDK which enable the developer to call upon rich libraries and tools.

23 Software Development Kit (SDK)
The android Software development kit provides libraries and tools to develop standard java applications. Some of the tools allow for automatic installation of various android platforms and their associated libraries - eg. Ice Cream Sandwich. Included in the ADT bundle is the SDK and an eclipse environment configured and setup for building/developing Android applications.

24 Native Development Kit (NDK)
Android allows for native libraries to be used with the android environment. These libraries are C/C++ based and give developers greater performance gains for intensive hardware operations.

25 Repackaging howto: reverse engineering an application –
open the apk archive to access smali- $ apktool d com.hello out OR run dedexer (convert apk to jar archive) run a java decompiler or use jdgui

26 Insert the payload Still have key signing issue
But users can be unaware of the dangers

27 Reverse Engineering Links

28 Malicious App 1: SMS DEMO

29 Malicious App 2: Photo/Sdcard
DEMO

30 Malicious App 3: Keyswift
DEMO Reference:

31 Notes These attacks were aimed at Samsung devices which have been known to implement their own sdk libraries for android. These have not been tested as vigorously as would be liked and have been proven to provide further vulnerabilities.

32 Permissions Concerns android.permission.SEND_SMS / RECEIVE_SMS
android.permission.SYSTEM_ALERT_WINDOW android.permission.READ_CONTACTS / WRITE_CONTACTS android. permission.READ_CALENDAR / WRITE_CALENDAR android.permission.CALL_PHONE android.permission.READ_LOGS android.permission.ACCESS_FINE_LOCATION android.permission.GET_TASKS android.permission.RECEIVE_BOOT_COMPLETED android.permission.CHANGE_WIFI_STATE com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS Sourced from Google IO 2012 and marakana.com

33 References Android: http://developer.android.com/index.html
Google IO: Marakana: Genome project

34 Questions?

Download ppt "Android Malware in Practice"

Similar presentations

© 2011 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Ashish Mishra Automation Lifecycle of Mobile Applications.

© 2011 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. Ashish Mishra Automation Lifecycle of Mobile Applications.
Android Application Development A Tutorial Driven Course.

Android Application Development A Tutorial Driven Course.
Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.
Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Scienze dellInformazione Università di Bologna.

Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Scienze dellInformazione Università di Bologna.
Programming with Android: System Architecture

Programming with Android: System Architecture
Android OS : Core Concepts Dr. Jeyakesavan Veerasamy Sr. Lecturer University of Texas at Dallas

Android OS : Core Concepts Dr. Jeyakesavan Veerasamy Sr. Lecturer University of Texas at Dallas
 Android is a software platform and operating system for mobile devices, based on the Linux kernel, developed by Google. It allows developers to write.

 Android is a software platform and operating system for mobile devices, based on the Linux kernel, developed by Google. It allows developers to write.
Android Platform Overview (1)

Android Platform Overview (1)
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
Android: An Open Software Platform for Mobile Devices

Android: An Open Software Platform for Mobile Devices
Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Informatica: Scienza e Ingegneria Università di Bologna.

Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Informatica: Scienza e Ingegneria Università di Bologna.
Implementation of an Android Phone Based Video Streamer 2010 IEEE/ACM International Conference on Green Computing and Communications 2010 IEEE/ACM International.

Implementation of an Android Phone Based Video Streamer 2010 IEEE/ACM International Conference on Green Computing and Communications 2010 IEEE/ACM International.
Android Malware in Practice Part II. Demo Recap SMSBypasser Here we hijacked the SMS text and sent it to our website This application could filter sms.

Android Malware in Practice Part II. Demo Recap SMSBypasser Here we hijacked the SMS text and sent it to our website This application could filter sms.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
DEPARTMENT OF COMPUTER ENGINEERING

DEPARTMENT OF COMPUTER ENGINEERING
© 2010 MindTree Limited CONFIDENTIAL: For limited circulation only Slide 1 CONFIDENTIAL: For limited circulation only An automaton that is created from.

© 2010 MindTree Limited CONFIDENTIAL: For limited circulation only Slide 1 CONFIDENTIAL: For limited circulation only An automaton that is created from.
Mobile Application Development

Mobile Application Development
Google Android as a mobile development platform T-110.7111 Internet Technologies for Mobile Computing Olli Mäkinen.

Google Android as a mobile development platform T Internet Technologies for Mobile Computing Olli Mäkinen.
This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit

This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit
2. Setting Up Your Android Development Environment.

2. Setting Up Your Android Development Environment.

Similar presentations

Ads by Google