Enhancing Mobile Malware: an Android RAT Case Study
BSides Vienna 2014, November 22
About
Marco Lancini, Security Consultant, CEFRIEL (@lancinimarco)
Roberto Puricelli, Security Consultant, CEFRIEL (@robywankenoby)
Introduction
Intro
GOAL: demonstrate how it is possible to easily create powerful malware, combining publicly available attack toolkits and exploits of known vulnerabilities
HOW: given the source code of a mobile RAT, it is possible to extend its features, adapting and modifying its behavior (hiding malicious features, adding exploits)
POC: AndroRAT++, a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-known RAT application
Mobile malware evolution
Mobile malware evolution
Mobile malware is a (relatively) new trend
• Actually almost 10 years of samples
[1] http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-mobile-security-threat-report.pdf
DroidDream
• Infected 60 different legitimate apps in the Android Market
• Breached the Android security sandbox, installed additional software, and stole data
• Created a botnet
Zitmo
• A.k.a. Eurograbber
• Widespread in Europe
• Bypasses 2FA (SMS OTP)
• 36M € stolen
Android is the prime target
Why is Android the most targeted platform?
• Widespread
• “Open” philosophy
• Lack of controls
[1] http://blog.kaspersky.com/mobile-malware-evolution-2013/
How to get compromised?
Social engineering plays a big role in the exploit
• By installing a trojan app that performs unauthorized operations
• The malware is “embedded in the app”
Anzhi Market
• Known for not performing controls over published applications
• Used to spread malicious applications disguised as famous ones
What can an attacker do?
[1] https://www.f-secure.com/documents/996508/1030743/Mobile_Threat_Report_Q1_2014_print.pdf
Surveillance
• SMS
• Call logs
• Audio
• Camera
• Location
Impersonation
• SMS redirection
• Send emails
• Post to social media
Financial
• Send premium rate SMS
• Steal transaction auth numbers (TANs)
• Extortion via ransomware
• Fake antivirus
Data Theft
• Stored files
• Account details
• Contacts
• Call logs
• Phone number
• IMEI
Malicious Activity
• Add new features
• Edit configurations
• Install new apps
• Launch DDoS attacks
• Click fraud
How to build a powerful malware?
What’s new in Android Malware?
The cutting edge of mobile malware
Remote Access Trojan? Interesting, let’s Google it…
Remote Access Trojan
I’m feeling lucky...
• First result gave us a possible trojan name: AndroRAT
• Open source proof of concept
• Powerful features
• “Easy like Sunday Morning”!!!!
Ok, we just need to find the code…
• Let’s try GitHub
AndroRAT Source Code
Still lucky…
• Lots of different working versions
AndroRAT
How it works
• Java “server” application
• Android service on the phone
The application itself is not so attractive
• We can embed it into another one, it’s easy
• A game, or another app, could be effective for our target
If we could just exploit the certificate validation in Android..
Injection of malicious code
Injection of malicious code: Android Master Key Vulnerability
• Allows an attacker to "modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user"
• Android can be tricked into believing the app is unchanged even if it has been modified
• Corrected with Android 4.4
[1] BlackHat US 2013: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
JarVerifier
• This allows changing any of the resources contained in an APK (manifest, Java classes, graphical assets) and replacing them with ones of choice
• This only applies to resources already existing in the original APK (new resources cannot be introduced)
• It’s possible to decompile an app and inject code into it
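A defender-side check for the tampering this slide describes, added here as an example (it is not code from the talk, from AndroRAT, or from Bluebox). The Master Key bug rested on an APK carrying two ZIP entries with the same name: the signature verifier and the installer each resolved the name to a different entry, so replaced content rode under the original signature. Parsing the central directory directly and refusing any archive that lists a name twice catches that shape whatever parser the platform uses. The sample archive is constructed in-memory and is not a real APK; the function names (`central_directory_names`, `duplicate_entries`, `library_view`, `build_sample_apk`) are mine.

```python
"""Flag duplicate entry names in an APK's ZIP central directory.

Added example, not code from the talk, from AndroRAT, or from Bluebox.
The sample archive built by build_sample_apk() is constructed here and
is not a real APK.
"""
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDFH_SIG = b"PK\x01\x02"   # central-directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record
CDFH_LEN = 46              # fixed part of a central-directory header


def central_directory_names(data: bytes) -> list:
    """Return every entry name in the central directory, duplicates included.

    Walks the raw ZIP structures instead of asking a library, because a
    library may silently resolve a repeated name to a single entry.
    """
    eocd = data.rfind(EOCD_SIG)   # EOCD sits at the end; a comment may follow it
    if eocd < 0:
        raise ValueError("not a ZIP archive: EOCD record missing")
    # sig, disk no, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, _, cd_offset, _ = struct.unpack(
        "<4sHHHHLLH", data[eocd:eocd + EOCD_LEN])
    names, pos = [], cd_offset
    for _ in range(total):
        hdr = data[pos:pos + CDFH_LEN]
        if len(hdr) < CDFH_LEN or hdr[:4] != CDFH_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        # sig, 6x uint16 (versions, flags, method, time, date), 3x uint32 (crc, sizes),
        # 5x uint16 (name/extra/comment lengths, disk start, internal attrs), 2x uint32
        fields = struct.unpack("<4s6H3L5H2L", hdr)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        start = pos + CDFH_LEN
        names.append(data[start:start + name_len].decode("utf-8", "replace"))
        pos = start + name_len + extra_len + comment_len
    return names


def duplicate_entries(data: bytes) -> dict:
    """Map each name that occurs more than once to its count; {} means clean."""
    counts = Counter(central_directory_names(data))
    return {name: n for name, n in counts.items() if n > 1}


def library_view(data: bytes, name: str) -> bytes:
    """What a consumer trusting zipfile's name lookup sees: one entry only,
    with no hint that a second entry with the same name exists."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample (not a real APK): a minimal archive with a manifest
    and a classes.dex; with tamper=True a second classes.dex is appended,
    which is the duplicate-name shape the Master Key bug abused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original code")
        if tamper:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")   # zipfile only warns on a duplicate name
                zf.writestr("classes.dex", b"dex\n035\x00injected code")
    return buf.getvalue()


if __name__ == "__main__":
    for tamper in (False, True):
        apk = build_sample_apk(tamper)
        print("tampered" if tamper else "clean", "->",
              duplicate_entries(apk) or "no duplicate entries")
```

`library_view` is there to make the point of the slide concrete: Python's `zipfile` resolves the repeated name to the last entry without complaint, just as one of the two Android parsers did, so a checker must count names in the central directory rather than trust any single name lookup. The parser does not handle ZIP64 archives, which APKs of that era did not use.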
A real example…
• Let’s embed our RAT into a benign application
• The purpose here is to simulate the attack, not to do it for real..
• AndroRAT has been injected into a *fake* application of BSides
• Not available in any store
• New features were added (AndroRAT++)
DEMO Scenario
Scenario
1) Installation of a malicious APK
2) Remote control of the phone
3) Leverage the botnet (DoS attacks)
4) Privilege escalation
5) Exfiltration of sensitive data
6) Silent installation of new applications
7) Interception of communications
Scenario, steps 1-2 (installation, remote control): AndroRAT + some configurations
Scenario, step 3 (leverage the botnet): AndroRAT++, add some coding
Denial of Service (step 3)
• Bulk actions allow the attacker to execute a command on all the controlled devices
• If the attacker compromises a large number of devices, a botnet is created
• The resources of infected devices could be used to carry out attacks on third-party services
Scenario, step 4 (privilege escalation): we need more… root power! …but how? Let’s find an easy way
Privilege escalation (step 4)
I’m feeling lucky (AGAIN!!!!)...
• First result gave us an application that can easily root an Android phone: Framaroot
• Not open source, but we can get the APK from XDA
• One-click root
• Works from Android 2.0 to 4.2… good enough!
[1] http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276
Framaroot (step 4)
• We can also embed the exploits used by Framaroot within the RAT application…
• The embedded version is "silent"
• The attacker can root the devices remotely
• Several exploits are available in Framaroot
• The exploit installs an administrative shell
• We can now execute system commands from within our code
Scenario, step 5 (exfiltration of sensitive data): add some more code…
Scenario, step 6 (silent installation of new applications): still some code…
Which application to install?
I just have to choose the application…
• The purpose is always to make money
Scenario, step 7 (interception of communications): AndroRAT++
ProxyDroid (step 7)
• Used to set the proxy (HTTP/SOCKS4/SOCKS5) on Android devices
• The app has been modified
• The GUI has been stripped entirely
• When launched, it sets the proxy and exits
• The app is installed and run automatically
Conclusions
What we did
Maybe it’s just a bit of luck, but we demonstrated that it’s easy to create a powerful Android-based malware…
Take an app, add malware, make it bad (++)
Marco Lancini, Security Consultant, CEFRIEL (@lancinimarco)
Roberto Puricelli, Security Consultant, CEFRIEL (@robywankenoby)