
Enhancing Mobile Malware: an Android RAT Case Study - BSides Vienna 2014

Marco Lancini
November 22, 2014


Roberto Puricelli and I delivered a talk based on this presentation at BSides Vienna 2014 (http://bsidesvienna.at/) in Vienna (November 22nd, 2014).

Description:
Cyber-attacks are quite common nowadays: data breaches, malware, botnets and phishing are some of the (buzz)words we hear almost constantly in the media. Indeed, while these attacks were once carried out by “white hat” hackers, whose purpose was to bypass security systems as a hobby or intellectual challenge, they are now performed mostly by criminals with the aim of making a profit. The constantly growing interest in this sector enables the proliferation of attack toolkits, also sold in underground markets, potentially allowing more people to perform cyber-attacks. Moreover, the discovery of new vulnerabilities is often accompanied by blog posts or proofs of concept from researchers or security firms that demonstrate the technical details of their exploits. Despite their purpose of raising awareness, this information could also be used to perform attacks.

In this context, the goal of this talk is to demonstrate how it is possible to easily create powerful malware by combining publicly available attack toolkits and exploits for known vulnerabilities. In particular, we focused on mobile devices, as the latest trends show that these kinds of terminals are increasingly often the target of attacks. Remote Access Toolkits (RATs) for mobile devices are widespread and can be considered an enabler for attacks aimed at obtaining control of the device itself. Moreover, given the source code of a RAT, it is possible to extend its features, adapting or modifying its behavior to the attacker's needs: for example, “hiding” malicious features inside another application, or adding exploits in order to escalate privileges and thus obtain access to the device's administrative features.

Therefore, we propose a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-known RAT application. The attack scenario that we propose is subdivided into several incremental phases.

The first step is the installation of a malicious application from an alternative (non-official) store, which allows the attacker to remotely control the device. In general this is common user behavior, especially for paid applications, which such stores then provide free of charge.

The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information (such as contacts, call and SMS logs, photos, files stored on the SD card, GPS geolocation) and potentially using the device for malicious purposes (creating alerts, opening links in the browser, making calls or sending SMS, taking pictures, using the microphone to intercept environmental audio, intercepting calls). Moreover, if the attacker compromises a large number of devices, he could use them to create a botnet to perform attacks against third parties (e.g., a DDoS attack against a website).

Subsequently, the attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. By embedding exploits for known kernel or driver vulnerabilities in the RAT, the attacker can silently obtain root privileges and, therefore, complete access to the device. Besides many additional capabilities (complete access to the internal memory, the possibility to install other packages and to edit configurations), this also enables a number of new attacks, such as the exfiltration of protected system files, the "transparent" installation of new applications, or the interception of all communications (e.g., performing a MITM attack by configuring a system proxy on the device).

In the talk we describe the process that led us to build the proof-of-concept mobile malware, starting from the public sources of a mobile RAT and going up to the integration of new and customized functionalities. We also show a live demo of the proof-of-concept, following the steps described above.


Transcript

  1. BSIDES VIENNA 2014
    November 22
    Enhancing Mobile Malware:
    an Android RAT Case Study

  2. About
    Marco Lancini
    Security Consultant, CEFRIEL
    @lancinimarco
    Roberto Puricelli
    Security Consultant, CEFRIEL
    @robywankenoby

  3. Introduction

  4. Intro
    GOAL
    Demonstrate how it is possible to easily create
    powerful malware, combining publicly available attack
    toolkits and exploits of known vulnerabilities
    HOW
    Given the source code of a mobile RAT, it is possible to
    extend its features, adapting and modifying its
    behavior (hiding malicious features, adding exploits)
    POC
    AndroRAT++, a proof-of-concept mobile malware,
    embedded in a legitimate application, that enhances
    the features of a well-known RAT application

  5. Mobile malware evolution

  6. Mobile malware evolution
    Mobile malware is a (relatively) new trend
    • Actually almost 10 years of samples
    [1] http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-mobile-security-threat-report.pdf

  7. DroidDream
    • Infected 60 different legitimate apps in the Android Market
    • Breached the Android security sandbox, installed additional software, and stole data
    • Created a botnet

  8. Zitmo
    • A.k.a. Eurograbber
    • Widespread in Europe
    • Bypassed 2FA (SMS OTP)
    • 36M € stolen

  9. Android is the prime target
    Why is Android the most targeted platform?
    • Wide-spread
    • “Open” philosophy
    • Lack of controls
    [1] http://blog.kaspersky.com/mobile-malware-evolution-2013/

  10. How to get compromised?
    Social engineering plays a big role in the exploit
    • By installing a trojan app that performs unauthorized operations
    • The malware is “embedded in the app”
    Anzhi Market
    • Renowned for not making controls over published applications
    • Used to spread malicious applications disguised as famous ones

  11. What can an attacker do?
    Surveillance
    • SMS
    • Call logs
    • Audio
    • Camera
    • Location
    Impersonation
    • SMS redirection
    • Send emails
    • Post to social media
    Financial
    • Send premium rate SMS
    • Steal transaction auth numbers (TANs)
    • Extortion via ransomware
    • Fake antivirus
    Data Theft
    • Stored files
    • Account details
    • Contacts
    • Call logs
    • Phone number
    • IMEI
    Malicious Activity
    • Add new features
    • Edit configurations
    • Install new apps
    • Launch DDoS attacks
    • Click fraud
    [1] https://www.f-secure.com/documents/996508/1030743/Mobile_Threat_Report_Q1_2014_print.pdf

  12. How to build a powerful malware?

  13. The cutting edge of mobile malware
    What’s new in Android Malware?
    Remote Access Trojan? Interesting, let’s Google it…

  14. Remote Access Trojan
    I’m feeling lucky...
    • First result gave us a possible trojan name
    AndroRAT
    • Open source proof of concept
    • Powerful features
    • “Easy like Sunday Morning”!!!!
    Ok, we just need to find the code…
    • Let’s try GitHub

  15. AndroRAT Source Code
    Still lucky…
    • Lots of different working versions

  16. AndroRAT
    How it works
    • Java “server” application
    • Android service on the phone
    The application itself is not so attractive
    • We can embed it into another one, it’s easy
    • A game, or another app, could be effective for our target
    If we could just exploit the certificate validation in Android..

  17. Injection of malicious code
    If we could just exploit the certificate validation in Android..

  18. Injection of malicious code
    Android Master Key Vulnerability
    • Allows one to "modify APK code without breaking an application’s
    cryptographic signature, to turn any legitimate application into a malicious
    Trojan, completely unnoticed by the app store, the phone, or the end user"
    • Android can be tricked into believing the app is unchanged even if it has been
    • Corrected with Android 4.4
    [1] BlackHat US 2013: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/
    JarVerifier
    • This allows one to change any of the resources contained in an APK
    (manifest, Java classes, graphical assets) and replace them with ones of choice
    • This only applies to resources already existing in the original APK
    (new resources cannot be introduced)
    • It's possible to decompile an app and to inject code in it

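    A defender-side illustration of the slide above, added here as an example (it is not code from the talk, from AndroRAT or from the Bluebox write-up). An APK is a ZIP archive; the condition the slide describes arises when the archive's central directory lists the same file name twice, so that the component verifying the signature and the component installing the package can each end up reading a different copy. Android 4.4 closed the hole by rejecting archives with duplicate names, and the scanner below applies that rule up front. It also shows, on a constructed archive, that two readers of the same file disagree about what "classes.dex" contains. The sample archives are built in memory and are not real APKs.

```python
"""Scan an APK (ZIP) for the duplicate-entry condition behind the Android
"master key" bug, and show why two readers of such an archive disagree.

Added example for this page, not code from the talk, from AndroRAT or from
the Bluebox advisory. The fixture archives below are constructed in-line.
"""
import io
import warnings
import zipfile
from typing import Dict, List, Tuple


def duplicate_entries(apk_bytes: bytes) -> List[str]:
    """Names listed more than once in the central directory (empty list if none)."""
    counts: Dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() returns every central-directory record, duplicates included.
        # A name-keyed lookup would silently collapse them, which is the problem.
        for info in zf.infolist():
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def is_clean(apk_bytes: bytes) -> bool:
    """Mirror of the Android 4.4 rule: an APK with any duplicate name is rejected."""
    return not duplicate_entries(apk_bytes)


def copies_seen(apk_bytes: bytes, name: str) -> Tuple[bytes, bytes]:
    """Contents obtained by two readers of the same archive: one that walks the
    directory in order and takes the first record, one that looks the name up
    (Python's zipfile keeps the last record for name lookups)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        first_record = next(i for i in zf.infolist() if i.filename == name)
        with zf.open(first_record) as fh:
            by_position = fh.read()
        by_name = zf.read(name)
    return by_position, by_name


def build_sample(duplicate: bool) -> bytes:
    """Constructed fixture: a minimal APK-like ZIP, optionally with classes.dex
    listed twice with different contents. Not a real APK."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on a repeated name but still writes it
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original bytecode")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035 replaced bytecode")
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("clean", build_sample(False)), ("tampered", build_sample(True))):
        print(label, "duplicates:", duplicate_entries(apk), "accept:", is_clean(apk))
    by_position, by_name = copies_seen(build_sample(True), "classes.dex")
    print("first record :", by_position)
    print("name lookup  :", by_name)
```

    The point of `copies_seen` is the disagreement itself: any pipeline in which one parser verifies and another extracts must either share the parse or refuse ambiguous archives, which is what the duplicate-name rejection does.
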
  19. A real example…
    • Let’s embed our RAT into a benign application
    • The purpose here is to simulate the attack, not to do it for real..
    • AndroRAT has been injected into a *fake* application of BSides
    • Not available in any store
    • New features were added (AndroRAT++)

  20. DEMO Scenario

  21. Scenario
    1) Installation of a malicious APK
    2) Remote control of the phone
    3) Leverage the botnet (DoS attacks)
    4) Privilege escalation
    5) Exfiltration of sensitive data
    6) Silent installation of new applications
    7) Interception of communications

  22. Scenario (same seven steps as slide 21)
    Androrat + some configurations

  23. Scenario (same seven steps as slide 21)
    Add some coding (++)

  24. Denial of Service (step 3)
    • Bulk actions allow a command to be executed on all the controlled devices
    • If the attacker compromises a large number of devices, a botnet is created
    • The resources of infected devices could be used to carry out attacks on third-party services

  25. Scenario (same seven steps as slide 21)
    We need more… root power!
    …but how? Let’s find an easy way

  26. Privilege escalation (step 4)
    I’m feeling lucky (AGAIN!!!!)...
    • First result gave us an application that can easily root an Android phone
    Framaroot
    • Not open source, but we can get the APK from XDA
    • One-click root
    • Works from Android 2.0 to 4.2…good enough!
    [1] http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276

  27. Framaroot (step 4)
    • We can also embed the exploits used by Framaroot within the RAT application….
    • The embedded version is "silent"
    • The attacker can root the devices remotely
    Several exploits are available in Framaroot
    The exploit installs an administrative shell
    We can now execute system commands from within our code

  28. Scenario (same seven steps as slide 21)
    Add some more code…

  29. Scenario (same seven steps as slide 21)
    Still some code…

  30. Which application to install?
    I just have to choose the application…
    • The purpose is always to make money

  31. Scenario (same seven steps as slide 21)

  32. ProxyDroid (step 7)
    • Used to set the proxy (HTTP/SOCKS4/SOCKS5) on Android devices
    • The app has been modified
    • The GUI has been stripped entirely
    • When launched, it sets the proxy and exits
    • The app is installed and run automatically

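    Step 7 of the scenario ends with a proxy configured on the device, and the corresponding defender-side check is to look at the device's global settings for one. The following is an added example (not code from the talk or from ProxyDroid) that parses the text of `adb shell settings list global` (one `key=value` per line) and reports whether a global HTTP proxy or PAC URL is configured. The key names are the ones Android's `Settings.Global` uses for the global proxy (`http_proxy`, `global_http_proxy_host`, `global_http_proxy_port`, `global_proxy_pac_url`); treat them as an assumption to confirm on your own platform version. Both dumps and the proxy address in them are constructed for the example. Caveat: a tool that redirects traffic at the packet-filter level instead of through this setting will not appear here, so this check covers only the global-settings route.

```python
"""Report whether an Android device has a system-wide proxy configured,
from the output of `adb shell settings list global`.

Added example for this page, not code from the talk or from ProxyDroid.
Assumes one key=value per line and the Settings.Global key names below
(assumed names, verify against your platform); both dumps are constructed.
"""
from typing import Dict, Optional

KEY_LEGACY = "http_proxy"                  # "host:port"; the platform writes ":0" when cleared
KEY_HOST = "global_http_proxy_host"
KEY_PORT = "global_http_proxy_port"
KEY_PAC = "global_proxy_pac_url"
KEY_EXCLUSIONS = "global_http_proxy_exclusion_list"

# Constructed sample: a device with no proxy (http_proxy cleared to ":0").
CLEAN_DUMP = """\
adb_enabled=1
airplane_mode_on=0
http_proxy=:0
wifi_on=1
"""

# Constructed sample: a device on which a global proxy was set (address invented).
PROXIED_DUMP = """\
adb_enabled=1
airplane_mode_on=0
http_proxy=10.0.0.5:8080
global_http_proxy_host=10.0.0.5
global_http_proxy_port=8080
global_http_proxy_exclusion_list=
wifi_on=1
"""


def parse_settings(dump: str) -> Dict[str, str]:
    """Turn the `settings list global` text into a dict; lines without '=' are skipped."""
    settings: Dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key] = value
    return settings


def proxy_in_use(settings: Dict[str, str]) -> Optional[str]:
    """'host:port' or the PAC URL if a global proxy is set, None otherwise."""
    pac = settings.get(KEY_PAC, "")
    if pac:
        return pac
    host = settings.get(KEY_HOST, "")
    if host:
        port = settings.get(KEY_PORT, "")
        return f"{host}:{port}" if port else host
    legacy = settings.get(KEY_LEGACY, "")
    if legacy and legacy != ":0":          # ":0" means the proxy has been cleared
        return legacy
    return None


def check_dump(dump: str) -> str:
    """One-line verdict for a dump, suitable for a fleet-wide sweep."""
    proxy = proxy_in_use(parse_settings(dump))
    return f"proxy configured: {proxy}" if proxy else "no global proxy"


if __name__ == "__main__":
    print("clean   :", check_dump(CLEAN_DUMP))
    print("proxied :", check_dump(PROXIED_DUMP))
```

    A proxy value that points at an address the organisation does not operate is the signal to act on; a cleared value (`:0`) is the normal state after a legitimate proxy has been removed.
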
  33. Conclusions

  34. What we did
    Maybe it’s just a bit of luck, but we demonstrated that
    it’s easy to create a powerful Android-based malware…
    Take an app → Add malware (++) → Make it bad

  35. Marco Lancini
    Security Consultant, CEFRIEL
    @lancinimarco
    Roberto Puricelli
    Security Consultant, CEFRIEL
    @robywankenoby