Me and Roberto Puricelli delivered a talk based on this presentation at BSides Vienna 2014 (http://bsidesvienna.at/) in Vienna (November 22nd, 2014).
Cyber-attacks are quite common nowadays: data breaches, malware, botnets, phishing are some of the (buzz)words we hear almost constantly in the media. Indeed, while these attacks were once carried out by “white hat” hackers, whose purpose was to bypass security systems as a hobby or intellectual challenge, now they are performed mostly by criminals, with the aim of making profit. The constantly growing interest in this sector enables the proliferation of attack toolkits, sold also in underground markets, potentially allowing more people to perform cyber-attacks. Moreover, the discover of new vulnerabilities is often accompanied by blog posts or proof of concepts from researchers or security firms that demonstrate the technical details of their exploits. Despite their purpose of raising awareness, these information could also be used to perform attacks.
In this context, the goal of this talk is to demonstrate how it is possible to easily create powerful malware, combining public available attack toolkits and exploits of known vulnerabilities. In particular, we focused on mobile devices as the latest trends show how these kinds of terminals are becoming more often target of attacks. Remote Access Toolkits (RATs) for mobile devices are widespread and they could be considered an enabler for attacks aimed to obtain the control of the device itself. Moreover, given the source code of a RAT, it is possible to extend its features, adapting or modifying its behavior to the attacker's needs; for example “hiding” malicious features inside another application, or adding exploits in order to escalate privileges thus obtaining access to the administrative device’s features.
Therefore, we propose a proof-of-concept mobile malware, embedded in a legitimate application, that enhances the features of a well-know RAT application. The attack scenario that we propose is then subdivided into several incremental phases.
The first step is the installation of a malicious application from an alternative (non-official) store, which allows the attacker to remotely control the device. In general this is a common user behavior, especially in case of such paid applications, which are then provided free of charge.
The RAT, once installed, allows the attacker to control the phone remotely, obtaining access to certain sensitive information (such as contacts, calls & SMS logs, photos, files stored on the SD card, GPS geolocation), and potentially using the device for malicious purposes (create alerts, open links in the browser, make calls or send SMS, take pictures, use the microphone to intercept environmental audio, intercept calls). Moreover, if the attacker compromises a consistent number of devices, he could use them to create a botnet to perform attacks against third parties (e.g., DDOS attack against a website).
Subsequently, the attacker can also attempt to escalate his privileges in order to gain complete access to the device's resources. Embedding exploits for known kernel or driver vulnerabilities in the RAT, the attacker can then silently obtain root privileges and, therefore, complete access to the device. This allows, in addition to gaining access to many additional features (like the complete access to the internal memory, the possibility to install other packages, and to edit configurations), also a number of new attacks, like the exfiltration of protected system files, the "transparent" installation of new applications, or the interception of all the communications (e.g., performing a MITM attack by configuring a system proxy on the device).
In the talk we will describe the process that led us to realize the proof-of-concept of a mobile malware, starting from the public sources of a mobile RAT, to the integration of new and customized functionalities. We will also show a live demo of the proof-of-concept, following the steps described above.