
Mobile Malware via Devconf(Opensanca)

In this lecture, Daiane Santos gives an important talk on malware for mobile phones.

Synopsis:

Over the end of last year and this year we have seen a growing spread of malware aimed at mobile systems. To what extent can we consider ourselves safe?

And as developers, how can we make sure our apps have this layer of security?

Opensanca

May 27, 2023

Transcript

  1. Mobile Malware
    Presentation by Daiane Santos

  2. Agenda
    whoami
    malwares
    malware types
    numbers
    zero-click
    one-click
    services
    android architecture
    permissions
    ty
    activities
    broadcast receivers

  3. Who am I
    Daiane Santos
    Hacking
    Neuroscience
    Reverse Engineer
    Chess
    Mobile Security Engineer @ Nubank
    CTF Player @ RATF
    Mobile Security content @mobilehackingbr
    Autism and AH/SD

  4. Malwares
    Malware is a term used for any type of malicious software designed to
    harm or exploit any programmable device, service or network.

  5. In numbers
    In 2022, Kaspersky mobile products and technology detected:
    1,661,743 malicious installers
    196,476 new mobile banking Trojans
    10,543 new mobile ransomware Trojans

  6. 0% 10% 20% 30% 40% 50%
    RiskTook
    AdWare
    Trojan
    Trojan-Banker
    Trojan-Dropper
    Trojan-Spy
    Trojan-SMS
    Backdoor
    2022
    2021

    View full-size slide

  7. Zero Click Malwares
    A zero-click attack exploits flaws in your device, using a loophole in its data
    validation to create a path of entry into your system. Most software relies on
    data validation to keep such breaches at bay.

    The malware can be installed on a device without the victim taking any action,
    such as clicking on a link. That is what makes zero-click (or no-click) malware
    so much more dangerous.

    The reduced interaction in a zero-click attack also means fewer traces of any
    malicious activity. Furthermore, vulnerabilities that can be exploited in
    zero-click attacks are quite rare, which makes them especially prized by
    criminals.

  8. Zero Click Malwares
    In theory, a zero-click attack unfolds as follows:
    1. Cybercriminals identify a vulnerability in an email or messaging application.
    2. They exploit the vulnerability by sending a carefully crafted message to the
    victim.
    3. The vulnerability allows the attackers to infect the device remotely, for
    example via emails crafted to consume high levels of memory.
    4. The attacker's email, message or call does not necessarily remain on the
    device.
    5. As a result of the attack, the cybercriminals can read, edit, leak or delete
    messages.

  9. Zero Click Malwares
    It is speculated that intelligence agencies around the world use this tactic to
    intercept messages and monitor the whereabouts of suspected criminals and terrorists.

  10. Zero Click Malwares
    1. In July 2020, an Azerbaijani journalist's iPhone silently received
    a command to open the Apple Music app. Without the journalist's
    knowledge or interaction, the app connected to a malicious server
    and downloaded spyware onto the phone that remained there for 17
    months, eavesdropping on phone calls and text messages. The Israeli
    company behind the spyware, NSO Group, says clients use its software
    to stop terrorism and curb violent crime.

  11. Zero Click Malwares
    2. NSO Group also designed zero-click attacks that could
    compromise Android phones by exploiting a flaw in WhatsApp that
    was used to transmit malicious code onto a device. In April 2019,
    WhatsApp fixed the vulnerability, saying it had been used to
    target more than 1,400 people over a two-month period, and filed a
    lawsuit against NSO Group.

  12. One Click Malware
    One-click attacks rely on vulnerabilities that allow an attacker to induce
    users to perform actions they do not intend to perform. Such an attack lets
    the attacker partly circumvent the same-origin policy, which is designed to
    prevent different websites from interfering with each other.

  13. One Click Malware
    A single click on a "Change email address" link is enough:
    Change email address
    https://vulnerable-website.com/email/[email protected]
    Email changed

  14. (image: Rinha_de_Malware.jpg, "malware brawl")

  15. Permissions
    Runtime permissions give additional access to restricted data or let your
    app perform restricted actions that affect the system and other apps. So
    you need to request runtime permissions before accessing restricted data
    or performing restricted actions.

  16. Reverse Engineer
    To analyze the Java source code of the application after decompiling it,
    we can use dex2jar and JD-GUI: dex2jar converts the dex files to jar (Java)
    files, and JD-GUI shows the decompiled Java classes. This is done as follows:
    1. Download dex2jar.
    2. Rename the .apk to .zip (an APK is a zip archive), extract it and open the
    folder.
    3. Copy the classes.dex file from the apk folder into the dex2jar folder.
    4. Run the command:
    sh d2j-dex2jar.sh classes.dex
    to obtain the classes-dex2jar.jar file.
    5. Open the generated classes-dex2jar.jar file with JD-GUI.
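The steps above assume one classes.dex; real apps often ship several (multidex), and droppers hide a second-stage dex elsewhere in the archive under a harmless name. The Python script below is an added example, not code from the talk: it inventories an APK in memory (an APK is an ordinary zip), sorts the classes*.dex entries in multidex order, checks each one's magic, spots dex payloads hidden outside classes*.dex, lists native libraries per ABI, records that the manifest is binary AXML (so apktool is needed to read it; unzip alone is not enough) and builds the dex2jar command from the slide once per dex file. The APK it analyses is constructed by build_sample_apk() and is not a real app.

```python
"""Inventory an APK before decompiling: which dex files to feed dex2jar, and what else is inside.

Added example, not code from the talk. An APK is a ZIP archive, so the standard
library is enough. build_sample_apk() constructs a fake APK in memory; it is not
a real app (each dex entry is just a DEX header plus filler bytes).
"""
import hashlib
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"              # first 4 bytes of every .dex ("dex\n035\0", "dex\n039\0", ...)
AXML_MAGIC = b"\x03\x00\x08\x00"  # binary AndroidManifest.xml; needs apktool to decode
DEX_NAME = re.compile(r"^classes(\d*)\.dex$")


def build_sample_apk() -> bytes:
    """Constructed sample input: a multidex APK with a dex hidden under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 60)
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("classes10.dex", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 40)
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF" + b"\x00" * 40)
        # Droppers often ship a second-stage dex under assets/ with a harmless name.
        z.writestr("assets/fonts.bin", b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def _dex_order(name: str) -> int:
    """classes.dex -> 1, classes2.dex -> 2, classes10.dex -> 10 (numeric, not lexical)."""
    return int(DEX_NAME.match(name).group(1) or "1")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return what a reverser wants to know before running d2j-dex2jar."""
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "dex_files": [], "bad_dex_magic": [], "hidden_dex": [],
        "native_abis": {}, "manifest_is_binary": False, "dex2jar_commands": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with z.open(info) as f:
                head = f.read(8)  # only the header is needed for the magic checks
            if DEX_NAME.match(name):
                report["dex_files"].append(name)
                if not head.startswith(DEX_MAGIC):
                    report["bad_dex_magic"].append(name)
            elif head.startswith(DEX_MAGIC):
                report["hidden_dex"].append(name)  # dex payload outside classes*.dex
            elif name.startswith("lib/") and name.endswith(".so"):
                abi = name.split("/")[1]
                report["native_abis"].setdefault(abi, []).append(name)
            elif name == "AndroidManifest.xml":
                report["manifest_is_binary"] = head.startswith(AXML_MAGIC)
    report["dex_files"].sort(key=_dex_order)
    # dex2jar takes one dex at a time: the slide's command, once per dex file.
    report["dex2jar_commands"] = [f"sh d2j-dex2jar.sh {n}" for n in report["dex_files"]]
    return report


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

Run it on a real APK by replacing build_sample_apk() with the file's bytes; anything listed under hidden_dex deserves the same dex2jar treatment as the classes*.dex entries, and the sha256 is what you look up in threat-intel feeds.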

  17. Reverse Engineer
    Activities: components that provide a screen with which users can interact.
    Broadcast receivers: components that receive and respond to broadcast
    messages from other apps or from the operating system.
    Services: components that perform operations in the background.

  18. Overview
    Applications: Alarm - Browser - Calculator - Calendar - Camera - Contacts -
    E-mail - SMS...
    Framework: Content Providers - Activity - Location - Notifications -
    Resource, Telephony...

  19. Android Manifest

  20. Common Permissions

  21. system_alert_window
    In 2019, a vulnerability in the Android system emerged that abused the
    SYSTEM_ALERT_WINDOW permission, meant for pop-ups, to draw a window on top
    of other apps and overlay the screen.

  22. BrasDex
    The focus of malware is precisely to trick the user into thinking that the
    program is useful or beneficial in some way, while in reality it performs
    actions that harm the user, or uses the application to harm other
    applications or services. In this case, BrasDex uses accessibility
    permissions to overlay the main screen and change the data underneath
    that screen.

  23. Attacks on Activities
    If an application has an activity that is exported, other applications can
    also invoke it, including malicious applications running on the same device:
    <activity android:name=".activities.ViewProfile" android:exported="true" />

  24. Attacks on Broadcast Receivers
    With an exported broadcast receiver that sends SMS and no permission
    protecting it, any application will be able to send arbitrary, uncontrolled
    SMSs through it.
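The exported activity on slide 23 and the SMS-sending receiver on slide 24, together with the overlay and accessibility permissions from slides 21 and 22, can all be spotted in the manifest before reading any code. The Python script below is an added example, not code from the talk. It audits an apktool-decoded AndroidManifest.xml (inside an APK the manifest is binary, so decode it first), flags watch-listed permissions, exported components that have no android:permission, components that are implicitly exported because they declare an intent-filter without android:exported (the default before Android 12), and accessibility services, and then applies the fix of setting android:exported="false". SAMPLE_MANIFEST and every package and component name in it are made up for this demo (ViewProfile is reused from the slide).

```python
"""Audit a decoded AndroidManifest.xml for exported components and risky permissions.

Added example, not code from the talk. Input is plain XML as produced by
apktool (inside an APK the manifest is binary AXML). SAMPLE_MANIFEST is a
constructed demo manifest; its package and component names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output


def attr(name: str) -> str:
    """Namespace-qualified attribute name, e.g. attr("name") -> {ns}name."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions the talk singles out (overlay, accessibility, SMS) plus a few
# more that mobile banking Trojans routinely request.
WATCHLIST = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay attacks)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility: read and inject UI",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
LAUNCHER = "android.intent.category.LAUNCHER"
COMPONENTS = ("activity", "receiver", "service", "provider")

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vulnerable">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".activities.ViewProfile" android:exported="true"/>
    <receiver android:name=".SmsSender" android:exported="true">
      <intent-filter><action android:name="com.example.SEND"/></intent-filter>
    </receiver>
    <receiver android:name=".Internal" android:exported="false"/>
    <service android:name=".Worker">
      <intent-filter><action android:name="com.example.WORK"/></intent-filter>
    </service>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text: str) -> dict:
    """Return the findings a reviewer wants before reading any code."""
    root = ET.fromstring(xml_text)
    findings = {"permissions": [], "exported_unprotected": [],
                "implicitly_exported": [], "accessibility_services": []}
    for up in root.iter("uses-permission"):
        name = up.get(attr("name"), "")
        if name in WATCHLIST:
            findings["permissions"].append((name, WATCHLIST[name]))
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(attr("name"), "?")
        exported = comp.get(attr("exported"))
        perm = comp.get(attr("permission"))
        has_filter = comp.find("intent-filter") is not None
        is_launcher = any(c.get(attr("name")) == LAUNCHER for c in comp.iter("category"))
        if perm == ACCESSIBILITY:
            findings["accessibility_services"].append(name)  # only the OS may bind it
        elif exported == "true" and perm is None and not is_launcher:
            findings["exported_unprotected"].append((comp.tag, name))
        elif exported is None and has_filter:
            # Before Android 12, an intent-filter without android:exported
            # made the component exported by default.
            findings["implicitly_exported"].append((comp.tag, name))
    return findings


def harden_manifest(xml_text: str) -> str:
    """Set android:exported="false" on every flagged component.

    A component that really must be reachable from other apps should keep
    exported="true" but add android:permission with a signature-level permission.
    """
    findings = audit_manifest(xml_text)
    flagged = {n for _, n in findings["exported_unprotected"] + findings["implicitly_exported"]}
    root = ET.fromstring(xml_text)
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        if comp.tag in COMPONENTS and comp.get(attr("name")) in flagged:
            comp.set(attr("exported"), "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The launcher activity is skipped on purpose: it has to be exported or the app cannot be started. Everything else that is exported without a permission, such as ViewProfile and the SmsSender receiver, is reachable by any app on the device via an explicit Intent, which is exactly the attack both slides describe.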

  25. How to avoid it, as a user

  26. How to avoid it
    Basic cyber hygiene:
    Keep your operating system, firmware and applications on all your devices
    up to date as requested.
    Download apps from official stores only.
    Avoid 'jailbreaking' or 'rooting' your phone, and avoid removing the
    protection provided by Apple and Google.

  27. How to avoid it
    Use strong authentication to access accounts;
    Use strong passwords;
    Run backups on your systems regularly;
    Enable pop-up blockers, or prevent pop-ups from appearing by adjusting
    your browser settings: fraudsters and scammers often use pop-ups to
    spread malware.

  28. How to avoid it, as a developer

  29. How to avoid it
    Limiting and checking app permissions;
    Google Play Protect;
    RASP (Runtime Application Self-Protection);
    Code obfuscation;
    In-house solutions.
    Define some action for when malware is detected, e.g. close the app
    automatically.

  30. Is my phone infected?
    Some signs that your smartphone is infected:
    Slow performance;
    Random reboots;
    Unusual data usage;
    Battery draining faster than usual;
    Unfamiliar apps installed;
    Overheating;
    Taking a long time to shut down;
    Signs of activity in standby mode;
    Weird sounds during phone calls;
    Weird text messages.

  32. Thank You!
    @Wh0isdxk
    daianesantos[at]protonmail[dot]com