Mobile Malware via Devconf(Opensanca)

Transcript

1. Mobile Malware Presentation by Daiane Santos

2. disclaimer

3. Agenda whoamI malwares malware types numbers zero-click one-click services android

   architecture permissions ty activities broadcast receivers

4. quemsoueu Hacking Neuroscience Reverse Engineer Chess Mobile Security Engineer @

   Nubank CTF Player @ RATF Mobile Security content @mobilehackingbr Autism and AH/SD Daiane Santos

5. Malware is a term used for any type of malicious

   software designed to harm or exploit any programmable device, service or network. Malwares
6. None

7. 1,661,743 malicious installers 196,476 new mobile banking Trojans 10,543 new

   mobile ransomware Trojans In 2022, Kaspersky mobile products and technology detected: In numbers

8. 0% 10% 20% 30% 40% 50% RiskTook AdWare Trojan Trojan-Banker

   Trojan-Dropper Trojan-Spy Trojan-SMS Backdoor 2022 2021

9. Zero Click Malwares A zero-click breach exploits flaws in your

   device, using a data verification loophole to create a path of entry into your system. Most software uses data verification processes to keep cyber breaches at bay. The software can be installed on a device without the victim taking any action to click on a link. As a result, zero-click or no-click malware is much more dangerous. The reduced interaction involved in zero-click attacks means even less traces of any malicious activity. Furthermore, vulnerabilities that can be exploited by cybercriminals in zero-click attacks are quite rare, which makes them especially prized by criminals.

10. Zero Click Malwares Cybercriminals identify a vulnerability in an email

    or messaging application. They exploit the vulnerability by sending a carefully crafted message to the victim. The vulnerability allows malicious actors to infect the device remotely via emails that consume high levels of memory. The hacker's email, message or call does not necessarily remain on the device. As a result of the attack, cybercriminals can read, edit, leak or delete messages. A zero-click attack occurs theoretically as follows:

11. Zero Click Malwares It is speculated that intelligence agencies use

    this tactic around the world to intercept messages and monitor the whereabouts of suspected criminals and terrorists.
12. None

13. Zero Click Malwares 1. In July 2020, an Azerbaijani journalist’s

    iPhone silently received a command to open the Apple Music app. Without the journalist’s knowledge or interaction, the app connected to a malicious server and downloaded spyware onto the phone that remained there for 17 months, eavesdropping on phone calls and text messages. The Israeli company says clients use its software to stop terrorism and curb violent crime.

14. Zero Click Malwares 2. NSO Group also designed zero-click attacks

    that could compromise Android phones by exploiting a flaw in WhatsApp that was used to transmit malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability—saying it said had been used to target more than 1,400 people over a two-month period—and filed a lawsuit against NSO Group.

15. One Click Malware Are vulnerabilities that allows an attacker to

    induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

16. One Click Malware https://vulnerable-website.com/email/[email protected] Email changed Change email address

17. None
18. None
19. None

20. Rinha_de_Malware.jpg

21. Runtime permissions gives additional access to restricted data or let

    your app perform restricted actions that affects the system and other apps. So, you need to request runtime permissions before access the restricted data or perform restricted actions. Permissions

22. Reverse Engineer Download dex2jar. Extract the apk.zip and open it.

    Copy classes.dex file from the apk folder and paste it to the dex2jar folder. Run the command: Open the generated classes_dex2jar.jar file using JD-GUI. After disassembling, to analyze the Java source code of the application, we can use dex2jar and JD-GUI. Dex2jar to convert the dex files to jar (java) files. To view the java files we can use JD GUI. This can be done as follows: sh d2j-dex2jar.sh classes.dex to obtain classes_dex2jar.jar file.

23. Reverse Engineer Activities: Components that provide a screen with which

    users can interact. Broadcast receivers: Components that receive and respond to broadcast messages from other apps or from the operating system. Services: Components that perform operations in the background.

24. Overview Alarme - Browser - Calculadora - Calendário - Câmera

    - Contatos - E-mail - SMS... Content Providers - Activity - Location - Notifications - Resource, Telephony...

25. Android Manifest

26. Permissions

27. Common Permissions

28. Permissions

29. In 2019, a vulnerability focused on the Android system emerged,

    which used the system_alert_window permission, focused on PopUps, to overlay the screen with a window over the apps. system_alert_window
30. None

31. The focus of malware is precisely to trick the user

    into thinking that the program is useful or beneficial to him in some way. But in reality, the program performs actions that harm the user or application to harm other applications or services. In this case, using accessibility permissions to overlay the main screen and change the data underneath that screen. BrasDex

32. Attacks on Activities If an application has an activity that

    is exported, other applications can also invoke it. This can be invoked by other malicious applications that are running on the device. <activity android:label="@string/profile" android:name=".activities.ViewProfile" android:exported="true" />

33. Attacks on Broadcast Receivers That means any application will be

    able to send arbitrary, uncontrolled SMSs.

34. as an user How to Avoid

35. How to avoid it Keep your operating system, firmware and

    applications on all your devices up to date as requested. And avoid remove the protection provided by Apple and Google. Basic CyberHygiene Download apps from official stores only Avoid 'jailbreaking' or 'rooting' your phone

36. How to avoid it Use strong authentication to access accounts;

    Use strong passwords; Run backups on systems regularly; Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings. Fraudster and Scammers often use pop-ups to spread malware.

37. as a developer How to Avoid

38. How to avoid it Limiting and checking App permissions; Google

    Play Protect; RASP (Runtime Application Self-Protection); Code Obfuscation; In House Solutions. Set some action if a Malware is detected, ex: close the app automatically.

39. Are my phone infected? Slow performance; Random reboots; Unusually data

    usage; Battery draining faster than usual; Unfamiliar apps installed; Overheating; Taking a long time to shut down; Signs of activity in standby mode; Weird sounds during phone calls; Weird text messages. Some signs that your smartphone are infected:

40. References 01 Thomas, Tony; Surendran, Roopak; John, Teenu S.; Alazab,

    Mamoun. Intelligent Mobile Malware Detection (Security, Privacy, and Trust in Mobile Communications). CRC Press. Kindle Edition.

41. Thank You! @Wh0isdxk daianesantos[at]protonmail[dot]com