
"Part 4: Android RE or How I became a Master in clumsy_bird.apk", Александр Антух, Daniel Ramirez

"Part 4: Android RE or How I became a Master in clumsy_bird.apk", Александр Антух, Daniel Ramirez

OWASP Russia Meetup #4

OWASP Moscow

March 17, 2016

Transcript

  1. Part 4: Android RE or How I became a Master in clumsy_bird.apk • OWASP Russia 17.03.2016

  2. Whoami • Daniel Ramirez (@daniramirezmrtn) • Alexander Antukh (@c0rdis) • Part of EY security team based in Poland

  3. Anatomy of an apk

  4. Getting our apk file • From the phone – APKOptic – Astro File Manager • Using ADB • Use APKpure

  5. Decompiling || Disassembling • Decompiling: – High Level – Java Code • Disassembling: – Low Level – Assembly Code • Why Disassembling and not Decompiling?

  6. Decompiling (diagram): DEX → JAR → JAVA

  7. Decompiling – Dex2Jar • dex2jar – Converts Dalvik bytecode (DEX) to Java bytecode (JAR) – Allows you to use any existing Java decompiler on the resulting JAR file

  8. Decompiling – Java Decompilers • JD-GUI || Luyten – Closed source Java decompiler – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications • Both are Java decompilers but have different OUTPUT!

  9. JD-GUI

  10. Luyten

  11. None
  12. Disassembling (diagram): DEX → SMALI


  13. Disassembling • Apktool – Open source Java tool for reverse-engineering Android apps – Transforms binary Dalvik bytecode (dex) into Smali source

  14. Signing apk • Using signapk.jar: java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk • Using AppUse

  15. Demo Time

  16. Demo Decompiling Luyten

  17. Demo Modify Smali Files

  18. Demo

  19. Lack of binary protection • At this point, if you can read the source code of the application and modify its behavior, the application doesn't have enough protection.

  20. Techniques to mitigate the Lack of Binary Protection

  21. Verify Sign

  22. Obfuscated • Some obfuscation tools allow encrypting strings in the source code – ProGuard(*) – DexProtector – DexGuard

  23. Anti-Emulator

  24. Debuggable

  25. Demo Time #2

  26. Demo

  27. Demo Decompiling Luyten

  28. Demo Modify Smali Files

  29. Demo

  30. Recap • We've seen how it's possible to change the behavior of an app by disassembling it, modifying the smali code and recompiling the app • Some techniques to "try" to prevent the lack of binary protection

  31. MALWARE

  32. Malware Statistics #1

  33. Malware Statistics #2

  34. Malware #1 – Flappy Bird • Some applications ask for permissions they don't need. • E.g.: a game asking to send SMS??

  35. Malware #1 – Flappy Bird • Some applications ask for permissions they don't need. • E.g.: a game asking to send SMS??

  36. Malware #2-iMatch

  37. Permissions Dangerous #1

  38. Permissions Dangerous #2

  39. Dendroid botnet #1 • Botnet especially developed for attacking Android users, with functionalities like: • Record call • Block SMS • Take video/photo • Send text • Send contacts • Get user account • Call Number • Update App • Delete files • Get browser history • Get call history • Get inbox SMS

  40. Dendroid botnet #3-malware

  41. Dendroid botnet #4 - Manifest

  42. Demo Time

  43. Dendroid Botnet

  44. DroidDream Malware • Steal sensitive data – IMEI –> block phone – IMSI – Device model – SDK

  45. DroidDream example #1 - Paint • Access_coarse_location==GPS • Read_phone_state

  46. DroidDream example #1.1

  47. DroidDream example #2 – Hotgirls

  48. Bonus

  49. GMBot – Privet ;)

  50. GMBot – Slempo • The first Tor Trojan for Android (2014) – Backdoor.AndroidOS.Torec.a • The Trojan can receive the following commands from the C&C: – Intercept sms – Send sms – Control number

  51. GMBot – Overview • Display phishing pages on top of mobile banking applications • Also capable of forwarding calls and intercepting SMS messages to help fraudsters bypass an additional layer of bank security mechanisms, and locking a device's screen.

  52. GMBot – Overview • Additionally the malware can be used to: • Spy on victims • Delete data from the infected device • Gain boot persistence to help survive device restart • Send and read your SMS messages • Make calls to your contacts • Read the phone's state • Plague phone's control keys • Infect your Chrome browser • Change phone settings • Force the phone into sleep mode • Query the network status • Access the Internet • Wipe your device's storage

  53. GMBot – AndroidManifest.xml

  54. GMBot – Checking Device Admin • Wondering what one can do with it…

  55. GMBot – Configuration

  56. GMBot – Activities

  57. GMBot – Components

  58. How to Protect Yourself • Go to Settings → Security → Turn OFF "Allow installation from unknown sources". • Always keep an up-to-date Anti-virus app • Avoid unknown and unsecured Wi-Fi hotspots • Never open attachments from unknown sources. • Never click on links in SMS or MMS messages sent to your phone. • Even if the email looks legit, go directly to the source website and verify any possible updates.

  59. None