
"Part 4: Android RE or How I became a Master in clumsy_bird.apk", Александр Антух, Daniel Ramirez


OWASP Russia Meetup #4

OWASP Moscow

March 17, 2016

Transcript

  1. Part 4: Android RE or How I became a Master in clumsy_bird.apk. OWASP Russia, 17.03.2016
  2. Getting our apk file
     • From the phone: APKOptic, Astro File Manager
     • Using ADB
     • Using APKpure
  3. Decompiling || Disassembling
     • Decompiling: high level, Java code
     • Disassembling: low level, assembly (smali) code
     • Why disassembling and not decompiling? Smali round-trips: apktool can reassemble a patched smali tree into a working dex, whereas decompiled Java is often incomplete and does not compile back cleanly.
  4. Decompiling – dex2jar
     • dex2jar converts Dalvik bytecode (DEX) to Java bytecode (JAR)
     • Allows any existing Java decompiler to be used on the resulting JAR file
  5. Decompiling – Java decompilers
     • JD-GUI || Luyten: graphical Java decompilers (Luyten is a front end for the Procyon decompiler)
     • Combined with dex2jar, either one can be used to decompile Android applications
     • Both are Java decompilers but produce different OUTPUT, because they use different decompiler engines; if one fails on a class, try the other
  6. Disassembling
     • Apktool: open source Java tool for reverse-engineering Android apps
     • Transforms binary Dalvik bytecode (dex) into smali source and decodes the resources (AndroidManifest.xml, resources.arsc); it can also rebuild an APK from a modified tree
  7. Signing the apk
     • Using signapk.jar: java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
     • Using AppUse
     • Caveat: the rebuilt apk is signed with your own key, so Android treats it as coming from a different publisher; it will not install over the original package (signature mismatch) until the original is uninstalled.
  8. Lack of binary protection
     • At this point, if you can read the application's source code and modify the application's behavior, the application does not have enough binary protection.
  9. Obfuscated
     • Some obfuscation tools can also encrypt strings in the source code: DexProtector, DexGuard
     • ProGuard(*): only shrinks and renames classes, methods and fields; it does not encrypt strings, so string constants (URLs, keys, license-check messages) remain readable in the smali
  10. Recap
     • We have seen how it is possible to change the behavior of an app by disassembling it, modifying the smali code and recompiling the app
     • Some techniques that "try" to prevent the lack of binary protection
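The pull / disassemble / patch / rebuild / sign loop from slides 2 to 7, as an added example that is not code from the talk. It assumes adb, apktool and java are on PATH and that signapk.jar, certificate.pem and key.pk8 sit in the working directory (the signapk invocation is the one from slide 7); the package name, the `LicenseCheck` class and the `isPro()Z` method are placeholders, and the smali class in `demo_patch` is constructed so the patch step can be exercised offline without a device.

```shell
#!/bin/sh
# Added example (not code from the OWASP Moscow talk). Assumptions: adb, apktool
# and java are on PATH; signapk.jar, certificate.pem and key.pk8 are in the
# working directory; package, class and method names below are placeholders.
set -eu

# Step 1: pull the installed APK from the device (path comes from `pm path`).
pull_apk() {  # pull_apk <package> <out.apk>
    path=$(adb shell pm path "$1" | tr -d '\r' | sed -n 's/^package://p' | head -n 1)
    [ -n "$path" ] || { echo "package $1 not installed" >&2; return 1; }
    adb pull "$path" "$2"
}

# Step 3: rewrite one boolean method so it always returns true. The body between
# ".method ... <sig>" and ".end method" is replaced by a fresh frame: one local
# register, load 1 into v0, return it. Every other method is left untouched.
patch_smali_method_true() {  # patch_smali_method_true <file.smali> <name(args)Z>
    awk -v sig="$2" '
        /^\.method / && index($0, sig) {
            print
            print "    .locals 1"
            print "    const/4 v0, 0x1"
            print "    return v0"
            skip = 1
            next
        }
        skip && /^\.end method/ { skip = 0 }
        !skip { print }
    ' "$1" > "$1.patched" && mv "$1.patched" "$1"
}

# Steps 2 to 5 end to end: disassemble with apktool, patch, rebuild, sign.
# The rebuilt APK carries *our* signature, so Android refuses to install it over
# the original package: uninstall the original first.
repack() {  # repack <package> <name(args)Z> <workdir>
    pkg=$1; sig=$2; work=$3
    pull_apk "$pkg" "$work/orig.apk"
    apktool d -f -o "$work/src" "$work/orig.apk"
    target=$(grep -rlF -- "$sig" "$work/src"/smali* | head -n 1)
    [ -n "$target" ] || { echo "no smali file defines $sig" >&2; return 1; }
    patch_smali_method_true "$target" "$sig"
    apktool b -o "$work/unsigned.apk" "$work/src"
    java -jar signapk.jar certificate.pem key.pk8 "$work/unsigned.apk" "$work/signed.apk"
    echo "$work/signed.apk"
}

# Offline demo of the patch step on a constructed smali class (no device needed):
# isPro()Z is flipped to return true, level()I must stay as it was.
demo_patch() {
    dir=$(mktemp -d)
    cat > "$dir/LicenseCheck.smali" <<'EOF'
.class public Lcom/example/clumsybird/LicenseCheck;
.super Ljava/lang/Object;

.method public static isPro()Z
    .locals 1
    const/4 v0, 0x0
    return v0
.end method

.method public static level()I
    .locals 1
    const/4 v0, 0x4
    return v0
.end method
EOF
    patch_smali_method_true "$dir/LicenseCheck.smali" "isPro()Z"
    cat "$dir/LicenseCheck.smali"
    rm -rf "$dir"
}

demo_patch
```

`repack com.example.clumsybird 'isPro()Z' ./work` runs the whole loop against a connected device; `demo_patch` alone shows what the awk patch does to the smali. Patching the method's whole body (rather than only the `const/4`) keeps the result valid whatever the original frame looked like, since the new `.locals 1` declaration matches the new body.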
  11. Dendroid botnet #1
     Botnet especially developed for attacking Android users, with functionality such as:
     • Record calls
     • Block SMS
     • Take video/photo
     • Send text
     • Send contacts
     • Get user account
     • Call number
     • Update app
     • Delete files
     • Get browser history
     • Get call history
     • Get inbox SMS
  12. DroidDream malware
     • Steals sensitive data: IMEI (can be used to block the phone), IMSI, device model, SDK version
  13. GMBot – Slempo
     • The first Tor Trojan for Android (2014): Backdoor.AndroidOS.Torec.a
     • The Trojan can receive the following commands from the C&C: intercept SMS, send SMS, control number
  14. GMBot – Overview
     • Displays phishing pages on top of mobile banking applications
     • Also capable of forwarding calls and intercepting SMS messages to help fraudsters bypass an additional layer of bank security (such as SMS one-time codes), and of locking the device's screen
  15. GMBot – Overview
     Additionally the malware can be used to:
     • Spy on victims
     • Delete data from the infected device
     • Gain boot persistence to survive device restarts
     • Send and read your SMS messages
     • Make calls to your contacts
     • Read the phone's state
     • Plague the phone's control keys
     • Infect your Chrome browser
     • Change phone settings
     • Force the phone into sleep mode
     • Query the network status
     • Access the Internet
     • Wipe your device's storage
  16. How to protect yourself
     • Go to Settings → Security → turn OFF "Allow installation from unknown sources"
     • Always keep an up-to-date anti-virus app
     • Avoid unknown and unsecured Wi-Fi hotspots
     • Never open attachments from unknown sources
     • Never click on links in SMS or MMS messages sent to your phone
     • Even if an email looks legitimate, go directly to the source website and verify any possible updates