Slide 1

Slide 1 text

Part 4: Android RE, or How I became a Master in clumsy_bird.apk
OWASP Russia, 17.03.2016

Slide 2

Slide 2 text

Whoami
• Daniel Ramirez (@daniramirezmrtn)
• Alexander Antukh (@c0rdis)
• Part of the EY security team based in Poland

Slide 3

Slide 3 text

Anatomy of an apk

Slide 4

Slide 4 text

Getting our apk file
• From the phone
  – APKOptic
  – Astro File Manager
• Using ADB
• Using APKpure

Slide 5

Slide 5 text

Decompiling || Disassembling
• Decompiling:
  – High level
  – Java code
• Disassembling:
  – Low level
  – Assembly code
• Why disassembling and not decompiling?

Slide 6

Slide 6 text

Decompiling pipeline (diagram): DEX → JAR → JAVA

Slide 7

Slide 7 text

Decompiling – dex2jar
• dex2jar
  – Converts Dalvik bytecode (DEX) to Java bytecode (JAR)
  – Lets you use any existing Java decompiler on the resulting JAR file

Slide 8

Slide 8 text

Decompiling – Java Decompilers
• JD-GUI || Luyten
  – Closed source Java decompiler
  – Combined with dex2jar, you can use JD-GUI or Luyten to decompile Android applications
• Both are Java decompilers but have different OUTPUT!

Slide 9

Slide 9 text

JD-GUI

Slide 10

Slide 10 text

Luyten

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

Disassembling pipeline (diagram): DEX → SMALI

Slide 13

Slide 13 text

Disassembling
• Apktool
  – Open source Java tool for reverse-engineering Android apps
  – Transforms binary Dalvik bytecode (dex) into Smali source

Slide 14

Slide 14 text

Signing apk
• Using signapk.jar
    java -jar signapk.jar certificate.pem key.pk8 your-app.apk your-app-signed.apk
• Using AppUse

Slide 15

Slide 15 text

Demo Time

Slide 16

Slide 16 text

Demo Decompiling Luyten

Slide 17

Slide 17 text

Demo Modify Smali Files

Slide 18

Slide 18 text

Demo

Slide 19

Slide 19 text

Lack of binary protection
• At this point, if you can read the source code of the application and modify its behaviour, the application doesn't have enough protection.

Slide 20

Slide 20 text

Techniques to mitigate the lack of binary protection

Slide 21

Slide 21 text

Verify Sign

Slide 22

Slide 22 text

Obfuscation
• Some obfuscation tools allow encrypting strings in the source code:
  – ProGuard(*)
  – DexProtector
  – DexGuard

Slide 23

Slide 23 text

Anti-Emulator

Slide 24

Slide 24 text

Debuggable
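The three mitigations on slides 21, 23 and 24 (verifying the signing certificate, detecting an emulator, refusing to run debuggable) are usually implemented as self-checks inside the app. The class below is an added example written for this page, not code from the talk or from clumsy_bird.apk; it assumes an Android project (the android.* imports) and a placeholder for the release certificate fingerprint, which the slides do not provide.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Runtime self-checks against repackaging, debugging and emulator analysis (added example). */
public final class IntegrityChecks {
    // Placeholder, not a value from the talk: replace with the lowercase hex SHA-256 of the
    // release signing certificate (e.g. from `keytool -printcert -jarfile your-app-signed.apk`).
    static final String EXPECTED_CERT_SHA256 = "<SHA-256 of release signing cert, lowercase hex>";

    /** True only if the running APK is signed by the expected certificate.
     *  An APK that was disassembled, modified and re-signed with signapk/AppUse keys fails here,
     *  because the attacker does not have the original private key. */
    public static boolean isSignatureValid(Context ctx) {
        try {
            // GET_SIGNATURES is what 2016-era code used; it is deprecated since API 28
            // in favour of GET_SIGNING_CERTIFICATES / PackageInfo.signingInfo.
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            for (Signature sig : info.signatures) {
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
                byte[] actual = toHex(digest).getBytes(StandardCharsets.US_ASCII);
                byte[] expected = EXPECTED_CERT_SHA256.getBytes(StandardCharsets.US_ASCII);
                if (MessageDigest.isEqual(actual, expected)) return true;   // constant-time compare
            }
        } catch (Exception e) {
            // Any failure (package not found, no digest) is treated as tampering, not as a pass.
        }
        return false;
    }

    /** True if the (possibly repackaged) manifest carries android:debuggable="true",
     *  which lets anyone attach a debugger to the process. */
    public static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    /** Heuristic emulator detection from Build properties. These values are trivially
     *  spoofed on a rooted device or patched emulator, so treat the result as a signal only. */
    public static boolean looksLikeEmulator() {
        return Build.FINGERPRINT.startsWith("generic")
            || Build.MODEL.contains("google_sdk")
            || Build.MODEL.contains("Emulator")
            || Build.HARDWARE.equals("goldfish")
            || Build.HARDWARE.equals("ranchu")
            || Build.PRODUCT.contains("sdk");
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    private IntegrityChecks() {}
}
```

Call these early, for example from Application.onCreate(), and decide there how to react (refuse to start, disable sensitive features, report to the backend). The checks live in the same Dalvik code the attacker can disassemble, so a patient attacker can patch the `if` in smali and re-sign; as the recap slide puts it, these techniques only "try" to prevent the lack of binary protection, raising the cost rather than eliminating the problem.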

Slide 25

Slide 25 text

Demo Time #2

Slide 26

Slide 26 text

Demo

Slide 27

Slide 27 text

Demo Decompiling Luyten

Slide 28

Slide 28 text

Demo Modify Smali Files

Slide 29

Slide 29 text

Demo

Slide 30

Slide 30 text

Recap
• We've seen how it's possible to change the behaviour of an app by disassembling it, modifying the smali code and recompiling the app
• Some techniques to "try" to prevent the lack of binary protection

Slide 31

Slide 31 text

MALWARE

Slide 32

Slide 32 text

Malware Statistics #1

Slide 33

Slide 33 text

Malware Statistics #2

Slide 34

Slide 34 text

Malware #1 – Flappy Bird
• Some applications ask for permissions that they don't need.
• E.g. a game asking to send SMS??

Slide 36

Slide 36 text

Malware #2-iMatch

Slide 37

Slide 37 text

Permissions Dangerous #1

Slide 38

Slide 38 text

Permissions Dangerous #2

Slide 39

Slide 39 text

Dendroid botnet #1
Botnet developed specifically for attacking Android users, with functionality such as:
• Record calls
• Block SMS
• Take video/photo
• Send text
• Send contacts
• Get user account
• Call number
• Update app
• Delete files
• Get browser history
• Get call history
• Get inbox SMS

Slide 40

Slide 40 text

Dendroid botnet #3-malware

Slide 41

Slide 41 text

Dendroid botnet #4 - Manifest

Slide 42

Slide 42 text

Demo Time

Slide 43

Slide 43 text

Dendroid Botnet

Slide 44

Slide 44 text

DroidDream Malware
• Steal sensitive data
  – IMEI → block phone
  – IMSI
  – Device model
  – SDK

Slide 45

Slide 45 text

DroidDream example #1 – Paint
• ACCESS_COARSE_LOCATION == GPS
• READ_PHONE_STATE

Slide 46

Slide 46 text

DroidDream example #1.1

Slide 47

Slide 47 text

DroidDream example #2 – Hotgirls

Slide 48

Slide 48 text

Bonus

Slide 49

Slide 49 text

GMBot – Privet ;)

Slide 50

Slide 50 text

GMBot – Slempo
• The first Tor Trojan for Android (2014) – Backdoor.AndroidOS.Torec.a
• The Trojan can receive the following commands from the C&C:
  – Intercept SMS
  – Send SMS
  – Control number

Slide 51

Slide 51 text

GMBot – Overview
• Displays phishing pages on top of mobile banking applications
• Also capable of forwarding calls and intercepting SMS messages to help fraudsters bypass an additional layer of bank security mechanisms, and of locking a device's screen.

Slide 52

Slide 52 text

GMBot – Overview
Additionally the malware can be used to:
• Spy on victims
• Delete data from the infected device
• Gain boot persistence to help survive device restart
• Send and read your SMS messages
• Make calls to your contacts
• Read the phone's state
• Plague phone's control keys
• Infect your Chrome browser
• Change phone settings
• Force the phone into sleep mode
• Query the network status
• Access the Internet
• Wipe your device's storage

Slide 53

Slide 53 text

GMBot – AndroidManifest.xml

Slide 54

Slide 54 text

GMBot – Checking Device Admin
Wondering what one can do with it…
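The malware slides make the same point several times: a game asking for SEND_SMS (slide 34), the dangerous-permission lists (slides 37 and 38), the Dendroid and GMBot manifests (slides 41 and 53) and GMBot's device-admin registration (slide 54) are all visible in the AndroidManifest.xml that Apktool decodes. The program below is an added triage script written for this page, not code from the talk; it runs on a plain JDK, parses a decoded manifest and reports the findings an analyst would look at first. The sample manifest, the package name com.example.birdgame and the subset of "dangerous" permissions are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Flags risky declarations in an apktool-decoded AndroidManifest.xml (added example, not from the talk). */
public class ManifestTriage {
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed subset of permissions Android classifies as "dangerous" (runtime-prompted);
    // extend it to match your own review checklist.
    static final Set<String> DANGEROUS = new HashSet<>(Arrays.asList(
        "android.permission.SEND_SMS", "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
        "android.permission.READ_CALL_LOG", "android.permission.PROCESS_OUTGOING_CALLS",
        "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION", "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA", "android.permission.WRITE_EXTERNAL_STORAGE"));

    // Constructed sample: a game (hypothetical package name) that asks for SMS and phone-state
    // access, ships debuggable and registers a device-admin receiver, as the malware slides describe.
    static final String SAMPLE_MANIFEST =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\" package=\"com.example.birdgame\">\n"
      + "  <uses-permission android:name=\"android.permission.INTERNET\"/>\n"
      + "  <uses-permission android:name=\"android.permission.SEND_SMS\"/>\n"
      + "  <uses-permission android:name=\"android.permission.READ_PHONE_STATE\"/>\n"
      + "  <application android:label=\"Bird Game\" android:debuggable=\"true\">\n"
      + "    <activity android:name=\".MainActivity\"/>\n"
      + "    <receiver android:name=\".AdminReceiver\" android:permission=\"android.permission.BIND_DEVICE_ADMIN\"/>\n"
      + "  </application>\n"
      + "</manifest>\n";

    /** Returns one human-readable finding per risky declaration, in manifest order. */
    public static List<String> triage(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);   // required to read android:* attributes by namespace
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The manifest comes from an untrusted APK: refuse DTDs so it cannot pull in external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<>();

        NodeList perms = doc.getElementsByTagName("uses-permission");
        for (int i = 0; i < perms.getLength(); i++) {
            String name = ((Element) perms.item(i)).getAttributeNS(ANDROID_NS, "name");
            if (DANGEROUS.contains(name)) findings.add("dangerous permission: " + name);
        }
        NodeList apps = doc.getElementsByTagName("application");
        for (int i = 0; i < apps.getLength(); i++) {
            if ("true".equals(((Element) apps.item(i)).getAttributeNS(ANDROID_NS, "debuggable")))
                findings.add("application is debuggable (a debugger can be attached to the process)");
        }
        NodeList receivers = doc.getElementsByTagName("receiver");
        for (int i = 0; i < receivers.getLength(); i++) {
            Element r = (Element) receivers.item(i);
            if ("android.permission.BIND_DEVICE_ADMIN".equals(r.getAttributeNS(ANDROID_NS, "permission")))
                findings.add("device-admin receiver: " + r.getAttributeNS(ANDROID_NS, "name"));
        }
        return findings;
    }

    /** Usage: java ManifestTriage [path/to/decoded/AndroidManifest.xml]; with no argument the sample is used. */
    public static void main(String[] args) throws Exception {
        String xml = args.length > 0
            ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
            : SAMPLE_MANIFEST;
        for (String finding : triage(xml)) System.out.println(finding);
    }
}
```

Run it against the AndroidManifest.xml in the directory Apktool produced; a permission that a game, a wallpaper or a "Paint" app has no plausible use for (SEND_SMS, READ_PHONE_STATE, device admin) is the first thing to pivot on when reading the smali, and a debuggable flag in a store release is a finding on its own.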

Slide 55

Slide 55 text

GMBot – Configuration

Slide 56

Slide 56 text

GMBot – Activities

Slide 57

Slide 57 text

GMBot – Components

Slide 58

Slide 58 text

How to Protect Yourself
• Go to Settings → Security → turn OFF "Allow installation from unknown sources".
• Always keep an up-to-date anti-virus app
• Avoid unknown and unsecured Wi-Fi hotspots
• Never open attachments from unknown sources.
• Never click on links in SMS or MMS messages sent to your phone.
• Even if the email looks legit, go directly to the source website and verify any possible updates.

Slide 59

Slide 59 text

No content