whoami
Hacking
Neuroscience
Reverse Engineer
Chess
Mobile Security Engineer @ Nubank
CTF Player @ RATF
Mobile Security content @mobilehackingbr
Autism and AH/SD
Malwares
Malware is a term used for any type of malicious software
designed to harm or exploit any programmable device, service
or network.
In numbers: in 2022, Kaspersky mobile products and technologies detected:
1,661,743 malicious installers
196,476 new mobile banking Trojans
10,543 new mobile ransomware Trojans
Zero Click Malware
A zero-click breach exploits flaws in your device, using a loophole in data verification to
create a path of entry into your system. Most software relies on data verification processes to
keep cyber breaches at bay.
The malware can be installed on a device without the victim taking any action, such as clicking
a link. As a result, zero-click (no-click) malware is much more dangerous.
The reduced interaction involved in zero-click attacks also leaves fewer traces of malicious
activity. Furthermore, vulnerabilities that can be exploited in zero-click attacks are quite
rare, which makes them especially prized by criminals.
Zero Click Malware
A zero-click attack occurs, in theory, as follows:
Cybercriminals identify a vulnerability in an email or messaging application.
They exploit the vulnerability by sending a carefully crafted message to the victim.
The vulnerability allows the attackers to infect the device remotely, via emails that
consume high levels of memory.
The attacker's email, message or call does not necessarily remain on the device.
As a result of the attack, cybercriminals can read, edit, leak or delete messages.
Zero Click Malware
1. In July 2020, an Azerbaijani journalist's iPhone silently received a
command to open the Apple Music app. Without the journalist's knowledge or
interaction, the app connected to a malicious server and downloaded spyware onto
the phone, where it remained for 17 months, eavesdropping on phone calls and text
messages. The Israeli company (NSO Group) says clients use its software to stop
terrorism and curb violent crime.
Zero Click Malware
2. NSO Group also designed zero-click attacks that could compromise
Android phones by exploiting a flaw in WhatsApp, which was used to transmit
malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability,
saying it had been used to target more than 1,400 people over a two-month period,
and filed a lawsuit against NSO Group.
One Click Malware
These are vulnerabilities that allow an attacker to induce users to perform
actions that they do not intend to perform. They let an attacker partly circumvent
the same-origin policy, which is designed to prevent different websites from interfering
with each other.
Permissions
Runtime permissions give additional access to restricted data or let your app perform restricted
actions that affect the system and other apps. So, you need to request runtime permissions
before accessing the restricted data or performing the restricted actions.
Reverse Engineer
After disassembling, to analyze the Java source code of the
application, we can use dex2jar and JD-GUI.
dex2jar converts the dex files to jar (Java) files, and JD-GUI is used to view the
resulting Java files. This can be done as follows:
Download dex2jar.
Extract the apk.zip and open it.
Copy the classes.dex file from the apk folder and paste it into the
dex2jar folder.
Run the command: sh d2j-dex2jar.sh classes.dex to obtain the
classes_dex2jar.jar file.
Open the generated classes_dex2jar.jar file using JD-GUI.
Reverse Engineer
Activities: Components that provide a screen with which users can
interact.
Broadcast receivers: Components that receive and respond to
broadcast messages from other apps or from the operating system.
Services: Components that perform operations in the background.
Using Accessibility to attack
The Accessibility system was developed for users with disabilities. Using it,
you can create an app that reads captions on all interface elements and enables
you to activate these elements with your voice. This became possible because
Accessibility grants you full access to the app interface in the form of a tree of
elements: you can navigate through it and perform certain operations with its
elements.
Using Accessibility to attack
By exploiting accessibility services, the Trojan can access the UI of any
other app installed on the phone and steal data from it, including text.
Most banking apps don't allow the user to take screenshots while they're being used, but
some malware, such as Svpeng, gets around this by using accessibility services to create
overlays and perform actions in the background.
Adding accessibility service to AndroidManifest.xml
Add the receiver to the AndroidManifest.xml
With this simple keylogger added, all information entered by the user in any
input field of any app is displayed in the console.
system_alert_window
In 2019, an Android vulnerability emerged that abused the SYSTEM_ALERT_WINDOW
permission, intended for pop-ups, to overlay the screen with a window drawn on top
of other apps.
BrasDex
The focus of malware is precisely to trick the user into
thinking that the program is useful or beneficial to them in
some way. In reality, the program performs actions that
harm the user or the application, or uses it to harm other
applications or services. In this case, it uses accessibility
permissions to overlay the main screen and change the
data underneath that screen.
How to Avoid it
As a User
Basic CyberHygiene
Keep the operating system, firmware and applications on all your devices
up to date whenever updates are offered.
Download apps from official stores only.
Avoid 'jailbreaking' or 'rooting' your phone, which removes the protection
provided by Apple and Google.
Use strong authentication to access accounts;
Use strong passwords;
Run backups on systems regularly;
Enable pop-up blockers or prevent pop-ups from appearing by adjusting your
browser settings.
Fraudsters and scammers often use pop-ups to spread malware.
How to Avoid it
As a Developer
Limiting and checking App permissions;
Google Play Protect;
RASP (Runtime Application Self-Protection);
Code Obfuscation;
In House Solutions.
Define an action to take when malware is detected, e.g. close the app automatically.
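An added defender-side example in Kotlin (not code from the deck) that ties the accessibility-service and SYSTEM_ALERT_WINDOW overlay abuse described earlier to the developer mitigations above: it lists enabled non-system accessibility services that are not on an allow-list, hardens the window against screenshots, overlays and obscured touches, and closes the app when an unexpected service is found. The ALLOW_LIST contents, the activity name and the log tag are assumptions, and setHideOverlayWindows additionally requires android.permission.HIDE_OVERLAY_WINDOWS in the manifest.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.app.Activity
import android.content.Context
import android.content.pm.ApplicationInfo
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager

// Hypothetical allow-list: accessibility services your users legitimately rely on
// (here TalkBack, Google's screen reader). Everything else enabled is treated as suspect.
val ALLOW_LIST: Set<String> = setOf("com.google.android.marvin.talkback")

// Package names of enabled accessibility services that are neither part of the system
// image nor allow-listed. Any such service can read and act on this app's UI tree, which is
// exactly what Svpeng-style malware relies on. On Android 11+ the list is subject to
// package-visibility filtering, so treat an empty result as "nothing visible", not "clean".
fun suspiciousAccessibilityServices(context: Context, allowList: Set<String>): List<String> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { it.resolveInfo?.serviceInfo }
        .filter { (it.applicationInfo.flags and ApplicationInfo.FLAG_SYSTEM) == 0 }
        .map { it.packageName }
        .filter { it !in allowList }
        .distinct()
}

class SecureActivity : Activity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE blocks screenshots and screen capture of this window.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
        // Android 12+: hide other apps' SYSTEM_ALERT_WINDOW overlays while this window is shown.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) window.setHideOverlayWindows(true)
        // Drop touches delivered while another window obscures our content (tapjacking defence);
        // set on the root content view so it applies to every child during dispatch.
        findViewById<View>(android.R.id.content).filterTouchesWhenObscured = true
    }

    override fun onResume() {
        super.onResume()
        val offenders = suspiciousAccessibilityServices(this, ALLOW_LIST)
        if (offenders.isNotEmpty()) {
            Log.w("SecureActivity", "unexpected accessibility services enabled: $offenders")
            finishAffinity() // the "close the app automatically" reaction from the slide
        }
    }
}
```

The check runs in onResume so that a service enabled while the app was in the background is caught the next time a sensitive screen is shown.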
Is my phone infected?
Slow performance;
Random reboots;
Unusual data usage;
Battery draining faster than usual;
Unfamiliar apps installed;
Overheating;
Taking a long time to shut down;
Signs of activity in standby mode;
Weird sounds during phone calls;
Weird text messages.