No content

Mobile Malware Mobile Malware Daiane Santos

disclaimer

Agenda whoamI malwares malware types numbers zero-click one-click services android architecture permissions ty activities broadcast receivers

Hacking Neuroscience Reverse Engineer Chess Mobile Security Engineer @ Nubank CTF Player @ RATF Mobile Security content @mobilehackingbr Autism and AH/SD whoami

Malwares Malware is a term used for any type of malicious software designed to harm or exploit any programmable device, service or network.

No content

In numbers: 1,661,743 malicious installers 196,476 new mobile banking Trojans 10,543 new mobile ransomware Trojans In 2022, Kaspersky mobile products and technology detected:

0% 10% 20% 30% 40% 50% RiskTook AdWare Trojan Trojan-Banker Trojan-Dropper Trojan-Spy Trojan-SMS Backdoor 2022 2021

Zero Click Malware A zero-click breach exploits flaws in your device, using a data verification loophole to create a path of entry into your system. Most software uses data verification processes to keep cyber breaches at bay. The software can be installed on a device without the victim taking any action to click on a link. As a result, zero-click or no-click malware is much more dangerous. The reduced interaction involved in zero-click attacks means even less traces of any malicious activity. Furthermore, vulnerabilities that can be exploited by cybercriminals in zero-click attacks are quite rare, which makes them especially prized by criminals.

Zero Click Malware Cybercriminals identify a vulnerability in an email or messaging application. They exploit the vulnerability by sending a carefully crafted message to the victim. The vulnerability allows malicious actors to infect the device remotely via emails that consume high levels of memory. The hacker's email, message or call does not necessarily remain on the device. As a result of the attack, cybercriminals can read, edit, leak or delete messages. A zero-click attack occurs theoretically as follows:

No content

1. In July 2020, an Azerbaijani journalist’s iPhone silently received a command to open the Apple Music app. Without the journalist’s knowledge or interaction, the app connected to a malicious server and downloaded spyware onto the phone that remained there for 17 months, eavesdropping on phone calls and text messages. The Israeli company says clients use its software to stop terrorism and curb violent crime. Zero Click Malware

Zero Click Malware 2. NSO Group also designed zero-click attacks that could compromise Android phones by exploiting a flaw in WhatsApp that was used to transmit malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability—saying it said had been used to target more than 1,400 people over a two-month period—and filed a lawsuit against NSO Group.

One Click Malware Are vulnerabilities that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

https://vulnerable-website.com/email/change?email=pwned@evil-user.net Email changed Change email address

Runtime permissions gives additional access to restricted data or let your app perform restricted actions that affects the system and other apps. So, you need to request runtime permissions before access the restricted data or perform restricted actions. Permissions

After disassembling, to analyze the Java source code of the application, we can use dex2jar and JD-GUI. Dex2jar to convert the dex files to jar (java) files. To view the java files we can use JD GUI. This can be done as follows: Download dex2jar. Extract the apk.zip and open it. Copy classes.dex file from the apk folder and paste it to the dex2jar folder. Run the command: sh d2j-dex2jar.sh classes.dex to obtain classes_dex2jar.jar file. Open the generated classes_dex2jar.jar file using JD-GUI. Reverse Engineer

Activities: Components that provide a screen with which users can interact. Broadcast receivers: Components that receive and respond to broadcast messages from other apps or from the operating system. Services: Components that perform operations in the background. Reverse Engineer

AndroidManifest.xml

Alarme - Browser - Calculadora - Calendário - Câmera - Contatos - E-mail - SMS... Content Providers - Activity - Location - Notifications - Resource, Telephony...

Permissions Type

Common Permissions in Malwares

Bypassing Apps Sandbox

Using Accessibility to attack The Accessibility system was developed for users with disabilities. Using it, you can create an app that reads captions on all interface elements and enables you to activate these elements with your voice. This became possible because Accessibility grants you full access to the app interface in the form of a tree of elements: you can navigate through it and perform certain operations with its elements.

By exploiting accessibility services, the Trojan can access the UI of any other apps installed on the phone and steal data from them, including text. Most banking apps don't allow the user to take screenshots when they're being used, but some malwares like Svpeng, gets around this by using accessibility services to create overlays and make actions in background. Using Accessibility to attack

Adding accessibility service to AndroidManifest.xml

Add the receiver to the AndroidManifest.xml

Adding this simple keylogger, all information entered by the user in any input field of any app will be displayed in the console

system_alert_window In 2019, a vulnerability focused on the Android system emerged, which used the system_alert_window permission, focused on PopUps, to overlay the screen with a window over the apps.

No content

BrasDex The focus of malware is precisely to trick the user into thinking that the program is useful or beneficial to him in some way. But in reality, the program performs actions that harm the user or application to harm other applications or services. In this case, using accessibility permissions to overlay the main screen and change the data underneath that screen.

How to Avoid it As an User

Keep your operating system, firmware and applications on all your devices up to date as requested. And avoid remove the protection provided by Apple and Google. Basic CyberHygiene Download apps from official stores only Avoid 'jailbreaking' or 'rooting' your phone

Use strong authentication to access accounts; Use strong passwords; Run backups on systems regularly; Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings. Fraudster and Scammers often use pop-ups to spread malware.

How to Avoid it As a Developer

Limiting and checking App permissions; Google Play Protect; RASP (Runtime Application Self-Protection); Code Obfuscation; In House Solutions. Set some action if a Malware is detected, ex: close the app automatically.

Are my phone infected? Slow performance; Random reboots; Unusually data usage; Battery draining faster than usual; Unfamiliar apps installed; Overheating; Taking a long time to shut down; Signs of activity in standby mode; Weird sounds during phone calls; Weird text messages.

References: Thomas, Tony; Surendran, Roopak; John, Teenu S.; Alazab, Mamoun. Intelligent Mobile Malware Detection (Security, Privacy, and Trust in Mobile Communications). CRC Press. Kindle Edition.

Daiane Santos @Wh0isdxk @mobilehackingbr daianesantos[at]protonmail[dot]com

No content