Slide 1 (no text content)

Slide 2

Mobile Malware
Daiane Santos

Slide 3

Disclaimer

Slide 4

Agenda: whoami; malware; malware types; numbers; zero-click; one-click; services; Android architecture; permission types; activities; broadcast receivers

Slide 5

whoami
Hacking, neuroscience, reverse engineering, chess. Mobile Security Engineer @ Nubank. CTF player @ RATF. Mobile security content @mobilehackingbr. Autism and AH/SD.

Slide 6

Malware
Malware is a term used for any type of malicious software designed to harm or exploit any programmable device, service or network.

Slide 7 (no text content)

Slide 8

In numbers
In 2022, Kaspersky mobile products and technology detected:
- 1,661,743 malicious installers
- 196,476 new mobile banking Trojans
- 10,543 new mobile ransomware Trojans

Slide 9

Chart: share of detected mobile threats by type, 2022 versus 2021 (RiskTool, AdWare, Trojan, Trojan-Banker, Trojan-Dropper, Trojan-Spy, Trojan-SMS, Backdoor); y-axis 0% to 50%, bar values not recoverable from the text.

Slide 10

Zero Click Malware
A zero-click breach exploits flaws in your device, using a data verification loophole to create a path of entry into your system. Most software uses data verification processes to keep cyber breaches at bay. The malware can be installed on a device without the victim taking any action, such as clicking on a link. As a result, zero-click (or no-click) malware is much more dangerous. The reduced interaction involved in zero-click attacks also means fewer traces of any malicious activity. Furthermore, vulnerabilities that can be exploited in zero-click attacks are quite rare, which makes them especially prized by criminals.

Slide 11

Zero Click Malware
A zero-click attack theoretically occurs as follows:
- Cybercriminals identify a vulnerability in an email or messaging application.
- They exploit the vulnerability by sending a carefully crafted message to the victim.
- The vulnerability allows malicious actors to infect the device remotely, for example via emails that consume high levels of memory.
- The hacker's email, message or call does not necessarily remain on the device.
- As a result of the attack, cybercriminals can read, edit, leak or delete messages.

Slide 12 (no text content)

Slide 13

Zero Click Malware
1. In July 2020, an Azerbaijani journalist's iPhone silently received a command to open the Apple Music app. Without the journalist's knowledge or interaction, the app connected to a malicious server and downloaded spyware onto the phone, which remained there for 17 months, eavesdropping on phone calls and text messages. The Israeli company behind the spyware (NSO Group) says its clients use the software to stop terrorism and curb violent crime.

Slide 14

Zero Click Malware
2. NSO Group also designed zero-click attacks that could compromise Android phones by exploiting a flaw in WhatsApp, which was used to transmit malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability (saying it had been used to target more than 1,400 people over a two-month period) and filed a lawsuit against NSO Group.

Slide 15

One Click Malware
One-click vulnerabilities allow an attacker to induce users to perform actions that they do not intend to perform. They allow an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.

Slide 16

Example of a one-click action on a vulnerable site: requesting https://vulnerable-website.com/email/[email protected] triggers the 'Change email address' action, and the site responds 'Email changed'.
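As an added example (not part of the talk), the request model below shows why an email-change endpoint like the one on this slide is a one-click bug, and how a synchronizer token plus an origin check stops it. The session and request classes, the server key and all addresses are constructed assumptions; no web framework is used so the logic can be read and run on its own.

```python
# Added example: CSRF on an email-change endpoint and its hardened form.
# Session, Request, SECRET_KEY and all addresses are a constructed model, not the talk's code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://vulnerable-website.com"   # origin from the slide
SECRET_KEY = b"constructed-server-side-key"      # assumption: kept secret on the server


@dataclass
class Session:
    """What the server knows about a logged-in browser; the cookie selects it."""
    user: str
    email: str
    csrf_secret: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    params: dict
    headers: dict = field(default_factory=dict)


def vulnerable_change_email(session: Session, req: Request) -> str:
    """Slide-style handler: a GET with the new address in the URL is enough.
    The browser attaches the session cookie to any request, including one
    triggered by a link or hidden image on a page the attacker controls."""
    prefix = "/email/"
    if req.path.startswith(prefix):
        session.email = req.path[len(prefix):]
        return "Email changed"
    return "Not found"


def issue_csrf_token(session: Session) -> str:
    """Synchronizer token: HMAC of a per-session secret, embedded in the real form.
    Another origin cannot read it, which is exactly what the same-origin policy protects."""
    return hmac.new(SECRET_KEY, session.csrf_secret.encode(), hashlib.sha256).hexdigest()


def request_is_same_site(req: Request) -> bool:
    """Origin header if present, otherwise Referer; no header at all is rejected."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = req.headers.get("Referer", "")
    return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")


def hardened_change_email(session: Session, req: Request) -> str:
    """Same feature with three checks: POST only, same-site origin, valid token."""
    if req.path != "/email":
        return "Not found"
    if req.method != "POST":
        return "405 Method Not Allowed"          # state changes never ride on GET
    if not request_is_same_site(req):
        return "403 Forbidden: cross-site request"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), issue_csrf_token(session).encode()):
        return "403 Forbidden: bad CSRF token"
    session.email = req.params.get("email", session.email)
    return "Email changed"


if __name__ == "__main__":
    victim = Session("alice", "alice@example.com")        # constructed victim session
    # Constructed forged request, as a hidden image on another site would produce.
    forged = Request("GET", "/email/other@example.com", {}, {"Referer": "https://other.example/"})
    print(vulnerable_change_email(victim, forged), "->", victim.email)

    victim = Session("alice", "alice@example.com")
    forged_post = Request("POST", "/email", {"email": "other@example.com"},
                          {"Origin": "https://other.example"})
    print(hardened_change_email(victim, forged_post), "->", victim.email)
    legit = Request("POST", "/email",
                    {"email": "new@example.com", "csrf_token": issue_csrf_token(victim)},
                    {"Origin": SITE_ORIGIN})
    print(hardened_change_email(victim, legit), "->", victim.email)
```

The origin check is strict on purpose: a request with neither Origin nor Referer is refused, which is the safer default for a state-changing endpoint. The token check uses a constant-time comparison so the token cannot be guessed byte by byte from response timing.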

Slide 17

Permissions
Runtime permissions give additional access to restricted data or let your app perform restricted actions that affect the system and other apps, so you need to request runtime permissions before accessing the restricted data or performing restricted actions.

Slide 18

Reverse Engineer
After disassembling, we can use dex2jar and JD-GUI to analyze the Java source code of the application: dex2jar converts the .dex files to .jar (Java) files, and JD-GUI displays the resulting Java classes. This can be done as follows:
1. Download dex2jar.
2. Extract the apk.zip and open it.
3. Copy the classes.dex file from the apk folder and paste it into the dex2jar folder.
4. Run the command sh d2j-dex2jar.sh classes.dex to obtain the classes_dex2jar.jar file.
5. Open the generated classes_dex2jar.jar file using JD-GUI.
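Step 2 and step 3 above are done by hand on the slide; as an added example (not the talk's code), the script below does them programmatically: it opens the APK as a zip, copies out every top-level classes*.dex (modern apps ship several, so multidex is handled), checks each file really carries a dex header before handing it to dex2jar, and records a SHA-256 for the analysis notes. The sample APK it builds is constructed, with only valid headers and padding rather than real bytecode.

```python
# Added example: pull classes*.dex out of an APK for dex2jar, checking each file's
# dex header and hashing it. Not the talk's code; the sample APK is constructed.
import hashlib
import os
import tempfile
import zipfile

DEX_MAGIC = b"dex\n"   # header is b"dex\n" + 3-digit version + NUL, e.g. b"dex\n035\x00"


def dex_version(data: bytes):
    """Return the dex format version ('035', '038', ...) or None if this is not a dex file."""
    if len(data) < 8 or data[:4] != DEX_MAGIC or data[7:8] != b"\x00":
        return None
    version = data[4:7]
    return version.decode("ascii") if version.isdigit() else None


def _dex_index(name: str) -> int:
    """classes.dex -> 1, classes2.dex -> 2, ... so multidex files sort numerically."""
    digits = name[len("classes"):-len(".dex")]
    return int(digits) if digits else 1


def extract_dex_files(apk_path: str, out_dir: str):
    """Copy every top-level classes*.dex from the APK (a zip) into out_dir.
    Returns [(name, version, sha256), ...] for the files with a valid dex header."""
    os.makedirs(out_dir, exist_ok=True)
    found = []
    with zipfile.ZipFile(apk_path) as apk:
        names = [n for n in apk.namelist()
                 if "/" not in n and n.startswith("classes") and n.endswith(".dex")]
        for name in sorted(names, key=_dex_index):
            data = apk.read(name)
            version = dex_version(data)
            if version is None:
                continue   # not a real dex file: skip rather than feed it to dex2jar
            with open(os.path.join(out_dir, name), "wb") as f:
                f.write(data)
            found.append((name, version, hashlib.sha256(data).hexdigest()))
    return found


def dex2jar_commands(found):
    """The slide's command, once per dex file, to be run inside the dex2jar folder."""
    return [f"sh d2j-dex2jar.sh {name}" for name, _, _ in found]


def build_sample_apk(path: str) -> None:
    """Constructed sample: valid headers for classes.dex and classes2.dex, plus a decoy."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        z.writestr("classes2.dex", DEX_MAGIC + b"038\x00" + b"\x00" * 64)
        z.writestr("classes3.dex", b"not really a dex file")
        z.writestr("AndroidManifest.xml", b"<binary xml placeholder>")


def run_on_sample():
    """Build the constructed APK in a temporary directory and extract from it."""
    with tempfile.TemporaryDirectory() as tmp:
        apk = os.path.join(tmp, "sample.apk")
        build_sample_apk(apk)
        return extract_dex_files(apk, os.path.join(tmp, "out"))


if __name__ == "__main__":
    result = run_on_sample()
    for name, version, digest in result:
        print(f"{name}: dex version {version}, sha256 {digest}")
    print("\n".join(dex2jar_commands(result)))
```

Point extract_dex_files at a real APK and an output folder, then run the printed commands inside the dex2jar directory; the hashes let you tie each decompiled jar back to the exact dex it came from.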

Slide 19

Reverse Engineer
- Activities: components that provide a screen with which users can interact.
- Broadcast receivers: components that receive and respond to broadcast messages from other apps or from the operating system.
- Services: components that perform operations in the background.

Slide 20

AndroidManifest.xml

Slide 21

Alarm - Browser - Calculator - Calendar - Camera - Contacts - E-mail - SMS...
Content Providers - Activity - Location - Notifications - Resource, Telephony...

Slide 22

Permission Types

Slide 23

Common Permissions in Malware

Slide 24

Bypassing the App Sandbox

Slide 25

Using Accessibility to attack
The Accessibility system was developed for users with disabilities. Using it, you can create an app that reads captions on all interface elements and lets you activate these elements with your voice. This is possible because Accessibility grants full access to the app interface in the form of a tree of elements: you can navigate through it and perform certain operations on its elements.

Slide 26

Using Accessibility to attack
By exploiting accessibility services, the Trojan can access the UI of any other app installed on the phone and steal data from it, including text. Most banking apps don't allow the user to take screenshots while they're being used, but some malware, such as Svpeng, gets around this by using accessibility services to create overlays and perform actions in the background.

Slide 27

Adding an accessibility service to AndroidManifest.xml

Slide 28

Adding the receiver to AndroidManifest.xml

Slide 29

With this simple keylogger added, everything the user types into any input field of any app is displayed in the console.

Slide 30

SYSTEM_ALERT_WINDOW
In 2019, a vulnerability focused on the Android system emerged which used the SYSTEM_ALERT_WINDOW permission, intended for pop-ups, to overlay a window on top of other apps' screens.
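The manifest slides (AndroidManifest.xml, permission types, common permissions in malware, the accessibility service and receiver declarations, SYSTEM_ALERT_WINDOW) all describe things an analyst can read straight out of a decoded manifest. As an added example, not the talk's code, the script below triages an apktool-style AndroidManifest.xml for exactly those patterns: it lists the requested permissions, flags the ones on a watch-list, and reports services bound with BIND_ACCESSIBILITY_SERVICE plus boot and SMS receivers. The watch-list annotations and the sample 'flashlight' manifest are constructed.

```python
# Added example: triage a decoded AndroidManifest.xml (as apktool prints it) for the
# permission and component patterns the slides describe. Not the talk's code; the
# sample manifest and the watch-list annotations are constructed.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: attribute namespace

# Permissions that deserve a second look in a small utility app. Constructed list: the
# first two come from the slides, the rest are classic banking-Trojan requests.
WATCHED_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows on top of other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence through a boot receiver",
    "android.permission.RECEIVE_SMS": "SMS / OTP interception",
    "android.permission.READ_SMS": "SMS / OTP interception",
    "android.permission.SEND_SMS": "premium-rate SMS (Trojan-SMS)",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper behaviour",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Collect declared permissions, flag the watched ones, and report the components
    that give a Trojan its foothold: accessibility services, boot and SMS receivers."""
    root = ET.fromstring(xml_text)
    permissions = [p.get(A + "name") for p in root.iter("uses-permission")]
    flagged = {p: WATCHED_PERMISSIONS[p] for p in permissions if p in WATCHED_PERMISSIONS}
    findings = []
    for svc in root.iter("service"):
        # An accessibility service is recognisable by the bind permission on its <service>.
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service: {svc.get(A + 'name')}")
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(f"boot receiver: {rcv.get(A + 'name')}")
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            findings.append(f"SMS receiver: {rcv.get(A + 'name')}")
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "flagged": flagged,
        "findings": findings,
        "score": len(flagged) + len(findings),   # simple triage count, not a verdict
    }


# Constructed sample: a 'flashlight' app whose manifest looks like the slides' Trojan.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "triage score", report["score"])
    for perm, why in report["flagged"].items():
        print("  permission", perm, "->", why)
    for finding in report["findings"]:
        print("  component ", finding)
```

The score is only a count of things to look at, not a malware verdict; a legitimate SMS app will legitimately request RECEIVE_SMS. What the check surfaces is the mismatch the BrasDex-style cases rely on: a flashlight or similar utility that declares an accessibility service, overlay permission and boot persistence it has no functional reason for.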

Slide 31 (no text content)

Slide 32

BrasDex
The focus of malware is precisely to trick the user into thinking that the program is useful or beneficial to them in some way. In reality, the program performs actions that harm the user or the application, or harms other applications or services. In this case, it uses accessibility permissions to overlay the main screen and change the data underneath it.

Slide 33

How to Avoid It: As a User

Slide 34

Basic Cyber Hygiene
- Keep your operating system, firmware and applications on all your devices up to date as requested, and avoid removing the protection provided by Apple and Google.
- Download apps from official stores only.
- Avoid 'jailbreaking' or 'rooting' your phone.

Slide 35

- Use strong authentication to access accounts;
- Use strong passwords;
- Run backups on systems regularly;
- Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings. Fraudsters and scammers often use pop-ups to spread malware.

Slide 36

How to Avoid It: As a Developer

Slide 37

- Limit and check app permissions;
- Google Play Protect;
- RASP (Runtime Application Self-Protection);
- Code obfuscation;
- In-house solutions: take some action if malware is detected, e.g. close the app automatically.

Slide 38

Is my phone infected?
- Slow performance;
- Random reboots;
- Unusual data usage;
- Battery draining faster than usual;
- Unfamiliar apps installed;
- Overheating;
- Taking a long time to shut down;
- Signs of activity in standby mode;
- Weird sounds during phone calls;
- Weird text messages.

Slide 39

References:
Thomas, Tony; Surendran, Roopak; John, Teenu S.; Alazab, Mamoun. Intelligent Mobile Malware Detection (Security, Privacy, and Trust in Mobile Communications). CRC Press, Kindle Edition.

Slide 40

Daiane Santos
@Wh0isdxk
@mobilehackingbr
daianesantos[at]protonmail[dot]com

Slide 41 (no text content)