whoami
Hacking
Neuroscience
Reverse Engineer
Chess
Mobile Security Engineer @ Nubank
CTF Player @ RATF
Mobile Security content @mobilehackingbr
Autism and AH/SD
Daiane Santos
Slide 5
Malwares
Malware is a term used for any type of malicious software designed to harm or exploit any programmable device, service or network.
Slide 7
In numbers
In 2022, Kaspersky mobile products and technology detected:
1,661,743 malicious installers
196,476 new mobile banking Trojans
10,543 new mobile ransomware Trojans
Zero Click Malwares
A zero-click breach exploits flaws in your device, using a loophole in its data verification to create a path of entry into your system. Most software relies on data verification processes to keep breaches at bay.
The malware can be installed on a device without the victim taking any action, not even clicking a link. As a result, zero-click (or no-click) malware is much more dangerous.
The reduced interaction involved in zero-click attacks also means fewer traces of any malicious activity. Furthermore, vulnerabilities that can be exploited in zero-click attacks are quite rare, which makes them especially prized by criminals.
Slide 10
Zero Click Malwares
A zero-click attack occurs theoretically as follows:
1. Cybercriminals identify a vulnerability in an email or messaging application.
2. They exploit the vulnerability by sending a carefully crafted message to the victim.
3. The vulnerability allows malicious actors to infect the device remotely via emails that consume high levels of memory.
4. The hacker's email, message or call does not necessarily remain on the device.
5. As a result of the attack, cybercriminals can read, edit, leak or delete messages.
Slide 11
Zero Click Malwares
It is speculated that intelligence agencies use this tactic around the world to intercept messages and monitor the whereabouts of suspected criminals and terrorists.
Slide 13
Zero Click Malwares
1. In July 2020, an Azerbaijani journalist's iPhone silently received a command to open the Apple Music app. Without the journalist's knowledge or interaction, the app connected to a malicious server and downloaded spyware onto the phone that remained there for 17 months, eavesdropping on phone calls and text messages. The Israeli company says clients use its software to stop terrorism and curb violent crime.
Slide 14
Zero Click Malwares
2. NSO Group also designed zero-click attacks that could compromise Android phones by exploiting a flaw in WhatsApp that was used to transmit malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability, saying it had been used to target more than 1,400 people over a two-month period, and filed a lawsuit against NSO Group.
Slide 15
One Click Malware
One-click attacks rely on vulnerabilities that allow an attacker to induce users to perform actions that they do not intend to perform. Such a vulnerability lets an attacker partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.
Slide 16
One Click Malware
Change email address
https://vulnerable-website.com/email/change?email=pwned@evil-user.net
Email changed
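The one-click flow on this slide, as an added example in Python (it is not code from the presentation): the vulnerable handler changes the e-mail on a bare GET, so the link shown above does the job with a single click; the hardened handler only accepts a POST from the site's own origin that carries the session's CSRF token. The site name is taken from the slide; the handler, session and form-field names are assumptions made for the demo.

```python
# Added example (not from the slides): the "change email" link is a cross-site
# request forgery (CSRF). The vulnerable handler accepts the state change on a
# bare GET; the hardened one requires POST, an allow-listed Origin header and a
# per-session synchronizer token compared in constant time. Names are assumed.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ALLOWED_ORIGINS = {"https://vulnerable-website.com"}  # the site's own origin (assumed)


class Session:
    """Minimal stand-in for a server-side session bound to a logged-in user."""

    def __init__(self, email: str = "victim@example.com") -> None:
        self.email = email
        # Synchronizer token: unguessable, per session, embedded in the site's own forms.
        self.csrf_token = secrets.token_urlsafe(32)


def change_email_vulnerable(session: Session, method: str, url: str) -> int:
    """State change on GET with no token: the link from the slide succeeds."""
    query = parse_qs(urlsplit(url).query)
    new_email = query.get("email", [None])[0]
    if not new_email:
        return 400
    session.email = new_email
    return 200


def change_email_hardened(session: Session, method: str, form: dict, origin: str) -> int:
    """Reject anything a cross-site link or auto-submitted form could produce."""
    if method != "POST":
        return 405  # state changes never ride on GET
    if origin not in ALLOWED_ORIGINS:
        return 403  # browser-supplied Origin header must be our own site
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403  # a cross-site page cannot read the victim's token
    new_email = form.get("email", "")
    if not new_email:
        return 400
    session.email = new_email
    return 200


def demo() -> dict:
    """Run the slide's link against both handlers and report what happened."""
    attacker_link = "https://vulnerable-website.com/email/change?email=pwned@evil-user.net"
    evil = {"email": "pwned@evil-user.net"}
    results = {}
    s = Session()
    results["vulnerable_status"] = change_email_vulnerable(s, "GET", attacker_link)
    results["vulnerable_email"] = s.email
    s = Session()
    results["hardened_get"] = change_email_hardened(s, "GET", evil, "https://evil-user.net")
    results["hardened_cross_site_post"] = change_email_hardened(s, "POST", evil, "https://evil-user.net")
    results["hardened_no_token"] = change_email_hardened(s, "POST", evil, "https://vulnerable-website.com")
    legit = {"email": "new@example.com", "csrf_token": s.csrf_token}
    results["hardened_legit"] = change_email_hardened(s, "POST", legit, "https://vulnerable-website.com")
    results["hardened_email"] = s.email
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Origin check alone is not enough (older clients may omit the header), and the token alone does not stop a GET from leaking through browser history and logs, so the hardened handler applies both and refuses GET outright.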
Slide 20
(image: Rinha_de_Malware.jpg)
Slide 21
Permissions
Runtime permissions give additional access to restricted data or let your app perform restricted actions that affect the system and other apps. So, you need to request runtime permissions before accessing the restricted data or performing restricted actions.
Slide 22
Reverse Engineer
After disassembling, to analyze the Java source code of the application, we can use dex2jar and JD-GUI: dex2jar converts the dex files to jar (Java) files, and JD-GUI lets us view the resulting Java files. This can be done as follows:
1. Download dex2jar.
2. Extract the apk.zip and open it.
3. Copy the classes.dex file from the apk folder and paste it into the dex2jar folder.
4. Run the command
   sh d2j-dex2jar.sh classes.dex
   to obtain the classes_dex2jar.jar file.
5. Open the generated classes_dex2jar.jar file using JD-GUI.
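An added check that fits before handing classes.dex to dex2jar, written in Python for this page (it is not part of dex2jar, JD-GUI or the presentation): it lists the classes*.dex entries inside the APK and validates each DEX header's magic, Adler-32 checksum and SHA-1 signature, which is how to tell a truncated or hand-patched dex from the one the build produced. The APK used here is constructed in memory, so the script runs without a real app; the header layout it parses is the documented DEX format.

```python
# Added example (not from the slides or the dex2jar project). Every .dex file
# starts with a 0x70-byte header: magic "dex\n035\0", an Adler-32 checksum of
# everything after the checksum field, a SHA-1 of everything after the
# signature, then 20 little-endian uint32 size/offset fields. A checksum or
# signature mismatch means the file was changed after it was built.
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# Fields that follow the 20-byte signature, in file order.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse and validate a DEX header; raises ValueError if this is not a DEX file."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("bad DEX magic %r" % magic)
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    header = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    header["version"] = magic[4:7].decode("ascii")
    header["checksum"] = checksum
    header["signature"] = signature.hex()
    header["checksum_ok"] = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum
    header["signature_ok"] = hashlib.sha1(data[32:]).digest() == signature
    header["endian_ok"] = header["endian_tag"] == ENDIAN_CONSTANT
    header["size_ok"] = (header["file_size"] == len(data)
                         and header["header_size"] == DEX_HEADER_SIZE)
    return header


def dex_headers_in_apk(apk_bytes: bytes) -> dict:
    """Return {name: parsed header} for classes.dex, classes2.dex, ... in an APK (a zip)."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                found[name] = parse_dex_header(zf.read(name))
    return found


def build_sample_dex(class_defs: int) -> bytes:
    """Constructed header-only DEX (no real code) with a valid checksum and signature."""
    dex = bytearray(DEX_HEADER_SIZE)
    dex[:8] = b"dex\n035\0"
    struct.pack_into("<III", dex, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    struct.pack_into("<I", dex, 96, class_defs)  # class_defs_size
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)
    return bytes(dex)


def build_sample_apk() -> bytes:
    """Constructed APK: a zip with a manifest placeholder and two DEX files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", build_sample_dex(3))
        zf.writestr("classes2.dex", build_sample_dex(1))
    return buf.getvalue()


if __name__ == "__main__":
    for name, hdr in dex_headers_in_apk(build_sample_apk()).items():
        valid = all(hdr[k] for k in ("checksum_ok", "signature_ok", "endian_ok", "size_ok"))
        print(f"{name}: dex {hdr['version']}, {hdr['class_defs_size']} classes, header valid={valid}")
```

Run it against a real APK by replacing build_sample_apk() with the file's bytes; a header whose checksum_ok or signature_ok is False was repackaged or patched after the build, which is worth knowing before trusting what JD-GUI shows.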
Slide 23
Reverse Engineer
Activities: Components that provide a screen with which users can interact.
Broadcast receivers: Components that receive and respond to broadcast messages from other apps or from the operating system.
Services: Components that perform operations in the background.
system_alert_window
In 2019, a vulnerability focused on the Android system emerged which used the SYSTEM_ALERT_WINDOW permission (intended for pop-ups) to overlay the screen with a window drawn over other apps.
Slide 31
BrasDex
The focus of malware is precisely to trick the user into thinking that the program is useful or beneficial to them in some way. In reality, the program performs actions that harm the user or the application, or harm other applications or services. In this case, BrasDex uses accessibility permissions to overlay the main screen and change the data underneath that screen.
Slide 32
Attacks on Activities
If an application has an activity that is exported, other applications can also invoke it.
This can be invoked by other malicious applications that are running on the device.
Slide 33
Attacks on Broadcast Receivers
That means any application will be able to send arbitrary, uncontrolled SMSs.
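One way to find the three problems raised on slides 23, 32 and 33 in an app's manifest, as an added Python example (it is not the presentation's code): it flags a request for SYSTEM_ALERT_WINDOW, activities and receivers exported without an android:permission, and components that are implicitly exported because they declare an intent-filter but no android:exported. The manifest, package and component names are constructed for the demo; the launcher activity is skipped because it has to be exported.

```python
# Added example (not from the slides): static audit of AndroidManifest.xml for
# overlay permission requests and components any other app on the device can
# invoke. The sample manifest and every name in it are made up for the demo.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
OVERLAY_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW"}

# Constructed manifest: one exported debug activity with no permission, one
# receiver that is implicitly exported by its intent-filter, and one each of a
# correctly closed service and a permission-guarded provider.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Demo">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugActivity" android:exported="true"/>
    <receiver android:name=".SmsCommandReceiver">
      <intent-filter><action android:name="com.example.demo.SEND"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="false"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true" android:permission="com.example.demo.READ_DATA"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree keys them as {ns}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_launcher(comp) -> bool:
    """True for the activity that declares the MAIN action (legitimately exported)."""
    for flt in comp.findall("intent-filter"):
        if any(android_attr(a, "name") == "android.intent.action.MAIN"
               for a in flt.findall("action")):
            return True
    return False


def audit_manifest(manifest_xml: str) -> list:
    """Return (kind, name, reason) findings; an empty list means nothing was flagged."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for uses in root.iter("uses-permission"):
        perm = android_attr(uses, "name")
        if perm in OVERLAY_PERMISSIONS:
            findings.append(("permission", perm,
                             "overlay capability requested; abused by overlay malware"))
    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or (comp.tag == "activity" and is_launcher(comp)):
            continue
        name = android_attr(comp, "name")
        exported = android_attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        protected = android_attr(comp, "permission") is not None
        if exported == "true" and not protected:
            findings.append((comp.tag, name,
                             "exported without android:permission: any app can invoke it"))
        elif exported is None and has_filter and not protected:
            findings.append((comp.tag, name,
                             "intent-filter but no android:exported: implicitly exported below targetSdk 31"))
    return findings


if __name__ == "__main__":
    for kind, name, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"[{kind}] {name}: {reason}")
```

The fix for a flagged component is either android:exported="false" when no other app needs it, or an android:permission of your own with protectionLevel="signature" so only apps signed with your key can reach it; for the receiver on slide 33 that is what stops arbitrary apps from triggering the SMS send.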
Slide 34
How to Avoid: as a user
Slide 35
How to avoid it
Basic CyberHygiene
Keep your operating system, firmware and applications on all your devices up to date as requested.
Download apps from official stores only.
Avoid 'jailbreaking' or 'rooting' your phone, and avoid removing the protection provided by Apple and Google.
Slide 36
How to avoid it
Use strong authentication to access accounts;
Use strong passwords;
Run backups on systems regularly;
Enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings.
Fraudsters and scammers often use pop-ups to spread malware.
Slide 37
How to Avoid: as a developer
Slide 38
How to avoid it
Limiting and checking app permissions;
Google Play Protect;
RASP (Runtime Application Self-Protection);
Code obfuscation;
In-house solutions.
Define an action to take if malware is detected, e.g. close the app automatically.
Slide 39
Is my phone infected?
Some signs that your smartphone is infected:
Slow performance;
Random reboots;
Unusually high data usage;
Battery draining faster than usual;
Unfamiliar apps installed;
Overheating;
Taking a long time to shut down;
Signs of activity in standby mode;
Weird sounds during phone calls;
Weird text messages.
Slide 40
References
1. Thomas, Tony; Surendran, Roopak; John, Teenu S.; Alazab, Mamoun. Intelligent Mobile Malware Detection (Security, Privacy, and Trust in Mobile Communications). CRC Press. Kindle Edition.