
Android Malware - Realm of Mobile Infection - SecNiche Security Labs


SANS Panel: Bust a Cap in a Mobile App


Android Platform Realities
• What makes malware rise so quickly?
  ─ Android provenance system
    ● Application masquerading (repackaging) is easy
  ─ Permissions are user centric
    ● It is hard to imagine that every user is security driven or knowledgeable
      » Ignorance is exploited!
  ─ Encryption is offered in platforms beginning with version 3 (Honeycomb)
    ● Version >= 3: the dm-crypt kernel (block device layer) feature is used.
    ● All Android versions < 3 do not have a proper encryption model
      » ALERT – What about Android devices running 2.x versions?
  ─ No inbuilt mechanism to prevent social engineering and web trickery
  ─ Existence of alternative Android application markets
    – Increases the attack surface with mobility and flexibility
SANS AppSec Summit 2012 - Panel 4


Introduction to Android Malware
• Android Malware Classification - Overview
  ─ Type-A
    – Exploits the application layer
      » Example: Zitmo, Spitmo, Hippo SMS
  ─ Type-K
    – Exploits the integrity of the kernel to compromise the device
    – Typically used as a pillar in hybrid Android malware
      » Example: Ginger Master, Droid Deluxe
  ─ Type-Z
    – Basically an information stealer that does not modify any component of the Android device
      » Example: Fake Netflix, Android Dogo War, Android Snake Tap
  ─ Type-H
    – Hybrid in nature
    – Harnesses the power of Type-A, Type-K and Type-Z malware collaboratively
      » Example: Android Root Smart, Droid Coupon


Techniques and Tactics
• Android Malware Tactics
  ─ Application Masquerading and Repackaging
    – Adding malicious code to legitimate applications
    – Signing the repackaged application with a different signature
  ─ Native Code Execution
    – Exploiting kernel vulnerabilities to gain root access
  ─ Over The Air (OTA) Infections
    – Pushing malicious content to Android devices
  ─ Device Administration APIs
    – Fooling users into treating malware as applications that need administrative rights
  ─ Hijacking (Spoofing and Eavesdropping)
    – Manipulating the communication flow - broadcasts, activities and services
  ─ Exploiting Custom ROMs
    – Signing custom ROMs with public keys and installing them on Android devices
  ─ Android Bootkits


Mobile App Pentesting
How to proxy the device?


Proxy the Device


iOS
• Emulator
  ─ Works on the HTTP proxy settings of OS X
  ─ For SSL, add the proxy cert to OS X's trusted cert store
• Device
  ─ Settings on the device has a native HTTP proxy setting for WiFi networks!
  ─ For SSL, add the cert to the iOS trusted store by opening the cert in Safari


Android
• Emulator
  ─ The "http-proxy" flag when running the AVD works only with the browser.
    ● Hit or miss!
  ─ tsocks is a better option on Linux boxes
  ─ For SSL MiTM, add the proxy cert to /system/etc/security/cacerts.bks
• Device
  ─ Rooted with Cyanogen ROM (iptables support)
  ─ The Autoproxy tool adds a GUI to iptables
  ─ Same solution as the emulator for SSL MiTM


Blackberry
• Device
  ─ No native proxy support.
  ─ WiFi MiTM with proxy support on Linux
  ─ Will not connect to an ad-hoc AP.
  ─ Easiest solution: use a Pineapple WiFi router
  ─ Apps provide a dialog box to accept bad SSL certs, so SSL MiTM for pentesting is easier.


Storage and Interface Vulnerabilities
• Storage: sdcard vfat, world readable files, source code reversing
• Interfaces: open interfaces with accessible dangerous functionality (Services, Broadcast Receivers, etc.)


Next Gen Attacks: Piggybacking on Storage and Interfaces
• Find the sensitive data storage location with code reversing
• Access the file if permissions are available (steal permission to the data)
• Send intents to open interfaces with dangerous functionality
• Effectively gain the permission


Mitigations
• No sensitive data on the sdcard, in world readable files, or in source code
• No dangerous functionality directly accessible via open interfaces (i.e. ask users to click OK before sending an SMS)
• Use the require-permission tag in the manifest for interfaces
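The last three slides describe "open interfaces" (exported Services, Broadcast Receivers and the like that expose dangerous functionality without demanding a permission) and the manifest-level fix. The script below is an added example, not code from the panel or from SecNiche; it scans a decoded AndroidManifest.xml for components other apps can reach that carry no permission guard. It assumes the manifest is plain XML as produced by a decoder such as apktool, and the embedded sample manifest is constructed for this example (the package name, component names and permission names describe no real app); it places the weak SMS-sending service next to the guarded form the Mitigations slide calls for.

```python
"""Added example (not from the SANS panel deck): scan a decoded AndroidManifest.xml
for 'open interfaces' - components other apps can reach with no permission guard.

Assumptions: the manifest is plain XML as produced by a decoder such as apktool;
the sample manifest below is constructed for this example and describes no real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def android_attr(element, name):
    """Read an android:NAME attribute (ElementTree keys namespaced attributes as {uri}name)."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def is_reachable(component):
    """True when other apps can target this component.

    android:exported decides when present; when absent, a component that declares
    an <intent-filter> is exported by default on the Android versions of the deck's era.
    """
    exported = android_attr(component, "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None


def is_launcher_activity(component):
    """Launcher activities have to be public; treat them as intentionally open."""
    if component.tag != "activity":
        return False
    return any(android_attr(cat, "name") == LAUNCHER_CATEGORY
               for cat in component.iter("category"))


def is_guarded(component):
    """True when the component demands a permission from its caller."""
    names = ["permission"]
    if component.tag == "provider":
        names += ["readPermission", "writePermission"]
    return any(android_attr(component, n) for n in names)


def find_open_interfaces(manifest_xml):
    """Return (tag, android:name) for every reachable, unguarded component, in manifest order."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        if not is_reachable(comp) or is_launcher_activity(comp):
            continue
        if not is_guarded(comp):
            findings.append((comp.tag, android_attr(comp, "name")))
    return findings


# Constructed sample manifest: the weak service sits beside its guarded counterpart.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <permission android:name="com.example.demo.permission.SEND_SMS"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- weak: the intent-filter exports it and nothing guards it -->
    <service android:name=".SmsSenderService">
      <intent-filter><action android:name="com.example.demo.SEND_SMS"/></intent-filter>
    </service>
    <!-- corrected: same interface, callers must hold a signature-level permission -->
    <service android:name=".GuardedSmsSenderService" android:exported="true"
             android:permission="com.example.demo.permission.SEND_SMS">
      <intent-filter><action android:name="com.example.demo.SEND_SMS"/></intent-filter>
    </service>
    <!-- internal only -->
    <service android:name=".SyncService" android:exported="false"/>
    <!-- weak: explicitly exported receiver with no permission -->
    <receiver android:name=".CommandReceiver" android:exported="true"/>
    <!-- provider guarded by a read permission -->
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data"
              android:exported="true"
              android:readPermission="com.example.demo.permission.READ_DATA"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name in find_open_interfaces(SAMPLE_MANIFEST):
        print("open interface - %s: %s" % (tag, name))
```

Run against the sample it reports only `.SmsSenderService` and `.CommandReceiver`; the guarded service, the non-exported service, the read-protected provider and the launcher activity pass. The `protectionLevel="signature"` on the declared permission matters: with the default `normal` level any app could simply request the permission, which is exactly the "steal permission to the data" step the Next Gen Attacks slide describes.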


Questions
