4. Agenda
• Bad things malware can do to an Android device (Demo).
• Vectors that can be done with SMSs (Demo).
• Artificial Intelligence in Android (Demo).
• TapJacking attack (Demo).
• Ideas for Denial of Service attacks.
• Current/future trends in malware (Demos!).
• Questions & Answers.
Disclaimer:
The information contained in this presentation is for learning purposes only.
Please don't use this information for other uses, except doing good to the world.
5. There are two rival football clubs in Tel Aviv (Israel): Maccabi and Hapoel.
7. Greetings Hapoel fans…
“I’m a fanatic Hapoel fan like you.. ahmm.. I want to recommend you my new app with 24/7 updates about the team.. 1337 app… you should install it!”
The attacker goes undercover…
How will the fans get it?!
10. When scanning the QR code…
We can create a more “legit” URL & APK name that will convince the user to download the app.
The app downloaded to the device:
11. All is quiet.. But when the match is over..
• Background - changed to the Maccabi logo..
• Ringtone - changed to the Maccabi song..
• SMSs - sent to all contacts found on the device:
– “We are losers… I don’t believe this! I'm such a lame to support this team. Maccabi rulez..”
• GPS coordinates (latitude/longitude)…
12. Different content (Toast) by physical location
“With that ability it’s a good thing you didn’t show your face in the stadium! Don’t forget to tell your friends you witnessed that shame with your own eyes!”
13. Demo workflow
• Step 1 – User installs the External APK file.
• Step 2 – External APK requests the user to install the Internal APK.
• Step 3 – External APK is removed (Internal APK still running).
• Step 4 – Date changed (trigger for the coming actions).
• Step 5 – Background is changed.
• Step 6 – A message is shown to the user (based on the user’s GPS location, for example inside the stadium).
• Step 7 – SMS sent to a contact (another device).
• Step 8 – Ringtone is changed.
• Step 9 – SMS from the mobile provider is dropped.
• Step 10 – If the device reboots, the Internal APK auto starts.
14. This may also lead to the following scenario
“I’m telling you it’s the app! It’s the app! I am a Hapoel fan! Aiiiiiiiii!!!!”
Tip: This will work for cricket too..
15. From demo to real-life (1/3)
• DogWar
– Auto starts.
– SMS registration sent to the PETA service.
– SMS text sent to contacts.
16. From demo to real-life (2/3)
• Usage of QR code
• End of world Trojan
• Background changed
• Jifake
• RogueSPPush – dropping and deleting the SMS; checking whether the SMS originated from the mobile operator or provider.
17. From demo to real-life (3/3)
• trick?!
• RogueSPPush
• SpyEye
• Usage of high priority to get SMSs before other apps.
18. Phone calls can be manipulated as well
• Capable of ending calls.
• Capable of answering calls.
• Setting the volume to ‘0’.
• Deleting a record from the call log.
• Catching incoming phone calls.
BaseBridge
What else can we do with SMSs?
19. Vectors that can be done with SMSs (1/2)
• Sending SMSs to premium numbers.
• Controlling a botnet for voting on American Idol.
• Running Linux commands on the device via SMSs.
• Getting & using information about the user’s accounts
– Used in banks, mobile payments.
• Phishing
– Man in the Middle - redirect to a website.
– Download my malicious app (with an exploit?)
• SPAM.
20. Vectors that can be done with SMSs (2/2)
• Target the mobile provider
– Drop billing SMSs from the operator.
– Offer discounts in the name of the provider.
– Change the billing value.
• Search for specific words
– ‘revolution’, ‘bomb’, ‘password recovery’..
• Used in other ’interesting’ places
– Stealing a car using SMS, SCADA systems.
21. Artificial Intelligence in Android
• Automatic chat like the famous ‘Eliza’.
• Spotting SMSs with questions (W*?)
– “cancel meeting” or “can’t come to the interview”…
• Spot co-workers and send them an SMS
– “I don’t like working with you! You smell bad!!!!”
• Spot close-relation contacts and ‘play Cupid’
– “Goodbye… I don’t want to see you anymore… I cheated on you with…”.
22. From ClickJacking to TapJacking
• The user is misled into performing undesired actions.
• There is no indication to the user
– Actions take place in the background.
• Examples of undesired actions:
– Installing malicious applications.
– Changing security settings.
– Performing a full device wipe.
– More…
23. Permission-based security model
• Apps are not adequately reviewed before being placed on the Market.
• Permission-based security model
– The average user is in charge of critical security decisions.
• The following example will be demonstrated:
What does ‘READ_PHONE_STATE’ mean?
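One way a defender can triage the manifest patterns behind the demo workflow (auto start on boot, an SMS receiver registered with a very high priority so it sees operator messages before other apps and can drop them) and the permission-model problem described above is a static manifest check. The script below is an added example written for this page, not code from the talk or from AVG; the HIGH_PRIORITY threshold, the RISKY_COMBOS list and the sample "fan app" manifest are constructed for illustration.

```python
"""Static triage of an AndroidManifest.xml for the patterns in the demo:
SMS receivers registered with a very high priority (so they see an SMS
before other apps and can drop it), auto start on BOOT_COMPLETED, and
permission combinations an average user cannot reasonably evaluate."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
HIGH_PRIORITY = 1000  # constructed triage threshold, not an Android constant

# Constructed list: permission pairs that together enable the SMS vectors above.
RISKY_COMBOS = [
    ({"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
     "can both intercept and send SMS"),
    ({"android.permission.READ_PHONE_STATE", "android.permission.SEND_SMS"},
     "reads IMEI/phone number and can send SMS"),
    ({"android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.RECEIVE_SMS"},
     "survives reboot and listens for incoming SMS"),
]


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _priority(intent_filter):
    """Parse android:priority; decimal or hex accepted, default is 0."""
    raw = _attr(intent_filter, "priority")
    if raw is None:
        return 0
    try:
        return int(raw, 0)
    except ValueError:
        return 0


def triage_manifest(xml_text):
    """Return a list of (finding_id, detail) tuples for one manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    for combo, why in RISKY_COMBOS:
        if combo <= perms:
            findings.append(("risky-permission-combo", why))
    for receiver in root.iter("receiver"):
        name = _attr(receiver, "name") or "<unnamed>"
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            prio = _priority(flt)
            if SMS_RECEIVED in actions:
                findings.append(("sms-receiver", "%s priority=%d" % (name, prio)))
                if prio >= HIGH_PRIORITY:
                    findings.append(("sms-receiver-high-priority",
                                     "%s can see and abort SMS before other apps" % name))
            if BOOT_COMPLETED in actions:
                findings.append(("boot-autostart", name))
    return findings


# Constructed sample manifest modelled on the "fan app" demo; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fanapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Fan Updates 24/7">
    <receiver android:name=".SmsWatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootStarter">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding_id, detail in triage_manifest(SAMPLE_MANIFEST):
        print("%-28s %s" % (finding_id, detail))
```

Run against the sample manifest, the check reports three permission combinations, the SMS receiver with its priority, the high-priority flag and the boot auto-start. A receiver for SMS_RECEIVED at the default priority is still reported, but without the high-priority flag, so a reviewer can distinguish a legitimate SMS-aware app from one positioned to intercept messages first.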
24. Denial Of Service Attacks
• Control a botnet for Denial of Service attacks
– Mobile operator / website / other target.
• Target the current mobile provider/manufacturer
– Disable the internet & connectivity on the phone.
• Target a person
– Disable his connectivity for a while..
• Cause battery drain.
• Erase content and data on the device.
25. Other ways the bad guys can make $
• Blackmail
– Encrypt content.
– Copy the user’s files from the device to a remote server.
• Using the device's CPU remotely with a botnet.
We love Android!
26. Current and future trends
• Use a device as a hacking platform (Demos!).
• Anti Debugging techniques (Demo).
• Usage of updated exploits (Demo).
• Social Engineering.
• Anti ‘Anti Virus’.
• Getting malicious updates.
• Signed malware.
• Google TV.
• Android@home + Android@car.
27. Trend #1 – Use a device as a hacking platform
• FaceNiff. ‘Point-Click-Root’
• Android Network Toolkit (Anti).
• DroidSheep.
• Caribou.
• More to come..
28. Trend #2 - Anti Debugging techniques
• Detecting if running in an emulator.
• ‘Debuggable’.
• Encryption.
• Obfuscation.
• Checking a checksum.
29. Trend #2 - Anti Debugging techniques
• Checking if it’s an emulator; getting the IMEI of the device – NickiSpy
• Encryption algorithm – Lena
36. Trend#5 – Anti ‘Anti Virus’
• Checking if an anti virus exists in the installed packages.
• “Sorry” – the name says it all..
• “Application (in the process) stopped unexpectedly, please try again” / “forced off”
• BaseBridge
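Knowing which anti-analysis checks a sample performs (emulator fingerprints and the device IMEI as in the NickiSpy slide, debugger flags, a self-checksum, and a scan of installed packages for a security product as in the BaseBridge slide) tells an analyst how to configure the sandbox so the payload actually runs instead of staying dormant. The indicator scan below is an added example for this page, not code from the talk or from AVG; the INDICATORS patterns, the SANDBOX_ADVICE table and the decompiled fragment are constructed for illustration.

```python
"""Scan decompiled Android source (or smali) for anti-analysis indicators and
map each category to the sandbox adjustment it implies for the analyst."""
import re

# Constructed indicator patterns, one compiled regex per evasion category.
INDICATORS = {
    "emulator-check": re.compile(
        r'getDeviceId|000000000000000|goldfish|Build\.(FINGERPRINT|PRODUCT|MODEL|HARDWARE)|"generic|"sdk"'),
    "debugger-check": re.compile(
        r'isDebuggerConnected|FLAG_DEBUGGABLE|android:debuggable'),
    "self-checksum": re.compile(
        r'GET_SIGNATURES|CRC32|MessageDigest\.getInstance'),
    "av-detection": re.compile(
        r'getInstalledPackages|getInstalledApplications|anti-?virus', re.IGNORECASE),
}

# Constructed mapping from indicator category to what the analyst should change.
SANDBOX_ADVICE = {
    "emulator-check": "use a physical device or a sandbox with realistic Build.* values and a non-zero IMEI",
    "debugger-check": "do not attach a debugger; observe via logging or hooks instead",
    "self-checksum": "analyse the original signed APK, never a repackaged copy",
    "av-detection": "install no security product in the sandbox, or expect the payload to stay dormant",
}


def scan_evasion(decompiled_text):
    """Return {category: [line numbers]} for every indicator hit, in file order."""
    hits = {}
    for lineno, line in enumerate(decompiled_text.splitlines(), start=1):
        for category, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(category, []).append(lineno)
    return hits


def sandbox_plan(hits):
    """Translate scan hits into the adjustments needed before dynamic analysis."""
    return {category: SANDBOX_ADVICE[category] for category in hits}


# Constructed decompiled fragment; not taken from any real sample.
SAMPLE_DECOMPILED = """\
TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String imei = tm.getDeviceId();
if ("000000000000000".equals(imei) || Build.FINGERPRINT.startsWith("generic")) return;
if (Debug.isDebuggerConnected()) System.exit(0);
PackageInfo self = pm.getPackageInfo(getPackageName(), PackageManager.GET_SIGNATURES);
for (PackageInfo p : pm.getInstalledPackages(0)) {
    if (p.packageName.contains("antivirus")) stayDormant = true;
}
byte[] key = MessageDigest.getInstance("MD5").digest(imei.getBytes());
"""

if __name__ == "__main__":
    found = scan_evasion(SAMPLE_DECOMPILED)
    for category, lines in found.items():
        print("%-16s lines %s -> %s" % (category, lines, SANDBOX_ADVICE[category]))
```

The last line of the fragment also shows why the IMEI matters beyond emulator detection: a key derived from the device identifier ties the encryption to one device, which is a second reason to give the sandbox a realistic, stable IMEI before expecting decrypted payloads to appear.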
37. Trend#6 – Getting malicious updates (1/2)
• Connection to a remote server.
• Information collected and sent to the remote server.
• Jar file to download from the remote server.
• Plankton
41. Trend#8 - Google TV
• Google TV is a Smart TV platform from Google.
• Announced on May 20, 2010 (Google I/O event).
• Co-developed by Google, Intel, Sony and Logitech.
• Integrates Google’s Android operating system and the Linux version of the Google Chrome browser.
• Creates an interactive television overlay on top of existing internet television and WebTV sites.
42. A few scenarios for exploiting Google TV
1 - Channel redirection
How did Jay Leno get a higher rating than the Super Bowl???
2 - Adding commercials & hidden frames
3 - Information warfare
Not a Google TV..
43. Trend#9 - Android@home
• Android phone/tablet
– Interface between you and every electronic device.
• Using your phone you’ll be able to:
– dim the lights.
– turn up the heating.
– switch on your television.
• Your device has GPS, so it can also:
– switch off the lights.
– put the TV on standby.
– turn the heating back down.
44. Trend#9 - Android@car
“I repeat. I am in the middle of a car chase! There’s no driver in the vehicle!!!”
45. Now you know how I won American Idol…
“I'm s-h-o-c-k-e-d. I think you should not sing. Really. But it turns out that the audience at home love you..”
– Simon Cowell, judge on American Idol
46. Will this be the topic for next year?
• Feel free to stay in touch..
Elad.Shapira@avg.com
• Thanks go to:
– ClubHack organizers.
– AVG Mobilation founder & CTO, Dror Shalev.
Hacked Windows Phone 7