1. I haz you and pwn your maal
Harsimran Walia

2. #WhoamI
• Research Scientist @ McAfee
• Expertise: Malware Analysis, Exploit
development and Vulnerability Analysis
• Twitter: b44nz0r
• Email: walia.harsimran@gmail.com
• Previous papers: Reversing Microsoft Patches
to Reveal Vulnerable code @ NullCon,2011

3. Disclaimer
• The research and views presented here are
solely mine and nothing to do with any of the
current and previous organizations, I work for
or associated with in any form
• The presentation is for educational purposes
only and no one can be held responsible for
any harm caused in any form due to use or
misuse of information presented here

4. Access Data?
• Use of smartphones, tablets, mobile devices
• No longer need to stay in one place
• Information on the go
• But,

5. Danger!
• Create a larger attack vector
• Treasure trove for attackers
• Hot targets for attackers and data thieves
• Ease of attack
• Vast amount of information

6. Attacks
• Most reliable attack is via malware
• Malware can
1. penetrate a host
2. extract information
3. stay hidden
4. send data to the attacker
• Attackers created smartphone malware
• Delivered as smartphone applications

7. Platforms
• Many smartphone platform
– Apple’s iOS
– Android
– Symbian
– Blackberry
• Android by far most popular with attackers

8. Why Android?
• 50.1% Smartphone users share in US

9. Why Android?
• 61% smartphone sales share in Q1,2012

10. Why Android?
Starting development
of Iphone OS apps
needs
• Mac Computer
• Sign-in Dev Program
• Wait for verification
• Pay fees

11. Why Android?
• Not only user share, sales are much above
any other platform
• Huge user base i.e. victims ;)
• Ease of malware development and hosting on
google play
• Have led to:

12. Headlines
• Android OS the “worst platform for malware”. - TG Daily August’11
• Android threats leapt 76% during the Q2-2011 - McAfee
• Most attacked mobile OS overtaking Symbian OS
• The most popular target for mobile malware developers
• Increasing target for cybercriminals

13. Malware Analysis
Windows Vs Android
• 2 methods, dynamic and static • Same, dynamic and static
• Virtual machine or sandbox is • Virtual machine with
used
android SDK
• Static analysis - reverse
engineer the • In many cases static analysis
application/malware reveals the malware
using tools and techniques to behavior and very little
re-create the actual code and
algorithm
dynamic analysis is required
• Have to debug through • Can be decompiled into
assembly code to understand readable java code
the algorithm

14. What to expect?
• Lab setup, a VM with android SDK
installation.
• Tools required for the analysis
• Static Analysis
• Dynamic Analysis
• Patching the malware to own it

15. What not to expect?
• How to write an android malware
• How to spread it
• How to hack Android

16. Behavioral classification

17. Types of Android Malware
• Mobile Device Data Stealers
– most common
– aim to acquire different info from the infected
device
• OS version
• product ID
• International Mobile Equipment Identity (IMEI)
number
• International Mobile Subscriber Identity (IMSI)
number
– This stolen device info is encrypted and sent via
HTTP POST to the attacker, can be used for future
attacks .

18. • Rooting-capable
– malware infect to gain so-called root
privileges
– remote users access to files and the devices’
flash memory
– With rooting malware drop copies of
themselves onto their flash memory
– they can’t be detected and consequently
deleted by antivirus products

19. • Premium Service Abusers
– hard coded predetermined premium numbers
– sends text messages
– affected users being charged for sms services
• Mobile Device Spies
– secretly monitor info stored on infected devices
• GPS location
• save text and email messages
• Like data stealers, sends stolen data to specific URLs via HTTP
POST.
• focus more on gathering personal data

20. One-click Billing Fraud

21. Android One-click Billing Fraud
• Mostly active on p0rn and gamer video sites
• Trying to view a video triggers a pop-up asking the user to
download a malicious app.
• Gets the Android user account information, and sends them to
the cybercriminals.
• Displays a pop-up showing the message
– “We haven’t received your payment. Therefore, based on our
policy, we will have to charge you if you have not paid yet.”
• Also displays the information it stole in order to build credibility
for it self, and better convince the victim to pay the amount.
• The pop-up is set to show every few minutes and keeps eating
your money.

22. WHY DID I WRITE MY PAPER?

23. • Malware Analysis,
– important part of antimalware companies’ work.
• Mobile malware analysis is now equally important.
• Effective analysis can be used by law enforcement
agencies to catch law breakers
– i.e malware authors and attackers
• For fun, when you can pwn someone else’s malware
and control it.
• You get yourself full-blown malware without writing it.

24. ANDROID MAL-ANALYSIS
TOOLS OF TRADE

25. Tools - Static analysis
• Mobile Sandbox: provides static analysis of malware images
• IDA pro: Supports Android bytecode in version 6.1 and later
• APKInspector: Powerful GUI tool for analyzing Android applications.
• Dex2jar: For converting Android’s .dex format to Java’s .class format
• Jd-gui: A standalone graphical utility that displays Java source codes of .class files.
• Androguard: Reverse engineering and Malware analysis of Android applications.
• JAD: Java Decompiler
• Dexdump: Java .dex file format decompiler
• Smali: smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM
implementation.

26. Tools – Dynamic analysis
• Droidbox: An Android Application Sandbox for Dynamic
Analysis
• The Android SDK: “A software development kit that enables
developers to create applications for the Android platform.
Using the Android SDK we can create a virtual android device
almost identical in functionality and capabilities of an android
telephone and using that virtual device as secure environment
we can execute the malware and observe the behaviour of it.
• AndroidAuditTools: Dynamic Android analysis tools

27. LAB SETUP

28. • Traditional malware analysis includes a Virtual Machine
• We need a one as well
• Android SDK installed in VM
• Well documented installation details can be found here
http://developer.android.com/sdk/installing.html
• Would highlight one thing during installation

29. • Must select atleast one
version of the API
• API versions to develop
applications for different
android versions
• Separate SDK for
malwares targeted for a
particular version
• Demo
– android 2.3 (gingerbread)

30. ANALYSIS

31. Android Malware Acquisition
• Contagio MiniDump
(http://contagiominidump.blogspot.in/)
• Community driven
• Anyone can submit a sample
• It is made available to others
• Demo
– Voodoo SimpleCarrierIQDetector
– supposed to detect presence of the Carrier IQ mobile
diagnostic software on the system
– Chosen based on the ease of understanding

32. STATIC ANALYSIS

33. Mobile-sandbox.com
• Submit the apk to mobile-sandbox.com for analysis
• Report generated can be viewed at
http://mobilesandbox.org/xml_report_static/?q=176
• Important information from report
Requested Permissions from Android Manifest: android.permission.READ_LOGS
android.permission.SEND_SMS
sendSMS
Potentially dangerous Calls: Execution of native code
getPackageInfo

34. Extraction
• Start our manual analysis
• Need to extract the apk to get its contents
• apk file is a zip file formatted package.
• Extraction done with win-rar or win-zip
• File of interest is classes.dex

35. dex2jar
• C:> dex2jar.bat classes.dex
– Output: classes.dex  classes_dex2jar.jar
• Converts classes.dex file extracted from the
apk to jar file

36. JD-GUI
• To read the code from the .class file in the jar
• Open the jar file with JD-GUI

37. • Four .class files
– Detect.class
• Code is trying to make out if CarrierIQ software is installed on the
system based on some checks.
– R.class
• Every android application contains this class file. Here it is used to
declare few variables
– Utils.class
• Contains few utility method definitions like findFiles.
getCommandOutput etc
– Main.class
• This is the most interesting class as it actually contains the malicious
code.
• The code looks like this

39. Code Analysis
• Four same command to send SMS to the number
“81168” with four different SMS texts
– AT37
– MC49
– SP99
– SP93
• A Google search on the number shows that it a
premium rate sms number that costs almost € 9/SMS
• This is how hackers make money with mobile malware

40. • Some malware listens to incoming messages
• Deletes them even before a user can read it if
• They are from the service providers which
would inform users about their balance or
billing charges.

41. I haz you
• I know the premium rate phone number
• Know the text message being sent
• If interested in catching the crooks,
– find the country and the operator whom the number
belongs to
– persuade them to disclose the information on the
attacker/malware author
– Google helps a lot with substantial information available
publically regarding the same
• If you get the police involved, chances of catching
the hax0r are big

42. Scam
• On Google I found a funny but very interesting Facebook scam
around this
• Like other scam Facebook applications,
– a user gets messages from his friends on Facebook asking him to
vote for his friend on some “Miss and Mister” contest giving an
infected web link
– Following the link actually hacks the Facebook account rendering it
unusable for the user
– Attacker then calls him/her up telling him that his account has been
blocked for so and so reason
– Hence he has to send an SMS to the mentioned number “81168”
with any of the 4 texts
– He will receive a code that has to be given to the caller(who is the
hacker) to unlock his Facebook account.

43. PWNIFICATION

44. • Finished with the analysis
• Extracted information on malware author
• Lets own the malware and making it dance to
our tunes
• Following technique explains the process to
own the malware we just analyzed
– can be fairly generalized

45. Baksmali
• Program used to disassemble the dex files
• Disassembles the .dex file to .smali files
• Names similar to the .class files
• Can be opened in any text-editor
• C:> baksmali-0.93.jar –o smali-out classes.dex

46. • File containing the malicious code
– main$1.smali
– From main.class, figured out in analysis phase
– Open in a text editor

47. • Change the destination number of the sms
– i.e first argument to sendTextMessage function
• Set it to your mobile number or any other
• Save the file
• Demo
– changing it to the port number of my android
emulator

48. Smali
• Used to compile the .smali files back to .dex file
• After making the desired changes to the smali file
• Save it, compile all the .smali files together to
classes.dex using
• C:> smali-0.93.jar smali-out –o classes.dex

49. Packing
• Delete the META-INF folder
– contains the SHA1 of the classes.dex
– will not match the changed classes.dex file
– apk signing information
– has to be changed
• Private key of original author not available
• Have to sign the apk with our private key
• With modified classes.dex, pack the files back to
a .zip file using any packer utility
• Change extension from .zip to .apk

50. Signing
• Mandated by Google for an application (apk) to be
signed by the owner/author’s private key
• Cannot install on an emulator or a device, if it is not
signed
• Can use self-signed certificates to sign applications
• No certificate authority is needed
• To sign we need,
– Keytool
– Jarsigner

51. Keytool
• Comes as a part of jdk installation
• Used to create private key for signing
• C:> keytool -genkey -v -keystore my-personal-
key.keystore -alias alias_name -keyalg RSA -
keysize 2048 -validity 10000
– prompts for passwords for the keystore and key
– and the Distinguished Name fields

52. Jarsigner
• Comes as a part of jdk installation
• Used to sign the apk with created keystore
• C:> jarsigner -verbose -sigalg MD5withRSA -
digestalg SHA1 -keystore my-release-
key.keystore carrieriq.apk alias_name
– modifies the APK in-place
– creates META_INF folder with the signing details
– APK is now signed

53. • To verify if the apk is signed
• C:> jarsigner –verify -verbose my_ carrieriq.apk
alias_name
• If signed properly, it outputs “JAR verified”
• Voila!
• Got ourselves a malware

54. Playing
DYNAMIC ANALYSIS

55. • Install apk (malware) on the android SDK
• To verify the behavior that we modified
• Open two instances of the android emulator
• Install the new malware on one of them
• sms num modified should be the port
number of emulator other than with
malware install.

56. • Install and run the app
• As soon uninstall button is clicked
• SMS gets sent to the other emulator

57. I pwn your maal
• I modified your malware
• Customized it to my need
• Now I pwn you maal
• It will serve me now
•  (evil grin)

58. CONCLUSION

59. • Overview of how android smartphone OS has
become the most popular target for attackers
• Describes different types of malware being
created for the android platform
• Attempts to explain
– the lab setup
– tools required
– the static and dynamic malware analysis
– practically analyzing a real premium SMS sending
malware

60. • After analysis
– Origin of malware is known
– We know how to own the malware
• In short
“I haz you and pwn your maal”.

61. Thanks
Questions??