4. DALVIK VM
- Register-based virtual machine.
- Uses its own bytecode, not Java bytecode.
- Designed to run on a slow CPU with little RAM.
- Designed to run on an operating system without swap space.
- Optimized for memory efficiency.
- Uses the Dex class file format.
5. Dex file format
- header
- string_ids
- type_ids
- proto_ids
- field_ids
- method_ids
- class_defs
- data
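Added example (not from the slides or from androguard): a parser for the fixed .dex header that locates the sections listed above and checks the magic, adler32 checksum and SHA-1 signature, the fields a hand-edited file usually breaks. The sample file is constructed in the block (a header plus an empty map_list) so it runs offline.

```python
import hashlib, struct, zlib

# Fixed 0x70-byte header of a .dex file: magic, adler32 checksum, SHA-1 signature, then
# 20 little-endian u32 size/offset fields describing the sections listed above.
HEADER_FMT = "<8sI20s20I"
HEADER_FIELDS = ("magic", "checksum", "signature", "file_size", "header_size", "endian_tag",
                 "link_size", "link_off", "map_off", "string_ids_size", "string_ids_off",
                 "type_ids_size", "type_ids_off", "proto_ids_size", "proto_ids_off",
                 "field_ids_size", "field_ids_off", "method_ids_size", "method_ids_off",
                 "class_defs_size", "class_defs_off", "data_size", "data_off")
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 112
ENDIAN_CONSTANT = 0x12345678

def parse_dex_header(buf):
    """Parse the header and check the integrity fields that a tampered file usually breaks."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, buf, 0)))
    if hdr["magic"][:4] != b"dex\n" or hdr["magic"][7:] != b"\x00":
        raise ValueError("bad magic")
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("byte-swapped dex files are not handled here")
    if hdr["file_size"] != len(buf) or hdr["header_size"] != HEADER_SIZE:
        raise ValueError("size fields disagree with the file")
    if hdr["checksum"] != zlib.adler32(buf[12:]) & 0xFFFFFFFF:  # covers everything after itself
        raise ValueError("adler32 mismatch")
    if hdr["signature"] != hashlib.sha1(buf[32:]).digest():    # covers everything after itself
        raise ValueError("sha1 mismatch")
    for name in HEADER_FIELDS:  # every *_off must land inside the file
        if name.endswith("_off") and hdr[name] > len(buf):
            raise ValueError(name + " points outside the file")
    return hdr

def is_valid_dex(buf):
    try:
        parse_dex_header(buf)
        return True
    except ValueError:
        return False

def build_sample_dex():
    """Constructed stand-in for a real .dex: a header plus an empty map_list, no ids or classes."""
    data = struct.pack("<I", 0)  # map_list with zero entries
    fields = [b"dex\n035\x00", 0, b"\x00" * 20, HEADER_SIZE + len(data), HEADER_SIZE,
              ENDIAN_CONSTANT, 0, 0, HEADER_SIZE] + [0] * 12 + [len(data), HEADER_SIZE]
    buf = bytearray(struct.pack(HEADER_FMT, *fields) + data)
    struct.pack_into("<20s", buf, 12, hashlib.sha1(buf[32:]).digest())   # signature first,
    struct.pack_into("<I", buf, 8, zlib.adler32(buf[12:]) & 0xFFFFFFFF)  # checksum covers it
    return bytes(buf)
```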
8. Anti-analysis
Examples:
- Easy: Use a.class and A.class as class names: the file will be hidden on case-insensitive file systems.
- Medium: Optimize/obfuscate the code with ProGuard.
- Hard: Modify the bytecode to break reversing tools (be sure that it still runs on Dalvik).
Example (androguard's encoded-value parser, with the slide's callouts as comments):
    if self.__value_type >= VALUE_SHORT :        # e.g. androguard-a1: ...
        ...
    elif self.__value_type == VALUE_ARRAY :
        ...
    elif self.__value_type == VALUE_BYTE :
        ...
    # callout: insert value type ... VALUE_ANNOTATION
    elif self.__value_type == VALUE_NULL :
        ...
    elif self.__value_type == VALUE_BOOLEAN :
        ...
    else :
        raise("oops")
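Added example, not androguard's code: a tolerant decoder for the dex encoded_value format that the snippet above dispatches on. Instead of raising "oops" on an unexpected type byte (the "Hard" trick above), it reports undefined or oversized values and keeps going, so one crafted byte does not abort the analysis. Type codes are the dex 035 set; later additions are reported as unknown.

```python
import struct

# value_type codes of the dex encoded_value format (dex 035 set); each value starts with one
# byte whose low 5 bits are the type and high 3 bits ("value_arg") carry size-1 or a flag.
VALUE_BYTE, VALUE_SHORT, VALUE_CHAR, VALUE_INT, VALUE_LONG = 0x00, 0x02, 0x03, 0x04, 0x06
VALUE_FLOAT, VALUE_DOUBLE = 0x10, 0x11
VALUE_STRING, VALUE_TYPE, VALUE_FIELD, VALUE_METHOD, VALUE_ENUM = 0x17, 0x18, 0x19, 0x1a, 0x1b
VALUE_ARRAY, VALUE_ANNOTATION, VALUE_NULL, VALUE_BOOLEAN = 0x1c, 0x1d, 0x1e, 0x1f
SIGNED = {VALUE_BYTE: 1, VALUE_SHORT: 2, VALUE_INT: 4, VALUE_LONG: 8}
UNSIGNED = {VALUE_CHAR: 2, VALUE_STRING: 4, VALUE_TYPE: 4, VALUE_FIELD: 4, VALUE_METHOD: 4, VALUE_ENUM: 4}
FLOATS = {VALUE_FLOAT: (4, "<f"), VALUE_DOUBLE: (8, "<d")}

def decode_value(buf, pos):
    """Decode one encoded_value at buf[pos]; returns (kind, value, next_pos).
    Undefined or oversized values come back as 'unknown'/'invalid' instead of
    aborting the whole parse, which is what the raise("oops") branch above does."""
    first = buf[pos]
    vtype, varg = first & 0x1F, first >> 5
    size, end = varg + 1, pos + 1 + varg + 1
    if vtype == VALUE_NULL:
        return ("null", None, pos + 1) if varg == 0 else ("invalid", first, pos + 1)
    if vtype == VALUE_BOOLEAN:
        return ("bool", bool(varg), pos + 1) if varg < 2 else ("invalid", first, pos + 1)
    if vtype in (VALUE_ARRAY, VALUE_ANNOTATION):  # nested payload follows; caller parses it
        return ("composite", vtype, pos + 1) if varg == 0 else ("invalid", first, pos + 1)
    width = SIGNED.get(vtype) or UNSIGNED.get(vtype) or FLOATS.get(vtype, (0,))[0]
    if width == 0:
        return ("unknown", first, pos + 1)      # e.g. 0x01, 0x05, 0x12: no such type code
    if size > width or end > len(buf):
        return ("invalid", first, pos + 1)      # claims more bytes than the type (or file) has
    raw = bytes(buf[pos + 1:end])
    if vtype in FLOATS:  # floats are stored with their low-order zero bytes dropped
        return ("float", struct.unpack(FLOATS[vtype][1], raw.rjust(width, b"\x00"))[0], end)
    return ("int", int.from_bytes(raw, "little", signed=vtype in SIGNED), end)

def scan_values(buf):
    """Walk a run of scalar encoded_values, continuing past bad entries and reporting each."""
    out, pos = [], 0
    while pos < len(buf):
        kind, value, pos = decode_value(buf, pos)
        out.append((kind, value))
        if kind == "composite":
            break  # an array/annotation payload needs its own structured parser
    return out
```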
11. Dynamic Analysis
Advanced:
- Create your own system image and modify the Java classes to log the program flow. Example: framework/base/core/java/android/os/Process.java
14. Anti-VM
- Detecting the emulator is very easy:
DEVICE_ID:
    String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
    boolean emulator = TextUtils.isEmpty(id);
Solution: change the secure->android_id value in data/data/com.android.providers.settings/databases/settings.db
IMSI:
    TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
    String imsi = manager.getSubscriberId();   // 00000... on the emulator
Solution: patch the emulator binary (search for the +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).
15. More Anti-VM
- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
- Detect ADB artifacts: process, network, debug enabled...
- /proc/cpuinfo -> Hardware: Goldfish
- vibrator.vibrate(milliseconds) and use a SensorListener (sensor data doesn't change) (Thanks Ehooo)
- Qemu-specific detection (Google)
Solution: patch the emulator, Qemu, system hooking...
16. Alternatives to Android Emulator
- http://www.android-x86.org/ (supports VMware)
- Use a real phone... slower
17. Attack Vectors
- Alternative markets, repackaged applications.
- SMS, MMS vulnerabilities, fuzzing!!!
- Wireless, Bluetooth drivers
- NFC
- System components: WebKit, sound library, kernel.
18. Third party software
Source: http://android.git.kernel.org/
19. ADRD aka Redbunny
- "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)
- "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
- Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
* Name: com.beautyfullivewallpaper
* Date: Feb. 2, 2011, 1:49 p.m.
- Also known as HongTouTou
21. Detection
- Sends HTTP requests through a proxy:
    HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
    HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);
- Services:
* com.xxx.yyy.MyService
* .beauty.Beauty
- Intents:
* android.intent.action.BOOT_COMPLETED -> starts at system boot
* android.intent.action.PHONE_STATE
* android.net.conn.CONNECTIVITY_CHANGE
22. Analysis I
(Flow diagram of the malware modules; the numbered callouts are kept in order.)
(1) Service module (MyService):
- Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types)
- Sets the preferred APN
- Runs every 12 hours
(2) Looks for a specific APN network: "CMWAP" || "UNIWAP"
(3) Cipher data module: public static String encrypt/decrypt; Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
(4) Loop: sends data to adrd.taxuan.net/index.aspx?im=%s
+ IMEI
+ IMSI
+ Netway (preferred APN)
+ iversion
+ oversion
+ Decrypt response
+ Switch(cmd) (it depends on the ...):
  0 Do nothing
  1 adad.StartGo()
  2 ParseO
  3 UpdateHelper()
(5) adad.StartGo(): sends http://adrd.xiaxiab.com/pic.aspx?im= + encrypt(IMEI+IMSI...); parses the big list of urls/referers, e.g. B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1; BBBB.Go() -> retrieves search lists from wap.baidu.com; FixUrls(): sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS.
ParseO(): parses the server response (number, flags, tags..): T213607170863|12345|+ -10086+ abc -597| [ '
(6) UpdateHelper installs the update apk; sends log data to the control servers.
23. Analysis II
- Following the encryption routines, the DES key is found…: this.kk = "48734154";
* UpdateHelper class:
    public class UpdateHelper
    {
        private static String savefilepath = "/myupdate.apk";
        private Context ct;
        private int netway;
* Benefit from visits to the content (Baidu) and bandwidth consumption (China Mobile && Unicom) and also SMS charges.
- Server URLs (there are more):
http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA
- We want to know more!!
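Added example covering the Detection slide and the command loop from Analysis I/II (not the authors' tooling): a beacon detector for the C2 URL shape (host, .aspx path, ciphered im= parameter) run over a constructed proxy log, plus a decoder that maps a decrypted reply to the switch(cmd) cases. The reply layout (leading T, one command digit, '|'-separated fields) is an assumption read off the samples on these slides; the log format and im= values are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# C2 hosts and script paths named on the slides; the switch(cmd) cases from MyService's loop
ADRD_HOSTS = {"adrd.taxuan.net", "adrd.xiaxiab.com"}
ADRD_PATHS = {"/index.aspx", "/pic.aspx", "/down.aspx"}
COMMANDS = {0: "do nothing", 1: "adad.StartGo()", 2: "ParseO()", 3: "UpdateHelper()"}

def classify_url(url):
    """Return a reason string if url matches the ADRD beacon shape, else None."""
    u = urlsplit(url)
    if u.hostname in ADRD_HOSTS and u.path.lower() in ADRD_PATHS and "im" in parse_qs(u.query):
        return "ADRD beacon to %s%s" % (u.hostname, u.path)
    return None

def scan_proxy_log(log):
    """Scan '<ts> <client> <method> <url>' lines (constructed format) into (client, reason) hits."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        reason = classify_url(parts[3])
        if reason:
            hits.append((parts[1], reason))
    return hits

def parse_command(plaintext):
    """Decode a decrypted C2 reply. Assumed layout, from the samples on the slides:
    a leading 'T', one command digit (or -1), then '|'-separated fields (number, flags, tags...)."""
    m = re.fullmatch(r"T(-?\d)(.*)", plaintext, re.S)
    if not m:
        return {"cmd": None, "action": "unrecognised", "fields": [plaintext]}
    cmd = int(m.group(1))
    return {"cmd": cmd, "action": COMMANDS.get(cmd, "unknown"), "fields": m.group(2).split("|")}

# Constructed sample log; the im= values are placeholders, not real ciphertext.
SAMPLE_LOG = """\
1297000001 10.1.2.3 GET http://wap.baidu.com/s?word=news
1297000002 10.1.2.3 GET http://adrd.taxuan.net/index.aspx?im=PLACEHOLDER1
1297000003 10.1.2.4 GET http://adrd.xiaxiab.com/pic.aspx?im=PLACEHOLDER2
1297000004 10.1.2.5 GET http://example.org/index.aspx?im=1
"""

if __name__ == "__main__":
    for client, reason in scan_proxy_log(SAMPLE_LOG):
        print(client, reason)
    print(parse_command("T3http://adrd.xiaxiab.com/down.aspx"))
```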
24. Control Servers
- adrd.xiaxiab.com from an eagle's-eye view:
* Microsoft-IIS/6.0
* Debug enabled (displaying .NET errors and backtraces)
* Hidden paths to the .NET/aspx application
* ALL is Chinese! (WTF!?!"·$%&/(?)
- Possible attack vectors:
* HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)
25. Control Servers
- First results:
* Exceptions in Chinese. Google Translate is your friend
* Errors in .NET (it didn't generate any HTML list/table or view to use for displaying data)
* We got a successful SQL injection after the last ciphered parameter :D)
* User without admin privileges.
* Permissions to run backups + shared resources = timeout
* Other possibilities:
+ 1: Create a temporary DB with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (also the language didn't help)
+ 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the HTTP logs, and it's not usual to log all the DB queries for performance reasons).
26. Database Information
- The whole schema obtained: list of tables, fields, types, stored procedures
- IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts
- The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx!
* Parameters:
    @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
* Stored procedure:
    --if (@netwap=2)
    select 'T-1|T11'
    --select 'T3http://adrd.xiaxiab.com/down.aspx'
    --select 'T213607170863|12345|+ -10086+ abc -597| [ '
    --else
    --select 'T013607170863'
* Looks like they were considering the netwap (based on the mobile operator) as a criterion to send commands
* TX (where X seems to be a command type)
* 13607170863 is a phone number located in Wuhan
28. Myupdate.apk
- It uses the main package of the ADRD family, xxx.yyy.
- The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS..
- Looks like a Google Reader
- It adds a local SQLite DB (keyword storage):
go_g1_sms: id, keyword, type, flag
go_g2_sms: id, keyword, keyword2
- SMSObserver:
* Replaces keywords in SMSs.
* Sends SMS!
31. Infections
Infections by operator (chart): +20K different IMSIs
Other affected operators:
- Far EasTone
- Peoples Telephone Company
- Hutchison 3G
- PCCW Mobile Sunday
- Hong Kong Telecom
- Smart One Mobile
32. Thank You! Questions?
@jaimeblascob
@PabloForThePPL