SlideShare a Scribd company logo

CNIT 128 5: Mobile malware

Sam Bowne
Sam Bowne

Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018. Instructor: Sam Bowne Class website: https://samsclass.info/128/128_S17.shtml

Education
1 of 41
Download to read offline
Ch 5: Mobile Malware CNIT 128: Hacking Mobile Devices Updated 3-7-17
Increase in Mobile Malware • From link Ch 5h
Early Malware • LibertyCrack (2000) – Trojan masquerading as pirated software for Palm OS – Restored device to factory defaults
Early Malware • Cabir (2004) – First phone worm – Infected Symbian phones – Spread via Bluetooth • Image from link Ch 5a
Android Malware: New Reports
• Link Ch 5i
• Ch 5j
Android Malware: From Textbook
DroidDream (2011) • Was primarily distributed by the Google Play store • Legitimate apps were repackaged to include DroidDream and then put back in the Play store
Excessive Permissions • App trojaned by DroidDream asks for too many permissions
Information Theft • When it is installed, DroidDream launches a "Setting" service • Steals private information and sends it to a remote server – International Mobile Station Equipment Identity (IMEI) – International Mobile Subscriber Identity (IMSI)
Botted • DroidDream then roots the device • Hijacks the app downloading and installing code • Makes it a bot under remote control
Google's Response • Google removed the repackaged apps from the Play Store • But 50,000 – 200,000 users were already infected
NickiSpy • Packaged into other software • At next reboot, it launches the services shown to the right • Steals IMEI, location, SMS messages and records voice phone calls • Records sound when phone is not in use
Google's Response to NickiSpy • Android 2.3 removed the ability for an application to change the phone state without user interaction • So an app could no longer turn on the microphone as stealthily
SMSZombie • Packaged inside live wallpaper apps in a Chinese marketplace named Gfan • Makes fraudulent payments using China Mobile SMS Payment • No permissions are requested during installation, because it starts as a wallpaper app – No clue to warn the user
Malicious App • It then downloads another app and shows the user a box with only one option "Install" to get "100 points!" • That installs another app that does ask for permissions
Becoming Administrator
Payload • SMSZombie sends all SMS messages currently on the device to a target phone # • It then scans all SMS messages to stealthily steal and delete ones that are warning the phone user about fraudulent SMS transactions
Banking Malware
Man-in-the-Browser (MITB) Attack • A Trojan installed on a PC hooks Windows API networking calls such as HttpSendRequestW • Allows attacker to intercept and modify HTTP and HTTPS traffic sent by the browser • Can steal banking credentials and display false information to the user
Two-Factor Authentication (2FA) • This was the response by banks to resist MITB attacks • Use an SMS to a phone as the second factor for 2FA – Message contains a mobile transaction authentication number (mTAN) • Customer types mTAN into the banking web app on the PC
Zeus and Zitmo Defeat 2FA • Zeus malware on the PC – Manipulates HTTPS traffic to encourage user to install fake Trusteer mobile security software – Looks like legitimate security software on the phone – Steals SMS messages from the phone to defeat 2FA
FakeToken • User is tricked into installing TokenGenerator app • It requests suspicious permissions, including – Install and delete apps • An error by the malware designers: only system apps can have that permission – Send and receive SMS messages
Payload • TakeToken steals SMS messages to defeat 2FA • Can also steal contact list
How Bouncer was Hacked • Researchers submitted an app containing a remote shell • When Bouncer ran the app in a virtual machine, it phoned home to the researchers • They explored the VM and exploited Bouncer itself • With a remote shell inside Bouncer, they explored it and found ways to defeat it
Google Application Verification Service • Launched in 2012 • Tries to detect malicious apps • Much less effective than 3rd-party AV – Link Ch 5e
Moral: Get Real AV • Avast! won in a review from Feb., 2015 – Link Ch 5g • There are plenty of others, including – Lookout – AVG – Kaspersky – Norton – McAfee
iOS Malware What iOS malware?
Risk is Very Small • Very few items of malware, very few users actually infected, no real harm done • An academic exercise in theoretical computer security, not a real risk for users
Fake Update • "iPhone firmware 1.1.3 prep software" • Only for jailbroken devices • Supposedly written by an 11-year-old • Broke utilities like Doom and SSH • A minor annoyance
Jailbroken iPhones with Default SSH Password • Dutch teenager scanned for iPhones on T- Mobile's 3G IP range – Pushed ransomware onto phones in Nov. 2009 • Australian teenager wrote the iKee worm to Rickroll iPhones in 2009 – A later version made an iPhone botnet
iOS Malware in the Apple App Store • "Find and Call" – First seen in 2012 – Also in Google Play – Uploads user's contacts to a Web server – Sends SMS spam to the contacts with install links – Spreads but does no other harm
Malware Security:
 Android v. iOS
Why the Huge Difference? • Market share • App approval process – $25 to register for Google Play • Apps appear within 15-60 min. – $99 to register for Apple's App Store • A week of automated & manual review before app appears in the store • Third-party app stores – Allowed on Android, but not on iOS (unless you jailbreak)

Recommended

CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOS
Sam Bowne
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
Sam Bowne
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
Sam Bowne
 
CNIT 128 7: Mobile Device Management
CNIT 128 7: Mobile Device ManagementCNIT 128 7: Mobile Device Management
CNIT 128 7: Mobile Device Management
Sam Bowne
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
CNIT 128: 9: Mobile payments
CNIT 128: 9: Mobile paymentsCNIT 128: 9: Mobile payments
CNIT 128: 9: Mobile payments
Sam Bowne
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 

Recommended

CNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOSCNIT 128 Ch 3: iOS
CNIT 128 Ch 3: iOS
Sam Bowne
 
CNIT 128 Ch 4: Android
CNIT 128 Ch 4: AndroidCNIT 128 Ch 4: Android
CNIT 128 Ch 4: Android
Sam Bowne
 
CNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystemCNIT 128 Ch 1: The mobile risk ecosystem
CNIT 128 Ch 1: The mobile risk ecosystem
Sam Bowne
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
Sam Bowne
 
CNIT 128 7: Mobile Device Management
CNIT 128 7: Mobile Device ManagementCNIT 128 7: Mobile Device Management
CNIT 128 7: Mobile Device Management
Sam Bowne
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient Truth
AGILLY
 
CNIT 128: 9: Mobile payments
CNIT 128: 9: Mobile paymentsCNIT 128: 9: Mobile payments
CNIT 128: 9: Mobile payments
Sam Bowne
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
eightbit
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
eightbit
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
Krisshhna Daasaarii
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
Satish b
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
Urvashi Kataria
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
NorazlinaAbdullah4
 
CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)
Sam Bowne
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
Cygnet Infotech
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
SecureState
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
eightbit
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
Hamilton Turner
 
DerbyCon 2017 - Behind Enemy Lines
DerbyCon 2017 - Behind Enemy LinesDerbyCon 2017 - Behind Enemy Lines
DerbyCon 2017 - Behind Enemy Lines
Michael Flossman
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
Shubhneet Goel
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
NIRMAL RAJ
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 
Ch 6: Enumeration
Ch 6: EnumerationCh 6: Enumeration
Ch 6: Enumeration
Sam Bowne
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
Sam Bowne
 

More Related Content

What's hot

Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
Tom Eston
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
Cygnet Infotech
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
Shubhneet Goel
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
NIRMAL RAJ
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
Priyanka Aash
 

What's hot (20)

AusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS ApplicationsAusCERT - Developing Secure iOS Applications
AusCERT - Developing Secure iOS Applications
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
YOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS ApplicationsYOW! Connected 2014 - Developing Secure iOS Applications
YOW! Connected 2014 - Developing Secure iOS Applications
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Pentesting iPhone applications
Pentesting iPhone applicationsPentesting iPhone applications
Pentesting iPhone applications
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
iOS Security and Encryption
iOS Security and EncryptioniOS Security and Encryption
iOS Security and Encryption
 
Chapter 4
Chapter 4Chapter 4
Chapter 4
 
CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)CNIT 128 8. Android Implementation Issues (Part 3)
CNIT 128 8. Android Implementation Issues (Part 3)
 
Challenges in Testing Mobile App Security
Challenges in Testing Mobile App SecurityChallenges in Testing Mobile App Security
Challenges in Testing Mobile App Security
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
Bringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android EndpointBringing Government and Enterprise Security Controls to the Android Endpoint
Bringing Government and Enterprise Security Controls to the Android Endpoint
 
DerbyCon 2017 - Behind Enemy Lines
DerbyCon 2017 - Behind Enemy LinesDerbyCon 2017 - Behind Enemy Lines
DerbyCon 2017 - Behind Enemy Lines
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 
Hacking By Nirmal
Hacking By NirmalHacking By Nirmal
Hacking By Nirmal
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
 

Viewers also liked

Viewers also liked (20)

Ch 6: Enumeration
Ch 6: EnumerationCh 6: Enumeration
Ch 6: Enumeration
 
Ch 10: Hacking Web Servers
Ch 10: Hacking Web ServersCh 10: Hacking Web Servers
Ch 10: Hacking Web Servers
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows Programs
 
CNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking OverviewCNIT 123 Ch 1: Ethical Hacking Overview
CNIT 123 Ch 1: Ethical Hacking Overview
 
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
CNIT 128: 6: Mobile services and mobile Web (part 1: Beginning Through OAuth)
 
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
CNIT 128 Ch 6: Mobile services and mobile Web (part 2: SAML to end)
 
Ch 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts ReviewCh 2: TCP/IP Concepts Review
Ch 2: TCP/IP Concepts Review
 
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
CNIT 127 Lecture 7: Intro to 64-Bit Assembler (not in book)
 
Ch 12: Cryptography
Ch 12: CryptographyCh 12: Cryptography
Ch 12: Cryptography
 
Ch 13: Network Protection Systems
Ch 13: Network Protection SystemsCh 13: Network Protection Systems
Ch 13: Network Protection Systems
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden ThreatCh 9: Embedded Operating Systems: The Hidden Threat
Ch 9: Embedded Operating Systems: The Hidden Threat
 
Ch 7: Programming for Security Professionals
Ch 7: Programming for Security ProfessionalsCh 7: Programming for Security Professionals
Ch 7: Programming for Security Professionals
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security Professionals
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
CNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of WindowsCNIT 127 Ch 6: The Wild World of Windows
CNIT 127 Ch 6: The Wild World of Windows
 
CISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset SecurityCISSP Prep: Ch 3. Asset Security
CISSP Prep: Ch 3. Asset Security
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 

Similar to CNIT 128 5: Mobile malware

I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
Harsimran Walia
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
Tyler Shields
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
Harsimran Walia
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
Jimmy Shah
 

Similar to CNIT 128 5: Mobile malware (20)

Can You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security RisksCan You Steal From Me Now? Mobile and BYOD Security Risks
Can You Steal From Me Now? Mobile and BYOD Security Risks
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
ANDROID SECURITY
ANDROID SECURITYANDROID SECURITY
ANDROID SECURITY
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Android phone identifiers and eavesdropping audio
Android phone identifiers and eavesdropping audioAndroid phone identifiers and eavesdropping audio
Android phone identifiers and eavesdropping audio
 
IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?IQT 2010 - The App Does That!?
IQT 2010 - The App Does That!?
 
Forensic And Cloud Computing
Forensic And Cloud ComputingForensic And Cloud Computing
Forensic And Cloud Computing
 
News Bytes June 2012
News Bytes June 2012News Bytes June 2012
News Bytes June 2012
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Mobile Security for Smartphones and Tablets
Mobile Security for Smartphones and TabletsMobile Security for Smartphones and Tablets
Mobile Security for Smartphones and Tablets
 
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
NETC 2012_Mobile Security for Smartphones and Tablets (pptx)
 
Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012Lumension Security - Adjusting our defenses for 2012
Lumension Security - Adjusting our defenses for 2012
 
18-mobile-malware.pptx
18-mobile-malware.pptx18-mobile-malware.pptx
18-mobile-malware.pptx
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest LinkSecuring Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
 
Smartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkitsSmartphone Ownage: The state of mobile botnets and rootkits
Smartphone Ownage: The state of mobile botnets and rootkits
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
DEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.pptDEVSECOPS_the_beginning.ppt
DEVSECOPS_the_beginning.ppt
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
SanaAli374401
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 

Recently uploaded (20)

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin ClassesMixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
An Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdfAn Overview of Mutual Funds Bcom Project.pdf
An Overview of Mutual Funds Bcom Project.pdf
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 

CNIT 128 5: Mobile malware

  • 1. Ch 5: Mobile Malware CNIT 128: Hacking Mobile Devices Updated 3-7-17
  • 2. Increase in Mobile Malware • From link Ch 5h
  • 3. Early Malware • LibertyCrack (2000) – Trojan masquerading as pirated software for Palm OS – Restored device to factory defaults
  • 4. Early Malware • Cabir (2004) – First phone worm – Infected Symbian phones – Spread via Bluetooth • Image from link Ch 5a
  • 7.
  • 8.
  • 9.
  • 11.
  • 12.
  • 14. DroidDream (2011) • Was primarily distributed by the Google Play store • Legitimate apps were repackaged to include DroidDream and then put back in the Play store
  • 15. Excessive Permissions • App trojaned by DroidDream asks for too many permissions
  • 16. Information Theft • When it is installed, DroidDream launches a "Setting" service • Steals private information and sends it to a remote server – International Mobile Station Equipment Identity (IMEI) – International Mobile Subscriber Identity (IMSI)
  • 17. Botted • DroidDream then roots the device • Hijacks the app downloading and installing code • Makes it a bot under remote control
  • 18. Google's Response • Google removed the repackaged apps from the Play Store • But 50,000 – 200,000 users were already infected
  • 19. NickiSpy • Packaged into other software • At next reboot, it launches the services shown to the right • Steals IMEI, location, SMS messages and records voice phone calls • Records sound when phone is not in use
  • 20. Google's Response to NickiSpy • Android 2.3 removed the ability for an application to change the phone state without user interaction • So an app could no longer turn on the microphone as stealthily
  • 21. SMSZombie • Packaged inside live wallpaper apps in a Chinese marketplace named Gfan • Makes fraudulent payments using China Mobile SMS Payment • No permissions are requested during installation, because it starts as a wallpaper app – No clue to warn the user
  • 22. Malicious App • It then downloads another app and shows the user a box with only one option "Install" to get "100 points!" • That installs another app that does ask for permissions
  • 24. Payload • SMSZombie sends all SMS messages currently on the device to a target phone # • It then scans all SMS messages to stealthily steal and delete ones that are warning the phone user about fraudulent SMS transactions
  • 26. Man-in-the-Browser (MITB) Attack • A Trojan installed on a PC hooks Windows API networking calls such as HttpSendRequestW • Allows attacker to intercept and modify HTTP and HTTPS traffic sent by the browser • Can steal banking credentials and display false information to the user
  • 27. Two-Factor Authentication (2FA) • This was the response by banks to resist MITB attacks • Use an SMS to a phone as the second factor for 2FA – Message contains a mobile transaction authentication number (mTAN) • Customer types mTAN into the banking web app on the PC
  • 28. Zeus and Zitmo Defeat 2FA • Zeus malware on the PC – Manipulates HTTPS traffic to encourage user to install fake Trusteer mobile security software – Looks like legitimate security software on the phone – Steals SMS messages from the phone to defeat 2FA
  • 29. FakeToken • User is tricked into installing TokenGenerator app • It requests suspicious permissions, including – Install and delete apps • An error by the malware designers: only system apps can have that permission – Send and receive SMS messages
  • 30. Payload • TakeToken steals SMS messages to defeat 2FA • Can also steal contact list
  • 31.
  • 32. How Bouncer was Hacked • Researchers submitted an app containing a remote shell • When Bouncer ran the app in a virtual machine, it phoned home to the researchers • They explored the VM and exploited Bouncer itself • With a remote shell inside Bouncer, they explored it and found ways to defeat it
  • 33. Google Application Verification Service • Launched in 2012 • Tries to detect malicious apps • Much less effective than 3rd-party AV – Link Ch 5e
  • 34. Moral: Get Real AV • Avast! won in a review from Feb., 2015 – Link Ch 5g • There are plenty of others, including – Lookout – AVG – Kaspersky – Norton – McAfee
  • 36. Risk is Very Small • Very few items of malware, very few users actually infected, no real harm done • An academic exercise in theoretical computer security, not a real risk for users
  • 37. Fake Update • "iPhone firmware 1.1.3 prep software" • Only for jailbroken devices • Supposedly written by an 11-year-old • Broke utilities like Doom and SSH • A minor annoyance
  • 38. Jailbroken iPhones with Default SSH Password • Dutch teenager scanned for iPhones on T- Mobile's 3G IP range – Pushed ransomware onto phones in Nov. 2009 • Australian teenager wrote the iKee worm to Rickroll iPhones in 2009 – A later version made an iPhone botnet
  • 39. iOS Malware in the Apple App Store • "Find and Call" – First seen in 2012 – Also in Google Play – Uploads user's contacts to a Web server – Sends SMS spam to the contacts with install links – Spreads but does no other harm
  • 41. Why the Huge Difference? • Market share • App approval process – $25 to register for Google Play • Apps appear within 15-60 min. – $99 to register for Apple's App Store • A week of automated & manual review before app appears in the store • Third-party app stores – Allowed on Android, but not on iOS (unless you jailbreak)