Hide Android applications in images

by Axelle Apvrille & Ange Albertini
presented at BlackHat Europe 2014, in Amsterdam

PoC: https://github.com/cryptax/angeapk
AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/


  1. Hide Android Applications in Images
     Axelle Apvrille - FortiGuard Labs, Fortinet
     Ange Albertini, Corkami
     BlackHat Europe, Amsterdam, NH, October 2014
  2-6. What is this all about?
     Read the title! ;)
     Hiding Android Applications in ... images
     BlackHat Europe 2014 - A. Apvrille, A. Albertini 2/24
  7. Who are we?
     Axelle
       axelle = { "realname": "Axelle Apvrille",
                  "job": "Mobile/IoT Malware Analyst and Research",
                  "company": "Fortinet, FortiGuard Labs" }
     Ange
       ange = { "realname": "Ange Albertini", "hobby": "Corkami" }
  8. What is this?
     Nice? Thanks, that's GIMP art from me ;)
  9. It's an image!
     file says...
       anakin.png: PNG image data, 636298042 x 1384184774, 19-bit
     PNG file format
       89 50 4e 47 0d 0a 1a 0a 00 01 b4 40 61 61 61 61 |.PNG.......@a
       25 ed 23 3a 52 80 fb c6 13 cc 54 4d 74 f5 78 87 |%.#:R.....TMt
       ba 7d b5 f6 93 63 43 f0 e0 b9 99 9b 37 06 cc 8f |.}...cC.....7
       32 59 5b 55 da 14 e2 87 68 f7 89 e5 88 14 fe 76 |2Y[U....h....
       3e 0b cd 65 ec c4 7a 71 4d 95 c0 4e de 48 30 91 |>..e..zqM..N.
       ...
  10. It is more than that!
     Valid PNG --(AES decrypt)--> Valid Android Package (APK)
  11. Embed this "PNG" in an Android app?
     Imagine... if that PNG/APK is malicious!
     (Nearly) invisible to reverse engineering! The Android app is encrypted.
     Arg! What will I see?
       A fat image
       The wrapping application
       Code that decrypts an asset
       Code that loads/installs an application
     But that depends how well the wrapping app is written. It can be obfuscated...
  12. Demo
     Party time! Demo! Wake up!
  13. In case the demo crashes - lol
     The APK looks genuine
       Archive: PocActivity-debug.apk
        Length      Date    Time    Name
       ---------  ---------- -----   ----
          508720  2014-09-11 13:41   assets/anakin.png
            1272  2014-09-11 14:03   res/layout/main.xml
            1988  2014-09-11 14:03   AndroidManifest.xml
            1444  2014-09-11 14:03   resources.arsc
            7515  2014-09-11 14:03   res/drawable-hdpi/logo.png
            2455  2014-09-11 14:03   res/drawable-ldpi/logo.png
            4471  2014-09-11 14:03   res/drawable-mdpi/logo.png
            8856  2014-09-11 14:03   classes.dex
             634  2014-09-11 14:03   META-INF/MANIFEST.MF
             687  2014-09-11 14:03   META-INF/CERT.SF
             776  2014-09-11 14:03   META-INF/CERT.RSA
       ---------                     -------
          538818                     11 files
  14-15. In case the demo crashes - lol
     The image looks genuine: assets/anakin.png
     Perhaps a bit 'fat': 508720 bytes (≈ 500K) for 382x385 pixels
  16-21. In case the demo crashes - lol
     adb install WrappingApk.apk
     We could use DexClassLoader to hide this
     Payload gets executed
  22-25. How do we do that?
     1. We write a payload APK
     2. We encrypt it using AngeCryption: it looks like a valid PNG
     3. We hack it (a little)
     4. We implement another APK containing the PNG
  26. Power: controlling encryption!
     Plaintext: Android Package (APK) --(encrypt)--> Ciphertext: Genuine PNG
     Is this possible?
  27. AES encryption in practice
     key: 'MySecretKey12345'   block: 'a block of text.'
     key: 'MySecretKey12346'   block: 'a block of text.'
     key: 'MySecretKey12345'   block: 'a block of text!'
  28-30. Can we control the output?
     With a tiny change in the key or the block, the output block is completely different.
     We can't control the output: the output block is (more or less) 'unpredictable'.
     Yes, we can! But there's a trick - AngeCryption
  31. Controlling AES with AngeCryption
     It will look the same ... but be slightly different:
       The APK will look the same to Android (Android does not see the diff)
       The PNG will look the same to our eyes (your eye does not see the diff)
     Manipulate the plaintext so that it encrypts to this PNG.
  32-33. Trick no. 1: dummy PNG chunk
     Header: 0x89 'PNG' \r \n 0x1a \n
     Chunk: length, id, data, CRC32
     Diagram: APK <--(AES decrypt)-- / --(AES encrypt)--> PNG
  34. Trick no. 2: appended zip data
     Payload APK | EOCD 1 | AES^-1( ... Anakin Skywalker ... ) | EOCD 2   = APK
  35. Crypto background
     AES is a block cipher: it can only process a block of 16 bytes.
  36. What if my plaintext is longer?! Chaining - 101
     We use chaining: we apply AES block by block ... well, that's for ECB (Electronic Code Book). Not very good.
     Other chainings: CBC, CFB, OFB... (see FIPS 81)
     We'll use CBC: Cipher Block Chaining
  37. Cipher Block Chaining (CBC) - 101
     IV is the Initialization Vector
     Trick no.3: controlling the first block
       We have our plaintext P0 and ciphertext C0
       We select a key K
       We compute the IV: IV = AES_K^-1(C0) ⊕ P0
  38. Trick no.4: controlling other blocks
     Basically... obvious! Encrypting then decrypting is like doing nothing, and reciprocally.
     Want the ciphertext to be the bitmap of Anakin? Select plaintext = AES^-1(bitmap of Anakin):
       AES(plaintext) = AES(AES^-1(bitmap of Anakin)) = bitmap of Anakin
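Tricks no.3 and no.4 above in working code, as an added example that is not the authors' AngeCryption tool: with P0 fixed and C0 chosen, IV = AES_K^-1(C0) ⊕ P0 makes CBC emit C0, and each later plaintext block is AES_K^-1(C_i) ⊕ C_{i-1}. It needs the `cryptography` package; the key is the one from slide 27 and C0 is the first 16 bytes of anakin.png from slide 9, while the APK header bytes and the later target blocks are constructed sample values.

```python
import struct
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def aes_decrypt_block(key: bytes, block: bytes) -> bytes:
    """AES_K^-1 on one 16-byte block (ECB used only as the raw primitive)."""
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return dec.update(block) + dec.finalize()

def aes_cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Ordinary AES-CBC without padding; len(data) must be a multiple of 16."""
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(data) + enc.finalize()

def iv_for_first_block(key: bytes, p0: bytes, c0: bytes) -> bytes:
    """Trick no.3: IV = AES_K^-1(C0) xor P0, so CBC maps the fixed P0 to the chosen C0."""
    return xor(aes_decrypt_block(key, c0), p0)

def plaintext_for_targets(key: bytes, prev_c: bytes, targets: bytes) -> bytes:
    """Trick no.4: P_i = AES_K^-1(C_i) xor C_{i-1}, so CBC emits each chosen C_i.
    prev_c is the ciphertext block just before the first target block."""
    out = b""
    for i in range(0, len(targets), BLOCK):
        c_i = targets[i:i + BLOCK]
        out += xor(aes_decrypt_block(key, c_i), prev_c)
        prev_c = c_i
    return out

def demo():
    key = b"MySecretKey12345"                 # the key shown on slide 27
    # Wanted C0: first 16 bytes of anakin.png from slide 9 (PNG signature,
    # dummy chunk length 0x0001b440, start of the chunk id "aaaa").
    c0 = bytes.fromhex("89504e470d0a1a0a0001b44061616161")
    # Fixed P0: constructed first 16 bytes of a ZIP/APK local file header.
    p0 = b"PK\x03\x04" + struct.pack("<HHHHH", 20, 0, 8, 0, 0) + b"\x00\x00"
    iv = iv_for_first_block(key, p0, c0)
    # Two further ciphertext blocks we want to appear (constructed sample
    # bytes standing in for the rest of the dummy chunk).
    wanted_rest = bytes(range(32))
    plaintext = p0 + plaintext_for_targets(key, c0, wanted_rest)
    ciphertext = aes_cbc_encrypt(key, iv, plaintext)
    return ciphertext, c0 + wanted_rest

if __name__ == "__main__":
    got, wanted = demo()
    print("ciphertext fully controlled:", got == wanted)
```

The same computation works for any block cipher in CBC mode, which is why a file that "looks like" a valid image after encryption says nothing about what was encrypted.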
  39-41. Full picture
     APK side:
       Payload APK | EOCD 1 | Appended data = chunks for Anakin | Dummy bytes so that the size is a multiple of 16 | EOCD 2
     PNG side:
       File Header | Dummy chunk <- AES encrypt | Chunk CRC32 | Chunk IHDR containing Anakin Skywalker | Chunk(s) IDAT | Chunk IEND | AES(Dummy), AES(EOCD): ignored
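A defender's counterpart to the layout above, added here and not part of the talk: a PNG chunk walker that flags the two structural features this construction needs, a chunk ahead of IHDR and bytes trailing after IEND, and also checks each chunk's CRC32. Both sample PNGs are constructed, and the 'aaaa' chunk holds placeholder bytes rather than an encrypted APK.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one chunk: big-endian length, 4-byte type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk_png(blob: bytes) -> list:
    """Walk the chunk list and return findings; [] means the layout is plain."""
    if blob[:8] != PNG_SIG:
        return ["no PNG signature"]
    findings, pos, first = [], 8, True
    while pos + 8 <= len(blob):
        length = struct.unpack(">I", blob[pos:pos + 4])[0]
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        crc = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc) < 4:
            return findings + [f"truncated chunk {ctype!r}"]
        if first and ctype != b"IHDR":          # the PNG spec requires IHDR first
            findings.append(f"first chunk is {ctype!r}, not IHDR")
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append(f"bad CRC on chunk {ctype!r}")
        first, pos = False, pos + 12 + length
        if ctype == b"IEND":
            if pos < len(blob):                 # decoders stop at IEND; anything after is dead weight
                findings.append(f"{len(blob) - pos} bytes after IEND")
            return findings
    return findings + ["no IEND chunk"]

def clean_png() -> bytes:
    """Constructed minimal 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")           # filter byte + one pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

def suspicious_png() -> bytes:
    """Constructed stand-in for the slide's layout: a private 'aaaa' chunk before
    IHDR and trailing bytes after IEND. Placeholder bytes, not an encrypted APK."""
    image_chunks = clean_png()[8:]
    return PNG_SIG + png_chunk(b"aaaa", bytes(range(256))) + image_chunks + b"\x00" * 32

if __name__ == "__main__":
    print(walk_png(clean_png()), walk_png(suspicious_png()))
```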
  42. Thank You !
     Status
       Works on Android 4.4.2
       June 2014: Android Security Team notified ≈ fixed
     Contact info
       Me: @cryptax or aapvrille at fortinet dot com
       Ange: @angealbertini or ange at corkami dot com
     References
       AngeCryption: http://corkami.googlecode.com/svn/trunk/src/angecryption/
       Code: https://github.com/cryptax/angeapk - soon after conf'
       Corkami: https://code.google.com/p/corkami/
       Fortinet's blog: http://blog.fortinet.com
     Thanks to: @veorq, Android Security Team
