SESSION ID: CRWD-W13
The Secrets of Malware Success on Google Play Store
Rowland Yu, Senior Threat Researcher, SOPHOS (#rowlandy)
#RSAC
AGENDA
- THE TAKEAWAYS
- GOOGLE PLAY FACTS
- GOOGLE PLAY SECURITY MEASURES
- MALWARE HISTORY ON GOOGLE PLAY
- THE MISSION OF MALWARE
- THE SECRET WEAPONS OF CYBERCRIMINALS
- ANDROID APPLICATION PACKAGE (APK)
- CASE STUDIES
- LESSONS & CONCLUSIONS
THE TAKEAWAYS
- The security measures in Google Play
- The social engineering techniques employed by malware
- A practical knowledge of how malware bypasses Google Play security
GOOGLE PLAY FACTS
LAUNCH AN APP ON GOOGLE PLAY
How to launch an Android app on the Google Play Store:
1. Register ($25 USD)
2. Prepare and upload your app
3. Store listing
4. Pricing & distribution
5. Publish your app (takes up to 24 hours to go live)
NUMBER OF APPS ON GOOGLE PLAY
(chart: number of available apps on Google Play)
GOOGLE PLAY SECURITY MEASURES
(Source: Android White Paper, February 2016)

Two changes to Google Play app reviews from March 2015:
- Move to real human reviewers
- Introduce an age-based rating system
MALWARE HISTORY ON GOOGLE PLAY
Timeline of malware found on Google Play, February 2012 to February 2016 (timeline chart; families named on it):
Find and Call, Carberp, FakeMarket, Brazilian Banker, Hideicon, BadNews, Plankton, DroidCleaner, FakeLookout, Android DropDialer, SaveMe, ZertSecurity, VirusShield, DenDroid, KK plugin, Dubsmash, MobiDash, InfectedHTML, BrainTest, FakeBatteryBotPro, Santa Claus, Ngu Studios, TurkishClicker, Bumzasery, BrainTest2, InstaAgent, Feabme
MALWARE HISTORY ON GOOGLE PLAY: eleven families reported between April 2015 and January 2016

Report Date  Name             First Seen  Behaviour     Installs
2015-04-24   Dubsmash         2015-04-17  Porn Clicker  100,000 - 500,000
2015-07-06   Fake BatteryPro  2015-06-17  Backdoor      100,000 - 500,000
2015-07-09   Feabme           2015-04-10  Phishing      501,000 - 1,005,000
2015-07-22   Ngu Studio       2015-07-14  Porn Clicker  25,000 - 50,000
2015-08-05   Bumzasery        2015-08-05  Porn Clicker  27
2015-09-21   BrainTest        2015-07-28  Backdoor      100,000 - 500,000
2015-11-11   Insta Agent      2015-10-16  Phishing      100,000 - 500,000
2015-11-17   KK plugin        2014-09-22  Agent         100,000 - 500,000
2015-12-17   Santa Claus      2015-12-17  Backdoor      N/A
2016-01-06   BrainTest2       2015-10-01  Backdoor      606,000 - 1,335,000
2016-01-08   Turkish Clicker  2015-09-27  Backdoor      500 - 1,000
Total installs: ~5,000,000
THE MISSION OF MALWARE
Think Like A Cybercriminal
WHAT MALWARE WANTS TO DO
Survival
THE SECRET WEAPONS OF CYBERCRIMINALS
Technical weapons: IP info, timebombs, dynamic code loading, obfuscation/packing, encryption, remote payload
Survival: behave for a while before going rogue
Hosted in (a lot of) games and tools
Social engineering, silent mode, boundary
ANDROID APPLICATION PACKAGE (APK)
An APK is an extension of ZIP / JAR (MIME type application/vnd.android.package-archive), digitally signed with a certificate and named com.package.name.apk; it unpacks with: unzip blah.apk

Blah.apk
  META-INF/
    MANIFEST.MF            Manifest file (text): the list of resources and the SHA-1 digest of each
    CERT_NAME.SF           Signature manifest file (text): SHA-1 digest of the corresponding lines in MANIFEST.MF
    CERT_NAME.(RSA|DSA)    Developer public certificate of the APK
  lib/
    arm*/ x86/ mips/       Compiled shared libraries (lib*.so): native ELF files specific to a processor
  res/
    drawable-*/ *.png      Resource files, non-compiled: images, xml files, raw binary files, media files ...
    xml/ *.xml             May contain malicious payloads
    raw/ ...
  assets/ *                Asset files, retrieved by AssetManager; another good place to hide payloads
  AndroidManifest.xml      Android manifest, compiled binary xml: the entry points for the app
  classes.dex              Executable Dalvik code for the Dalvik virtual machine
  resources.arsc           Precompiled resources
  *                        Random files

Layout after https://github.com/rednaga/training/tree/master/DEFCON23
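An added Python example (not from the talk and not from any APK tool) that does for MANIFEST.MF what the platform's v1 signature check does: it recomputes the SHA-1 of every entry and reports mismatched, unlisted and missing files. The APK it inspects is a constructed sample built in the same block.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Parse MANIFEST.MF into {entry name: base64 SHA-1}; continuation lines start with a space."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in attrs and "SHA1-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA1-Digest"]
    return digests

def verify_manifest(apk_bytes):
    """Recompute the SHA-1 of every non-META-INF entry and compare it with MANIFEST.MF (v1 signing)."""
    z = zipfile.ZipFile(io.BytesIO(apk_bytes))
    listed = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
    present = [n for n in z.namelist() if not n.startswith("META-INF/") and not n.endswith("/")]
    report = {"mismatch": [], "unlisted": [], "missing": sorted(set(listed) - set(present))}
    for name in present:
        actual = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
        if name not in listed:
            report["unlisted"].append(name)
        elif listed[name] != actual:
            report["mismatch"].append(name)
    return report

def build_sample_apk(tampered=False):
    """Constructed sample: an APK-shaped zip whose MANIFEST.MF was computed over the clean files."""
    files = {
        "AndroidManifest.xml": b"<manifest package='com.example.blah'/>",
        "classes.dex": b"dex\n035\x00" + bytes(16),
        "assets/start.ogg": b"OggS" + bytes(12),
    }
    manifest = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        manifest += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    if tampered:  # a payload swapped in and a file added after the manifest was written
        files["assets/start.ogg"] = b"\x8f\x13\x55encrypted dex"
        files["assets/x.dat"] = b"extra"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\n".join(manifest))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()
```

A clean report on a signed APK means every asset, including a decrypt-and-load file such as BrainTest's start.ogg, was part of the developer's own submission rather than a post-signing modification.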
CASE STUDY – PHISHING
Report Date  Name        First Seen  Period   Installs
2015-07-09   Feabme      2015-04-10  90 days  501,000 - 1,005,000
2015-11-11   InstaAgent  2015-10-16  26 days  100,000 - 500,000
PHISHING TEST
(screenshots of four login screens, labelled A, B, C and D: which one is malicious?)
PHISHING – FEABME
Popular games on Google Play: Cowboy Adventure, Jump Chess
500,000 – 1,000,000 installs from Google Play
Images from: http://www.welivesecurity.com/2015/07/09/apps-google-play-steal-facebook-credentials/

MONOGAME FRAMEWORK
C#, based on the .NET framework
FEABME PAYLOAD
Main activity; fake Facebook payload

FEABME WORKFLOW
CowboyAdventure.dll (Activity1) -> TinkerAccountLibrary.dll -> payload from remote -> phishing activity -> submit to remote
CASE STUDY – BRAINTEST
Reference: http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
Report Date  Name        First Seen  Period   Installs
2015-09-21   BrainTest   2015-07-28  55 days  100,000 - 500,000
2016-01-06   BrainTest2  2015-10-01  97 days  606,000 - 1,335,000

Weapons used by BrainTest: IP info, timebombs, dynamic code loading, encryption, remote payload, packing/obfuscation
IP INFO
Bypass Google Bouncer via ipinfo.io. Sample response from http://ipinfo.io/json:

{
  "ip": "91.109.247.173",
  "hostname": "tor-exit2-readme.puckey.org",
  "city": "",
  "region": "",
  "country": "GB",
  "loc": "51.5000,-0.1300",
  "org": "AS13213 UK2 - Ltd"
}

The malware verifies that the IP doesn't belong to:
216.58.192.0 - 216.58.223.255
209.85.128.0 - 209.85.255.255
104.132.0.0 - 104.135.255.255
173.194.0.0 - 173.194.255.255
74.125.0.0 - 74.125.255.255
and that the hostname or org doesn't contain google, android, or 1e100.
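For a sandbox operator, the useful question is whether their own egress would be classified as Google infrastructure by the gate above. The following Python is an added example, not the malware's code; the ranges and keywords are the ones on the slide, and every record except the slide's own Tor-exit answer is constructed.

```python
import ipaddress

# The gate BrainTest applies to the ipinfo.io answer, exactly as listed on the slide.
GOOGLE_RANGES = ["216.58.192.0 - 216.58.223.255", "209.85.128.0 - 209.85.255.255",
                 "104.132.0.0 - 104.135.255.255", "173.194.0.0 - 173.194.255.255",
                 "74.125.0.0 - 74.125.255.255"]
GOOGLE_WORDS = ("google", "android", "1e100")

def in_range(ip, text_range):
    """True if ip falls inside a 'first - last' range written the way the slide writes it."""
    lo, hi = (ipaddress.IPv4Address(p.strip()) for p in text_range.split("-"))
    return lo <= ipaddress.IPv4Address(ip) <= hi

def fingerprint(info):
    """Reasons an ipinfo.io-style record would stop the gate from going rogue; empty means it would run."""
    reasons = [f"ip in {r}" for r in GOOGLE_RANGES if in_range(info["ip"], r)]
    for field in ("hostname", "org"):
        hits = [w for w in GOOGLE_WORDS if w in info.get(field, "").lower()]
        if hits:
            reasons.append(f"{field} contains {', '.join(hits)}")
    return reasons

# Constructed sample records (only tor_exit is taken from the slide): an egress a Bouncer-like
# analysis host might present, and a non-Google network whose reverse DNS happens to say "android".
SAMPLES = {
    "tor_exit": {"ip": "91.109.247.173", "hostname": "tor-exit2-readme.puckey.org",
                 "org": "AS13213 UK2 - Ltd"},
    "google_like": {"ip": "74.125.10.1", "hostname": "host.1e100.net", "org": "Google Inc."},
    "keyword_only": {"ip": "203.0.113.7", "hostname": "android-build.example.net",
                     "org": "Example Hosting"},
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(label, "->", fingerprint(rec) or "gate passes, payload would run here")
```

An analysis environment whose record matches none of the reasons is the one that will actually observe the malicious flow; a sandbox that egresses through a Google-looking network will only ever see the benign game.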
FIRST TIMEBOMB
The malicious flow runs every 2 hours.
DROPPER
Calls DD->d(context) to decrypt assets/start.ogg and drop it as do.jar.
Dynamic code loading: a.a.a.a.b() is invoked via Android reflection.

DROPPED PAYLOAD – SECOND TIMEBOMB
Waits 8 hours before running the payload.
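An added Python example (not BrainTest's code and not any vendor's scanner) that triages the asset-hiding trick above without running the app: it flags assets/ and res/raw/ entries whose bytes do not match their extension and says whether the content is an embedded jar, a dex, or a high-entropy blob like the encrypted start.ogg. The magic table is a constructed partial list and the APK is a constructed sample.

```python
import io
import math
import random
import zipfile
from collections import Counter

# Leading bytes expected for a few asset types (constructed, partial table).
MAGIC = {".ogg": (b"OggS",), ".png": (b"\x89PNG",), ".mp3": (b"ID3", b"\xff\xfb"), ".jpg": (b"\xff\xd8",)}

def entropy(data):
    """Shannon entropy in bits per byte; encrypted or compressed blobs sit close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(data):
    """Name what a non-matching asset really starts with."""
    if data.startswith(b"PK\x03\x04"):
        return "embedded zip/jar"
    if data.startswith(b"dex\n"):
        return "embedded dex"
    return "high-entropy blob (likely encrypted payload)" if entropy(data) >= 7.0 else "magic mismatch"

def suspicious_assets(apk_bytes):
    """Return [(entry, reason)] for assets/ and res/raw/ entries whose bytes don't match their extension."""
    z = zipfile.ZipFile(io.BytesIO(apk_bytes))
    findings = []
    for name in z.namelist():
        if not name.startswith(("assets/", "res/raw/")) or name.endswith("/"):
            continue
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name.rsplit("/", 1)[-1] else ""
        if ext in MAGIC and not z.read(name).startswith(MAGIC[ext]):
            findings.append((name, classify(z.read(name))))
    return findings

def build_sample_apk():
    """Constructed sample: a genuine-looking Ogg, an 'Ogg' that is an opaque blob, and a 'png' that is a dex."""
    rng = random.Random(7)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))   # stands in for the encrypted do.jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/music.ogg", b"OggS" + bytes(64))
        z.writestr("assets/start.ogg", blob)
        z.writestr("res/raw/logo.png", b"dex\n035\x00" + bytes(32))
        z.writestr("assets/notes.txt", b"no magic known for .txt, so never flagged")
    return buf.getvalue()
```

Extensions without a known magic are skipped rather than flagged, so the check stays quiet on ordinary text and data assets.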
BRAINTEST CONT.
CASE STUDY – BOUNDARY
GOOD APP? BAD APP?
- High popularity
- Long history
- Multiple versions of the app
- Different apps under the same developer
- Spoofing
- Grey behaviours
FAKE BATTERYBOT PRO
Malicious app: the free version. Legit app: the paid version.
Airpush mobile ad network
KK PLUGIN
- Fake alert, frequent pop-ups (http://www.cmcm.com/blog/en/security/2015-11-17/857.html)
- Installs apps silently
- First app seen on 2013-12-09; more than 48 different apps; 100,000 - 500,000 installs
LESSONS & CONCLUSIONS
Google Play: safe? breakable?
The secret weapons: social engineering, IPinfo, timebomb, remote payload ...

Google Play: challenge task, developer policy, punishment
Security providers: cooperation
Customers: minimize your apps; no more games