The Secrets of Malware Success on Google Play Store

Author: Dayna Ward
SESSION ID: CRWD-W13

The Secrets of Malware Success on Google Play Store

Rowland Yu Senior Threat Researcher SOPHOS #rowlandy

#RSAC

AGENDA

- The takeaways
- Google Play facts
- Google Play security measures
- Malware history on Google Play
- The mission of malware
- The secret weapons of cybercriminals
- Android application package (APK)
- Case studies
- Lessons & conclusions

THE TAKEAWAYS

- The security measures in Google Play
- The social engineering techniques employed by malware
- Practical knowledge of how malware bypasses Google Play security

GOOGLE PLAY FACTS

LAUNCH AN APP ON GOOGLE PLAY

How to launch an Android app on the Google Play Store:
1. Register as a developer ($25 USD)
2. Prepare and upload your app
3. Store listing
4. Pricing & distribution
5. Publish your app (takes up to 24 hours to go live)

NUMBER OF APPS ON GOOGLE PLAY

(Chart: number of available apps on Google Play over time; the values are not recoverable from the extracted slide.)

GOOGLE PLAY SECURITY MEASURES

(Two diagram slides; source: Android White Paper, February 2016.)

Two changes to Google Play app reviews from March 2015:
- Move to real human reviewers
- Introduce an age-based rating system

MALWARE HISTORY ON GOOGLE PLAY

(Timeline chart, February 2012 to February 2016. Families named on the chart, in the order they were extracted, since their positions on the timeline are not recoverable: Find and Call, Carberp, FakeMarket, Brazilian Banker, Hideicon, BadNews, Plankton, Bumzasery, BrainTest2, InstaAgent, Feabme, DroidCleaner, FakeLookout, Android DropDialer, SaveMe, ZertSecurity, VirusShield, DenDroid, KK plugin, Dubsmash, MobiDash, InfectedHTML, BrainTest, FakeBatteryBotPro, Santa Claus, Ngu Studios, TurkishClicker.)

MALWARE HISTORY ON GOOGLE PLAY: ELEVEN CASES, 2015-2016

Report date   Name              First seen   Behaviour      Installs
2015-04-24    Dubsmash          2015-04-17   Porn clicker   100,000 - 500,000
2015-07-06    Fake BatteryPro   2015-06-17   Backdoor       100,000 - 500,000
2015-07-09    Feabme            2015-04-10   Phishing       501,000 - 1,005,000
2015-07-22    Ngu Studio        2015-07-14   Porn clicker   25,000 - 50,000
2015-08-05    Bumzasery         2015-08-05   Porn clicker   27
2015-09-21    BrainTest         2015-07-28   Backdoor       100,000 - 500,000
2015-11-11    InstaAgent        2015-10-16   Phishing       100,000 - 500,000
2015-11-17    KK plugin         2014-09-22   Agent          100,000 - 500,000
2015-12-17    Santa Claus       2015-12-17   Backdoor       N/A
2016-01-06    BrainTest2        2015-10-01   Backdoor       606,000 - 1,335,000
2016-01-08    Turkish Clicker   2015-09-27   Backdoor       500 - 1,000

(The extracted slide also carries an install figure of ~5,000,000 that cannot be attributed to a row with confidence.)

THE MISSION OF MALWARE

Think like a cybercriminal.

WHAT MALWARE WANTS TO DO

Survival. (Three image slides in the original.)

THE SECRET WEAPONS OF CYBERCRIMINALS

- IP info
- Timebombs
- Dynamic code loading
- Obfuscation/packing
- Encryption
- Remote payload

Survival: behave for a while before going rogue.

What the malware poses as: (a lot of) games, and tools.

Social engineering, silent mode, boundary.

ANDROID APPLICATION PACKAGE (APK)

An APK is an extension of the ZIP/JAR format (MIME type application/vnd.android.package-archive), digitally signed with the developer's certificate and usually named after its package, e.g. com.package.name.apk. "unzip blah.apk" is enough to take one apart.

Blah.apk
  META-INF/
    MANIFEST.MF            Manifest file (text): the list of entries with the SHA-1 digest of each
    CERT_NAME.SF           Signature file (text): SHA-1 digests of the corresponding lines in MANIFEST.MF
    CERT_NAME.(RSA|DSA)    Developer public certificate of the APK, with the signature over CERT_NAME.SF
  lib/
    arm*/ lib*.so          Compiled shared libraries: native ELF files, one directory per processor ABI
    x86/
    mips/
  res/
    drawable-*/ *.png      Resource files: non-compiled resources (images, XML files, raw binary files, media files, ...)
    xml/ *.xml             May contain malicious payloads
    raw/
    ...
  assets/ *                Asset files, retrieved through AssetManager: another good place to hide payloads
  AndroidManifest.xml      Android manifest, compiled binary XML: the entry points of the app
  classes.dex              Executable Dalvik bytecode for the Dalvik virtual machine
  resources.arsc           Precompiled resources
  *                        Random files

Layout after https://github.com/rednaga/training/tree/master/DEFCON23
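The three META-INF files above are the JAR-style (v1) signing scheme: MANIFEST.MF carries a SHA-1 digest for every entry, CERT_NAME.SF digests the manifest sections, and CERT_NAME.RSA holds the certificate and the signature over the .SF file. The first thing to check on a suspicious sample is therefore whether the entries still match MANIFEST.MF, which tells a repackaged app from the developer's own build. The script below is an added example, not code from the talk or from the rednaga training material: it builds a constructed, unsigned APK-like ZIP in memory (file names and contents are placeholders) and verifies every entry against the SHA1-Digest lines.

```python
"""Verify the JAR-style (v1) entry digests inside an APK.

Added example for this deck, not code from the talk or from the rednaga
training material. It builds a constructed APK-like ZIP in memory, then
checks every entry against the SHA1-Digest lines in META-INF/MANIFEST.MF.
"""
import base64
import hashlib
import io
import zipfile

# Constructed sample entries (placeholders, not real Android binaries).
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"\x03\x00\x08\x00 binary-xml-placeholder",
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "assets/start.ogg": b"not really an ogg file",
}


def sha1_digest_b64(data: bytes) -> str:
    """MANIFEST.MF stores each entry's SHA-1 as base64."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    """Write a minimal MANIFEST.MF: one 'Name:' / 'SHA1-Digest:' section per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_digest_b64(data)}", ""]
    return "\r\n".join(lines).encode("utf-8")


def build_apk(entries: dict, manifest: bytes) -> bytes:
    """Pack the manifest and entries into a ZIP, the way an APK is laid out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: base64 SHA-1}. A line starting with a space
    continues the previous line (the 72-byte wrap of the JAR spec)."""
    unwrapped = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and unwrapped:
            unwrapped[-1] += line[1:]
        else:
            unwrapped.append(line)
    digests, name = {}, None
    for line in unwrapped:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def verify_v1_digests(apk_bytes: bytes) -> dict:
    """Map every entry outside META-INF/ to 'ok', 'mismatch' or 'unlisted'.

    'mismatch': the entry was changed after the manifest was written (a
    repackaged sample). 'unlisted': a file was added without touching the
    manifest.
    """
    result = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in z.infolist():
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            expected = digests.get(info.filename)
            actual = sha1_digest_b64(z.read(info.filename))
            if expected is None:
                result[info.filename] = "unlisted"
            else:
                result[info.filename] = "ok" if expected == actual else "mismatch"
    return result


GOOD_APK = build_apk(SAMPLE_ENTRIES, build_manifest(SAMPLE_ENTRIES))
# classes.dex swapped after the manifest was written: a repackaged sample.
REPACKAGED_APK = build_apk({**SAMPLE_ENTRIES, "classes.dex": b"dex\n035\x00evil"},
                           build_manifest(SAMPLE_ENTRIES))

if __name__ == "__main__":
    for label, apk in (("good", GOOD_APK), ("repackaged", REPACKAGED_APK)):
        print(label, verify_v1_digests(apk))
```

This checks digest consistency only. Confirming that CERT_NAME.SF matches MANIFEST.MF and that CERT_NAME.RSA really signs the .SF file needs a PKCS#7 parser, and since Android 7.0 the v2 scheme signs the whole archive in a separate APK Signing Block and is checked before v1, so a sample that passes here may still be rejected at install time. For triage the useful outcomes are the other two: a "mismatch" or "unlisted" entry means someone other than the original signer touched the package.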

CASE STUDY – PHISHING

Report date   Name         First seen   Period    Installs
2015-07-09    Feabme       2015-04-10   90 days   501,000 - 1,005,000
2015-11-11    InstaAgent   2015-10-16   26 days   100,000 - 500,000

PHISHING TEST

(Four login-screen screenshots, A to D, in the original slides.)

WHICH ONE IS MALICIOUS? A, B, C or D

PHISHING – FEABME

Popular games on Google Play: Cowboy Adventure, Jump Chess. 500,000 – 1,000,000 installs from Google Play.

Images from: http://www.welivesecurity.com/2015/07/09/apps-google-play-steal-facebook-credentials/

MONOGAME FRAMEWORK

The games are built with MonoGame, a C# framework based on .NET, so the app logic lives in .NET assemblies (.dll files) rather than in classes.dex.

FEABME PAYLOAD

Main activity: the game. Payload: a fake Facebook login.

FEABME WORKFLOW

CowboyAdventure.dll, Activity1 -> TinkerAccountLibrary.dll -> payload fetched from the remote server -> phishing activity (fake Facebook login) -> credentials submitted to the remote server.

CASE STUDY – BRAINTEST

Reference: http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/

Report date   Name         First seen   Period    Installs
2015-09-21    BrainTest    2015-07-28   55 days   100,000 - 500,000
2016-01-06    BrainTest2   2015-10-01   97 days   606,000 - 1,335,000

Weapons used: IP info, timebombs, dynamic code loading, encryption, remote payload, packing/obfuscation.

IP INFO

Bypass Google Bouncer via ipinfo.io.

Example response from http://ipinfo.io/json (the slide's own request, made from a Tor exit node):

{
  "ip": "91.109.247.173",
  "hostname": "tor-exit2-readme.puckey.org",
  "city": "",
  "region": "",
  "country": "GB",
  "loc": "51.5000,-0.1300",
  "org": "AS13213 UK2 - Ltd"
}

The app verifies that the IP doesn't belong to:
216.58.192.0 - 216.58.223.255
209.85.128.0 - 209.85.255.255
104.132.0.0 - 104.135.255.255
173.194.0.0 - 173.194.255.255
74.125.0.0 - 74.125.255.255

and that hostname or org doesn't contain google, android, or 1e100. If either test fails, the app assumes it is being analysed inside Google's infrastructure and stays benign.
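The check above, written out as an added example rather than code from the BrainTest sample: a Python function that applies the talk's rule to an ipinfo.io response, fed with the response shown on the slide and with two constructed responses of the kind a Google-hosted analysis box would return. The address ranges and keywords are the ones on the slide; the function names and the decision labels are my own.

```python
"""Reproduce BrainTest's "am I inside Google?" test on an ipinfo.io response.

Added example, not code from the BrainTest sample. The ranges and keywords
are the ones listed in the talk; the function names are mine.
"""
import ipaddress
import json

# IPv4 ranges the talk lists as Google-owned (a 2016 snapshot).
GOOGLE_RANGES = [
    ("216.58.192.0", "216.58.223.255"),
    ("209.85.128.0", "209.85.255.255"),
    ("104.132.0.0", "104.135.255.255"),
    ("173.194.0.0", "173.194.255.255"),
    ("74.125.0.0", "74.125.255.255"),
]
# Substrings the talk lists for the hostname / org check.
GOOGLE_KEYWORDS = ("google", "android", "1e100")

# Convert the start-end pairs to CIDR networks once, for cheap membership tests.
GOOGLE_NETWORKS = [
    net
    for start, end in GOOGLE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
]


def looks_like_google(info: dict) -> bool:
    """True if the ipinfo.io JSON places this device in Google infrastructure."""
    try:
        ip = ipaddress.ip_address(info.get("ip", ""))
    except ValueError:
        # Malformed or missing address: treat as unknown and stay cautious.
        return True
    if any(ip in net for net in GOOGLE_NETWORKS):
        return True
    text = f"{info.get('hostname', '')} {info.get('org', '')}".lower()
    return any(word in text for word in GOOGLE_KEYWORDS)


def decide(ipinfo_json: str) -> str:
    """What the app does with the answer: keep behaving, or start the malicious flow."""
    return "stay_benign" if looks_like_google(json.loads(ipinfo_json)) else "go_rogue"


# Response shown on the slide (a Tor exit node in the UK).
SLIDE_RESPONSE = json.dumps({
    "ip": "91.109.247.173", "hostname": "tor-exit2-readme.puckey.org",
    "city": "", "region": "", "country": "GB", "loc": "51.5000,-0.1300",
    "org": "AS13213 UK2 - Ltd",
})
# Constructed: inside a listed range and carrying the 1e100 hostname.
CONSTRUCTED_GOOGLE_RESPONSE = json.dumps({
    "ip": "74.125.20.1", "hostname": "lax17s01-in-f1.1e100.net",
    "org": "AS15169 Google Inc.",
})
# Constructed: outside every listed range, caught by the keyword rule alone.
CONSTRUCTED_KEYWORD_ONLY = json.dumps(
    {"ip": "8.8.8.8", "hostname": "", "org": "AS15169 Google LLC"})

if __name__ == "__main__":
    for response in (SLIDE_RESPONSE, CONSTRUCTED_GOOGLE_RESPONSE, CONSTRUCTED_KEYWORD_ONLY):
        print(decide(response))
```

Two points for anyone running a sandbox: the keyword rule catches Google address space the range list misses (8.8.8.8 above), and the whole test is a single HTTP request to ipinfo.io, so answering that request with a non-Google response, or egressing through non-attributable address space, defeats it. The range list is a 2016 snapshot from the slide and is not a reliable enumeration of Google's networks today.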

FIRST TIMEBOMB

The malicious flow runs on a 2-hour schedule rather than at first launch, so a short dynamic-analysis session sees only the game.

DROPPER

The app calls DD.d(context) to decrypt assets/start.ogg and drop the result as do.jar. The dropped code is then loaded dynamically: a.a.a.a.b() is invoked via Android reflection.

DROPPED PAYLOAD – SECOND TIMEBOMB

The dropped code waits a further 8 hours before running the payload.
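Because the real code stays encrypted in assets/start.ogg until DD.d(context) runs, the static tell is not a suspicious class but an asset that is not what its extension claims. The script below is an added triage example, not code from the talk or from BrainTest: it walks assets/ and res/raw/ in a constructed APK-like ZIP, flags entries whose magic bytes identify a ZIP/JAR, DEX or ELF container whatever their extension, and flags entries with no recognisable format and near-maximum byte entropy, which is how an encrypted payload looks before it is decrypted. File names, contents and the entropy threshold are my own choices.

```python
"""Find hidden payloads under assets/ and res/raw/ of an APK by content, not name.

Added triage script, not code from the talk or from BrainTest. It flags
(1) entries whose magic bytes identify a ZIP/JAR, DEX or ELF container
regardless of extension, and (2) entries with no recognised format and
near-maximum byte entropy, the signature of an encrypted blob such as
BrainTest's assets/start.ogg before it is decrypted into do.jar.
"""
import io
import math
import zipfile
from collections import Counter

# Magic bytes for the formats we care about; the names are descriptive only.
MAGIC = {
    b"PK\x03\x04": "zip/jar/apk",
    b"dex\n": "dex",
    b"\x7fELF": "elf",
    b"OggS": "ogg",
    b"\x89PNG": "png",
}
CODE_CONTAINERS = {"zip/jar/apk", "dex", "elf"}
PAYLOAD_DIRS = ("assets/", "res/raw/")
ENTROPY_THRESHOLD = 7.5   # bits per byte; my choice, tune on your own corpus


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes):
    """Return the format name for a known magic prefix, else None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage_apk(apk_bytes: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Return {entry name: reason} for suspicious entries in the payload directories."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(PAYLOAD_DIRS):
                continue
            data = z.read(name)
            kind = identify(data)
            if kind in CODE_CONTAINERS:
                ext = name.rsplit(".", 1)[-1] if "." in name else "(none)"
                findings[name] = f"{kind} container stored with extension {ext}"
            elif kind is None:
                entropy = shannon_entropy(data)
                if entropy >= threshold:
                    findings[name] = f"unknown format, entropy {entropy:.2f}: likely encrypted payload"
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like ZIP with benign assets and two suspicious ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("classes.dex", b"dex\n035\x00")                    # outside payload dirs: ignored
        z.writestr("assets/music.ogg", b"OggS" + b"\x00" * 64)          # real-looking Ogg, low entropy
        z.writestr("assets/start.ogg", bytes(range(256)) * 8)           # "encrypted" blob, entropy 8.0
        z.writestr("res/raw/config.dat", b"PK\x03\x04" + b"\x00" * 20)  # a JAR hiding behind .dat
        z.writestr("assets/readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in triage_apk(build_sample_apk()).items():
        print(entry, "->", reason)
```

Pair this with a search of classes.dex for dalvik.system.DexClassLoader and java.lang.reflect usage: an app that carries a high-entropy asset and can load code at run time has both halves of the dropper described above, even when the decryption routine itself is obfuscated. Expect false positives from compressed media and from legitimately encrypted game assets; the output tells you which files to decrypt next, it does not convict.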

BRAINTEST CONT.

CASE STUDY – BOUNDARY

GOOD APP? BAD APP?

What makes an app hard to classify:
- High popularity
- Long history
- Multiple versions of the app
- Different apps under the same developer
- Spoofing of legitimate apps
- Grey behaviours

FAKE BATTERYBOT PRO

Malicious app: the free version. Legit app: the paid version. The fake free version bundles the Airpush mobile ad network.

KK PLUGIN

Fake alerts and frequent pop-ups. Reference: http://www.cmcm.com/blog/en/security/2015-11-17/857.html

Installs apps silently.

First app seen on 2013-12-09; more than 48 different apps; 100,000 - 500,000 installs.

LESSONS & CONCLUSIONS

Google Play: safe? Breakable?

The secret weapons: social engineering, IPinfo, timebombs, remote payloads, ...

Google Play: a challenging task; developer policy; punishment.
Security providers: cooperation.
Customers: minimize your apps; no more games.

[email protected]