When the medicine is more dangerous than the disease:
Mobile Antivirus Security Assessment
Alexander ‘dark_k3y’ Bolshev
Ivan ‘Steph’ Yushkevich
; cat /dev/user
• Alexander ‘@dark_k3y’ Bolshev
  – Security Consultant @ IOActive, Ph.D.,
  – Assistant Professor @ SPb ETU.
• Ivan ‘Steph’ Yushkevich:
  – Security Auditor @ Digital Security
RCE in mobile antivirus via signatures/engine update
INTRODUCTORY VIDEO
Installs: 10,000,000 - 50,000,000
Agenda
• Demo video
• Introduction: what it’s all about?
• Analysis approaches
• Results & vulnerabilities
  – Virus scanning
  – Update mechanism
  – Privacy and user data
  – Other & funny things
• Conclusions
Introduction:
WHAT IT’S ALL ABOUT?
Mobile malware…
http://thenextweb.com/insider/2013/06/26/juniper-mobile-malware-is-an-increasingly-profit-driven-business-as-92-of-all-known-threats-target-android/#gref
http://news.softpedia.com/news/Mobile-Malware-and-Malicious-Apps-Surpass-the-1-Million-Mark-387564.shtml
https://www.gdatasoftware.com/securitylabs/news/article/g-data-releases-mobile-malware-report-for-the-fourth-quarter-of-2015
http://www.wirefresh.com/the-growing-risk-of-mobile-phone-malware-explained-in-a-hefty-graphic/
And here comes the hero…
And here comes the hero(es)…
Google Play:
• Total of 100+ antiviruses
• More than 10 billion installs
Mobile antiviruses: functionality
Free:
• Scanning for viruses
• Real-time protection?
• Ads? Sometimes
With subscription / paid functions:
• + All free features
• Anti-theft
• Backups
• Optimization
• Any other function for your money
• No ads?
”Super-free”:
• Show installed apps
• Show their permissions
• Lots of ads
• Useless
What it is all about…
• There are many studies and antivirus tests that analyze antivirus performance in virus detection, active protection, etc.
• Here we focus on a different question: how secure are mobile antiviruses? In other words: is it SECURE/SAFE to use them?
• Or is this medicine sometimes much worse than the disease?
• Or could their “help” to your device look like the following:
Disclaimer: this is just a very light review of the mobile antiviruses; we have only pointed to very easy-to-exploit things; however, that also makes this research scarier.
Selected antiviruses
• Android, Google Play
• Subset with “more than 100,000 installs”: 38 antiviruses
Selected mobile antiviruses:
com.antiy.avlpro
com.avira.android
com.psafe.msuite
com.trustlook.antivirus
com.nqmobile.antivirus20
com.pandasecurity.pandaav
com.bullguard.mobile.mobilesecurity
com.trustgo.mobile.security
com.estsoft.alyac
com.iobit.mobilecare
com.zoner.android.antivirus
com.wsandroid.suite
com.quickheal.platform
com.bornaria.antivirus
com.aegislab.sd3prj.antivirus.free
com.cyou.security
com.virusfighter.android
com.gpaddy.free.antivirus
com.sophos.appprotectionmonitor
com.escan.main
com.kms.free
com.eset.ems2.gp
com.trendmicro.tmmspersonal.emea
com.maxtotalsecurity
com.cleanmaster.security
com.bitdefender.antivirus
com.androhelm.antivirus.free
com.mpsecurity
com.androidantivirus
com.qihoo.security
com.mobandme.security.virusguard
com.drweb
com.lookout
com.max.gamerantivirus
com.avast.android.mobilesecurity
com.secore.privacyshield
com.symantec.mobilesecurity
com.fsecure.ms.safe
ANALYSIS
Checklist
• Is it junk?
• How does the virus scanning work? What algorithms/approaches are used?
• Is there any native code in the application?
• How does the application update its modules and/or signature databases?
• Security of the updates/backups/configuration storage
• Privacy: what information is sent to the backend?
• What additional functionality is used?
• Other OWASP Mobile Top 10 items
• Root detection
Attack approaches
• Vs. scanning engines:
  – DoS: APK/ZIP bombs
  – Fuzzing
• Vs. update engines:
  – MiTM and change update files?
  – Spoof executable(s) (.so, .dex, .jar, .lua, …) in updates?
  – Spoof update (slander all typical applications)
  – SQL injection
  – Fuzz signature parser?
• Vs. insecure data storage
• Vs. backend: in case of “cloud”
• Vs. additional features (may vary)
Fuzzing
(image: https://s-media-cache-ak0.pinimg.com/236x/13/41/d6/1341d6537089b044deb6d485a8bab26f.jpg)
Making nightmares
(diagram: an APK goes through radamsa / erlamsa, producing a fuzzed APK and fuzzed files inside the APK)
ToolZ: attacks against updates
• Mitmproxy
• Burp Suite
• Python DNS server (twisted) + SimpleHTTPServer
• Erlamsa, radamsa
• IDA Pro
• Frida
• adb
• Radare2
• jd-gui, bytecodeviewer, dex2jar, apktool
But…, sorry, responsible disclosure

VIRUS SCANNING
Sometimes an app is just /dev/junk
(screenshot of a fake AV, labelled: Stone, FakeAV, Updates, Realtime protection, Antitheft, Ads)
Or at least it scans for…
• Installed applications
• Runtime scan, e.g. downloaded apps
• SD card
• Unpack ZIP/JAR to see what’s inside?
…But how?
Signatures? Heuristics?
Scan: the approach of >60% of antiviruses
1) Application name
2) Path
3) Type
4) Crypto signature* (50%)
*sha1/md5/own_crypto_hash(appname|app)
Scan: app name, hash, path
(screenshots: “Virus detected!” → after renaming/moving the same app: “Seems legit…” → Ultimate bypass.)
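The name/path/hash approach on the slides above and its “ultimate bypass” (rename, move, re-pack), as an added example that is not part of the original talk or any of the reviewed products. It builds an APK-like ZIP in memory with Python's standard library; the package names, install paths, the EVIL_DEX payload and both signature databases are constructed for the example. The shallow scanner matches on (name, path, sha1 of the whole APK) exactly as the slide describes, while the deep scanner hashes the code members inside the archive:

```python
import hashlib
import io
import zipfile

# Constructed sample payload standing in for a known-bad classes.dex.
EVIL_DEX = b"dex\n035\x00" + b"constructed-evil-payload-marker" + b"\x00" * 16


def build_apk(pkg: str, dex: bytes, extra: bytes = b"") -> bytes:
    """Build a minimal APK-like ZIP in memory: a manifest plus classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", f'<manifest package="{pkg}"/>')
        z.writestr("classes.dex", dex)
        if extra:
            # One extra file is enough to change the whole-APK hash.
            z.writestr("assets/pad.bin", extra)
    return buf.getvalue()


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def package_name(apk: bytes) -> str:
    """Read the package attribute from the (plain-text, constructed) manifest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
    return manifest.split('package="')[1].split('"')[0]


# The "known" sample as first seen, and the two kinds of signature built from it.
ORIGINAL_PATH = "/data/app/com.example.evil-1/base.apk"
ORIGINAL_APK = build_apk("com.example.evil", EVIL_DEX)

# Shallow DB: app name, install path, hash of the whole APK (the slide's approach).
SHALLOW_DB = {
    "names": {"com.example.evil"},
    "paths": {ORIGINAL_PATH},
    "hashes": {sha1(ORIGINAL_APK)},
}
# Deep DB: hash of the code that is actually inside the archive.
DEEP_DB = {sha1(EVIL_DEX)}


def shallow_scan(apk: bytes, path: str) -> bool:
    """Flag only on name, path or whole-file hash; never looks inside the archive."""
    return (package_name(apk) in SHALLOW_DB["names"]
            or path in SHALLOW_DB["paths"]
            or sha1(apk) in SHALLOW_DB["hashes"])


def deep_scan(apk: bytes, path: str) -> bool:
    """Unpack the archive and hash every member that can carry code (path is irrelevant)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for name in z.namelist():
            if name.endswith((".dex", ".so", ".jar")) and sha1(z.read(name)) in DEEP_DB:
                return True
    return False


def demo() -> dict:
    """Return {variant: (shallow_detected, deep_detected)} for the original and a repack."""
    # "Ultimate bypass": new package name, new install path, one padding file.
    # The malicious code is byte-for-byte unchanged.
    repacked = build_apk("com.totally.legit", EVIL_DEX, extra=b"\x00")
    repacked_path = "/data/app/com.totally.legit-1/base.apk"
    return {
        "original": (shallow_scan(ORIGINAL_APK, ORIGINAL_PATH),
                     deep_scan(ORIGINAL_APK, ORIGINAL_PATH)),
        "repacked": (shallow_scan(repacked, repacked_path),
                     deep_scan(repacked, repacked_path)),
    }


if __name__ == "__main__":
    for variant, (shallow, deep) in demo().items():
        print(f"{variant}: shallow={shallow} deep={deep}")
```

The repacked sample keeps every byte of the malicious code and still walks past the shallow scanner; only the scanner that opens the archive and hashes what is inside keeps catching it, which is the difference between the “Normal” and “Name/Hash/Path” engine types on the next slide.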
Scan approaches (stats)
Scanning engine type:
• Normal (55%): “deep” APK inspection or even scanning of non-APK files
• Name/Hash/Path/etc. (37%): scan only for names/paths/hash sums of installed applications
• Fake (8%): no scanning engine
Complete device lock!
DEMO: ZIP/APK BOMB
Installs: 50,000,000 – 100,000,000
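The ZIP/APK bomb from the demo above and the check a scanning engine needs against it, as an added example (not code from the talk or from any of the products in the results table). Everything here is constructed: the bombs are built in memory, and the budget, ratio and nesting limits are an assumed policy. naive_unpack() is the careless engine; inspect_archive() treats the archive's own size headers as untrusted, counts the bytes that really come out of the inflater and charges nested archives against the same budget:

```python
import io
import zipfile

# Assumed engine policy (not from the talk): how much we are willing to inflate.
MAX_TOTAL_UNCOMPRESSED = 32 * 1024 * 1024   # bytes, shared by an archive and its nested archives
MAX_RATIO = 100                              # uncompressed:compressed per member
MAX_DEPTH = 2                                # archive-inside-archive levels
NESTED_SUFFIXES = (".zip", ".apk", ".jar")


class ArchiveRejected(Exception):
    """Raised instead of letting the archive dictate our memory and CPU use."""


def make_bomb(member_size: int = 8 * 1024 * 1024, members: int = 8) -> bytes:
    """Constructed flat bomb: a few multi-MiB members of zeros. Deflate shrinks
    them about 1000:1, so tens of KiB on disk inflate to members * member_size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for i in range(members):
            z.writestr(f"classes{i}.dex", b"\x00" * member_size)
    return buf.getvalue()


def make_nested_bomb(levels: int = 4) -> bytes:
    """Constructed nested bomb: a small bomb wrapped `levels` times (APK in JAR in ZIP ...)."""
    data = make_bomb(member_size=64 * 1024, members=2)
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(f"inner{i}.apk", data)
        data = buf.getvalue()
    return data


def make_benign() -> bytes:
    """Constructed harmless archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest package='com.example.ok'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)) * 4)
    return buf.getvalue()


def naive_unpack(data: bytes) -> int:
    """What a careless engine does: inflate every member completely. Returns bytes inflated."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return sum(len(z.read(info)) for info in z.infolist())


def inspect_archive(data: bytes, depth: int = 0, budget: int = MAX_TOTAL_UNCOMPRESSED) -> int:
    """Walk an archive under a byte budget; returns bytes inflated or raises ArchiveRejected."""
    if depth > MAX_DEPTH:
        raise ArchiveRejected(f"archive nested deeper than {MAX_DEPTH}")
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        raise ArchiveRejected(f"not a zip: {exc}") from exc
    used = 0
    with z:
        for info in z.infolist():
            # Central-directory sizes are attacker controlled: good enough to fail early...
            if info.file_size // max(info.compress_size, 1) > MAX_RATIO:
                raise ArchiveRejected(f"{info.filename}: declared ratio above {MAX_RATIO}:1")
            if used + info.file_size > budget:
                raise ArchiveRejected(f"{info.filename}: declared size exceeds budget")
            # ...but not to trust, so inflate in chunks and count the bytes that really come out.
            nested = bytearray() if info.filename.lower().endswith(NESTED_SUFFIXES) else None
            with z.open(info) as member:
                while chunk := member.read(64 * 1024):
                    used += len(chunk)
                    if used > budget:
                        raise ArchiveRejected(f"{info.filename}: inflated bytes exceed budget")
                    if nested is not None:
                        nested += chunk
            if nested is not None:
                # A nested archive spends from the remaining budget, not a fresh one.
                used += inspect_archive(bytes(nested), depth + 1, budget - used)
    return used


def is_rejected(data: bytes) -> bool:
    try:
        inspect_archive(data)
        return False
    except ArchiveRejected:
        return True


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"bomb: {len(bomb)} bytes on disk, {naive_unpack(bomb)} bytes when naively inflated")
    print(f"rejected flat: {is_rejected(bomb)}, rejected nested: {is_rejected(make_nested_bomb())}")
```

Two things are worth keeping from the defensive side: the central-directory sizes are only good for failing early, because the attacker wrote them, and a nested archive has to share its parent's budget, otherwise a per-archive cap is defeated simply by wrapping the bomb one more time.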
Nightmares results (screens)
Nightmares results (stats) — “+” means the attack worked

Mobile Antivirus                  | DoS in Java code | DoS in native code | ZIP/APK bomb
Kaspersky Mobile Security         | -                | + (unstable)       | -
F-Secure SAFE                     | +                | +                  | -
Dr.Web Mobile                     | -                | -                  | +
ESET Mobile Security & Antivirus  | -                | -                  | +
PSafe Antivirus                   | -                | +                  | -
AVL Pro Antivirus & Security      | -                | -                  | +
NQ Mobile Security & Antivirus    | -                | +                  | +
Avira Antivirus Security          | -                | +                  | -
CM Security AppLock AntiVirus     | -                | +                  | -
Zoner AntiVirus                   | +                | -                  | -
AMC Security - Antivirus          | -                | +                  | -
ALYac Android                     | -                | +                  | -
eScan - Mobile Antivirus          | -                | +                  | +
McAfee Security & Power Booster   | -                | +                  | -
SIGNATURES / ENGINE UPDATES
/dev/tcp: update connection types (share of the 38 antiviruses)
• HTTP: 26%
• HTTP + other: 5%
• HTTP + hash: 8%
• HTTP + crypto sign/crypto: 16%
• HTTPS: 21%
• HTTPS + crypto sign/crypto: 3%
• HTTPS + pinning: 10%
• HTTPS + HTTP: 3%
• Other: 8%
Grouped by transport: plain HTTP in some form 55%, HTTPS in some form 34%, HTTPS + HTTP 3%, other 8%.
We’re using SSL… pinning? Eh... Maybe...
Updates: MiTM and change files
– Spoof executable(s) (.so, .dex, .jar, .lua, …) in updates? => RCE
– Spoof update (change signatures) => slander all legitimate applications
– SQL injection
– Attacks against ads engines?
– Fuzz signature parser?*
*task for separate/next research
RCE (intro video)
(diagram: the Mobile Antivirus sends its update request over https; mitmproxy or similar intercepts it and forwards it to an Evil server, whose update response is delivered back to the app)
Installs: 10,000,000 - 50,000,000
Update via Google Play? Spoofable!
You could point to any app in Google Play or to a custom apk file; in the latter case it will be downloaded and the user will be asked to install it; because you control the update message, you could ask the user to enable unknown sources.
Installs: 10,000,000 - 50,000,000
JAR in update…
Installs: 50,000,000 - 100,000,000
JAR archive with advanced “heuristics” in the update
Easy RCE
Defcon Russia (DCG#7812)
But wait, they have a “defence”!
Not “so easy”!
Installs: 50,000,000 - 100,000,000
The developers presented a “new technology” in signing and hashing: a ZIP archive with a password!*
(diagram: Mobile Antivirus ↔ Developer)
*Easily brute-forced in less than 1 minute
Fake updates == better security
• Some nice AV
• Uses the KAV engine
• Updates contain *.so files
• No signing…
• But: the updates are NEVER used at all
• Download, check hash, unpack, but never use
• No update usage == no RCE, PROFIT!
Installs: 1,000,000 - 5,000,000
Lua in ads?
Installs: 10,000,000 - 50,000,000
• Lua scripts as the advertising engine
• Advert updates arrive together with the virus databases
• No signing for the scripts, of course
Slander all the good guys!
Installs: 100,000 – 500,000
Result and/or signature changed, because the transport is HTTP/HTTPS without pinning
You got nothing but viruses!
(also, the AV could remove the app data too!)
Slander all good applications!
DEMO VIDEO
Installs: 1,000,000 – 5,000,000
Easier: SQL injection via update?

  <item>
    <name>9dc4831488ed784afe45a4c67674ab3e5225bb785d37916d3021888f9f13b3ae</name>
    <tip>application</tip>
    <path>146fdabd0300280de8f25d6ee52689091e4fcca6cb8939bc8b7c84da97e28cbd</path>
  </item>

Code part (decompiled; the hash is concatenated straight into the query):

  public boolean hasSign(String paramString)
  {
    paramString = getReadableDatabase().rawQuery("SELECT id FROM ****_signatures WHERE hash='" + paramString + "'", null);
    ...

So a value like ' OR '1'='1 turns the query into: SELECT id FROM ****_signatures WHERE hash='' OR '1'='1'
And all apps become viruses!
Installs: 1,000,000 – 5,000,000
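The concatenated hasSign() above, the MITM'd update feed that reaches it, and the “slander” attack from the previous slides, as an added example that is not code from the talk or from the affected product. The table name app_signatures, the in-memory SQLite database, the feed contents and the assumption that the lookup value is a sha256 of the package name (cf. the scan slide) are all constructed for the example; the talk does not say which string reaches hasSign(), so the example assumes the worst case the slide implies, a value taken from the attacker-controlled update feed:

```python
import hashlib
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed update feed in the same shape as the <item> on the slide.
UPDATE_XML = """<signatures>
  <item>
    <name>9dc4831488ed784afe45a4c67674ab3e5225bb785d37916d3021888f9f13b3ae</name>
    <tip>application</tip>
    <path>146fdabd0300280de8f25d6ee52689091e4fcca6cb8939bc8b7c84da97e28cbd</path>
  </item>
</signatures>"""

# Constructed poisoned feed: what a MITM can put into an unsigned, unpinned download.
POISONED_XML = ("<signatures><item><name>' OR '1'='1</name><tip>application</tip>"
                "<path>not-a-hash</path></item></signatures>")

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def load_db(update_xml: str, strict: bool = True) -> sqlite3.Connection:
    """Parse a feed into an in-memory copy of the AV's signature table (table name assumed).
    strict=True drops any item whose hashes are not 64 hex chars, so a poisoned feed
    cannot smuggle SQL fragments into the database in the first place."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_signatures (id INTEGER PRIMARY KEY, hash TEXT, tip TEXT, path TEXT)")
    for item in ET.fromstring(update_xml).iter("item"):
        name, tip, path = (item.findtext(tag, "").strip() for tag in ("name", "tip", "path"))
        if strict and not (HEX_SHA256.match(name) and HEX_SHA256.match(path)):
            continue
        db.execute("INSERT INTO app_signatures (hash, tip, path) VALUES (?, ?, ?)", (name, tip, path))
    return db


def row_count(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM app_signatures").fetchone()[0]


def has_sign_vulnerable(db: sqlite3.Connection, value: str) -> bool:
    """Python port of the decompiled hasSign(): the value is concatenated into the SQL."""
    cur = db.execute("SELECT id FROM app_signatures WHERE hash='" + value + "'")
    return cur.fetchone() is not None


def has_sign_fixed(db: sqlite3.Connection, value: str) -> bool:
    """Same lookup with a bound parameter and input validation: data can never become SQL."""
    if not HEX_SHA256.match(value):
        return False
    cur = db.execute("SELECT id FROM app_signatures WHERE hash=?", (value,))
    return cur.fetchone() is not None


def app_hash(package: str) -> str:
    """Assumed name-based signature: sha256 of the package name."""
    return hashlib.sha256(package.encode()).hexdigest()


def slander_feed(package: str) -> str:
    """A syntactically perfect feed that adds a legitimate app's hash as a signature."""
    h = app_hash(package)
    return f"<signatures><item><name>{h}</name><tip>application</tip><path>{h}</path></item></signatures>"


def demo() -> dict:
    db = load_db(UPDATE_XML)
    known = "9dc4831488ed784afe45a4c67674ab3e5225bb785d37916d3021888f9f13b3ae"
    injected = "' OR '1'='1"
    slandered = load_db(slander_feed("com.android.chrome"))
    return {
        "known_hash_vulnerable": has_sign_vulnerable(db, known),
        "unknown_hash_vulnerable": has_sign_vulnerable(db, "0" * 64),
        "injection_vulnerable": has_sign_vulnerable(db, injected),   # every lookup "matches"
        "injection_fixed": has_sign_fixed(db, injected),
        "poisoned_rows_strict": row_count(load_db(POISONED_XML)),
        "poisoned_rows_lax": row_count(load_db(POISONED_XML, strict=False)),
        # Slander: the parameterised query correctly reports the planted signature.
        "slander": has_sign_fixed(slandered, app_hash("com.android.chrome")),
    }
```

The bound parameter and the hex check close the injection, and the strict loader keeps SQL fragments out of the table at all; the slander case still succeeds, because nothing in the SQL layer can tell a legitimate signature from one a MITM inserted. That needs a signed feed or pinned HTTPS, which is the “best approaches” recommendation at the end of the deck.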
PRIVACY && DATA
Privacy and data
Data collection*:
1) Device info
2) WiFi
3) Applications list
4) IMEI/IMSI?
5) Contacts and data backed up to a remote server?!
Sometimes this is done using just HTTP?
*IMSI: 4/38, IMEI: 7/38, App. list: 4/38
Data? Yep, we got one…
SD card backup for better access.
What if you lose your phone?
…and your and your friend(s)’ data too
• FTP BACKUPS… for better security
From Google Play comments, dialog with “support”:
[Visitor] If I reinstall the application, errors will not magically disappear
[Visitor] So don't say anything like "reinstall" - this'll not help.
[Visitor] I tested it on 2 devices
[Visitor] What can you say about it?
[Andrew] Can I remotely access your PC now and get your issue resolved?
[Visitor] This is an Android application
[Visitor] And what do you mean by "I remotely access your PC now and get your issue resolved?"?
OTHER && FUNNY THINGS
Root detection
(chart: root detection present 5%, no root detection 95%)
“C” – config over HTTP:
[Root]
<r>noshufou,supersu,chainfire
<p>free.spapa.bankfreed
<p>/tegrak/bin/tegrak_service
<p>spapa_su
<p>bankfreed
<f>/system/bin/.ext/.su
<f>/system/bin/.222/.su
<f>/system/xbin/.tmpsu
<f>/su/lib
<h>org.sbtools.gamehack
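A parser for the [Root] config shown above and the spoofing problem with fetching it over plain HTTP, as an added example that is not code from the talk or from the product. The meaning of the <r>/<p>/<f>/<h> tags is not stated on the slide and is assumed here (root-manager package substrings, process or package names, file paths, hacking-tool packages), and the device snapshot the rules are evaluated against is constructed:

```python
import re

# The config from the slide, as the AV downloads it over plain HTTP.
ROOT_CONFIG = """[Root]
<r>noshufou,supersu,chainfire
<p>free.spapa.bankfreed
<p>/tegrak/bin/tegrak_service
<p>spapa_su
<p>bankfreed
<f>/system/bin/.ext/.su
<f>/system/bin/.222/.su
<f>/system/xbin/.tmpsu
<f>/su/lib
<h>org.sbtools.gamehack
"""

# Assumed meaning of the tags (the slide does not define them):
#   <r> substrings of root-manager package names, <p> process/package names,
#   <f> file paths, <h> hacking-tool package names.
TAGGED = re.compile(r"^<([rpfh])>(.*)$")


def parse_root_config(text: str) -> dict:
    """Parse the INI-like config into {tag: [values]}; only the [Root] section is used."""
    rules = {"r": [], "p": [], "f": [], "h": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = TAGGED.match(line)
        if section == "Root" and m:
            kind, values = m.groups()
            rules[kind].extend(v.strip() for v in values.split(",") if v.strip())
    return rules


def detect_root(rules: dict, packages, processes, files) -> list:
    """Return the sorted set of indicators that matched a device snapshot."""
    hits = set()
    hits.update(f"r:{p}" for p in packages for needle in rules["r"] if needle in p)
    hits.update(f"p:{p}" for p in processes if p in rules["p"])
    hits.update(f"f:{f}" for f in files if f in rules["f"])
    hits.update(f"h:{p}" for p in packages if p in rules["h"])
    return sorted(hits)


# Constructed snapshot of a rooted device with a game-hacking tool installed.
PACKAGES = ["com.android.chrome", "eu.chainfire.supersu", "org.sbtools.gamehack"]
PROCESSES = ["zygote", "spapa_su"]
FILES = ["/system/bin/sh", "/system/xbin/.tmpsu"]


def demo() -> dict:
    genuine = parse_root_config(ROOT_CONFIG)
    # A MITM on the HTTP download only has to serve an empty section.
    spoofed = parse_root_config("[Root]\n")
    return {
        "genuine": detect_root(genuine, PACKAGES, PROCESSES, FILES),
        "spoofed": detect_root(spoofed, PACKAGES, PROCESSES, FILES),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits or 'no root detected'}")
```

Because the config travels over plain HTTP, an attacker on the path never has to touch the app itself: serving an empty [Root] section switches root detection off, which is the second result in demo().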
Writing exploits is very hard, so let’s ship busybox and superuser to make it easier.
We found some memory corruptions during fuzzing in this AV.
Installs: 10,000,000 - 50,000,000
RCE on backend
When control over signatures and contacts, or even RCE on the device, is not enough…
FIND RCE ON THE SERVER!
Installs: 100,000 – 500,000

CONCLUSIONS
Best approaches*
• Use deep scan
• Use HTTPS + SSL pinning and/or cryptographic signatures during software update
• Use HTTPS + SSL pinning during any other communications
• Respect privacy
*from a SECURITY perspective; we’re not talking about virus detection results
Conclusions
• This research was done in a very light way (we searched for “low-hanging” fruit); however, we found some serious problems.
• At least 1/3 of the reviewed antiviruses use insecure update mechanisms; at least 50% of antiviruses are exposed to denial of service or even worse attacks.
• Some modern Android antiviruses may be a real security threat to your device.*
• These threats include DoS, device DoS, slander of legitimate application(s), leaks of private data or even RCE on your device.
• And remember that mobile AVs usually require as many permissions as possible.
• So, choose your mobile antivirus carefully or find another way to improve your device’s security.
*No matter what rating they have or how high the install count is.
Questions?