
Bsides Orlando - Tim Armstrong - Android Malware Grows Up

BSides Orlando, 27:16, published 2013-04
Transcript [en]

So, my name is Tim Armstrong. I work for Rapid7. A little bit of an overview: this isn't going to be super in-depth; I'm not going to look at any code or anything like that. It's really more of Android's malware timeline since 2010 into what we're seeing now. I don't do research for Rapid7. I used to do research for Kaspersky, used to work for the Russians, and did a lot of PR stuff for them, did a lot of Android reverse engineering and research on that as well, so it stayed on as sort of a hobby of mine.

So anyway, that said, the interesting thing I think about Android at this point is that the way malware is developing on Android is very similar to the way malware has developed on Windows, but on a much shorter timeline, with the exception of that first period of just having destructive malware. Malware for the Android platform has pretty much always been designed around making money. So I'm just going to go through some different things around the different types of malware we've seen, what they are, and then what we're seeing most recently.

So I actually started in research in like 2009 or something like that and had no background in it, and the guys I was working with were like, you have to pick a platform, you have to pick something that you're going to know things about. I said, well, I'm going to pick Android. "Well, that's stupid, there's no malware for Android." And I was like, what? There will be. That's dumb. And if you looked on forums at the time, people were asking, should I get antivirus for my phone? Sophos has this, and Kaspersky has this. And people were like, you're an idiot, there's no point.

When suddenly one of my colleagues discovered FakePlayer. What this was was a movie player application, or a supposed movie player application. You could only really get it on Russian, I think it was on either Yandex or Russian Google, and you had to search with a phone to actually get infected by it. What it was was just a little media player app. It actually didn't do anything. It was just an icon; you'd click on it and it opened and then it closed, but in the background it would start a service, and the service, like most of the mobile malware that's out there, would just start sending SMS messages out to premium-rate numbers, five, six bucks per message, and then do it on a regular basis. Not complex. One of the funny things about this is it actually had the hello world code from Google's Android coding tutorial still in the application, so it's pretty low-level stuff. Definitely somebody who is probably like a Symbian malware writer who said, well, I can figure this out.

And then there was a second iteration of it called PornoPlayer, almost the same application except for the icon, which I've conveniently blurred out. It was aimed at a different audience maybe and was a little more aggressive, but essentially the same program, just calling a different number.

So then a bunch of different other malware came out, and all kind of the same thing. It was all outside of the Android Market, primarily Russian markets, Chinese markets. I'm not sure if it's the case to this day, but for a long, long time there was no Market in China, so there's a lot of alternative markets, and in those alternative markets there's really no, not that the Android Play Store has a lot of oversight, but there's just none. You can upload anything, and there's no barrier of entry or anything like that, and you can be very anonymous with writing apps, submitting them and having people download them. So at this time that was sort of the only place you'd see malware.

When all of a sudden DroidDream came out. The thing that's interesting about DroidDream, there's a few things, but one of the main things is that it was pretty well orchestrated. This is the first time we really saw multiple people probably involved, some real thought process behind the infection vector. There were three separate accounts on the Android store (this is before it was called Play). There were 24 separate applications. What they did is they took all the top popular applications at that time and made an application that had either the same name or a very similar name, and sometimes even stole the icon for that game or that application. The one I found was called Super Guitar Solo, and they infected over 100,000 people through the legitimate Android Market at that point.

The other cool thing about that was that there were two root exploits in this. The thing is called Exploid, yeah, Exploid and Rage Against the Cage were the two ones. Almost the same escalation of privilege through exploit, but you just launch the app and it would run the exploits. The Rage Against the Cage one would just fork the adb process over and over and over again, then it would crash, then it would restart as root, which was the vulnerability, or one of the vulnerabilities, and once it restarted as root then you could install all sorts of crazy things. So that was cool.

And the other thing that's interesting about that is that almost every phone on the market at that point had an update available to patch this vulnerability. So of the 100,000 people that got infected, probably like 90% of those people, had they been running AV or had they updated their phone, never would have gotten infected in the first place. The other thing about this is it did some cool things. It stole the IMEI and the IMSI numbers, which are the unique identifiers for your phone, one being the SIM card, one being the phone identifier itself, and it could download and install applications on its own without notifying you, because it had root privilege at that point. So it was pretty cool.

One of the big things about it was that Google for the first time executed their ability to remove apps remotely from people's devices. This was a huge thing. This had never happened before, to my knowledge. What they did was they actually launched a removal process. It ran native code on your device, which was sketchy, and they didn't ask anybody. You just got an email notification that, hey, we did stuff on your device. So it was a big to-do in the industry. I think the only other real version of this type of thing happening that I've seen was when Amazon removed Brave New World from the Kindle devices, ironically. The other cool thing about this is that these malware writers, these guys aren't stupid. They immediately came out with their own DroidDream remover application that was malware. So, not dumb.

So the thing with mimicking what Windows has been doing kind of keeps going. After DroidDream, here and there you'd find malware in the Android Market, other places, almost always premium-rate SMS stuff. The reason that this works is that in Russia, China, lots of Eastern Europe, when you go to get a premium-rate number, you can do it pretty much anonymously. You can get it probably today or tomorrow. When people actually hit the number and do the premium-rate message, you get paid almost instantly, or very quickly if nothing else. And it's not run by the carriers; it's not like there's a Verizon or an AT&T that's overseeing this. They're independent companies. So for a company like I worked for, Kaspersky, they would then go to these independent companies and say, these numbers are being used for malicious purposes. This company's getting a cut out of this malicious purpose, so it really doesn't behoove them to go, oh, we'll get it shut down today. It'd be 20, 30 days and they'd eventually shut it down. So they were taking a cut too.

This doesn't work in the US, though, because there are independent companies that do this, but the billing process by and large is run by the carriers, and they have a 30-day payment window. So you do this, and you can't do it anonymously. You can set up a premium-rate number, but it's probably going to go through one of the carriers' payment processes, and they're not going to pay you for 30 days. You're going to get caught. So that's really why it hasn't happened so much in the US yet. That said, there have been some instances of international premium-rate carriers that are able to bill US customers, and some of these malware will use that.

So what about botnets? The first real instance we saw was this thing called Geinimi, or however you want to pronounce it. It's a lot of vowels. So this was the real first instance that we saw of this type of malware, and it was pretty cool. I mean, this is well-engineered stuff. This is when we're starting to get away from that hello world code within the application. It could read and send SMS messages, it could delete messages, it could collect your messages, it can make phone calls, it can download files. Probably the coolest thing is that it could take commands from a remote C&C server, which was, to our knowledge and as far as I know at this point, unique at that point in time. And it can take all your contact information and send it up to a remote server. This is the actual command list off of that. This is from a company called Lookout that does some pretty awesome research on AV for mobile devices.

So really, you see the things on here: skip time, change frequency. If you've ever done any work with botnets or anything like that, the botnet clients typically have all sorts of calls like this that you can make to them. What's toast, colash, which one? I don't know. I believe it's to do with toast notifications on Android. When you get those pop-ups on the top of the screen, that's a toast notification. So I'm pretty sure they were able to push a toast notification. I don't know why you would do it, though, because I mean, kind of the point is not to let the user know that you're there. But I think it shows the extent of capabilities they had, though.

So then we're hot and heavy into antivirus at that point. People are actually seeing a need for it, people are actually getting infected. I was talking to magazines and stuff about it at that point on a pretty regular basis. And then this thing called Carrier IQ broke. So if you haven't heard of it, Carrier IQ is essentially a company, they're a legitimate company that sells this capability to different mobile makers to track the user's usage, and it basically is a rootkit on the phone. You can't remove it. You'd have to root your phone to get rid of it. So this was on a ton of HTC phones and some other companies' phones too, but HTC was the greatest offender. And it would collect all sorts of data about you: where you were, what you were doing, the SMS messages you were sending. And there was a lot of disagreement in the industry between researchers about what level you could see, but there was definitely consensus that you can see way too much; they're collecting way too much data on people.

So then some researchers figured out that there were vulnerabilities in the communication methodology, and this quote on the bottom is actually from the FCC, and basically what this means is that if I as a malware writer got you to install an application, I could then port into everything that Carrier IQ was sending back to their communication center and collect it myself. So pretty much total usage of the phone: GPS location, text messaging, all that stuff. And it was just impossible to remove without rooting the phone.

Some other cool examples of different things, when we saw the maturing of this: GGTracker. I'm sure pretty much everybody in here has had either themselves or a family member click on something and get fake antivirus to pop up. This is, it's not quite the same thing, but it's very similar. It's the first real successful campaign I've seen where you're distributing malware through social engineering. So what this was is it was actually an advertisement that would pop. You would get to a specific website, the advertisement would pop, and it looked like this, and at the time that's exactly what the Android Market looked like. But as you can see from the URL, you're definitely not on the Android Market. The other thing, the idea of installing an application that makes your battery work better is kind of counterintuitive, but these guys infected a ton of people. And the way this actually worked was it would cover the whole screen with the advertisement. You think, oh, well, this is the Android Market, I should install it, hey, it's free. And it would then do a bunch of collection stuff like your location, like the IMEI, the IMSI number. It could download and prompt you to install a new application. I don't think it ever did, but it had the capability there. A lot of this stuff, the early stuff, really looks like test versions of: are we going to be able to pull this off in the future? So this one was cool; it was pretty unique, and I think this was discovered by Lookout as well.

And then the big sea change happened: ZitMo. I don't know how many of you guys are familiar with Zeus. Yeah, like tons of you, okay. So the way Zeus works is it injects code or does keylogging or something like that, right? So what happened was European banks figured out, well, what if we do sort of a poor man's two-factor: we'll send a code as a text message to these people's phones that they have to put in on the website. Now we've got two-factor authentication, and even if their computer's infected, and even if there's keylogging going on, there's still probably not going to be able to get the whole process up to the C&C. And what that number is called that gets sent to the phone, it's called an mTAN, a mobile transaction authentication number.

So what the guys that were coding Zeus figured out is, well, why don't we just infect the phones too? So what happened was they actually would ask you to install an application, and they did it under the guise of being Trusteer. If you're not familiar with Trusteer Rapport, Trusteer is a Boston-based, well, they're actually an Israeli-based company that has an office in Boston, and they do a lot of work with top-tier banks. I know at least the top 10 of the top 20 banks use Trusteer, and it's basically just a malware detection or APT detection service, and they do a really good job. So they're both trading on Trusteer's name at this point for some social engineering, but they're telling you, for added security, install this application. What this application did was it would actually steal the mTAN number that was getting sent to your phone. So now they had compromised both sides of that two-factor authentication. It's pretty ingenious. And their coding methodology was good. Here's the website they were targeting; they're using quality logos to get this done. So pretty cool stuff.

So that so far was the cooler things that were happening within malware, and you can see those all are Windows campaigns just ported to Android, and they almost follow the same discovery methodology, where you start with basic stuff to steal money, you get more complex, you bring in some social engineering, and then finally you're doing B.

So then Google says, well, we're going to fix this. Anybody that has an iPhone who's followed Charlie Miller or Dino Dai Zovi, mostly Charlie Miller, you know that Apple's got a sandbox. When you write an app for iPhone, or for iOS in general, it goes through this whole review process. It's pretty, as far as I know it's entirely automated unless something really flags and you need somebody to look at it. It's very closed and there's not a lot of information around it, but they do review all the applications. Up until this point, everything on Android had been the wild west. It's like buyer beware, we're an open platform, good luck. So finally they couldn't really deal with this anymore. They had to sort of stem the tide of malware showing up in the Android Market; it must have been affecting their branding or something like that. So they released this thing called Bouncer.

So what Bouncer is is an execution sandbox for Android apps. If you've done any development for Android and sold it on the marketplace, you'll know you basically create an account, you put in your credit card, they charge 25 bucks, and you're a developer now. And up until this point you could write an app, put it up for sale, and it was on sale right there; people could get it in minutes. Bouncer comes out and it's going to slow down the process. It's going to do sandbox execution, it's going to stop malware and look at this stuff. The problem is that it's way underbuilt.

So the guys at Trustwave were pretty smart, and they basically wrote an app that is a test of Bouncer and submitted it to the market, and through doing this they figured out that there is a timeout period for the sandboxes that Bouncer is using. And this may not still be the case; there hasn't been a lot of follow-up research. I don't want to get banned from the marketplace, so I haven't really submitted anything. But they figured out if you just waited 5 minutes to launch your malicious code, you were fine. There are so many incoming applications; the thing just tests for 5 minutes, looks for network activity, looks for malicious libraries, SMS calls, things like that, and yep, this is good, and sends it along.

The other cool thing here is each phone has one account, one contact and two photos, and that's the whole sandbox. So not the smartest thing either. And then the other thing was that to accurately test these things against things like botnets and C&Cs and all that stuff, the apps have to have internet access. So what these guys at Trustwave were able to figure out is that if we do a callback, we can find out all the IP addresses Google is using in their sandbox. And they did this, and so technically speaking, and I'm absolutely recommending you don't do this, a Russian hacker could DoS the sandbox process or something like that. So it's a good attempt, but it's definitely not done. So it's pretty interesting stuff.

So that's, so far, everything was built around making money in one way or another, whether it was Russian gangs working collectively or individual actors. It was all aimed at that kind of process. And then, in a very Windows malware fashion, we see just last week Chuli.A. So this is the first publicly reported, I mean it's probably already happened, but this is the first publicly reported targeted attack using Android, and it's pretty crazy. This was also discovered by Kaspersky, by a colleague of mine, a really sharp guy named Kurt Baumgartner. He does APT research specifically around targeted attacks on activist groups and things like that, and he was one of the discoverers of this.

So what this is is there's a conference that started happening now between, what is it, I don't know how to pronounce it correctly, it's Uyghur, the Uyghur groups and just Chinese activists in general. They have this conference now. So whoever is attacking them, it looks to have Chinese attribution, I don't know, don't kill me. But what it was is they basically compromised one of the accounts for the activists and then used that account to spear-phish all his contacts with this campaign. And if you notice on the bottom there's an APK file; that's the installer file for Android. So when you install that, it takes you to a link, or it takes you to this handy conference application, and the conference application is really just a list of things that are going to happen that day at the conference. But what it did is it's able to collect all kinds of details, SMS messages. It's a really pretty clever piece of malware. It does geo-IP. So I sort of liken it to the Aurora attack on Google in 2009, '08, something like that. It's just a more modern approach to the same old attack, where you have a group of people that want to know what this breakout activist group is doing, and they just have a new attack vector.

So, to sort of wrap up, it's sort of amazing how much it parallels the Windows malware growth cycle, or timeline, or whatever you want to call it. It's really just repurposing a lot of old things. Android's definitely still not secure. 4.0 has got a bunch of cool stuff in it, but it's not like we're entirely secure, because of a lot of reasons: because of the marketplace, because of the nature of open source in some ways. But that's actually all I have. Did you guys have any questions on anything?

Q: How do you feel about the permissions-based model? Do you think it can be secured?

A: No. I mean, well, that's the thing. So all the Android SMS malware, like the premium-rate stuff, it asks you when you install it: services that cost you money. People just next, next, next, right past it. So it's a problem. It's like telling people not to click on links in their email. It's never going to get fixed. So you had one in the back?

Q: Yeah, I wonder what are they using for the C&C, what they use as the back end?

A: You mean...

Q: Yeah, like, that's one thing that, like, I've seen talk about mobile malware, you've got to take into account it's a mobile device, so you don't want to do anything network-heavy for data transfer.

A: Yeah. So this, like the targeted attack one for example, they wait for an SMS message to come in and then send one out. It waits for triggers. Some of them are time-based, so they'll do, like, two SMS messages per hour, so they're not just flooding you. And I think the US is different from a payment model than a lot of the rest of the world; they're just more connected, it costs less. The interesting thing about the Chuli malware, the targeted attack malware, is that they were actually able to locate the back end, and it's just Server 2008 with Chinese language turned on. And it's hosting a web page, and if you go to that web page it just says title, title, title in Chinese and then a bunch of random Chinese characters. But as you visit the page, if you hit it with a mobile device, it'll actually download that APK and try to install it. Cool. Did you have a question? Yes, sir.

Q: Any comments on the current status of anti-malware, antivirus for the Android platform? Vendor non-specific, just general comments about the quality of it.

A: So here's the problem you have. Like, I think I've got a Core i5 in this thing. If I want to do emulation and behavioral analysis and all sorts of things, sandboxing on this device, it's not going to be very painful. You definitely can't do that on mobile platforms yet. So to my knowledge, all the different antivirus companies are using signature-based detection. If somebody really rolls out any kind of quality polymorphic engine, you'd never be able to catch it all. The better thing is, I think, to look for signatures on exploits and try to do that. But it's still, you have to wait for the computing power of the platform to catch up before you can do any kind of quality analysis, I think.

Q: So do you recommend to your mother to get an antivirus for her Android phone?

A: Yeah, but only the free ones, which I definitely wouldn't have said in a past life. But, yeah, I mean, especially in the US it just doesn't happen. Actually getting an infected phone in the US is pretty tough. If you lived in Amsterdam or Russia, definitely, you need it. But within our little cell I don't think it's that important. Yep?

Q: What would be some indicators, if we do see a mass infection of US devices, what would be an indicator?

A: I don't know. It's hard to see.

Q: I guess my question is more, besides money, is there any other motivation that we see?

A: Well, so there's a different question there, actually. The problem with the US market isn't malware, it's advertising. When you install an application, I mean, don't forget Google's an advertising company. They do some incredible things; I don't want to badmouth Google, but they are an advertising company at their core. When you install an application from the Play market that has advertising injected into it, or has modules within the application, those modules get the same permissions on your phone that the application itself does. So the biggest problem right now is data leakage. If I allow some game from the Android Market to look at my contact list, it allows the application, or the advertising instance, to also collect my contact list, and I'm sure friends of mine have gotten targeted email campaigns around that stuff. I don't think you're going to see any until everybody's using Google Wallet or some sort of payment method like that. I don't think you're going to see any mass infections on the scale of Windows. I think advertising is providing enough money to everybody right now that there isn't really any real motivation. Anyone else? Well, if you want to come up after, that's cool, but thank you very much.

Thank you.
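As an added example (not code from the talk, nor from Rapid7, Kaspersky, Lookout or any other vendor mentioned in it), here is a small Python triage script for the permission patterns the talk keeps returning to: the "services that cost you money" permission behind the FakePlayer-style premium-rate SMS apps, the incoming-SMS-plus-network combination a ZitMo-style mTAN stealer needs, the IMEI/IMSI identifiers DroidDream and GGTracker collected, and the contacts-plus-network combination behind the closing Q&A point about ad modules inheriting the host app's permissions. The rule set, rule names and the three manifests are my own constructions; the permission and intent names are standard Android identifiers.

```python
"""Static triage of decoded AndroidManifest.xml files for the permission
combinations behind the malware families in the talk.  Added example, not
code from the talk or from any vendor; the three manifests are constructed."""
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERM_PREFIX = "android.permission."
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# (rule name, permissions that must all be declared, what the combination enables)
RULES = [
    ("premium-rate-sms", {"SEND_SMS"},
     "can text premium-rate numbers; the installer lists this as 'services that cost you money'"),
    ("sms-interception", {"RECEIVE_SMS", "INTERNET"},
     "can see incoming SMS (e.g. bank mTANs) and relay them to a server"),
    ("contact-exfiltration", {"READ_CONTACTS", "INTERNET"},
     "contact list is readable by the app and by any bundled ad module"),
    ("device-fingerprint", {"READ_PHONE_STATE", "INTERNET"},
     "can read IMEI/IMSI and report them remotely"),
]


def declared_permissions(manifest_xml: str) -> Set[str]:
    """Short names of every android.permission.* entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (node.get(ANDROID_NS + "name", "") for node in root.iter("uses-permission"))
    return {n[len(PERM_PREFIX):] for n in names if n.startswith(PERM_PREFIX)}


def has_sms_receiver(manifest_xml: str) -> bool:
    """True if any <receiver> registers for SMS_RECEIVED, the hook an
    mTAN stealer needs to see a text message as it arrives."""
    root = ET.fromstring(manifest_xml)
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_RECEIVED:
                return True
    return False


def triage(manifest_xml: str) -> List[str]:
    """Sorted names of every rule whose permission set is fully declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(name for name, needed, _ in RULES if needed <= perms)


def explain(manifest_xml: str) -> str:
    """Human-readable report for an analyst queue."""
    hits = triage(manifest_xml)
    lines = [f"{name}: {why}" for name, _, why in RULES if name in hits]
    if has_sms_receiver(manifest_xml):
        lines.append("sms-receiver: registers for SMS_RECEIVED broadcasts")
    return "\n".join(lines) or "no flagged permission combinations"


# Constructed manifests (hypothetical apps, not real samples).
FAKE_PLAYER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Movie Player"/>
</manifest>"""

FAKE_SECURITY_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securityupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Security Update">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in [("FakePlayer-style", FAKE_PLAYER),
                            ("ZitMo-style", FAKE_SECURITY_APP),
                            ("benign", FLASHLIGHT)]:
        print(f"== {label} ==\n{explain(manifest)}\n")
```

Run it over manifests decoded with a tool such as apktool. A hit is a reason to look closer, not a verdict: legitimate messaging and dialer apps declare the same combinations, which is exactly the "next, next, next" problem with the permission prompt that the Q&A describes.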