Countering mobile malware in CSP’s network. Android honeypot as anti-fraud solution

Aug 05, 2015

Denis Gorchakov
Transcript
Page 1: Countering mobile malware in CSP’s network. Android honeypot as anti-fraud solution

Countering mobile malware in CSP’s network. Android honeypot as anti-fraud solution

Denis Gorchakov, Nikolay Goncharov

Page 2

Lies, damned lies, and statistics

Annual AV reports say that Android malware has a 95% share among all malicious mobile apps. Russian subscribers are at the top of the list of mobile malware’s potential victims.

More than 50% of all mobile malware (worldwide) targets Russian subscribers. At the end of 2013 there were 1321 banking viruses out in the wild, and at the end of Q1 2014 this number increased to 2503.

On May 1, the Russian Government made Advice of Charge (AoC) legally mandatory for all VAS content services, so cybercriminals shifted their focus to mobile e-commerce and payment services and to SMS banking services. Mobile malware is slowly maturing, catching up with modern PC malware such as WinLocker, CryptoLocker, rootkits and RATs.

Page 3

What’s going on? Typical malware

• Bypasses common anti-fraud filter rules: randomizes the times, amounts and periods of withdrawals from subscribers’ funds.
• Provides VAS mobile content subscriptions with AoC bypass (“monetization” offers for webmasters).
• Shows unwanted ads in the notification drawer. Opens various promoted websites (black SEO).
• Steals call history, SMS logs and the phone’s address book.
• Sends SMS spam to address book contacts or to random numbers (viral distribution, bypassing SMS anti-spam services).
• Automates all SMS activity via built-in parsers for popular payment systems and banks.
• Combines phishing with clickjacking using interface tricks (card input overlays in Google Play, launching a rogue app above the original, etc.).

Marketing APT stories and spy-movie scenarios:
• Remotely controls your smartphone using the microphone, camera and sensors on demand.
• Uses smartphones for DDoS (data or voice).

Smart anti-reversing features:
• Interface tricks.
• Uses device location (not only GPS, but cell data too).
• Checks for a dummy/test number or device if no subscriber activity is present (checks SMS history, validates blank IMEI/IMSI, blacklists test SIM cards).
• Includes antivirus-specific bypass code (like the “kavf#cker” class).
• Checks for root privileges or tries root exploits.

Page 4

Bad Android!111

Unlike other mobile OSs, Android allows easy app installation from any untrusted source (just one tick in the device settings). All it takes is a little social engineering and the common addiction to piracy among risk groups. Criminals even manage to distribute malware through Google Play by exploiting deficiencies in its moderation and sandboxing. Until Google made recent changes to its Android vendor certification requirements, its firmware update policy was real hell: cheap devices, as well as devices just one year old, didn’t receive any updates with vulnerability fixes, let alone major Android version upgrades.

Page 5

Lies, damned lies, and statistics #2. The real deal

Only Android 4.2+ has the “More control of Premium SMS” feature that intercepts any premium SMS activity with confirmation dialogue.

SMS activity was redesigned only in Android 4.4, so every SMS sent from any app would be logged system-wide.

Most of these devices won’t receive a major upgrade.

Page 6

Numbers and interesting facts

Every day we receive about 80 000 links that lead to malicious mobile apps. Most of them aren’t unique and many are dynamically generated, but it’s still enough to begin automating the process. We work in the InfoSec Division: we’re not developers, there are few of us, and we can’t afford to research and develop machine learning algorithms the way app stores do. But we have our advantages: access to the CSP’s network and to specific tools.

«Reich» botnet. Targeted large banks. Even a few days of one C&C’s activity led to 5 500 subscribers being infected; moreover, more than 850 of them had money stolen from their bank accounts.

SIP virus. Created a SIPNet account after installation and transferred some amount of the subscriber’s funds to it. Could have been used for voice DDoS, but something went wrong.

Script kiddies again? Stupid typos and code errors. Hardcoding the plaintext decryption key in the malware’s body. Extending an account subscription on WoW free shards, seriously? Guys, come on, surprise us with dynamic hostnames?!

Page 7

Mobile Security (malware-C&C hostname)

Page 8

Honeypot architecture

The honeypot is used for botnet analysis, traffic capturing and revealing C&C hostnames. It’s also used for detecting subscribers with infected devices and monitoring malware activities like funds withdrawal and remote control. It also automates detection to help with internal business processes.

[Architecture diagram: Honeypot (Android agent with femtocell, WiFi and WWW connectivity, SMSC with SMPP client, service emulation) and Server (PostgreSQL, web interface, operator PC) inside the CSP’s network; inputs from DPI/DNS analysis/AV solution etc.; output: report with infected/compromised subscriber device stats.]

Page 9

Network diagram and service integration

[Network diagram: antivirus platform, monitoring, SGSN, SORM, exterior gateway, traffic mirroring, gateway loop for traffic processing, GGSN, workstation on a control channel (VPN) used for selection of suspicious sessions, data processing, database server on a control channel (VPN).]

Page 10

Description

Android application (agent):
• Gets C&C botnet hostnames and IPs
• Gets traffic dumps, network and any other communication activity from malicious apps
• Gets C&C MSISDNs and fund collectors’ MSISDNs
• Reveals sensitive data leaks to remote servers
• Stores its monitoring stats server-side

Server:
• DPI-like traffic analysis
• Records traffic signatures, provides stats on C&C hostnames and MSISDNs, infected subscribers
• Whitelisting/blacklisting
• Dynamic routing, i.e. to the antivirus platform or to a landing page with a custom warning

Page 11

Android app

[Diagram: Android phone running apps (VK, Opera, Bot) alongside the Sniffer, which forwards captured activity over WWW to the Server.]

Page 12

Web interface

Page 13

Web interface

Page 14

Web interface

Page 15

Features

• No root is required, no device-specific requirements

• Doesn’t affect device performance and data transfer speed on device

• Requires Android 4.0.3+ (API level 14+)

• Capturing all data transferred from the device

• Analyses incoming and outgoing SMS and USSD messages

• Stores every app’s activity separately

• Has white/blacklist for apps

• Shows apps that require SMS and Internet permissions

• Client-server architecture
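The server-side logic that the Description (page 10) and Features (page 15) slides outline, written here as an added example rather than code from the honeypot itself: per-app records uploaded by the agent are matched against already-revealed C&C hostnames and fund collectors’ MSISDNs, whitelisted apps are skipped, non-whitelisted apps that both use the network and send SMS are reported, and infected subscribers get a routing decision. The record layout, the package names, the hostnames and the MSISDNs are all constructed for this example and are not from the deck.

```python
from collections import defaultdict

# Constructed agent records: (subscriber MSISDN, app package, event kind, target).
# The layout is an assumption made for this example, not the honeypot's real schema.
AGENT_EVENTS = [
    ("79160000001", "com.vkontakte.android", "dns", "api.vk.com"),
    ("79160000001", "com.example.bot", "dns", "cc-panel.example"),
    ("79160000001", "com.example.bot", "sms_out", "+79990000001"),
    ("79160000002", "com.opera.browser", "http", "www.opera.com"),
    ("79160000002", "com.example.bot", "http", "cc-panel.example"),
    ("79160000003", "com.example.flashlight", "http", "ads.example"),
    ("79160000003", "com.example.flashlight", "sms_out", "3333"),
]

WHITELIST = {"com.vkontakte.android", "com.opera.browser"}  # apps never inspected
CC_HOSTS = {"cc-panel.example"}          # C&C hostnames revealed earlier (constructed)
COLLECTOR_MSISDNS = {"+79990000001"}     # fund collectors' numbers (constructed)
NETWORK_KINDS = {"dns", "http"}


def analyse(events, whitelist=WHITELIST, cc_hosts=CC_HOSTS, collectors=COLLECTOR_MSISDNS):
    """Return infected subscribers, per-C&C stats, suspect apps and routing decisions."""
    per_app = defaultdict(lambda: defaultdict(set))   # (msisdn, app) -> kind -> targets
    infected, cc_subscribers = set(), defaultdict(set)
    for msisdn, app, kind, target in events:
        if app in whitelist:
            continue
        per_app[(msisdn, app)][kind].add(target)
        # Known-indicator rules: contact with a C&C host or an SMS to a collector number.
        if kind in NETWORK_KINDS and target in cc_hosts:
            infected.add(msisdn)
            cc_subscribers[target].add(msisdn)
        elif kind == "sms_out" and target in collectors:
            infected.add(msisdn)
    # Behavioural rule (mirrors "shows apps that require SMS and Internet permissions"):
    # a non-whitelisted app that both talks to the network and sends SMS is reported
    # even when no known indicator matched.
    suspects = sorted(key for key, kinds in per_app.items()
                      if "sms_out" in kinds and kinds.keys() & NETWORK_KINDS)
    # Dynamic routing decision: infected subscribers go to the antivirus platform.
    routing = {msisdn: "antivirus_platform" if msisdn in infected else "normal"
               for msisdn, _ in per_app}
    return {
        "infected": sorted(infected),
        "cc_stats": {host: len(subs) for host, subs in cc_subscribers.items()},
        "suspects": suspects,
        "routing": routing,
    }


if __name__ == "__main__":
    print(analyse(AGENT_EVENTS))
```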

Page 16

Roadmap

• SSL/TLS MitM attack

• Expanding predefined white/blacklists

• Implementing behavioral metrics

• Optimizing auto-detection logic

• Improving sensitive data leak detection

• Intercepting and modifying C&C server’s commands

• Implementing a traffic analysis solution inside telecom network