How Android Based Phone Helped Me Win American Idol (Elad Shapira)


ClubHack 2011 Hacking and Security Conference. Talk: How Android Based Phone Helped Me Win American Idol. Speaker: Elad Shapira.


How Android based phone helped me win American Idol

Elad Shapira (elad.shapira@avg.com)

Mobile Security Researcher AVG Mobilation

Today’s agenda…


No worries – it will be Gr347!!!

Let’s get crazy..

Agenda

• Bad things malware can do to an Android device (Demo).

• Vectors that can be done with SMSs (Demo).

• Artificial Intelligence in Android (Demo).

• TapJacking Attack (Demo).

• Ideas for Denial Of Service attacks.

• Current/Future Trends to come in malware (Demos!).

• Questions & Answers.


Disclaimer: The information contained in this presentation is for learning purposes only.

Please don't use this information for other uses, except doing good to the world.

There are two rival football clubs in Tel Aviv (Israel):

Maccabi Hapoel

Meet our participants for the next few slides

The Target The Attacker


The Attacker goes undercover…

Greetings Hapoel fans…

I’m a fanatic Hapoel fan like you.. ahmm..

I want to recommend you my new app with 24/7 updates about the team..

1337 app… you should install it!

How will the fans get it?!

The attacker’s honeypot to the fans

If we want to get mass target base…


If I want mass Hacker target base

When scanning the QR code…

We can create a more “legit” URL & APK name that will convince the user to download the app

The app downloaded to the device:

All is quiet.. But when the match is over..

• Background - Changed to Maccabi logo..

• Ringtone - Changed to Maccabi song..

• SMSs - Sent to all contacts found in the device

– “We are losers… I don’t believe this! I'm such a lame to support this team. Maccabi rulez..”

• GPS coordinates (Latitude/longitude)…


Different content (Toast) by physical location

“Don’t forget to tell your friends you witnessed that shame with your own eyes!”

“With that ability it’s a good thing you didn’t show your face in the stadium!”

Demo workflow

• Step 1 – User installs External APK file.

• Step 2 – External APK requests the user to install Internal APK.

• Step 3 – Removing External APK (Internal APK still running).

• Step 4 – Date changed (trigger for the coming actions).

• Step 5 – Background is changed.

• Step 6 – A message given to user (based on user’s GPS location, for example inside stadium).

• Step 7 – SMS sent to contact (Another Device).

• Step 8 – Ringtone is changed.

• Step 9 – SMS from Mobile provider is dropped.

• Step 10 – If the device boots, the Internal APK auto-starts.

This may also lead to the following scenario

I’m telling you it’s the app! It’s the app!

I am Hapoel fan! Aiiiiiiiii!!!!

Tip: This will work for Cricket too..

From demo to real-life (1/3)

DogWar

Auto starts

SMS registration sent to PETA service

SMS text sent to contacts

From demo to real-life (2/3)


End of world Trojan

Jifake

Background changed

Usage of QR code

Checking whether SMS originated from mobile operator or provider

Dropping and deleting the SMS

RogueSPPush

From demo to real-life (3/3)


RogueSPPush

SpyEye

Usage of high priority to get SMSs before other apps

trick?!

BaseBridge
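A defender's view of the traits named in the demo workflow and on the real-life slides (auto-start at boot, a high-priority SMS receiver, SMS and contact permissions), as an added example that is not from the talk: a triage pass over a decoded `AndroidManifest.xml`. The severity labels, the permission notes and the sample manifest are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer defusedxml
NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
# Permissions behind the demo behaviours (this mapping is an assumption).
PERMISSION_NOTES = {
    "android.permission.SEND_SMS": "can send SMS to contacts or premium numbers",
    "android.permission.RECEIVE_SMS": "can see incoming SMS",
    "android.permission.READ_CONTACTS": "can enumerate contacts",
    "android.permission.ACCESS_FINE_LOCATION": "can read GPS position",
}

def triage_manifest(manifest_xml):
    """Return (severity, message) findings for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in PERMISSION_NOTES:
            findings.append(("info", f"{name}: {PERMISSION_NOTES[name]}"))
    for receiver in root.iter("receiver"):
        rname = receiver.get(NS + "name", "?")
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.iter("action")}
            try:
                priority = int(flt.get(NS + "priority", "0"))
            except ValueError:
                priority = 0  # resource reference: treat as default priority
            if SMS_RECEIVED in actions and priority > 0:
                findings.append(("high", f"{rname}: SMS_RECEIVED priority {priority}"))
            if BOOT_COMPLETED in actions:
                findings.append(("medium", f"{rname}: starts on BOOT_COMPLETED"))
    return findings

# Constructed sample manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsGate">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Since Android 4.4 the SMS_RECEIVED broadcast can no longer be aborted by third-party apps, so the priority finding matters mainly on older releases such as those listed in this talk.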

What else can we do with SMSs?

Delete record from the call log

Capable of ending calls

Capable of answering calls

Setting volume to ‘0’

Catch coming phone calls

Phone calls can be manipulated as well

Vectors that can be done with SMSs (1/2)

• Sending SMSs to premium numbers.

• Control a botnet for voting for American Idol.

• Running Linux commands on device via SMSs.

• Get & use information of user’s accounts

– Used in banks, mobile payments.

• Phishing

– Man in the Middle - redirect to website.

– Download my malicious app (with an exploit?)

• SPAM.

Vectors that can be done with SMSs (2/2)

• Target Mobile Provider

– Drop billing SMSs from operator.

– Offer discounts in the name of provider.

– Change billing value.

• Search for specific words

– ‘revolution’ , ‘bomb’ , ‘password recovery’..

• Used in other ’interesting’ places

– We can steal a car using SMS, SCADA Systems.

Artificial Intelligence in Android

• Automatic chat like famous ‘Eliza’.

• Spotting SMSs with questions (W*?)

– “cancel meeting” or “can’t come to the interview”…

• Spot co-workers and send them SMS

– “I don’t like working with you! You smell bad!!!!”

• Spot close relation contacts and ‘play Cupid’

– “Goodbye… I don’t want to see you anymore… I cheated you with…”.


From ClickJacking to TapJacking

• The user is misled into performing undesired actions.

• There is no user indication – Actions taking place in the background.

• Examples of undesired actions:

– Installing malicious applications.

– Changing security settings.

– Performing a full device wipe.

– More…
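One way to check an app's own screens for the tapjacking exposure described above, as an added example that is not from the talk: a lint over a layout XML file that lists tappable views not covered by `android:filterTouchesWhenObscured` (a View attribute available since Android 2.3). The tag list and the sample layout are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Widget tags treated as tappable (an assumption; extend for custom views).
TAPPABLE = {"Button", "ImageButton", "CheckBox", "ToggleButton"}

def unprotected_views(layout_xml):
    """Return ids of tappable views that accept touches while obscured."""
    missing = []

    def walk(node, covered):
        # The flag on a ViewGroup also filters touches for its children.
        covered = covered or node.get(NS + "filterTouchesWhenObscured") == "true"
        tappable = node.tag in TAPPABLE or node.get(NS + "clickable") == "true"
        if tappable and not covered:
            missing.append(node.get(NS + "id", node.tag))
        for child in node:
            walk(child, covered)

    walk(ET.fromstring(layout_xml), False)
    return missing

# Constructed layout: one protected group, two unprotected tappable views.
SAMPLE_LAYOUT = """<LinearLayout
    xmlns:android="http://schemas.android.com/apk/res/android">
  <LinearLayout android:filterTouchesWhenObscured="true">
    <Button android:id="@+id/confirm_wipe"/>
  </LinearLayout>
  <Button android:id="@+id/install"/>
  <TextView android:id="@+id/label" android:clickable="true"/>
</LinearLayout>"""
```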


Permission-based security model

• Apps are not adequately reviewed before being placed on the Market.

• Permission-based security model

– average user in charge of critical security decisions.

• The following example will be demonstrated:

What does ‘READ_PHONE_STATE’ mean?

Denial Of Service Attacks

• Control a Botnet for Denial Of Service Attacks

– Mobile Operator / Website / Other target.

• Target current Mobile provider/Manufacturer

– Disable the internet & connectivity on the phone.

• Target a person

– disable his connectivity for a while..

• Cause battery loss.

• Erase content and data on the device.

Other ways the bad guys can make $

• Blackmail

– Encrypt content.

– Copy user’s files from device to remote server.

• Using the devices’ CPUs remotely via a botnet.

We love Android!

Current and future trends

• Use a device as hacking platform (Demos!).

• Anti Debugging techniques (Demo).

• Usage of updated exploits (Demo).

• Social Engineering.

• Anti ‘Anti Virus‘.

• Getting malicious updates.

• Signed malware.

• Google TV.

• Android@home + Android@car.

Trend #1 – Use a device as hacking platform

• Facesniff.

• Android Network Toolkit (Anti).

• DroidSheep.

• Caribou.

• More to come..


‘Point-Click-Root’

Trend #2 - Anti Debugging techniques

• Detecting if running in emulator.

• ‘Debuggable’.

• Encryption.

• Obfuscation.

• Checking Checksum.


Trend #2 - Anti Debugging techniques

NickiSpy


Getting IMEI of the device

Checking if it’s an emulator

Lena

Encryption Algorithm

Obfuscation - Can you analyze this?

Yesss!!!!

I can read this!


Trend #3 – Usage of updated exploits (1/4)

Android Versions

• 1.5 “Cupcake”

• 1.6 “Donut”

• 2.0/2.1 “Éclair”

• 2.2 “FroYo”

• 2.3 “Gingerbread”

• 3.0/3.1 “Honeycomb”

• 4.X “Ice Cream Sandwich”

Trend #3 – Usage of updated exploits (2/4)

Zimperlich

RATC Exploid

KillingInTheNameOF

GingerBreak

GingerBreak


Levitator

Trend #3 – Usage of updated exploits (3/4)


Gingerbreak exploit Scripts

GingerMaster

Trend #3 – Usage of updated exploits (4/4)

Trend #4 – Social Engineering

NetFlix Lena

Jimm

Trend #5 – Anti ‘Anti Virus’

Checking whether an antivirus exists among the installed packages

The name says it all.. “Sorry”

“Application (in the process) stopped unexpectedly, please try again” “forced off”

BaseBridge

Trend #6 – Getting malicious updates (1/2)

Plankton

Connection to remote server

Information collected and sent to remote server

Jar file to download from the remote server

Trend #6 – Getting malicious updates (2/2)

Plankton

Dalvik executable

Dynamically loading the file

Trend #7 – Signed malware (1/2)

Original legitimate Google certificate

DroidKungFu – Signed with a ‘fake’ certificate

Trend #7 – Signed malware (2/2)

Trend #8 – Google TV

• Google TV is a Smart TV platform from Google.

• Announced on May 20, 2010 (Google I/O event).

• Co-developed by Google, Intel, Sony and Logitech.

• Integrates Google’s Android operating system and the Linux version of Google Chrome browser.

• Creates an interactive television overlay on top of existing internet television and WebTV sites.

Few scenarios for exploiting Google TV

1 - Channel Redirection

2 - Adding commercials & Hidden frames

3 - Information warfare

How did Jay Leno get a higher rating than the Super Bowl???

Not a Google TV..

Trend #9 – Android@home

• Android phone/tablet

– Interface between you and every electronic device.

• Using your phone you’ll be able to:

– dim the lights.

– turn up the heating.

– switch on your television.

• Your device has GPS ->

– Switch off the lights

– Put the TV on standby

– turn the heating back down.

Trend #9 – Android@car

I repeat. I am in a middle of a car chase!

There’s no driver in the vehicle!!!


Now you know how I won American Idol…


I'm s-h-o-c-k-e-d.

I think you should not sing. Really.

But it turns out that the audience at home love you..

Simon Cowell

Judge in American Idol

Will this be the topic for next year?

• Feel free to stay in touch..

Elad.Shapira@avg.com

• Thanks go to:

– ClubHack organizers.

– AVG Mobilation founder & CTO, Dror Shalev.


Hacked Windows Phone 7

Q & A


Thank you!
