Embed Size (px)
Citation preview
Classification: Internal
www.nviso.be
Using Mobile Malware tactics for red teaming
November 2019
Classification: Internal
JEROEN BECKERS
― Mobile solution lead at NVISO― Primary author of SEC575 (NVISO)― Co-author of
― OWASP Mobile Security Testing Guide (MSTG)
― OWASP Mobile Application Security Verification Standard (MASVS)
Classification: Internal
Mobile devices
www.nviso.be | 3
Malware tactics for red teaming
Classification: Internal
Mobile Malware in a tiny nutshellMalware tactics for red teaming
Subscription scams
Ransomware Ad fraud
Premium text fraud
Classification: Internal
Mobile Banking TrojansMalware tactics for red teaming
Classification: Internal
Android vs iOS
www.nviso.be | 6
Malware tactics for red teaming
?
Classification: Internal
Necessary stepsMalware tactics for red teaming
Create application
Install application
Get the data
Classification: Internal
Creating an application
www.nviso.be | 8
Classification: Internal
Different optionsCreating an application
Classification: Internal
How does malware do it?Creating an application
0
10
20
30
40
50
60
70
80
90
Create Steal
Classification: Internal
Can we do it?Creating an application
Classification: Internal
» adb pull /data/app/com.limebike-1/base.apk/data/app/com.limebike-1/base.apk: 1 file pulled. 23.6 MB/s (26939075 bytes in 1.090s)»
Obtaining a valid APKCreating an application
Get APK from deviceSTEP 1
Classification: Internal
» apktool d base.apkI: Using Apktool 2.4.0 on base.apkI: Loading resource table... ...I: Baksmaling classes.dex...I: Baksmaling classes2.dex...I: Baksmaling classes3.dex...I: Copying assets and libs...I: Copying unknown files...I: Copying original files...»
Modifying the applicationCreating an application
Decompile the applicationSTEP 2
Classification: Internal
SMALI codeCreating an application
Classification: Internal
Adding SMALI codeCreating an application
ModifySTEP 3
Classification: Internal
» apktool b baseI: Using Apktool 2.4.0...I: Building apk file...I: Built apk...» jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 –keystore keystore.keystorebase/dist/base.apk mykeystore...
adding: META-INF/MYKEYSTORE.RSAsigning: resources.arsc
...jar signed.
Recompiling & signingCreating an application
Recompile & signSTEP 4
Classification: Internal
Testing the applicationCreating an application
Possible hurdles:
- Original application already installed
- Application contains Runtime Application
Self Protection (RASP)
Classification: Internal
A toast message is nice, but …Creating an application
Classification: Internal
Installing the application
www.nviso.be | 19
Classification: Internal
Different approachesInstalling the application
Classification: Internal
How does malware do it?Installing the application
Classification: Internal
Chamois Family
www.nviso.be | 22
Installing the application
- 5 stages of obfuscation and anti-RE
- Dynamic payload system
- Premium SMS & Ad fraud
Source: Chamois: The Most Impactful Android Botnet
of 2018 - Maddie Stone
Classification: Internal
How does malware do it?Installing the application
Source: Android Security & Privacy
2018 Year In Review (Google)
Classification: Internal
Third party app storesInstalling the application
Classification: Internal
Drive-by downloadsInstalling the application
=
Classification: Internal
Can we do it?Installing the application
Yes, but…
Accepts malware
Allowed by EULA
Controlled environment
Loading external code
Easy installation
Classification: Internal
Can we do it?Installing the application
Yes, but…
Accepts malware
Allowed by EULA
Controlled environment
Loading external code
Easy installation
Classification: Internal
Can we do it?Installing the application
Yes, but…
Accepts malware
Allowed by EULA
Controlled environment
Loading external code
Easy installation
Classification: Internal
Get the data
www.nviso.be | 29
Classification: Internal
Application sandboxesGet the data
Classification: Internal
How does malware do it?
www.nviso.be | 31
Get the data
Accessibility Overlay attacks Phishing
Classification: Internal
Accessibility (A11Y)
www.nviso.be | 32
Get the data
Classification: Internal
Accessibility (A11Y)
www.nviso.be | 33
Get the data
Classification: Internal
Overlay attacks
www.nviso.be | 34
Get the data
Classification: Internal
Drawing on top
www.nviso.be | 35
Get the data
http://cloak-and-dagger.org/
Classification: Internal
BankBot
www.nviso.be | 36
Get the data
Classification: Internal
Can we do it?Get the data
Annoy user to give access
Pretend to be Google / Samsung / …
Full control over all visual items
Can be activated with Accessibility
Not granted by default
Probably not needed
Classification: Internal
Can we do it? – Credentials
www.nviso.be | 38
Get the data
Intune Gmail Full controlWIFI
Classification: Internal
Can we do it? – 2FA
www.nviso.be | 39
Get the data
G Suite MS Authenticator
Classification: Internal
Conclusion
www.nviso.be | 40
Classification: Internal
Can we do it?
www.nviso.be | 41
Conclusion
Create application
Install application
Get the data
Social engineering
Blocked by MDM
Easy to copy
Some development
required
Easy social
engineering
Most applications
not protected
Classification: Internal
www.nviso.be
Thank you!
Jeroen Beckers
linkedin.com/in/beckersjeroen
