15.05.2022 © IKARUS Security Software GmbH

How we hacked an online mobile banking Trojan
Sebastian Bachmann & Tibor Éliás

12.10.2015 IKARUS Security Software GmbH

Good evening to everybody and welcome to this presentation about our first encounter with a persistent mobile Trojan for Android.

About: Sebastian Bachmann & Tibor Éliás
Working as Mobile Malware Analysts
Specialized in Android devices and applications
Working at IKARUS Security Software GmbH since 2012 / 2014
Our daily tasks involve:
Analysis of Android Malware
Research of possible threats
Creation of proof-of-concept applications
Tools development
Analysis of incidents that involve mobile Malware

First off, a bit about myself and Sebastian (who unfortunately couldn't make it for tonight's presentation). I've been working for IKARUS Security Software GmbH since 2014 as an Android Malware analyst. My specialty is analyzing and identifying malicious Apps as well as developing analysis tools and handling incidents such as the one I'm going to talk about now.

About This Presentation
We present:
An example of an Online Banking Fraud
Where the analysis went wrong
How the problems were solved and what we learned from all this

Tonight I will be talking about one of the Online Banking Frauds that managed to hit one of our clients. Unfortunately we weren't fully prepared for this kind of Malware, so there were a couple of minor hiccups, such as the unintentional locking of a smartphone. In this presentation I will go into the details of how the malware functioned and how we managed to recover the Smartphone.

Contents
The incident details
Initial analysis
APK analysis
Our first encounter with a persistent mobile Malware on Android
Static Analysis of the Malware
Abusing the DeviceAdmin App component
Crypto code analysis
Finding and answering questions
Cracking the Malware
Review of options to recover the infected smartphone
Manipulation of Malware code at run-time
To crack the password
Remove the Malware
Lessons learned

So, here's a list of things that you will hear about tonight in more detail:

Incident Details
April, 2014

On a Friday afternoon

Online Banking Trojan was detected on PC

A suspicious mobile component was also involved

In April 2014 an online banking Trojan was detected on a PC. This malicious software came with a mobile component, which was used to lift money from a bank account. The device that was infected was a Samsung Galaxy Nexus, which had Android 4.2 installed.

Initial Analysis 1/2
+ ADB was not enabled
+ Device was not rooted
~ No suspicious App icons shown
- Unknown sources were enabled
- App manager lists a suspicious App
- The smartphone was known to be compromised

+ Good indications
- Bad indications
~ Other indications

So, the first thing we did was take the phone and look for different indications of a software infection on the smartphone. There were no suspicious icons shown in the Android Launcher menu and the device was not rooted. That was the good thing. The bad was that unknown sources were enabled, meaning that there were probably Apps installed on the smartphone that did not come from Google Play. We already knew that the smartphone was compromised judging from the information that we got from the owner.

Initial Analysis 2/2
We enabled Android Debug Bridge (ADB)
Pulled all installed APKs from the device:

    # pm prints "package:<path>=<pkg>"; keep only the path and strip the CR that adb shell adds on older Android
    for app in $(adb shell pm list packages -f | tr -d '\r' | cut -d ':' -f 2 | cut -d '=' -f 1); do
        DIR=$(dirname "$app" | tr '/' '_')      # e.g. /data/app -> _data_app
        [[ ! -d "$DIR" ]] && mkdir "$DIR"
        adb pull "$app" "$DIR/"
    done

Found an infected APK
Called com.certificate-1.apk

So, what we did is that we enabled the Android Debug Bridge, pulled all installed APKs from the device and ran a virus scanner on the dumped APK files. What we've found was an infected APK called com.certificate-1.apk.

com.certificate-1.apk
MD5: a10fae2ad515b4b76ad950ea5ef76f72
Over 15 positive detections on VirusTotal
Trojan-Banker.AndroidOS.Hesperbot
Package Name: com.certificate
Service: LogFilterService
Receivers: SmsReceiver, ModuleAdminReceiver
Activity: ActicationActivity

After running all the samples through our internal analysis tools we realized that one of the samples was indeed malicious. It was known by many virus scanners on VT, including. So, we took a closer look at it.

LogFilterService: Communicates with the Command & Control server through SMS. Decodes incoming commands and executes them. Deletes SMS messages, kills running processes, manages an SQLite DB, etc.
SmsReceiver: responsible for reading and storing SMS messages
ModuleAdminReceiver: handles Admin requests, pop-ups, revocation and locking, but we will get back to it later on.
ActicationActivity: The only Activity that the user can interact with.


com.certificate-1.apk


To verify that we were indeed dealing with malware, we looked at the contents of the APK file and realized that it had an SQLite DB file called spy.db.

com.certificate-1.apk
android.permission.SEND_SMS
android.permission.INTERNET
android.permission.RECEIVE_WAP_PUSH
android.permission.WRITE_SMS
android.permission.PROCESS_OUTGOING_CALLS
android.permission.GET_TASKS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS
android.permission.RECEIVE_MMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_SMS
android.permission.READ_LOGS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.KILL_BACKGROUND_PROCESSES

To follow up on what we learned about the sample, we took a quick peek at the permissions. SMS-related dangerous permissions are highlighted in purple. Most of the other permissions, such as task reading and killing and writing to the External Storage, were unused by the malware or not implemented.

Judging from all the information we gathered, the sample was very likely malicious.

Video Demo

Right, why not try and remove it?

The following video demo will show you a removal attempt of Hesperbot.

This meant that the malware was found. But what happened there?

Abusing DeviceAdmin
The reason why the device was locked just like that:

The reason why the device was locked just like that is the use of the DeviceAdmin component in Android. Here we see a strip of the source code that is responsible for locking and unlocking the smartphone.

Thankfully the source code of the malware was not obfuscated and we were able to decompile it without running into any problems.

The first condition generates a password, while the other code block acquires the DevicePolicyManager. When the user tries to revoke the Admin rights from the Malware, it uses the generated password to lock the device. This is done through the use of the resetPassword() function, followed by literally locking the device and denying the user access to his or her smartphone and the data that is stored on the locked device.

Crypto Code Analysis
The EncodeThis() function uses RC5
Block size 32 bit, Cipher Length 64 bit and 12 Rounds
The cipher is initialized using rCode (response code)
rCode is acquired by the Malware when it is activated by the user

Right so, the EncodeThis() function is responsible for encrypting the uninstall password. We looked at the implementation of this function, which turned out to be using the RC5 encryption algorithm with a block size of 32 bits and a code length of 64 bits running on 12 rounds. The rCode referenced in the previous code is created when the Malware is activated, as shown on the illustration.

Crypto Code Analysis
rCode is generated using the activation code entered by the user

The rCode is generated using the activation code. Here, no randomization is used: the algorithm always generates the same number sequence for each activation code. This is important information: if the activation code is known, then the uninstallation code can be generated by encrypting the string "uninstall" using RC5.

Unfortunately for us, the activation code was unknown to us.

So what we had to do was go deeper and take the Malware apart bit by bit.

Finding and Answering Questions
How was the DeviceAdmin enabled on the device?
Can we extract the response code (rCode) from the locked device?
If not, can we brute force the key?
Was there communication with the Botmaster?
If so, is it still working?
How was the smartphone infected?
What if it gets infected right away as the Malware is removed?
Is there another trap hidden?

There were a couple of questions that arose during the analysis which we had to answer in order to unlock the device and get rid of the Malware.

How was the DeviceAdmin enabled?
Right after starting the first Activity a Service is started
This Service invokes the Activity to request Admin rights
This Service checks if Admin rights are given
The request is shown every 3 seconds
Answer: The dialog window for the Admin request popped up right away each time "no" was tapped by the user, making him or her tap on the Activate button out of panic or annoyance.

DeviceAdmin Request
Timer creation
DeviceAdmin request

Can we extract the rCode from the locked device?
cert.db is inside the App's data folder

These files are not readable or writable for the adb user

No root access on the device

Rooting the device was no option
Because of data loss
Boot loader was locked

Answer: it is a no go

There was no access to the App's data. No root was available, the bootloader was locked and the data on the smartphone was important to the client, so this was a no go.

Brute Forcing the Key?
About 10,000 different activation and rCode pairs available
Every uninstall code is 25 characters long
A 30 second lock is triggered at every 5th wrong attempt
5 seconds to enter 5 codes + 30 seconds pause leaves us with about 48 hours on average
Not to mention the time to generate the numbers

Answer: probably not

Right, well what about brute forcing the key?

Was there communication with the Botmaster?
Communication with the Botmaster through SMS

We've managed to communicate with the Malware through specially crafted SMS messages.

This was all tested on an emulator, and after figuring out the functionality of the Malware we understood how the botmaster was chosen. In this illustration you can see all the possible SMS commands that can be given to the Malware through ANY SMS message. For example, if the message started with a "+" it was treated as a telephone number and the Malware was expecting commands from this telephone number. There was functionality to enable SMS forwarding as well as to uninstall the Malware remotely. This was the function that interested us the most. So, we explored how an SMS could delete an instance of this Malware. Unfortunately, this required us to have the registered telephone number, which we did not have.

How was the Smartphone infected?

Basically, the infected computer injects into the web browser to overlay banking website pages, such as the one on the example illustration. This form tells the user that there is a possibility to protect their account if they provide a telephone number. To this telephone number a security certificate is sent.

How was the Smartphone infected?

Another example illustration shows the dialog page for providing an Activation code and typing back a response code.

Video Demo

Here is a demonstration of how the activation code is entered and how the response code is generated.

Are there any more traps to worry about?
Answer: Complete static and dynamic analysis showed no sign of a secondary persistence mechanism implemented in the Malware. However, we found signs of code parts that were unused or not implemented for other spying and anti-detection functionalities.

What can we do?
Rewrite as own Admin? No, activation code needed.

Send uninstall Code? No, activation code needed.

Decrypt Password? No, ...

Conclusion: We need the activation or response code!

Cracking the Malware 1/2
Let us use Java Reflection and the DexClassLoader

In order to play the role of the puppeteer, we decided to manipulate the code of the malware by loading it into an Application that would have access to all the Classes and functions of the Malware. In order to achieve that we made use of the DexClassLoader and Java's Reflection API.

Cracking the Malware 2/2
Make the Malware generate all possible passwords:

This allowed us to trick the malware into thinking that it was being activated more than once, allowing us to generate a list of activation, rCode and uninstallation codes.

The Response Code
Is well hidden in a sqlite3 database in /data/data/com.certificate/databases/cert.db
Only readable for the App and root
We have no root nor the same group as the user
But we can now generate codes from an existing DB!

We were able to locate where the keys were stored by the Malware, but we had no access to them.

Master Key Exploit
Different implementations of the ZIP parser in Android (by the way, ZIP is a weird format...)

Duplicate items in ZIP will cause different outcomes

Original classes.dex for verification

Our classes.dex for execution!

Extracting the key using the Master Key Exploit from the infected Smartphone
Used an older version of WinRAR to package our code and change the code of the Malware.
Use the SMS Receiver to execute our code in the Context of the Malware:

We forced the malware to print the contents of the database onto ADB Logcat. To del

Extracting the key using the Master Key Exploit from the infected Smartphone

Deploying Master Key Package
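An added example, not the team's tooling: a Python check that flags the packaging trick the Master Key slide describes, a ZIP (APK) whose central directory lists classes.dex twice, and returns every copy so that the file a verifier saw and the file a loader would run can be compared. The sample archive is constructed inline; it is not the malware.

```python
import io
import warnings
import zipfile


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample (not the real malware): a minimal APK-like ZIP, optionally
    carrying two entries named classes.dex, as the Master Key packaging does."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns on duplicate names but still writes them
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00replacement")
    return buf.getvalue()


def duplicate_entries(data: bytes) -> list:
    """Names that occur more than once in the central directory. A clean APK has none;
    a duplicate classes.dex means two parsers may end up using two different files."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return sorted(name for name, n in counts.items() if n > 1)


def all_copies(data: bytes, name: str) -> list:
    """Contents of every entry with the given name, in central-directory order, so a
    reviewer can diff the copy that was verified against the copy that would execute."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]
```

Note that Python's own ZipFile.read("classes.dex") silently returns the last copy; which copy another parser picks is exactly the ambiguity the slide is about, so audit by entry, not by name.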

Success!
Attacker used a Ukrainian Telephone Number
Last contact was at 2014-04-08 6:45:44 am CEST
The Attacker disabled the trojan
Uninstall Code translates to: k3zp7iq4r6ggwktjrmt3jlxl3
Activation Code was: 899172

Lessons Learned 1/2
If possible, analyze the behavior of the code before attempting to remove the Malware from the target device
Create a Checklist & Ruleset for your internal use
Assume the worst case
Build analysis tools to show you the dangerous stuff
Try not to be too hasty
Try to be as precise as possible!
Do not start your analysis on Friday afternoon ;)

Lessons Learned 2/2
Make Backups, even of your Smartphone
If Ransomware hits you, just reset the device...
Dangerous activities are now highlighted

Source of Hesperbot Cracker (Including all Uninstall Codes)
https://github.com/IKARUSSoftwareSecurity/hesperbot-cracker

Sebastian Bachmann
https://www.reox.at

Tibor Éliás

Thank you for your attention!

Backups