![Page 1: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/1.jpg)
![Page 2: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/2.jpg)
About the Speakers
• Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg Security department.
• Tom
• Ph.D. in computer science
• Specialist in distributed systems and networks
• Involved in several ESA projects
• Joany
• Main focus on penetration testing
• Has already written paper about Android security
• Paper Malicious Android Applications: Risks and Exploitation - "A Spyware story about Android Application and Reverse
Engineering“ - (22/03/10) – Available in the SANS Reading Room
Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Hack.lu 2013 Slide 2
![Page 3: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/3.jpg)
What we won’t/will cover
• New phishing technique
• DEF CON 19 - Nicholas J. Percoco & Sean Schulte
• “This is REALLY not the droid you're looking for...”
• Distribution of free copy (virus-free) of GTA V
• Bypass the Android permission model
• New Technique for hiding Android Malware
Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Hack.lu 2013 Slide 3
![Page 4: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/4.jpg)
Evolution of Android Malware
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 4
• August 2010 - Application “Movie Player” • First Android SMS Trojan Found in the Wild
• December 2010 - Geinimi Trojan • First one that has botnet-like capabilities
• Found in repackaged versions of legitimate applications
• March 2011 - DroidDream Malware
• First one that uses an exploit to gain root permissions
![Page 5: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/5.jpg)
Evolution of Android Malware
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 5
• April 2013 - “BadNews” malware family • Distributed as an ad framework for developers
• July 2013 - First Android Malware that uses the Master Key' Android Vulnerability • Allows attackers to inject malicious code into legitimate Android applications
without invalidating the digital signature
• September 2013 - JollyBot - Malware as a Service
![Page 6: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/6.jpg)
Audience Poll
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 6
• Would you install those applications ?
![Page 7: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/7.jpg)
Audience Poll
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 7
• Would you install those applications ?
![Page 8: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/8.jpg)
Audience Poll
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 8
• Would you install those applications ?
![Page 9: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/9.jpg)
Audience Poll
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 9
• Would you install those applications ?
![Page 10: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/10.jpg)
Audience Poll
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 10
• Would you install those applications ?
![Page 11: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/11.jpg)
Have You Made the Right Choice ?
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 11
Video available on sagsblog.telinduslab.lu
![Page 12: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/12.jpg)
![Page 13: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/13.jpg)
Application Phishing via a Distributed Malware – Phishing under the hood (1/5)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 13
![Page 14: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/14.jpg)
Application Phishing via a Distributed Malware – Phishing under the hood (2/5)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 14
Inter-Process Communication via Intents
Chuck Norris Facts Reloaded Application - AndroidManifest file
![Page 15: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/15.jpg)
Application Phishing via a Distributed Malware – Phishing under the hood (3/5)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 15
• Security Weaknesses introduced by Intents
the com.facebook.katana.LoginActivity had a vulnerable intent which allowed the exfiltration of data
Proof of concept piece of malware - "Facebook" for Android 1.8.1
![Page 16: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/16.jpg)
Application Phishing via a Distributed Malware – Phishing under the hood (4/5)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 16
• Security Weaknesses introduced by Intents
• Presentation from André Moulu (quarkslab), SSTIC2013
• Around 10 Samsung OEM vulnerabilities related to misconfigured intents
• What about providing applications with (intentional) misconfigured intents ?
Android OEM's applications (in)security and backdoors without permission
![Page 17: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/17.jpg)
Application Phishing via a Distributed Malware – Phishing under the hood (5/6)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 17
Chuck Norris Facts application
Fetch user credentials
(Fake DME UI)
Ultimate explorer application
Trigger “Application 2” start up
Remote webserver
Upload credentials
Scan local network
Upload SD Card content
File chunk (base 64)
File chunk (base 64)
File chunk (base 64)
Dump SD Card content
Upload scan result
Upload scan result
Upload File chunk (b64)
Upload File chunk (b64)
Upload File chunk (b64)
Gathered device
information
Boot Completed
File rebuild
Intent i = new Intent(Context, TargetClassName.class) i.putExtra(“key”, “value”)
![Page 18: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/18.jpg)
Application Phishing via a Distributed Malware – Google Play Scenario (1/2)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 18
![Page 19: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/19.jpg)
Application Phishing via a Distributed Malware – Google Play Scenario (2/2)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 19
![Page 20: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/20.jpg)
Application Phishing via a Distributed Malware – Antivirus testing
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 20
![Page 21: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/21.jpg)
Application Phishing via a Distributed Malware – Antivirus testing
Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 21
Tested with 10 antivirus programs:
• Avast! Mobile security
• Dr Web Light
• Ikarus mobile
• Lookout
• Mc Affee Security
• Zoner Antivirus
• AVG Antivirus
• Norton Mobile
• Eset Security
• Trend Micro Mobile Security
0 detection!
![Page 22: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/22.jpg)
Application Phishing via a Distributed Malware - Here is the best antivirus …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 22
![Page 23: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/23.jpg)
Application Phishing via a Distributed Malware - Here is the best antivirus …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 23
Patton Boggs LLP represents Carlos Ray Norris, aka Chuck Norris, the famous actor and celebrity. … we recently learned that you have developed and are distributing a software application that uses Mr. Norris’s name and/or image without authorization on Google Play. Therefore we have asked Google to remove your application from Google Play because it violates Mr. Norris’s intellectual property rights.
![Page 24: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/24.jpg)
Application Phishing via a Distributed Malware - Here is the best antivirus …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 24
![Page 25: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/25.jpg)
![Page 26: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/26.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario (1/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 26
• Goal
• Split permissions and malware components across several applications
• Trick the user into installing all the required components
• Technical methods
• Distribute malware content across repackaged applications
• Communicate between applications using intents
• Social methods
• Choose appealing applications
• Advertise repackaged applications
![Page 27: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/27.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario (2/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 27
App Type 1App Type 2
Service
)
Main Activity
Service
Main Activity
Intent i = new Intent() i.setComponent(new ComponentName("app1_pkg", "app1_pkg.HackLuApp1Service")) i.setAction("hack.lu.ex.data") i.putExtra("device_unique_id", device_unique_id) i.putExtra("apps_installed", apps_installed)
Generate 128-bit UUID (androidId + macAddr)
Get Installed Apps
Data Exfiltration
Bidirectional Communication
android.permission.INTERNET android.permission.ACCESS_WIFI_STATE
![Page 28: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/28.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario (3/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 28
• Use the same technique using repackaged applications
android.permission.INTERNET
Type 1: 4 Applications
![Page 29: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/29.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario (4/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 29
android.permission.ACCESS_WIFI_STATE
Type 2: 4 Applications
![Page 30: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/30.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 30
![Page 31: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/31.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 31
![Page 32: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/32.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 32
![Page 33: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/33.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 33
![Page 34: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/34.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 34
![Page 35: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/35.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 35
![Page 36: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/36.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 36
![Page 37: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/37.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 37
![Page 38: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/38.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 38
![Page 39: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/39.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 39
![Page 40: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/40.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 40
![Page 41: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/41.jpg)
Distributed Malware via Repackaged Applications – Here is what can happen …
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 41
Awesome Dirty Jokes App Type 2
Start Main Activity
WikiMovies App Type 1
Start Service
Intent i = new Intent() i.setComponent(new ComponentName("app1_pkg", "app1_pkg.HackLuApp1Service")) i.setAction("hack.lu.ex.data") i.putExtra("device_unique_id", device_unique_id) i.putExtra("apps_installed", apps_installed)
![Page 42: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/42.jpg)
Distributed Malware via Repackaged Applications – Technical Deep Dive (1/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 42
• Develop the malware using Eclipse
1. Type 1 service– used for data exfiltration
2. Type 2 service – used for data fetching
• Mobile device MAC address and installed apps
![Page 43: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/43.jpg)
Distributed Malware via Repackaged Applications – Technical Deep Dive (2/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 43
• Build the project and retrieve the APK file
• Reverse engineer this file to extract Dalvik bytecode
![Page 44: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/44.jpg)
Distributed Malware via Repackaged Applications – Technical Deep Dive (3/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 44
• Retrieve applications APK file on Google Play
• Reverse engineer those files to extract Dalvik bytecode
![Page 45: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/45.jpg)
Distributed Malware via Repackaged Applications – Technical Deep Dive (4/4)
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 45
• Inject Services’ Dalvik bytecode in reverse engineered apps
• Modify the AndroidManifest and Services files accordingly
![Page 46: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/46.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario Results
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 46
• At first glance, not enough downloads … on October, 16th
Few Type 2 – Applications Downloaded
![Page 47: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/47.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario Results
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 47
• What about adding an additional Type 2 – Application and advertising our applications ?
![Page 48: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/48.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario Results
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 48
![Page 49: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/49.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario Results
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 49
• What about adding an additional Type 2 – Application and advertising our applications ?
android.permission.ACCESS_WIFI_STATE
2 Type 1 Applications android.permission.INTERNET
![Page 50: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/50.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario Results
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 50
• What about adding an additional Type 2 – Application and advertising our applications ?
android.permission.ACCESS_WIFI_STATE
1 Type 2 Application android.permission.ACCESS_WIFI_STATE
![Page 51: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/51.jpg)
Distributed Malware via Repackaged Applications – Google Play Scenario Results
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 51
![Page 52: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/52.jpg)
Recommendations
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 52
• (unintentional) misconfigured intents
• Use of PendingIntent
• Add permission on sensitive components
• protectionLevel of “Signature”
• (intentional) misconfigured intents
• Inform about intents that an application can send
• Broadcast intents or specific intents
• Modify permissions display accordingly
![Page 53: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/53.jpg)
Conclusion
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 53
• Way to bypass Android permissions model
Hide permissions among several applications
• …Chuck Norris is one of the best Mobile AV
![Page 54: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/54.jpg)
Current/Future works
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 54
Ongoing whitepaper:
• Split well known malwares and test against antivirus programs
• Use broadcast intents as stealthier method
Future enhancements:
• Create a tool to automate the process of payload injection and split between several applications.
• Use techniques to hide malware code
• Upcoming hack.lu talks of Jurriaan Bremer and Axelle Apvrille
Room for the spread of distributed Android malware
![Page 55: About the Speakers · 2013-10-29 · About the Speakers • Tom Leclerc and Joany Boutet are Security Consultants working for Security, Audit and Governance Services, a Telindus Luxembourg](https://reader034.vdocuments.mx/reader034/viewer/2022050518/5fa1e00e067bb804944aeb0b/html5/thumbnails/55.jpg)
Questions ?
Hack.lu 2013 Tom Leclerc & Joany Boutet Telindus S.A. Luxembourg Slide 55
"As penetration testers, we need to figure out what our installed applications offer to perform on behalf of other apps, in an effort to better understand the security risk of the application and the overall device itself"
Chris Crowley, "Intentional Evil: A Pen Tester's Overview of Android Intents“ SANS Penetration Testing Blog, May 2013