Join the phishing dots to detect suspicious mobile apps

transcript

Unifying the Global Response to Cybercrime

Leonardo Amor & Carlos Díaz Telefónica

LeoAmor@telefonica.com & Carlos.DiazHidalgo@telefonica.com

Telefonica Group

21 Countries

120.000Employees

50.377m Income

>340m Customers

Our employees

Mostly: •  Telco engineers •  Computer Science •  Engineers •  ….. •  Science or ScienCst people

But there also space to:

•  Lawyers •  Business administraCon •  Economist •  Psychologist •  Philologist

Diversity

Ideas explosion

ü Unfortunately yet not everyone knows to code ü Fortunately everyday schools are geRng it should be one more basic class.

The need of visual coding

ü  & Visual Data

Sinfonier Our Open project to visual coding

Drag & Drop Interface

AutomaCc Deploy API

Storm Cluster

Sinfonier

Tacyt One of our sources

May 18 19 20 21 22 23 24 New 10.105 5.702 9.998 15.483 15.294 9.394 10.647

Dead 1.140 2.200 2.014 1.917 2.856 1.446 646

Up 3 Million Apps today

21.649 of them contains .apks 50.993 has links to .cn domains

One of these ideas

Laziness

or Intense work

ü  To check human errors inside APPs (Shared CerCficates, e-‐mails, URL’s, APK’s…)

16 DISCOVER, DISRUPT, DELIVER

It’s demo time Tacyt + Sinfonier

ü An innovaCve tool for the monitoring and analysis of mobile threats ü hfps://path5.elevenpaths.com/

Sinfonier

ü Storm Builder for Security Intelligence ü hfp://sinfonier-‐project.net/

Sinfonier

Reinject into the topology the new list of applicaCons

Ducksboard: hfps://goo.gl/uKnHT3

ü A real-‐Cme dashboard ü hfps://ducksboard.com/

Data VisualizaCon

ü hfp://d3js.org/ ü D3.js is a JavaScript library for manipulaCn documents based on data

Data VisualizaCon: Data EnCCes

ü hfp://ecrime2015.us.to:2015/zoom.html

“key” [packageName][version][market]

hfps://play.google.com/store/apps/details?id=com.zaccur.b07.main

GP “developerEmail” embedded link that points an “apk” file

hfp://d.guomob.com/1142/2.apk

Data VisualizaCon: Example1

ü hfp://ecrime2015.us.to:2015/example1.html ü GP link: hfps://play.google.com/store/apps/details?id=com.qfang.qfangmobile

•  One developer –  3117479220@qq.com

•  One mobile applicaCon in GP –  com.qfang.qfangmobile

•  Five embedded “apk” files –  hfp://down.gao7.com/Files/down/wxjx_2.2.3_C227.apk –  hfp://s.51aiya.com/content/down/aiya14100234.apk –  hfp://www.159cai.com/download/vip/43332/159cai_shouji.apk –  hfp://shoufu.3gu.com/Run/Upload/Apk/QFangWang.apk –  hfp://www.wanggouchao.com/data/apk/wgc/v2.5.6/wgc_10021.apk

ü hfp://ecrime2015.us.to:2015/example1.html ü GP link: hfps://play.google.com/store/apps/details?id=com.qfang.qfangmobile

•  One developer –  3117479220@qq.com

•  One mobile applicaCon in GP –  com.qfang.qfangmobile

•  Five embedded “apk” files –  hfp://down.gao7.com/Files/down/wxjx_2.2.3_C227.apk –  hfp://s.51aiya.com/content/down/aiya14100234.apk –  hfp://www.159cai.com/download/vip/43332/159cai_shouji.apk –  hfp://shoufu.3gu.com/Run/Upload/Apk/QFangWang.apk –  hfp://www.wanggouchao.com/data/apk/wgc/v2.5.6/wgc_10021.apk

ü hfp://ecrime2015.us.to:2015/example2.html

•  Three differents developers –  joowill9588@gmail.com –  hong@jingeng.cn –  info@bluby.com

•  Four mobile applicaCons in GP

•  Three applicaCons point to the same embedded “apk” files –  hfp://update.iuoooo.com/Android/

componentvoice/xfyy1.apk –  hfp://update.iuoooo.com/Android/

componentvoice/xfyy2.apk

ü hfp://ecrime2015.us.to:2015/example3.html

•  Three different developers •  7 mobile applicaCons in GP •  13 embedded “apk” files

ü hfp://ecrime2015.us.to:2015/farm.html

Analysis of a Case

ü hfp://ecrime2015.us.to:2015/managementapp.html

One developer: •  gameungdunghay@gmail.com

com.giaitriviet.book.androidgp.bookaudio : 50-‐100

Analysis of a Case: 12 GP applicaCons

com.giaitriviet.android.haivai : 10-‐50

com.giaitriviet.androidgp.womanday : 500-‐1000

com.giaitriviet.androidgp.saigon : 50-‐100

com.giaitriviet.androidgp.wallpaperquotes : 5-‐10

com.giaitriviet.androidgp.wallpapernaturals : 100-‐500

com.giaitriviet.androidgp.vietnam : 10-‐50

com.giaitriviet.androidgp.saigon1950 : 10-‐50

com.giaitriviet.androidgp.masterchef : 50-‐100

com.giaitriviet.androidgp.managerapplicaCon : 1-‐5

com.giaitriviet.androidgp.fallsaigon1975 : 10-‐50

com.giaitriviet.android.caravat : 50-‐100

Domain: mediafire.com

Analysis of a Case: Detail of embedded “apk”

All links are up

Analysis of a Case: HotGirl & ChanDai

Be a variant of a known malware family

The app creates or modifies SMS

Monitors phone state (incoming calls)

Uploads the list of apps currently running to a remote server

The app modifies shortcuts on the home screen

Data VisualizaCon: Satellite Photo

ü hfp://ecrime2015.us.to:2015/ ü If you click this URL, most likely you are running out of memory in your computer

h9p://ecrime2015.us.to:2015/

Data VisualizaCon: Satellite Photo

ü hfp://ecrime2015.us.to:2015/ ü If you click this URL, most likely you are running out of memory in your computer

Conclusions

•  This presentaCon is only the beginning … •  We have generated a RSS feed of embedded “apk” files …

•  We have a graphical representaCon of the relaConship between three types of enCCes …

•  … now is the Cme for analysts

Community

Join us: sinfonier-‐project.net

@e_Sinfonier @flexpired @LeoAmorV

Join the phishing dots to detect suspicious mobile apps

Data & Analytics