How Android based phone helped me win American Idol
Elad Shapira ([email protected])
Mobile Security Researcher AVG Mobilation
Today’s agenda…
No worries – it will be Gr347!!!
Let’s get crazy..
Agenda
• Bad things a malware can do to Android device (Demo).
• Vectors that can be done With SMSs (Demo).
• Artificial Intelligence in Android (Demo).
• TapJacking Attack (Demo).
• Ideas for Denial Of Service attacks.
• Current/Future Trends to come in malware (Demos!).
• Questions & Answers.
Disclaimer: The information contained in this presentation is for learning purposes only.
Please don't use this information for other uses, except doing good to the world.
There are two rival football clubs in Tel Aviv (Israel)
Maccabi Hapoel
Meet our participants for the next few slides
The Target The Attacker
The Attacker goes undercover…
Greetings Hapoel fans…
I’m a fanatic Hapoel fan like you.. ahmm..
I want to recommend you my new app
with 24/7 updates about the team..
1337 app… you should install it!
How will the fans get it?!
The attacker’s honeypot to the fans
If we want to get mass target base…
If I want mass Hacker target base
When scanning the QR code, we can create a more “legit” URL & APK name that will convince the user to download the app.
The app downloaded to the device:
All is quiet.. But when the match is over..
• Background - Changed to Maccabi logo..
• Ringtone - Changed to Maccabi song..
• SMSs - Sent to all contacts found in the device
– “We are losers… I don’t believe this!
I'm such a lame to support this team. Maccabi rulez..”
• GPS coordinates (Latitude/longitude)…
Different content (Toast) by physical location
Don’t forget to tell your friends you witnessed that shame with your own eyes!
With that ability it’s a good thing you didn’t show your face in the stadium!
Demo workflow
• Step 1 – User installs External APK file.
• Step 2 – External APK requests the user to install the Internal APK.
• Step 3 – Removing the External APK (Internal APK still running).
• Step 4 – Date Changed (Trigger for coming actions).
• Step 5 – Background is changed.
• Step 6 – A message given to user (based on user’s GPS location, for example inside stadium).
• Step 7 – SMS sent to contact (Another Device).
• Step 8 – Ringtone is changed.
• Step 9 – SMS from Mobile provider is dropped.
• Step 10 – If the device boots the Internal APK auto starts.
This may also lead to the following scenario
I’m telling you it’s the app! It’s the app!
I am Hapoel fan! Aiiiiiiiii!!!!
Tip: This will work for Cricket too..
Auto starts
SMS registration
sent to PETA service
SMS text sent to contacts
From demo to real-life (1/3)
DogWar
From demo to real-life (2/3)
End of world Trojan
Jifake
Background changed
Usage of QR code
Checking whether SMS originated from mobile operator or provider
Dropping and deleting the SMS
RogueSPPush
From demo to real-life (3/3)
RogueSPPush
SpyEye
Usage of high priority to get SMSs before other apps
trick?!
BaseBridge
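The demo workflow above (an SMS from the provider dropped before the user sees it, auto-start on boot) and the high-priority SMS receiver trick noted for RogueSPPush and BaseBridge all leave traces in an app's manifest. Here is an added example, not code from the talk or from any of the samples named, of a static triage pass over an AndroidManifest.xml that flags those traces: a receiver for SMS_RECEIVED with a priority above 0, a BOOT_COMPLETED receiver, and permission combinations that together enable the demo's behaviour. The manifest is constructed to resemble the demo app; the package name and receiver class names are invented.

```python
"""Static triage of an AndroidManifest.xml for the behaviours shown in the
demo: SMS capabilities, auto-start on boot, and a high-priority SMS_RECEIVED
receiver that sees (and can abort) texts before other apps.
Added example with a constructed manifest; not code from the talk."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed manifest resembling the demo app (package and class names invented).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Fan Updates">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Permission sets that, together, enable one behaviour from the demo workflow.
COMBOS = {
    "sms_to_contacts": {"android.permission.SEND_SMS",
                        "android.permission.READ_CONTACTS"},
    "sms_intercept_and_exfil": {"android.permission.RECEIVE_SMS",
                                "android.permission.INTERNET"},
    "location_triggered": {"android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.RECEIVE_BOOT_COMPLETED"},
}


def triage_manifest(xml_text):
    """Return a sorted list of human-readable findings for the manifest."""
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    findings = []
    for label, needed in COMBOS.items():
        if needed <= perms:
            findings.append("permission combo: %s" % label)
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            prio_raw = attr(flt, "priority")
            prio = int(prio_raw) if prio_raw is not None else 0
            if SMS_RECEIVED in actions and prio > 0:
                findings.append("high-priority SMS receiver: %s (priority %d)"
                                % (attr(receiver, "name"), prio))
            if BOOT_COMPLETED in actions:
                findings.append("auto-start on boot: %s" % attr(receiver, "name"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A high priority on an SMS_RECEIVED filter is also used by legitimate SMS apps, so that finding is a triage signal to be read together with the permission set, not a verdict on its own.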
What else can we do with SMSs?
Delete record from the call log
Capable of ending calls
Capable of answering calls
Setting volume to ‘0’
Catch coming phone calls
Phone calls can be manipulated as well
Vectors that can be done with SMSs (1/2)
• Sending SMSs to premium numbers.
• Control a botnet for voting for American Idol.
• Running Linux commands on device via SMSs.
• Get & use information of user’s accounts
– Used in banks, mobile payments.
• Phishing
– Man in the Middle - redirect to website.
– Download my malicious app (with an exploit?)
• SPAM.
• Target Mobile Provider
– Drop billing SMSs from operator.
– Offer discounts in the name of provider.
– Change billing value.
• Search for specific words
– ‘revolution’ , ‘bomb’ , ‘password recovery’..
• Used in other ’interesting’ places
– We can steal a car using SMS, SCADA Systems.
Vectors that can be done with SMSs (2/2)
Artificial Intelligence in Android
• Automatic chat like famous ‘Eliza’.
• Spotting SMSs with questions (W*?)
– “cancel meeting” or “can’t come to the interview”…
• Spot co-workers and send them SMS
– “I don’t like working with you! You smell bad!!!!”
• Spot close relation contacts and ‘play Cupid’
– “Goodbye… I don’t want to see you anymore… I cheated you with…”.
From ClickJacking to TapJacking
• User is misled into performing undesired actions.
• There is no user indication – Actions taking place in the background.
• Examples for undesired actions:
– Installing malicious applications.
– Changing security settings.
– Performing a full device wipe.
– More…
Permission-based security model
• Apps are not adequately reviewed before being placed on the Market.
• Permission-based security model
– average user in charge of critical security decisions.
• The following example will be demonstrated:
What does ‘READ_PHONE_STATE’ mean?
• Control a Botnet for Denial Of Service Attacks
– Mobile Operator / Website / Other target.
• Target current Mobile provider/Manufacturer
– Disable the internet & connectivity on the phone.
• Target a person
– disable his connectivity for a while..
• Cause battery loss.
• Erase content and data on the device.
Denial Of Service Attacks
Other ways the bad guys can make $
• Blackmail
– Encrypt content.
– Copy user’s files from device to remote server.
• Using the device’s CPU remotely as part of a botnet.
We love Android!
Current and future trends
• Use a device as hacking platform (Demos!).
• Anti Debugging techniques (Demo).
• Usage of updated exploits (Demo).
• Social Engineering.
• Anti ‘Anti Virus‘.
• Getting malicious updates.
• Signed malware.
• Google TV.
• Android@home + Android@car.
Trend #1 – Use a device as hacking platform
• Facesniff.
• Android Network Toolkit (Anti).
• DroidSheep.
• Caribou.
• More to come..
‘Point-Click-Root’
Trend #2 - Anti Debugging techniques
• Detecting if running in emulator.
• ‘Debuggable’.
• Encryption.
• Obfuscation.
• Checking Checksum.
Trend #2 - Anti Debugging techniques
NickiSpy
Getting IMEI of the device
Checking if it’s an emulator
Lena
Encryption Algorithm
Obfuscation - Can you analyze this?
Yesss!!!!
I can read this!
Trend #3 – Usage of updated exploits (1/4)
• 1.5 “Cupcake”
• 1.6 “Donut”
• 2.0/2.1 “Éclair”
• 2.2 “FroYo”
• 2.3 “Gingerbread”
• 3.0/3.1 “Honeycomb”
• 4.X “Ice Cream Sandwich”
Android Versions
Trend #3 – Usage of updated exploits (2/4)
Zimperlich
RATC Exploid
KillingInTheNameOF
GingerBreak
GingerBreak
Levitator
Trend #3 – Usage of updated exploits (3/4)
Gingerbreak exploit Scripts
GingerMaster
Trend #3 – Usage of updated exploits (4/4)
Trend#4 - Social Engineering
NetFlix Lena
Jimm
Trend#5 – Anti ‘Anti Virus’
Checking if Anti virus exist in installed packages
The name says it all.. “Sorry”
“Application (in the process) stopped unexpectedly, please try again” “forced off”
BaseBridge
Trend#6 – Getting malicious updates (1/2)
Plankton
Connection to remote server
Information collected and sent to remote server
Jar file to download from the remote server
Trend#6 – Getting malicious updates (2/2)
Plankton
Dalvik executable
Dynamically loading the file
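The anti-debugging tricks in Trend #2 (emulator check via the IMEI and Build values, the debuggable flag), the installed-package check in Trend #5 and the remote jar loading in Trend #6 each leave characteristic strings in a sample's classes.dex. As an added example, not the talk's code or any named sample's, the script below scans a strings dump (such as the output of `strings classes.dex`) for those indicators and groups the hits by category. The dump is constructed: the URL and package name in it are invented, while the emulator identifiers are the Android emulator's own Build values and the all-zero IMEI it reports.

```python
"""Group strings from a DEX/APK strings dump into anti-analysis categories:
emulator detection, debugger detection, installed-package enumeration and
dynamic code loading. Added example with constructed input; not the talk's code."""
import re
from collections import defaultdict

# Constructed strings dump. "goldfish", "generic", "google_sdk" and the
# 15-zero IMEI are what the stock Android emulator reports; the URL and
# com.example.av are invented placeholders.
SAMPLE_STRINGS = """Lcom/example/fanapp/MainActivity;
getDeviceId
000000000000000
Landroid/os/Build;
FINGERPRINT
generic
goldfish
google_sdk
isDebuggerConnected
FLAG_DEBUGGABLE
getInstalledPackages
com.example.av
http://update.example/payload.jar
loadClass
DexClassLoader
""".splitlines()

# Regexes per category; each is an Android API name, Build value or file
# suffix that the technique in question needs to reference.
INDICATORS = {
    "emulator_detection": [r"^goldfish$", r"^generic", r"^google_sdk$", r"^sdk$",
                           r"^0{15}$", r"^getDeviceId$"],
    "debugger_detection": [r"isDebuggerConnected", r"FLAG_DEBUGGABLE"],
    "package_enumeration": [r"getInstalledPackages", r"getInstalledApplications"],
    "dynamic_code_loading": [r"DexClassLoader", r"\.jar$"],
}


def scan_strings(lines):
    """Map each indicator category to the dump lines that matched it (in order)."""
    hits = defaultdict(list)
    for line in lines:
        s = line.strip()
        if not s:
            continue
        for category, patterns in INDICATORS.items():
            if any(re.search(p, s) for p in patterns):
                hits[category].append(s)
    return dict(hits)


def summarize(hits):
    """Number of distinct anti-analysis categories seen; several together in
    an app with no plausible reason for them is a strong triage signal."""
    return {"categories": sorted(hits), "count": len(hits)}


if __name__ == "__main__":
    found = scan_strings(SAMPLE_STRINGS)
    for category, matches in found.items():
        print("%-22s %s" % (category, ", ".join(matches)))
    print(summarize(found))
```

Any one of these categories is also found in legitimate software (emulator checks in games, DexClassLoader in plugin frameworks), so the value of the scan is in the combination, and in pointing the analyst at which classes to read first.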
Trend#7 – Signed malware (1/2)
Original legitimate Google certificate
DroidKungFu – Signed with a ‘fake’ certificate
Trend#7 – Signed malware (2/2)
• Google TV is a Smart TV platform from Google.
• Announced on May 20, 2010 (Google I/O event).
• Co-developed by Google, Intel, Sony and Logitech.
• Integrates Google’s Android operating system and the Linux version of Google Chrome browser.
• Creates an interactive television overlay on top of existing internet television and WebTV sites.
Trend#8 - Google TV
Few scenarios for exploiting Google TV
1 - Channel Redirection
2 - Adding commercials & Hidden frames
3 - Information warfare
How did Jay Leno get a higher rating than the Super Bowl???
Not a Google TV..
Trend#9 - Android@home
• Android phone/tablet
– Interface between you and every electronic device.
• Using your phone you’ll be able to:
– dim the lights.
– turn up the heating.
– switch on your television.
• Your device has GPS ->
– Switch off the lights
– Put the TV on standby
– turn the heating back down.
Trend#9 - Android@car
I repeat. I am in the middle of a car chase!
There’s no driver in the vehicle!!!
Now you know how I won American Idol…
I'm s-h-o-c-k-e-d.
I think you should not sing. Really.
But it turns out that the audience at home love you..
Simon Cowell
Judge in American Idol
Will this be the topic for next year?
• Feel free to stay in touch..
• Thanks goes to :
– ClubHack organizers.
– AVG Mobilation founder & CTO, Dror Shalev.
Hacked Windows Phone 7
Q & A
Thank you!