Android Malware in Practice Part I

Android Filesystem Layout

visitor@UOA283090 ~ $ adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,....
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,...
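As an added example (not from the slides), a small Python parser for the mount table above that flags the options a defender would check on a device: /system staying read-only, writable mounts carrying nosuid and nodev, and shared storage (the FAT32/FUSE sdcard, which has no inbuilt security) being noexec. The sample lines are taken from the table above and the finding names are my own.

```python
# Constructed sample modelled on the `adb shell mount` table in the slides
# (the trailing "...."/"..." on the fuse/vfat lines is the slide's own truncation).
SAMPLE_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,....
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,...
"""

def parse_mounts(text):
    """Parse /proc/mounts-style lines into dicts of device, mountpoint, fstype, opts."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # blank or badly truncated line
        device, mountpoint, fstype, optstr = parts[:4]
        # drop the "...."/"..." truncation marker so it is not read as an option
        opts = {o for o in optstr.split(",") if o and not o.startswith(".")}
        mounts.append({"device": device, "mountpoint": mountpoint,
                       "fstype": fstype, "opts": opts})
    return mounts

def audit_mounts(mounts):
    """Flag mounts that weaken the posture the deck describes: /system must stay
    read-only, writable mounts should carry nosuid and nodev, and shared storage
    (FAT32 / FUSE sdcard, which has no file permissions) should be noexec."""
    findings = {}
    for m in mounts:
        opts, issues = m["opts"], []
        if m["mountpoint"] == "/system" and "ro" not in opts:
            issues.append("system-writable")
        if "rw" in opts and "nosuid" not in opts:
            issues.append("rw-without-nosuid")
        if "rw" in opts and "nodev" not in opts:
            issues.append("rw-without-nodev")
        if m["fstype"] in ("vfat", "fuse") and "noexec" not in opts:
            issues.append("shared-storage-exec")
        if issues:
            findings[m["mountpoint"]] = issues
    return findings
```

On the sample table this reports /dev (rw without nodev) and /mnt/sdcard (FUSE storage without noexec), while the extSdCard vfat mount passes because it is mounted noexec.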
Android Filesystem Layout: the mounts of interest
• / - root of the filesystem hierarchy
• /system - the ROM that holds all system binaries
• /data - read/write location for user applications
• /cache - transient data space for user applications
• /efs - phone-specific information such as the IMEI number
• /mnt/sdcard - FAT32 filesystem with no inbuilt security

Application locations
• System applications
  • /system/app/<AppName>.apk
• User applications
  • /data/app/<AppName>.apk (preloaded)
  • /data/app/<AppPkgName>-1.apk (downloaded)
  • /mnt/secure/asec/<AppPkgName>-1.apk (sdcard)

App Signing
• All apps are signed with a key, giving Android the ability to distinguish distributors of software
• Two applications signed with the same key carry identical digital signatures and can be grouped in the same security context

Android Debug Bridge
• The Android Debug Bridge (ADB) gives the developer access to an Android device connected via USB or IP
• Once connected to a device, ADB provides developers an interface to a rich suite of tools for managing the device

ADB Push / Pull
• Using ADB we are able to transfer files to and from the device
• Pull test.txt off the device and place it in the current working directory:
  • adb pull /mnt/sdcard/test.txt [local location]
• Push the local test.txt to the sdcard on the device:
  • adb push ./test.txt /mnt/sdcard

Android Manual Install
• Manually install an application
  • adb push com.myapp.hello.apk /data/app/
  • (permissions need to be changed to 0644)
  • adb install com.myapp.hello.apk
• Manually uninstall an application
  • adb uninstall com.myapp.hello

Package Manager
• pm is a tool provided to manage, and give details about, applications and permissions.
• List all applications
  • pm list packages
• Find the location of an application
  • pm path com.myapp.helloworld
• List available permissions
  • pm list permissions -f

Activity Manager: Sending Intents
• The activity manager provides the mechanism to start an instance of a graphical application
• Using adb we are able to start applications via
  • am start -a android.intent.action.CALL -d tel: 021021021

Service Manager
• The service manager can also be invoked via the command line to send messages
  • service call isms 5 s16 "+??????????" i32 0 i32 0 s16 "SMS TEXT HERE"

Android Startup

init (1)
• Responsible for creating mounts and the file permissions associated with each mount
• Reads the init.rc file, which lists these directories, mounts and file permissions
• Responsible for starting the remaining processes/daemons

daemons (2)
• Native Linux daemons such as the following are started by init:
  • netd (manages network connections)
  • vold (manages volumes such as the sdcard)
  • usbd (manages USB connections)
  • debuggerd (debugs processes - coredump)
  • rild (manages communication with the radio)
  • zygote

zygote (3)
• init launches zygote, which loads classes and listens for requests to spawn new applications, each through an instance of the Dalvik virtual machine
• Utilises copy-on-write memory references when forking its process to reduce the memory footprint

Runtime/Service Manager (4a/b)
• init starts the Android runtime process, which initialises the Service Manager
• The Service Manager is the context manager for binder, responsible for service registration and lookups
• The Android runtime then sends a start signal for zygote to create an instance of the System Server (Android Services)

dalvik (5)
• Zygote has received the signal to instantiate a Dalvik virtual machine instance for the Android System Server

System Server (6)
• Zygote forks itself with the appropriate permissions and starts the System Server instance
• Its role is to bootstrap all the Android services required by the Android framework, which in turn provide services to applications

Native System Services (7)
• Native System Services are services that integrate with the operating system to provide low-latency, high-availability services such as the audio and surface flingers
• AudioFlinger provides audio management and multiplexing, while SurfaceFlinger is the composition framework that displays graphics

Native System Services (7) continued
• Native System Services register themselves with the Service Manager, making them available through IPC to other applications or processes

Android System Services (8)
• Android System Services provide high-level framework services for applications
• Like the Native System Services, these register themselves with the Service Manager, allowing IPC communication from Android applications and other services

Android Development
• Android gives users familiar with Java an easy route to building mobile applications. Google provides an SDK and an NDK which let the developer call upon rich libraries and tools.

Software Development Kit (SDK)
• The Android Software Development Kit provides libraries and tools to develop standard Java applications. Some of the tools allow for automatic installation of the various Android platforms and their associated libraries, e.g. Ice Cream Sandwich.
• Included in the ADT bundle is the SDK and an Eclipse environment configured and set up for building/developing Android applications.

Native Development Kit (NDK)
• Android allows native libraries to be used within the Android environment.
• These libraries are C/C++ based and give developers greater performance for intensive hardware operations.
Repackaging howto: reverse engineering an application
– Open the apk archive to access the smali:
  $ apktool d com.hello out
– OR run dedexer (convert the apk to a jar archive), then run a Java decompiler or use JD-GUI: http://java.decompiler.free.fr/?q=jdgui

Insert the payload
• Still have the key signing issue
• But users can be unaware of the dangers

Reverse Engineering Links
• http://a4apphack.com/security/sec-code/extract-androidapkfrom-market-and-decompile-it-to-java-source
• http://marakana.com/s/post/1109/decompiling_an_android_app
• http://blog.apkudo.com/2012/10/16/reverseengineeringandroid-disassembling-hello-world/

Malicious App 1: SMS DEMO

Malicious App 2: Photo/Sdcard DEMO

Malicious App 3: Keyswift DEMO
Reference: http://www.android-app-development.ie/blog/2013/03/06/insertingkeyloggercode-in-android-swiftkey-using-apktool/

Notes
• These attacks were aimed at Samsung devices, which are known to implement their own SDK libraries for Android.
• These libraries have not been tested as rigorously as one would like and have been shown to introduce further vulnerabilities: http://randomthoughts.greyhats.it/2013/03/owning-samsungphones-for-fun-but-with.html

Permissions Concerns
• android.permission.SEND_SMS / RECEIVE_SMS
• android.permission.SYSTEM_ALERT_WINDOW
• android.permission.READ_CONTACTS / WRITE_CONTACTS
• android.permission.READ_CALENDAR / WRITE_CALENDAR
• android.permission.CALL_PHONE
• android.permission.READ_LOGS
• android.permission.ACCESS_FINE_LOCATION
• android.permission.GET_TASKS
• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.CHANGE_WIFI_STATE
• com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS
Sourced from Google IO 2012 and marakana.com

References
• Android: http://developer.android.com/index.html
• Google IO: https://sites.google.com/site/io/
• Marakana: http://marakana.com/training/android/
• Genome project: http://www.malgenomeproject.org/

Questions?
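As an added example, not part of the slides: a Python checker that reads the "requested permissions" section of `adb shell dumpsys package <pkg>` output and matches it against the Permissions Concerns list in this deck, flagging the combinations the SMS demo relies on. The dumpsys sample is constructed, and the group and flag names are my own.

```python
P = "android.permission."
# The deck's permissions-of-concern list, grouped by the capability each grants.
CONCERN_GROUPS = {
    "sms": {P + "SEND_SMS", P + "RECEIVE_SMS"},
    "overlay": {P + "SYSTEM_ALERT_WINDOW"}, "telephony": {P + "CALL_PHONE"},
    "pim": {P + "READ_CONTACTS", P + "WRITE_CONTACTS", P + "READ_CALENDAR", P + "WRITE_CALENDAR"},
    "logs": {P + "READ_LOGS"}, "location": {P + "ACCESS_FINE_LOCATION"},
    "tasks": {P + "GET_TASKS"}, "persistence": {P + "RECEIVE_BOOT_COMPLETED"},
    "wifi": {P + "CHANGE_WIFI_STATE"},
    "browser": {"com.android.browser.permission." + n
                for n in ("READ_HISTORY_BOOKMARKS", "WRITE_HISTORY_BOOKMARKS")},
}
# Constructed sample shaped like the relevant part of dumpsys output (not real data).
SAMPLE_DUMPSYS = """\
  Package [com.example.hello] (constructed):
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_BOOT_COMPLETED
      android.permission.SEND_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
    install permissions:
"""

def requested_permissions(text):
    """Return the permission names listed under 'requested permissions:'."""
    perms, in_block = [], False
    for line in text.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            in_block = True
        elif in_block and s.endswith(":"):
            break                          # the next section header ends the block
        elif in_block and s:
            perms.append(s)
    return perms

def concern_groups(perms):
    # Map each concern group to the requested permissions that fall into it.
    return {g: sorted(names & set(perms))
            for g, names in CONCERN_GROUPS.items() if names & set(perms)}

def risk_flags(perms):
    """Combinations worth a closer look before trusting the app (names are mine)."""
    groups, flags = concern_groups(perms), []
    if len(groups.get("sms", [])) == 2:        # the SMS demo needs send *and* receive
        flags.append("sms-send-and-receive")
    if "persistence" in groups and len(groups) > 1:   # survives reboot + sensitive access
        flags.append("boot-persistent-with-sensitive-access")
    return flags
```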