Mobile Malwares: how to avoid them

Daiane Santos
July 26, 2023
Campus Party 2023

Transcript

  1. Agenda: whoami; malwares; malware types; numbers; zero-click; one-click; services; Android architecture; permissions; activities; broadcast receivers.
  2. whoami: hacking, neuroscience, reverse engineering, chess. Mobile Security Engineer @ Nubank; CTF player @ RATF; mobile security content @mobilehackingbr; autism and AH/SD.
  3. Malwares. Malware is a term used for any type of malicious software designed to harm or exploit any programmable device, service or network.
  4. In numbers. In 2022, Kaspersky mobile products and technology detected: 1,661,743 malicious installers; 196,476 new mobile banking Trojans; 10,543 new mobile ransomware Trojans.
  5. [Chart: share of detected mobile malware by type, 2021 vs 2022 (RiskTool, AdWare, Trojan, Trojan-Banker, Trojan-Dropper, Trojan-Spy, Trojan-SMS, Backdoor); axis from 0% to 50%.]
  6. Zero Click Malware. A zero-click breach exploits flaws in your device, using a data verification loophole to create a path of entry into your system. Most software uses data verification processes to keep cyber breaches at bay. The malware can be installed on a device without the victim taking any action, such as clicking on a link. As a result, zero-click (or no-click) malware is much more dangerous. The reduced interaction involved in zero-click attacks also means fewer traces of any malicious activity. Furthermore, vulnerabilities that can be exploited in zero-click attacks are quite rare, which makes them especially prized by criminals.
  7. Zero Click Malware. A zero-click attack theoretically occurs as follows: cybercriminals identify a vulnerability in an email or messaging application. They exploit the vulnerability by sending a carefully crafted message to the victim. The vulnerability allows malicious actors to infect the device remotely, for example via emails that consume high levels of memory. The hacker's email, message or call does not necessarily remain on the device. As a result of the attack, cybercriminals can read, edit, leak or delete messages.
  8. Zero Click Malware. 1. In July 2020, an Azerbaijani journalist's iPhone silently received a command to open the Apple Music app. Without the journalist's knowledge or interaction, the app connected to a malicious server and downloaded spyware onto the phone that remained there for 17 months, eavesdropping on phone calls and text messages. The Israeli company behind the spyware (NSO Group) says clients use its software to stop terrorism and curb violent crime.
  9. Zero Click Malware. 2. NSO Group also designed zero-click attacks that could compromise Android phones by exploiting a flaw in WhatsApp that was used to transmit malicious code onto a device. In April 2019, WhatsApp fixed the vulnerability, saying it had been used to target more than 1,400 people over a two-month period, and filed a lawsuit against NSO Group.
  10. One Click Malware. One-click attacks rely on vulnerabilities that allow an attacker to induce users to perform actions they do not intend to perform. This lets the attacker partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other.
  11. Permissions. Runtime permissions give additional access to restricted data or let your app perform restricted actions that affect the system and other apps, so you need to request runtime permissions before accessing the restricted data or performing the restricted actions.
  12. Reverse Engineer. After disassembling, to analyze the Java source code of the application we can use dex2jar and JD-GUI: dex2jar converts the dex files to jar (Java) files, and JD-GUI lets us view the Java classes. This is done as follows: download dex2jar; extract the apk.zip and open it; copy the classes.dex file from the apk folder into the dex2jar folder; run the command sh d2j-dex2jar.sh classes.dex to obtain the classes_dex2jar.jar file; open the generated classes_dex2jar.jar file in JD-GUI.
  13. Reverse Engineer. Activities: components that provide a screen with which users can interact. Broadcast receivers: components that receive and respond to broadcast messages from other apps or from the operating system. Services: components that perform operations in the background.
  14. Android architecture: Alarm, Browser, Calculator, Calendar, Camera, Contacts, E-mail, SMS... (application layer); Content Providers, Activity, Location, Notifications, Resource, Telephony... (application framework).
  15. Using Accessibility to attack. The Accessibility system was developed for users with disabilities. Using it, you can create an app that reads captions on all interface elements and lets you activate these elements with your voice. This is possible because Accessibility grants full access to the app interface in the form of a tree of elements: you can navigate through it and perform certain operations on its elements.
  16. Using Accessibility to attack. By exploiting accessibility services, a Trojan can access the UI of any other app installed on the phone and steal data from it, including text. Most banking apps don't allow the user to take screenshots while they are in use, but some malware, such as Svpeng, gets around this by using accessibility services to create overlays and perform actions in the background.
  17. With this simple keylogger added, all information entered by the user in any input field of any app is displayed in the console.
  18. SYSTEM_ALERT_WINDOW. In 2019, a vulnerability focused on the Android system emerged, which used the SYSTEM_ALERT_WINDOW permission (intended for pop-ups) to overlay the screen with a window drawn over other apps.
  19. BrasDex. The focus of malware is precisely to trick the user into thinking that the program is useful or beneficial in some way, while in reality the program performs actions that harm the user or the application, or harm other applications or services. In this case, BrasDex uses accessibility permissions to overlay the main screen and change the data underneath that screen.
  20. Basic CyberHygiene. Keep your operating system, firmware and applications on all your devices up to date as requested, and avoid removing the protection provided by Apple and Google: download apps from official stores only, and avoid 'jailbreaking' or 'rooting' your phone.
  21. Use strong authentication to access accounts; use strong passwords; run backups on systems regularly; enable pop-up blockers or prevent pop-ups from appearing by adjusting your browser settings. Fraudsters and scammers often use pop-ups to spread malware.
  22. Limiting and checking app permissions; Google Play Protect; RASP (Runtime Application Self-Protection); code obfuscation; in-house solutions. Set some action if malware is detected, e.g. close the app automatically.
  23. Is my phone infected? Slow performance; random reboots; unusual data usage; battery draining faster than usual; unfamiliar apps installed; overheating; taking a long time to shut down; signs of activity in standby mode; weird sounds during phone calls; weird text messages.
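As an added example (not from the deck or its author): a base Activity that applies the RASP idea from slide 22 to the two abuse paths slides 15 to 19 describe, a third-party accessibility service walking the app's UI tree and an overlay window drawn on top of the app. It uses only the public Android SDK; the trusted-service list and the TalkBack package name in it are assumptions to be replaced with your own, and by design the check ignores services shipped as system apps.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.util.Log;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/** Base activity for screens that must not be read or overlaid by another app. */
public class GuardedActivity extends Activity {
    private static final String TAG = "GuardedActivity";
    // Accessibility services the developer trusts. Assumption: TalkBack's package name is
    // listed only as an illustration; fill this list for your own app.
    private static final List<String> TRUSTED_SERVICES = Arrays.asList("com.google.android.marvin.talkback");

    /** Packages of enabled accessibility services that are neither system apps nor trusted.
     *  Any entry means a third-party app can walk this app's UI tree (slides 15 and 16). */
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) return suspicious;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            if (info.getResolveInfo() == null) continue;
            ApplicationInfo app = info.getResolveInfo().serviceInfo.applicationInfo;
            boolean isSystem = (app.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
            if (!isSystem && !TRUSTED_SERVICES.contains(app.packageName)) {
                suspicious.add(app.packageName);
            }
        }
        return suspicious;
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Drop touches that reach our window through another window drawn on top of it (slide 18).
        getWindow().getDecorView().setFilterTouchesWhenObscured(true);
        List<String> services = untrustedAccessibilityServices(this);
        if (!services.isEmpty()) {
            Log.w(TAG, "untrusted accessibility services enabled: " + services);
            finishAffinity(); // the reaction slide 22 suggests: close the app automatically
        }
    }
}
```

setFilterTouchesWhenObscured only discards touches the system marks as obscured; it does not detect an overlay that is merely displayed, so it complements rather than replaces the accessibility check.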