Android Malware in Practice. Part I
Android Filesystem Layout
visitor@UOA283090 ~ $ adb shell mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
tmpfs /mnt/asec tmpfs rw,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,....
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023,...
Android Filesystem Layout The mounts of interest • / - root of the filesystem hierarchy • /system - the ROM partition holding all system binaries and system apps; mounted read-only, so modifying it requires root and a remount • /data - read-write partition for user applications and their private data; mounted nosuid,nodev so a setuid binary dropped there gains nothing • /cache - transient data space for user applications • /efs - phone-specific information such as the IMEI • /mnt/sdcard - external storage (a FUSE mount here, vfat on the physical extSdCard) with no per-file ownership or permissions, so any app with the storage permission can read or replace what another app writes there. The mount options are the security-relevant detail: note that the physical card carries noexec but the emulated /mnt/sdcard does not, and that debugfs is mounted and world-visible.
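A small checker for the mount listing above, added here as an example (it is not part of the original slides). It parses `adb shell mount` output and reports partitions that lack the hardening options a practitioner expects: /system read-only, app-writable partitions nosuid and nodev, external storage noexec, and debugfs not exposed. The MOUNT_OUTPUT string is the slide's own listing with the truncated option lists (`....`) shortened so it parses; the EXPECTED table is an assumption about which mounts should carry which flags, not a rule taken from the page.

```python
"""Flag weak mount options in `adb shell mount` output (added example)."""

# Constructed from the slide's listing; the fuse/vfat option lists were
# truncated on the slide and are shortened here so every line has 6 fields.
MOUNT_OUTPUT = """\
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,relatime,mode=755 0 0
/dev/block/mmcblk0p9 /system ext4 ro,noatime,barrier=1,data=ordered 0 0
/dev/block/mmcblk0p12 /data ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered,noauto_da_alloc,discard 0 0
/dev/block/mmcblk0p8 /cache ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/dev/block/mmcblk0p3 /efs ext4 rw,nosuid,nodev,noatime,barrier=1,journal_async_commit,data=ordered 0 0
/sys/kernel/debug /sys/kernel/debug debugfs rw,relatime 0 0
/dev/fuse /mnt/sdcard fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023 0 0
/dev/block/vold/179:17 /mnt/extSdCard vfat rw,dirsync,nosuid,nodev,noexec,noatime,nodiratime,uid=1000,gid=1023 0 0
"""

# Assumed policy: where untrusted, app-writable data lives, and which
# options each such mount point is expected to carry.
EXPECTED = {
    "/data": {"nosuid", "nodev"},
    "/cache": {"nosuid", "nodev"},
    "/mnt/sdcard": {"nosuid", "nodev", "noexec"},
    "/mnt/extSdCard": {"nosuid", "nodev", "noexec"},
}
READ_ONLY = {"/system"}


def parse_mounts(text):
    """Return (device, mountpoint, fstype, options-set) for each mount line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or badly truncated line
        device, mountpoint, fstype, opts = parts[:4]
        entries.append((device, mountpoint, fstype, set(opts.split(","))))
    return entries


def check_mounts(entries):
    """Return a sorted list of findings; an empty list means nothing to flag."""
    findings = []
    for device, mp, fstype, opts in entries:
        if mp in READ_ONLY and "ro" not in opts:
            findings.append(f"{mp}: expected read-only but mounted rw")
        for missing in sorted(EXPECTED.get(mp, set()) - opts):
            findings.append(f"{mp}: missing {missing}")
        if fstype == "debugfs":
            findings.append(f"{mp}: debugfs exposed via {device}")
        if fstype == "vfat":
            owner = ",".join(sorted(o for o in opts if o.startswith(("uid=", "gid="))))
            findings.append(f"{mp}: vfat has no per-file permissions; all files owned by {owner}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_mounts(parse_mounts(MOUNT_OUTPUT)):
        print(finding)
```

On a live device replace MOUNT_OUTPUT with the output of `adb shell mount`; the fuse-emulated /mnt/sdcard in the slide's listing is flagged for the missing noexec, while /data, /cache and /system pass.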
Application locations • System applications • /system/app/<AppName>.apk • User applications • /data/app/<AppName>.apk (preloaded) • /data/app/<AppPkgName>-1.apk (downloaded) • /mnt/secure/asec/<AppPkgName>-1.apk (sdcard)
App Signing • Every APK is signed with a developer key; the signing certificate (normally self-signed, with no CA involved) is what Android uses to tell one distributor of software from another, not to prove who they are • Two applications signed with the same key can request to share a user ID and then run in the same sandbox (same uid, access to each other's private data), and signature-level permissions are granted only to apps carrying the same signer certificate • The flip side, which matters for repackaging: a modified APK cannot be signed with the original key, so it installs as a different publisher and cannot be installed over, or update, the genuine app
Android Debug Bridge • The Android Debug Bridge (ADB) gives a developer access to an Android device connected over USB or TCP/IP • Once connected, ADB provides a shell (running as the shell uid, not root on production builds) and an interface to a suite of tools for managing the device
ADB Push / Pull • Using ADB we are able to transfer files to and from the device • Pull test.txt off the device and place it in the current directory • adb pull /mnt/sdcard/test.txt [local location] • Push local test.txt to the sdcard on the device • adb push ./test.txt /mnt/sdcard
Android Manual Install • Manually install an application by copying the APK into the app directory (requires root, since /data/app is owned by the system) • adb push com.myapp.hello.apk /data/app/ • (Permissions need to be changed to 0644) • Or install through the package manager, which is the normal route and works from an unprivileged shell • adb install com.myapp.hello.apk • Manually uninstall an application by package name • adb uninstall com.myapp.hello
Package Manager • pm is a tool that is provided to manage and provide details about applications and permissions. • List all applications • pm list packages • Find location of an application • pm path com.myapp.helloworld • List available permissions • pm list permissions -f
Activity Manager: Sending Intents • The activity manager provides the mechanism to start an instance of a graphical application • Using adb we are able to start applications, or fire any intent, via am start; the example below places a call directly (ACTION_CALL, unlike ACTION_DIAL, does not stop at the dialler for confirmation) • am start -a android.intent.action.CALL -d tel:021021021
Service Manager • Any service registered with the service manager can also be invoked from the command line, which sends a raw binder transaction with the given arguments; the example below sends an SMS through the isms service without going through the messaging app • service call isms 5 s16 "+??????????" i32 0 i32 0 s16 "SMS TEXT HERE" • The transaction code (5 here) is the position of the method in the service's AIDL interface and the argument order follows that method's signature, so both change between Android versions and must be checked against the ISms.aidl of the target build
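An added example (not from the original slides) of how the `i32` and `s16` arguments on a `service call` line are laid out in the Parcel that reaches the service: each int32 is 4 bytes little-endian, and each string16 is an int32 count of UTF-16 code units, the UTF-16LE data, a 16-bit NUL terminator and zero padding to a 4-byte boundary. The encoder and decoder below are my own; the `service` binary also prefixes the arguments with the interface descriptor, which is deliberately left out here. The placeholder number "+??????????" is kept from the slide.

```python
"""Encode/decode `service call` arguments in Android's Parcel wire format
(added example). Parcels carry no type tags, so the decoder must be told
the type sequence; a wrong transaction code or argument order is parsed
silently as garbage by the service, which is why the code is version-bound."""
import struct


def pack_i32(value):
    """Parcel::writeInt32: 4 bytes, little-endian."""
    return struct.pack("<i", value)


def pack_s16(text):
    """Parcel::writeString16: int32 length in UTF-16 code units, then the
    UTF-16LE data, a 16-bit NUL, then zero padding to a 4-byte boundary."""
    data = text.encode("utf-16-le")
    nchars = len(data) // 2  # code units, not Python characters
    out = struct.pack("<i", nchars) + data + b"\x00\x00"
    return out + b"\x00" * ((-len(out)) % 4)


def pack_args(args):
    """args mirror the command line: [("s16", "+1..."), ("i32", 0), ...]."""
    out = b""
    for kind, value in args:
        if kind == "i32":
            out += pack_i32(value)
        elif kind == "s16":
            out += pack_s16(value)
        else:
            raise ValueError(f"unsupported argument type {kind!r}")
    return out


def unpack_args(buf, kinds):
    """Decode a buffer produced by pack_args given the expected type sequence."""
    values, off = [], 0
    for kind in kinds:
        if kind == "i32":
            values.append(struct.unpack_from("<i", buf, off)[0])
            off += 4
        elif kind == "s16":
            n = struct.unpack_from("<i", buf, off)[0]
            off += 4
            values.append(buf[off:off + 2 * n].decode("utf-16-le"))
            off += 2 * n + 2          # data plus NUL terminator
            off += (-off) % 4          # skip padding
        else:
            raise ValueError(f"unsupported argument type {kind!r}")
    if off != len(buf):
        raise ValueError("trailing bytes: type sequence does not match buffer")
    return values


# The argument list from the slide's `service call isms 5 ...` line.
SMS_ARGS = [("s16", "+??????????"), ("i32", 0), ("i32", 0), ("s16", "SMS TEXT HERE")]

if __name__ == "__main__":
    print(pack_args(SMS_ARGS).hex())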
init (1) • Responsible for creating the mounts and the file permissions associated with each mount • Reads the init.rc file, which lists these directories, mounts and file permissions • Responsible for then starting the other processes and daemons
daemons (2) • Native Linux daemons such as the following are started by init • netd (manages network connections) • vold (manages volumes such as the sdcard) • usbd (manages USB connections) • debuggerd (debugs crashing processes, produces tombstones/coredumps) • rild (manages communication with the radio) • zygote
zygote (3) • init launches zygote, which starts a Dalvik virtual machine, preloads the framework classes and then listens on a socket for requests to spawn new applications • Each application is a fork of this pre-initialised process; copy-on-write memory means the preloaded classes are shared and the per-app memory footprint stays small
Runtime/Service Manager (4a/b) • init starts the Android runtime process, which initialises the Service Manager • The Service Manager is the context manager for binder and is responsible for service registration and lookups • The Android runtime then signals zygote to create an instance of the System Server (the host of the Android services)
dalvik (5) • Zygote has received the signal to instantiate a Dalvik virtual machine instance for the Android System Server
System Server (6) • Zygote forks itself with appropriate permissions and starts the System Server instance • Its role is to bootstrap all the android services required by the android framework which provide services to applications
Native System Services (7) • Native System Services are services that integrate with the operating system to provide low-latency, high-availability services such as AudioFlinger and SurfaceFlinger • AudioFlinger provides audio management and multiplexing, while SurfaceFlinger is the composition framework that displays graphics
Native System Services (7) continued • Native System Services register themselves with Service Manager allowing them to be available through IPC for other applications or processes
Android System Services (8) • Android System Services provide high level framework services for applications • These services like Native System Services register themselves with Service Manager allowing for IPC communication from Android applications and other services
Android Development • Android provides users familiar with Java an easy route to build mobile applications. Google provides a SDK and NDK which enable the developer to call upon rich libraries and tools.
Software Development Kit (SDK) • The Android SDK provides the libraries and tools to develop standard Java applications. Some of the tools automate the installation of the various Android platform versions and their associated libraries, e.g. Ice Cream Sandwich. • The ADT bundle includes the SDK and an Eclipse environment already configured for building and developing Android applications.
Native Development Kit (NDK) • Android allows native libraries to be used alongside the Java application. • These libraries are C/C++ based and give developers performance gains for compute-intensive work; for the analyst they matter because a payload in a native library is not visible to a Java/smali decompiler and needs a native disassembler.
Repackaging howto: reverse engineering an application – unpack the apk archive to get at the smali code and a decoded manifest: $ apktool d com.helloout OR convert classes.dex to a jar with dex2jar (dedexer disassembles dex to a textual listing instead), then run a Java decompiler on the result, e.g. JD-GUI http://java.decompiler.free.fr/?q=jdgui
Insert the payload • Edit the smali (or add a class and hook it from an existing entry point), declare any extra permissions in the manifest, rebuild with apktool and sign the result • The key signing issue remains: the rebuilt APK cannot carry the original developer's signature, so it installs as a different publisher and will not install over the genuine app • But users sideloading from third-party markets rarely check who signed an APK and can be unaware of the danger
Reverse Engineering Links • http://a4apphack.com/security/sec-code/extract-androidapk-from-market-and-decompile-it-to-java-source • http://marakana.com/s/post/1109/decompiling_an_android_app • http://blog.apkudo.com/2012/10/16/reverse-engineeringandroid-disassembling-hello-world/
Malicious App 1: SMS DEMO
Malicious App 3: Keyswift DEMO Reference: http://www.android-app-development.ie/blog/2013/03/06/inserting-keyloggercode-in-android-swiftkey-using-apktool/
Notes • These attacks were aimed at Samsung devices, which are known to ship their own SDK libraries on top of stock Android. • Those libraries have not been tested as rigorously as one would like and have been shown to introduce further vulnerabilities. http://randomthoughts.greyhats.it/2013/03/owning-samsung-phones-for-fun-but-with.html
Permissions Concerns
• android.permission.SEND_SMS / RECEIVE_SMS
• android.permission.SYSTEM_ALERT_WINDOW
• android.permission.READ_CONTACTS / WRITE_CONTACTS
• android.permission.READ_CALENDAR / WRITE_CALENDAR
• android.permission.CALL_PHONE
• android.permission.READ_LOGS
• android.permission.ACCESS_FINE_LOCATION
• android.permission.GET_TASKS
• android.permission.RECEIVE_BOOT_COMPLETED
• android.permission.CHANGE_WIFI_STATE
• com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS
Sourced from Google IO 2012 and marakana.com
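A triage script, added here as an example that is not part of the original slides, which applies the permission list above to the AndroidManifest.xml that apktool decodes out of an APK. It collects every uses-permission, reports the ones on the watch list, and flags the combinations that together describe a capability rather than a single permission (SMS send plus receive for interception or premium-rate fraud; RECEIVE_BOOT_COMPLETED plus a data-reading permission for a collector that survives reboot). The MANIFEST below is a constructed sample for a repackaged app, and the COMBOS table is my own grouping of the slide's permissions, not a list from the page.

```python
"""Permission triage over a decoded AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# The watch list from the slide.
CONCERNING = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR",
    "android.permission.CALL_PHONE", "android.permission.READ_LOGS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.GET_TASKS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.CHANGE_WIFI_STATE",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS",
}

# Assumed groupings: a label is raised only when every permission in the
# set is present (the BOOT_COMPLETED rule additionally needs one collector
# permission from DATA_READERS).
COMBOS = {
    "SMS send+receive (intercept or premium-rate fraud)":
        {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "overlay on top of other apps (SYSTEM_ALERT_WINDOW)":
        {"android.permission.SYSTEM_ALERT_WINDOW"},
}
DATA_READERS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_CALENDAR",
    "android.permission.READ_LOGS", "android.permission.ACCESS_FINE_LOCATION",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
}

# Constructed sample manifest for a repackaged "Hello" app.
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackaged">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Hello">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def permissions_of(manifest_xml):
    """Set of permission names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def triage(manifest_xml):
    """Return {'package', 'flagged', 'combos'} for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = permissions_of(manifest_xml)
    combos = [label for label, need in COMBOS.items() if need <= perms]
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms and perms & DATA_READERS:
        combos.append("persists across reboot and reads user data")
    return {
        "package": root.get("package"),
        "flagged": sorted(perms & CONCERNING),
        "combos": sorted(combos),
    }


if __name__ == "__main__":
    result = triage(MANIFEST)
    print(result["package"])
    for name in result["flagged"]:
        print("  flagged:", name)
    for label in result["combos"]:
        print("  combo:  ", label)
```

Run it over the AndroidManifest.xml that `apktool d` writes; the same permission set can be obtained from a running device with `pm list permissions -f` cross-referenced against `dumpsys package <pkg>`. Permissions alone are a screening signal, not proof of malice: the flagged list is where to start reading the smali, not where to stop.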
References • Android: http://developer.android.com/index.html • Google IO: https://sites.google.com/site/io/ • Marakana: http://marakana.com/training/android/ • Genome project http://www.malgenomeproject.org/