Smartphone Spying Tools Mylonas Alexios

Transcription

1 Smartphone Spying Tools Mylonas Alexios Student Number: Supervisor: Keith Martin Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London. I declare that this assignment is all my own work and that I have acknowledged all quotations from the published or unpublished works of other people. I declare that I have also read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences and in accordance with it I submit this project report as my own work. Signature: Alexios Mylonas Date:

2 Abstract In this thesis we examine spying tools running on smartphones, mobile phones where the user can extend their functionality by installing third-party applications. We identify the data which are collected and the methods that the spyware uses to leak the data back to an attacker. We emphasize the security risks that emerge (a) from the use of an identifiable operating system in smartphones and (b) by the execution of unsigned applications, which utilize functionality provided by libraries available for smartphone application development. As proof-of-concept attacks on smartphones, we implement two spying tools running on the Windows Mobile 6 operating system. Furthermore, we implement two different spyware infection vectors for the Windows Mobile device: a) a Trojan horse which uses spoofing system frames and download and execute capability and b) a proof-of-concept code injection attack on a Windows Mobile application. Finally, we propose anti-spyware solutions mitigating smartphone spyware, either before or after the device infection and we provide an implementation of a Windows Mobile spyware removal utility. ii

3 Chapter 8 Conclusion As mentioned beforehand, smartphones are devices containing various types of personal information. As the popularity of these devices increases, so does the interest of the attackers to find and exploit vulnerabilities in these devices and acquire this data. Their potential attacks are aided by the functionality provided by the operating system running in the smartphone, through APIs and by the fact that in some cases the operating system allows execution of unsigned applications. In this project we demonstrated the types of data that spyware authors are collecting from infected devices. As proof-of-concept attacks, we implemented spyware running on Windows Mobile 6 devices, devices where the execution of unsigned applications is permitted. The implementations use functionality, provided to the developers from the API of the CNF. Additionally, for the infection of the devices we implemented a Trojan horse with download and execute capability and demonstrated a proof-ofconcept MSIL injection attack in an unsigned utility application written for Windows Mobile 6. At the end of the thesis, we propose anti-spyware solutions combating the spyware, either before or after the device infection. Furthermore, we implemented a spyware removal utility demo, which breaks the operation of spyware that are intercepting SMS messages without the user knowing. Experience in desktop computer malware has shown that the motivation of malware writers is changing. The malware writers who exploit vulnerabilities for fun or out of curiosity are becoming rare, since attackers nowadays are trying to make money out of their attacks. Since smartphones have a built-in billing system, they are an attractive target for organized crime, since profit can be made, even if the target does not have a bank account or a credit card number. As a result we believe smartphone malware will have a serious security issue in the near future, so the security experts should be able to supply users with technological and non- technological solutions. iii

4 References [AP08] Apple, iphone Developer Program, [CA08] Canalys, Worldwide smart mobile device market, Canalys Q4 2007, [EC06] Ecma International, Standard ECMA-335 Common Language Infrastructure (CLI) 4 th Edition, June 2006, [EL08] ELMS, MSDNAA Online Software System, [EM08] Erez Metula,.NET reverse engineering, 2008, bb18- bc01e09abef3/m5p.pdf [ES08] Erica Sadun, The Unofficial Apple Weblog - iphone Hacking 101: Jailbreaking, [FL08] [FS06] [FS07] FlexiSPY, How FlexiSPY costs compare to NEOCOSTS SMS Forwarding, 2008, F-Secure Corporation, F-Secure Malware Information Pages: Cabir, January 2006, F-Secure Corporation, F-Secure Malware Information Pages: Commwarrior, March 07, [FS08] F-Secure Corporation, F-Secure Malware Code Glossary, [GJ07] GetJar, Super Bluetooth Hack / free download, [HA08] Open Handset Alliance, Android - An Open Handset Alliance Project, [HP08] Hewlett-Packard Development Company, Glossary, 2008, [JN04] [JN08] Jarno Niemela F-Secure Corporation, F-Secure Virus Descriptions: Mquito, August 2004, Jarno Niemelä Senior Anti-Virus Researcher F-Secure, Detecting Mobile Phone Spy Tool, Black Hat Europe 2008 Media Archives, iv

5 08/Niemela/Presentation/bh-eu-08-niemela.pdf. [JP94] J.Postel, Domain Name System Structure and Delegation, March 1994, [JZ08] J Zhang, Location Management in Cellular Networks, 2004, fall_2004_files/locationmanagement.pdf [KM08] [MH07] K. Mayes K. Markantonakis, Smart Cards, Tokens, Security and Applications, Springer Science and Business Media, Mikko Hypponen Chief Research Officer, F-Secure, Status of Cell Phone Malware in Black Hat USA 2007 Media Archives, [M1] Microsoft, Windows Mobile 6, March 2008, [M2] Microsoft, Windows Embedded CE, March 2008, [M3] Microsoft, For Visual Studio Developers, 2008, [M4] Microsoft, Visual C#, 2008, [M5] Microsoft, Visual Basic.NET Language Specification, 2008, [M6] Microsoft, Visual C++, 2008, [M7] Microsoft, Visual Studio 2008, March [M8] Microsoft, Getting Started in Developing Applications for Windows Mobile 6, March 2008, [M9] Microsoft, What's New in Naming Conventions for Windows Mobile 6, March 2008, [M10] Microsoft, Windows Mobile Features (Native), March [M11] Microsoft,.NET Compact Framework, November v

6 [M12] Microsoft, Differences Between the.net Compact Framework and the. NET Framework, November 2007, library/2weec7k5.aspx [M13] Microsoft, What's New in the.net Compact Framework Version 3.5, November 2007, [M14] Microsoft,.NET Compact Framework Downloads, [M15] Microsoft,.NET Compact Framework Architecture, November 2007, [M16] Microsoft, Using COM Interop in.net Compact Framework 2.0, November 2005, [M17] Microsoft, Platform Invoke Support, November [M18] Microsoft, Windows Mobile Features (Managed), March [M19] Microsoft, Messaging API (CE MAPI) Reference, March [M20] Microsoft, System.IO Namespace, November [M21] Microsoft, System.Net Namespace, November [M22] Microsoft, Windows Mobile Powered Device Security Model, March [M23] Microsoft, How Device Security Affects Application Execution, November 2007, [M24] Microsoft, Mobile2Market Program, March 2008, [M25] Microsoft, Privileged APIs, March 2008, [M26] Microsoft, Cab Provisioning Format (CPF) File, 2008, [M27] Microsoft, Pushing XML OTA Using an OMA Client Provisioning Server, March 2008, vi

7 [M28] Microsoft, Delivering Applications, March 2008, [M29] Microsoft, Cabinet (.cab) File Overview, March [M30] Microsoft, CAB Wizard, March [M31] [M32] Microsoft, CAB Files for Delivering Windows Mobile Applications, March 2008, Microsoft, Automatically Run an Application from a Storage Card, March 2008, [M33] Microsoft, The Application Manager, March 2008, [M34] [M35] Microsoft, Creating an Installer for Windows Mobile Applications, March 2008, Microsoft, Description of Windows Mobile Device Center, February 2007, [M36] Microsoft, About the Device Emulator, November [M37] Microsoft, Device Emulator for Windows Mobile, March [M38] Microsoft, ARM Technology Guide, 2008, [M39] Microsoft, Saved-State Files, November [M40] How to: Cradle and Uncradle the Device Emulator, November [M41] Microsoft, Device Emulator Manager, November [M42] Microsoft, Cellular Emulator, March [M43] Microsoft, Cellular Emulator User Interface, March vii

8 [M44] Microsoft, Device Security Manager User Interface, November [M45] Microsoft, Using the FakeGPS Utility, March [M46] Microsoft, Data Synchronization With ActiveSync, March [M47] Microsoft, Installing Developer Tools for Windows Mobile, March 2008 Installing Developer Tools for Windows Mobile [M48] Microsoft, Solution (.sln) File, November 2007, [M49] Microsoft, Device Emulator Configuration Files, November 2007, [M50] [M51] Microsoft, Device Emulator Configuration XML Schema Reference, November 2007, Microsoft, XPath Reference, 2008, [M52] Microsoft, Windows Mobile 6.1 Emulator Images, 2008, C093-4B15-AB0C-A2CE5BFFDB47&displaylang=en [M53] Microsoft, SystemProperty Enumeration, March 2008, [M54] Microsoft, GPS Intermediate Driver Architecture, March 2008, [M55] Microsoft, Creating Applications that Utilize GPS, March 2008, [M56] Microsoft, Accessing Parsed GPS Data, March 2008, [M57] Microsoft, extended GPS Intermediate Driver, March 2008, [M58] Microsoft, Using the GPS Intermediate Driver from Managed Code, March 2008, [M59] Microsoft, A description of Svchost.exe in Windows XP Professional Edition, December 2007, viii

9 [M60] Microsoft, Microsoft.WindowsMobile.PocketOutlook.MessageInterception Namespace, March 2008, library/ microsoft.windowsmobile.pocketoutlook.messageinterception.aspx [M61] Microsoft, MessageCondition Class, March 2008, pocketoutlook.messageinterception.messagecondition.aspx [M62] Microsoft, Microsoft.WindowsMobile.Telephony Namespace, March 2008, [M63] Microsoft, How to Intercept Incoming Short Message System (SMS) Messages, June 2008, [M64] Microsoft, Compiling to MSIL, November 2007, [M65] Microsoft, Compiling MSIL to Native Code, November 2007, [M66] Microsoft, Common Language Runtime Overview, November 2007, [M67] Microsoft, Debug Build Versus Release Build, 2008, [RG08] Red Gate Software,.NET Reflector, 2008, [SF08] SourceForge, Reflexil, May 2008, [SM07] Sun Microsystems, Java Security Architecture, December 2007, [SY08] Symbian, Symbian Developer Network, [WL04] Seow Wei Lim(Louis),.NET Obfuscators, ix