WHOSE PHONE IS IN YOUR POCKET? OR A STORY OF THE LITTLE TROJAN THAT COULD

Similar documents
SECTOR 2015 Malware Activity in Mobile Networks Kevin McNamee (Alcatel-Lucent)

Fourteenforty Research Institute, Inc.

The Mobile Malware Problem

Enterprise Apps: Bypassing the Gatekeeper

What's the difference between spyware and a virus? What is Scareware?

Advanced Endpoint Protection Overview

ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York

Security Intelligence Services.

CYBERCRIMINAL IN BRAZIL SHARES MOBILE CREDIT CARD STORE APP

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

MOBILE MALWARE REPORT

Security A to Z the most important terms

Beyond Aurora s Veil: A Vulnerable Tale

KASPERSKY FRAUD PREVENTION PLATFORM COVERING ONLINE AND MOBILE BANKING RISKS

BYPASSING THE ios GATEKEEPER

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

S3 Control and System Call Indirection

Enterprise Mobility Report 12/2014. Creation date: Vlastimil Turzík

Practical Attacks against Mobile Device Management Solutions

Practical Attacks against MDM Solutions (and What Can You Do About It)

Android Security Data from the Frontlines

Taking a Proactive Approach to Patch Management. B e s t P r a c t i c e s G u i d e

THREAT INTELLIGENCE REPORT

Studying Security Weaknesses of Android System

Mobile Security Framework; Advances in Mobile Governance in Korea. TaeKyung Kim

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

Analysis of advanced issues in mobile security in android operating system

Android Security - Common attack vectors

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

Global IT Security Risks: 2012

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

AV-Comparatives. Mobile Security Test. Language: English. February 2015 Last revision: 30 th March

Make it tight, protect with might, and try not to hurt anyone. Michael Johnson, MMPC

IT & DATA SECURITY BREACH PREVENTION A PRACTICAL GUIDE. Part I: Reducing Employee and Application Risks

Kaspersky Security 10 for Mobile Implementation Guide

ASEC REPORT VOL AhnLab Monthly Security Report. Malicious Code Trend Security Trend Web Security Trend

Kaspersky Lab. Contents

Optimizing Windows Security Features to Block Malware and Hack Tools on USB Storage Devices

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

The Increasing Threat of Malware for Android Devices. 6 Ways Hackers Are Stealing Your Private Data and How to Stop Them

Kaspersky Fraud Prevention platform: a comprehensive solution for secure payment processing

FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Your Customers Want Secure Access

When a student leaves this intensive 5 day class they will have hands on understanding and experience in Ethical Hacking.

file://d:\webs\touch-base.com\htdocs\documentation\androidplatformnotes52.htm

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Anti-exploit tools: The next wave of enterprise security

Mobile Malware Network View. Kevin McNamee : Alcatel-Lucent

Smartphone Security. A Holistic view of Layered Defenses. David M. Wheeler, CISSP, CSSLP, GSLC. (C) 2012 SecureComm, Inc. All Rights Reserved

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Guideline for Prevention of Spyware and other Potentially Unwanted Software

G Data Mobile MalwareReport. Half-Year Report July December G Data SecurityLabs

Shellshock. Oz Elisyan & Maxim Zavodchik

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Android Security Joshua Hodosh and Tim Leek

Design and Implementation of an Android Host-based Intrusion Prevention System

Tutorial on Smartphone Security

The Behavioral Analysis of Android Malware

white paper Malware Security and the Bottom Line

Cyber Security Presentation Cyber Security Month Curtis McNay, Director of IT Security

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Types of cyber-attacks. And how to prevent them

Security Engineering Part III Network Security. Intruders, Malware, Firewalls, and IDSs

ESET MOBILE SECURITY FOR ANDROID

Versafe TotALL Online Fraud Protection

Security Intelligence Services. Cybersecurity training.

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

CEH Version8 Course Outline

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Penetration Test Methodology on Information-Security Product Utilizing the Virtualization Technology

KASPERSKY FRAUD PREVENTION FOR ENDPOINTS

Guideline on Safe BYOD Management

DDoS Attacks Can Take Down Your Online Services

Billion Dollar Botnets:

Cisco Advanced Malware Protection for Endpoints

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Malware Trend Report, Q April May June

Feature List for Kaspersky Security for Mobile

Defending Behind The Device Mobile Application Risks

Mobile Application Security and Penetration Testing Syllabus

Host-based Protection for ATM's

Security in а multi-device world: the customer s point of view

Trends in Zero-Day Kernel Exploits and Protection 2015

Popular Android Exploits

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

Research and Design of Universal and Open Software Development Platform for Digital Home

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Mobile Malware and Spyware: Working Through the Bugs. Detective Cindy Murphy

Stopping zombies, botnets and other - and web-borne threats

ONLINE AND MOBILE BANKING, YOUR RISKS COVERED

Introduction to Android

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/

Transcription:

WHOSE PHONE IS IN YOUR POCKET? OR A STORY OF THE LITTLE TROJAN THAT COULD Mikhail Kuzin Malware Analyst@Kaspersky Lab Nikita Buchka Malware Analyst@Kaspersky Lab

ANDROID MALWARE STATISTICS The geography of Android malware infection attempts in Q3 2015 Top 5 counties attacked by Android malware # Country * % of users attacked ** 1 Bangladesh 22,57% 2 China 21,45% 3 Nigeria 16,01% 4 Tanzania 15,77% 5 Iran 13,88% * We eliminated countries from this ranking where the number of users of Kaspersky Lab s mobile security product is lower than 10,000. ** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab s mobile security product in the country.

ANDROID MALWARE STATISTICS The number of new Android threats 1800000 1600000 1400000 1200000 1000000 800000 1583094 600000 1048129 400000 200000 0 147835 Q1 2015 Q2 2015 Q3 2015 Malicious installation packages (APKs)

ANDROID MALWARE STATISTICS Distribution of Android malware by type AdWare 19.0% 52.2% RiskTool 28.0% 44.6% Trojan-SMS Trojan-Spy 6.2% 8.1% 5.4% 7.0% Trojan 2.4% 12.4% Trojan-Banker Trojan-Ransom Backdoor Trojan-Dropper Trojan-Downloader 1.5% 0.6% 1.4% 1.0% 0.8% 1.2% 0.7% 0.3% 0.5% 0.7% Q3 2015 Q2 2015 Other 0.8% 5.0% 0.0% 10.0% 20.0% 30.0% 40.0% 50.0% 60.0%

A NEW TREND IN THE ANDROID MALWARE WORLD # Name % of attacked users 1 Trojan.AndroidOS.Rootnik.d 15,7% 2 Trojan-SMS.AndroidOS.Podec.a 11,7% 3 Trojan-Downloader.AndroidOS.Leech.a 9,5% 4 Trojan.AndroidOS.Ztorg.a 8,7% 5 Exploit.AndroidOS.Lotoor.be 7,8% 6 Trojan-Dropper.AndroidOS.Gorpo.a 5,2% 7 Trojan-SMS.AndroidOS.Opfake.a 4,8% 8 Trojan.AndroidOS.Guerrilla.a 4,6% 9 Trojan-SMS.AndroidOS.FakeInst.fz 4,1% In 2015, we have seen a steady growth in the number of Android malware attacks that use superuser privileges (root access) on the device to achieve their goals Five of the ten Android threats in the TOP 10 in Q3 2015 are the rooting malware. It s about 40% of all Android malware detected by our products. 10 Trojan-Ransom.AndroidOS.Small.o 3,7%

A NEW TREND IN THE ANDROID MALWARE WORLD Trojanized advertisement Needs root

MOBILE ADVERTISEMENT NETWORKS

MOBILE ADVERTISEMENT NETWORKS

MOBILE ADVERTISEMENT NETWORKS More agents = More money Can be easily deleted But one day something went wrong

GOING ROOT After launching, Trojans attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges In case of success, a standalone version of the malware is installed in the system application folder (/system/app) It regularly connects to the cybercriminals server, waiting for commands to download and install other applications

ANDROID SECURITY MODEL Key points Sandboxing Permissions Read-Only system partition

ANDROID SECURITY MODEL Problems Binder IPC mechanism. Data can be hijacked Root user exists. And it can break the model

ANDROID SECURITY MODEL Zygote process The zygote is a daemon whose purpose is to launch Android applications It receives requests to launch an application through /dev/socket/zygote. Every launch request triggers a fork() system call When fork() occurs the system creates a clone of the process a child process that is a full copy of a parent Despite it significantly increases performance, it s also a convenient way for malware to get injected into every running Android application

ANDROID SECURITY MODEL Gaining root access using kernel root exploit # mount o remount,rw /system # cat /mnt/sdcard/download/malware.apk > /system/app/malware.apk # mount o remount,ro /system

GOING ROOT Cybercriminals are able to create their own advertising networks based on the botnet of infected devices In addition to showing an advertisement, it can actually install the promoted application on the device Even more profit!!!

CHANNELS OF MALWARE DISTRIBUTION Third-party stores

CHANNELS OF MALWARE DISTRIBUTION Installation by retailers

CHANNELS OF MALWARE DISTRIBUTION Installation by retailers Public Media Incident https://www.androidpit.de/xiaomi-mi4-smartphones-werden-teilsmit-trojaner-ausgeliefert

CHANNELS OF MALWARE DISTRIBUTION Installation by retailers http://www.newegg.com/product/singleproductreview.aspx?reviewid=4337361

CHANNELS OF MALWARE DISTRIBUTION Installation by retailers http://www.amazon.com/lenovo-screen-android-qualcomm-snapdragon/product-reviews/b00suwbroi

CHANNELS OF MALWARE DISTRIBUTION Google Play

SECONDARY MALWARE DISTRIBUTION In our research we discovered that discussed malware families usually install each other In addition, it installs different kinds of adware. Many adware. But not only adware

WHEN ADWARE IS NOT ENOUGH Introduction Modular backdoor Actively abusing the superuser privileges Introducing Backdoor.AndroidOS.Triada.a

WHEN ADWARE IS NOT ENOUGH Triada architecture

WHEN ADWARE IS NOT ENOUGH Triada architecture

WHEN ADWARE IS NOT ENOUGH Zygote injection. Start Loads the library that will check a possibility of the injection and gather some information Check if the injection test was successful Inject the library into zygote process

WHEN ADWARE IS NOT ENOUGH Zygote injection. First stage native code Write patched bytecode into zygote process address space via ptrace system call

WHEN ADWARE IS NOT ENOUGH Zygote injection. Second stage native code Map malicious DEX file into the memory and invoke its pppmain method

WHEN ADWARE IS NOT ENOUGH ISMS binder hijacking

WHEN ADWARE IS NOT ENOUGH Stealth technology

WHEN ADWARE IS NOT ENOUGH Triada features for fun and profit Complicated modular architecture Using of advanced malware technics It s hard to detect and hard to delete Diversification of the money flows. I.e. cybercriminals get money not only for showing advertisements It can steal not only user s money but developers money as well

MITIGATION PROBLEMS It s nearly impossible to uninstall such malware from the device The first option for user to get rid of such malware is rooting his device and delete malicious applications manually The second one is to flash stock firmware on the device And the third option

CONCLUSION The complexity of Android malware growing fast Such threats are created not by individuals but companies and even, in some cases, by industry. And it takes industry to fight industry They provide access to the device for much more advanced and dangerous malicious applications

THANK YOU! QUESTIONS? Mikhail.Kuzin@kaspersky.com Nikita.Buchka@kaspersky.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information