Countering mobile malware in CSP’s network: Android honeypot as anti-fraud solution
Denis Gorchakov, Nikolay Goncharov
Post on 05-Aug-2015

Lies, damned lies, and statistics

Annual AV reports say that Android malware has a 95% share among all malicious mobile apps. Russian subscribers are at the top of the list of mobile malware’s potential victims.

More than 50% of all mobile malware (worldwide) targets Russian subscribers. At the end of 2013 there were 1321 banking viruses out in the wild, and at the end of Q1 2014 this number increased to 2503.

On May 1, the Russian Government legally mandated Advice of Charge (AoC) for all VAS content services, so cybercriminals shifted their focus to mobile e-commerce and payment services and to SMS banking services. Mobile malware is slowly maturing, catching up with modern PC malware such as WinLocker, CryptoLocker, rootkits and RATs.

What’s going on? Typical malware

• Bypasses common anti-fraud filter rules: randomizes the times, amounts and periods of withdrawals from subscribers’ funds.
• Subscribes the victim to VAS mobile content with AoC bypass (“monetization” offers for webmasters).
• Shows unwanted ads in the notification drawer. Opens various promoted websites (black SEO).
• Steals call history, SMS logs and the phone’s address book.
• Sends SMS spam to address book contacts or to random numbers (viral distribution, bypassing SMS anti-spam services).
• Automates all SMS activity via built-in parsers for popular payment systems and banks.
• Combines phishing with clickjacking using interface tricks (card input overlays in Google Play, launching a rogue app on top of the original, etc.).

Marketing APT stories and spy movie scenarios:
• Remotely controls your smartphone, using microphone, camera and sensors on demand.
• Uses smartphones for DDoS (data or voice).
Smart anti-reversing features:
• Interface tricks.
• Uses device location (not only GPS, but cell data too).
• Checks for a dummy/test number or device when no subscriber activity is present (checks SMS history, validates blank IMEI/IMSI, blacklists test SIM cards).
• Includes antivirus-specific bypass code (like the “kavf#cker” class).
• Checks for root privileges or tries root exploits.
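
The first bullet of the "Typical malware" list, randomized withdrawal times and amounts that stay under per-message limits, is the failure mode of fixed-threshold anti-fraud rules. The following is an added illustration, not the presenters' code: a sliding-window rule that aggregates premium-SMS spend per subscriber over time and counts distinct short codes, beside the naive per-message rule it replaces. The billing-event layout, the thresholds and every number are constructed assumptions.

```python
# Added example (not the presenters' code): a sliding-window rule for premium-SMS
# withdrawals that does not rely on a fixed per-message amount.  The event layout,
# thresholds and all numbers below are constructed for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed billing events: (subscriber MSISDN, ISO timestamp, premium short code, amount in RUB).
# Subscriber ...001 is the infected one: small, varying amounts, irregular times, rotating codes.
# Subscriber ...002 makes one ordinary content purchase.
EVENTS = [
    ("79000000001", "2014-05-10T09:12:04", "7122", 14.0),
    ("79000000001", "2014-05-10T11:47:51", "3150", 9.5),
    ("79000000001", "2014-05-10T17:03:10", "7122", 22.0),
    ("79000000001", "2014-05-11T02:30:44", "9091", 11.0),
    ("79000000001", "2014-05-11T08:15:09", "3150", 17.5),
    ("79000000001", "2014-05-11T13:58:37", "9091", 8.0),
    ("79000000002", "2014-05-10T12:00:00", "7122", 45.0),
]

PER_MESSAGE_LIMIT = 30.0    # a fixed per-transaction rule of the kind the malware stays under
WINDOW = timedelta(hours=48)
WINDOW_TOTAL_LIMIT = 50.0   # cumulative premium spend allowed inside one window
MIN_DISTINCT_CODES = 3      # many different short codes in one window is a signal by itself


def by_subscriber(events):
    """Group events per MSISDN as (datetime, code, amount), sorted by time."""
    grouped = defaultdict(list)
    for msisdn, ts, code, amount in events:
        grouped[msisdn].append((datetime.fromisoformat(ts), code, amount))
    for rows in grouped.values():
        rows.sort()
    return grouped


def fixed_rule_hits(events):
    """The naive rule: flag subscribers with any single message above PER_MESSAGE_LIMIT."""
    return sorted({msisdn for msisdn, _, _, amount in events if amount > PER_MESSAGE_LIMIT})


def sliding_window_hits(events):
    """Flag a subscriber once the events inside any WINDOW-long span either exceed
    WINDOW_TOTAL_LIMIT in total or touch at least MIN_DISTINCT_CODES short codes.
    Returns {msisdn: {"total": float, "codes": [str, ...]}} for the first hit."""
    flagged = {}
    for msisdn, rows in by_subscriber(events).items():
        start = 0
        for end in range(len(rows)):
            # advance the window start so that rows[start:end+1] spans at most WINDOW
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            total = sum(amount for _, _, amount in window)
            codes = {code for _, code, _ in window}
            if total > WINDOW_TOTAL_LIMIT or len(codes) >= MIN_DISTINCT_CODES:
                flagged[msisdn] = {"total": total, "codes": sorted(codes)}
                break
    return flagged


if __name__ == "__main__":
    print("fixed rule:", fixed_rule_hits(EVENTS))          # only the legitimate 45 RUB purchase
    print("sliding window:", sliding_window_hits(EVENTS))  # the infected subscriber
```

On this sample the per-message rule flags the one legitimate purchase and misses the infected subscriber entirely, while the windowed rule fires on the fourth small withdrawal, when the cumulative spend crosses the window limit and three different short codes have been used. In a CSP deployment the window length and limits would be tuned per tariff rather than fixed as here.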

Bad Android!111

Unlike other mobile OSs, Android allows easy app installation from any untrusted source (just one tick in device settings). All it takes is a little social engineering and the common addiction to piracy among risk groups. Criminals even go so far as to distribute malware through Google Play, exploiting moderation and sandbox deficiencies. Until Google made recent changes to its Android vendor certification requirements, its firmware update policy was real hell: cheap devices, as well as devices only one year old, didn’t receive any updates with vulnerability fixes, let alone major Android version upgrades.

Lies, damned lies, and statistics #2. The real deal

Only Android 4.2+ has the “More control of Premium SMS” feature, which intercepts any premium SMS activity with a confirmation dialog.

SMS handling was redesigned only in Android 4.4, so that every SMS sent from any app is logged system-wide.

Most of these devices won’t receive a major upgrade.

Numbers and interesting facts

Every day we receive about 80 000 links that lead to malicious mobile apps. Most of them aren’t unique and many are dynamically generated, but it’s still enough to begin the automation process. We work in the InfoSec Division: we’re not developers, we’re a small team, and we can’t afford to research and develop machine learning algorithms the way app stores do. But we have our advantages: access to the CSP’s network and specific tools.

«Reich» botnet
Targeted large banks. Even a few days of one C&C’s activity led to 5 500 subscribers being infected; moreover, more than 850 of them had money stolen from their bank accounts.

SIP virus
Created a SIPNet account after installation and transferred some amount of the subscriber’s funds to it. Could have been used for voice DDoS, but something went wrong.

Script kiddies again?
Stupid typos and code errors. Hardcoding the plaintext decryption key in the malware’s body. Extending account subscriptions on WoW freeshards, seriously? Guys, come on, surprise us with dynamic hostnames?!

Mobile Security (malware-C&C hostname)

Honeypot architecture

The honeypot is used for botnet analysis, traffic capturing and revealing C&C hostnames. It’s also used for detecting subscribers with infected devices and for monitoring malware activities like funds withdrawal and remote control. It also automates detection to support internal business processes.

[Diagram: honeypot architecture. Labelled components: Honeypot server (PostgreSQL, web interface), Android agent, operator PC, Femtocell, WiFi, WWW, SMSC, SMPP client, service emulation, DPI/DNS analysis/AV solution/etc., report on infected/compromised subscriber device stats, CSP’s network.]

Network diagram and service integration

[Diagram: network diagram and service integration. Labelled elements: antivirus platform, monitoring, SGSN, SORM, exterior gateway, traffic mirroring, gateway loop, traffic processing, GGSN, control channel (VPN), workstation, control channel (selection of suspicious sessions), data processing, database server.]

Description

Android application (agent):
• Gets C&C botnet hostnames and IPs
• Gets traffic dumps, network and any other communication activity from malicious apps
• Gets C&C MSISDNs and fund collectors’ MSISDNs
• Reveals sensitive data leaks to remote servers
• Stores its monitoring stats server-side

Server:
• DPI-like traffic analysis
• Records traffic signatures, provides stats on C&C hostnames and MSISDNs, infected subscribers
• Whitelisting/blacklisting
• Dynamic routing, e.g. to the antivirus platform or to a landing page with a custom warning.
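
The agent and server descriptions above list what is extracted from captured activity: C&C hostnames and MSISDNs, sensitive data leaks, whitelist/blacklist handling and a routing decision. The following is an added example of that server-side processing, not the presenters' code: it runs over constructed per-app flow and SMS records of the kind the agent would upload, and the record layouts, package names, hostnames, numbers and the base64 leak-search heuristic are all assumptions made for the illustration.

```python
# Added example (not the presenters' code): server-side processing of records the
# honeypot agent uploads.  Record layouts, package names, hostnames, numbers and
# the leak-search heuristic are all constructed assumptions for this illustration.
import base64
import re
from collections import Counter

# Constructed identifiers of the honeypot handset; the server looks for them in
# outbound payloads to reveal leaks of sensitive data.
DEVICE_SECRETS = {
    "imei": "356938035643809",
    "imsi": "250991234567890",
    "contact": "79165550123",
}

# Constructed per-app flow records: (package, destination host, port, outbound payload).
FLOWS = [
    ("com.vkontakte.android", "api.vk.com", 443, b"GET /method/friends.get"),
    ("com.opera.browser", "www.opera.com", 80, b"GET / HTTP/1.1"),
    ("com.android.sysupdate", "upd-srv.example", 80,
     b"POST /gate.php id=356938035643809&op=250991234567890"),
    ("com.android.sysupdate", "upd-srv.example", 80,
     b"POST /gate.php book=" + base64.b64encode(b"79165550123,79165550124")),
    ("com.android.sysupdate", "cdn-static.example", 80, b"GET /cfg.bin"),
]

# Constructed SMS records: (package, direction, peer number, text).
SMS = [
    ("com.android.sysupdate", "out", "9091", "VIP 1"),
    ("com.android.sysupdate", "out", "79161110000", "bal 1540 rub"),
    ("com.android.mms", "out", "79165550123", "hi"),
    ("com.android.sysupdate", "in", "900", "Your code is 1234"),
]

WHITELIST = {"com.vkontakte.android", "com.opera.browser", "com.android.mms"}
BLACKLIST = {"com.android.sysupdate"}

_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def suspect_apps(flows, sms, whitelist):
    """Packages that talk to the network or send SMS and are not whitelisted."""
    active = {pkg for pkg, _, _, _ in flows} | {pkg for pkg, d, _, _ in sms if d == "out"}
    return sorted(active - whitelist)


def cnc_hosts(flows, whitelist):
    """Hostnames contacted by non-whitelisted packages, with hit counts (C&C candidates)."""
    return Counter(host for pkg, host, _, _ in flows if pkg not in whitelist)


def _views(payload):
    """The payload itself plus the base64-decoded form of any long base64-looking token."""
    yield payload
    for tok in _B64_TOKEN.findall(payload):
        try:
            yield base64.b64decode(tok + b"=" * (-len(tok) % 4), validate=True)
        except ValueError:      # binascii.Error is a ValueError
            continue


def sensitive_leaks(flows, secrets):
    """(package, host, secret label) for every device secret found in an outbound payload."""
    found = set()
    for pkg, host, _, payload in flows:
        for view in _views(payload):
            for label, value in secrets.items():
                if value.encode() in view:
                    found.add((pkg, host, label))
    return sorted(found)


def collector_msisdns(sms, whitelist):
    """Numbers that non-whitelisted packages send SMS to: premium short codes and
    C&C / fund-collector MSISDNs, with counts."""
    return Counter(peer for pkg, d, peer, _ in sms if d == "out" and pkg not in whitelist)


def route_for(pkg, blacklist, whitelist, leaks):
    """Dynamic routing decision for a subscriber session attributed to pkg."""
    if pkg in whitelist:
        return "pass"
    if pkg in blacklist or any(l_pkg == pkg for l_pkg, _, _ in leaks):
        return "redirect:av-platform"      # known bad or leaking data: antivirus platform
    return "redirect:warning-page"         # unknown but active: landing page with a warning
```

The leak search matches the handset's own identifiers against every outbound payload, both as plain text and after decoding any long base64 token, so the address-book entry hidden inside the second gate.php request is still recognised. Real payloads would also need URL-decoding and decompression before the same comparison; those steps are left out here.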

Android app

[Diagram: Android phone with apps (VK, Opera, Bot), Sniffer, WWW, Server, Web interface.]

Features

• No root is required, no device-specific requirements

• Doesn’t affect device performance or data transfer speed

• Requires Android 4.0.3+ (API level 14+)

• Captures all data transferred from the device

• Analyses incoming and outgoing SMS and USSD messages

• Stores every app’s activity separately

• Has white/blacklist for apps

• Shows apps that require SMS and Internet permissions

• Client-server architecture
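
One of the features listed above is showing apps that require both SMS and Internet permissions. The following is an added example of that triage, not the presenters' code: it reads the <uses-permission> entries of each app and flags non-whitelisted packages that request SMS and Internet access together, noting contacts access as well. The manifests are constructed text manifests built inline; on a real device the same permission list would come from the package manager rather than from parsing XML, and the package names other than the well-known ones are assumptions.

```python
# Added example (not the presenters' code): triage of installed apps by the SMS and
# Internet permissions they request, as the agent's permission view might do it.
# The manifests below are constructed text manifests; on a real device the same
# permission list would be read from the package manager rather than parsed from XML.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"}


def manifest(package, *perms):
    """Build a minimal constructed AndroidManifest.xml for the sample set below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f'{uses}</manifest>')


MANIFESTS = {
    "com.android.mms": manifest("com.android.mms", "android.permission.SEND_SMS",
                                "android.permission.RECEIVE_SMS",
                                "android.permission.READ_CONTACTS"),
    "com.opera.browser": manifest("com.opera.browser", "android.permission.INTERNET"),
    # constructed package name standing in for a malicious "system update" app
    "com.android.sysupdate": manifest("com.android.sysupdate",
                                      "android.permission.INTERNET",
                                      "android.permission.SEND_SMS",
                                      "android.permission.RECEIVE_SMS",
                                      "android.permission.READ_CONTACTS",
                                      "android.permission.RECEIVE_BOOT_COMPLETED"),
}
WHITELIST = {"com.android.mms", "com.opera.browser"}


def permissions(manifest_xml):
    """Set of permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def triage(manifests, whitelist):
    """Per package: which of the SMS / Internet / contacts groups it requests and
    whether it is flagged (SMS and Internet together, and not whitelisted)."""
    result = {}
    for pkg, text in manifests.items():
        perms = permissions(text)
        has_sms = bool(perms & SMS_PERMS)
        has_net = bool(perms & NET_PERMS)
        has_contacts = bool(perms & CONTACT_PERMS)
        result[pkg] = {
            "sms": has_sms,
            "net": has_net,
            "contacts": has_contacts,
            "flagged": has_sms and has_net and pkg not in whitelist,
        }
    return result


def flagged(manifests, whitelist):
    """Packages worth an analyst's attention, those touching most groups first."""
    t = triage(manifests, whitelist)
    return sorted((p for p, v in t.items() if v["flagged"]),
                  key=lambda p: -sum(t[p][k] for k in ("sms", "net", "contacts")))
```

The messaging app requests SMS and contacts but no network access, and the browser only the network, so neither is flagged even before the whitelist is consulted; the combination of SMS, Internet and contacts in one unknown package is what the list on this slide is meant to surface.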

Roadmap

• SSL/TLS MitM attack

• Expanding predefined white/blacklists

• Implementing behavioral metrics

• Optimizing auto-detection logic

• Improving sensitive data leak detection

• Intercepting and modifying C&C server’s commands

• Implementing a traffic analysis solution inside telecom network