DeepSec2019 Talk: Android Malware Adventures – Analyzing Samples and Breaking into C&C – Kürşat Oğuzhan Akıncı & Mert Can Coşkuner
Android malware is evolving every day and is everywhere, even in the Google Play Store. Malware developers have found ways to bypass Google's Bouncer as well as antivirus solutions, and have adopted many techniques that let their samples operate the way Windows malware does. Using a benign-looking application as a dropper is just one of them. This talk is about Android malware on the Google Play Store targeting Turkey, such as Red Alert, Exobot, Anubis, etc.
The presentation held at DeepSec 2019 will cover the following issues:
- Techniques to analyze samples: Unencrypted samples are often used to retrieve personal information to sell and do not have obfuscation. Encrypted samples, however, are used for sophisticated tasks like stealing banking information. They decrypt themselves by getting the key from a Twitter account owned by the malware developer and operate by communicating with the Command & Control (C&C) channel. Also, most banking samples use techniques like screen injection and dependency injection, the latter being a technique mostly used by legitimate Android application developers.
- Bypassing Anti-* Techniques: To be able to dynamically analyze the samples, defeating anti-* techniques is often needed. We will introduce some (known) Frida scripts to defeat the anti-* checks commonly used by malware.
- Extracting IoCs: Extracting Twitter accounts as well as C&C addresses from encrypted samples is often critical to perform threat intelligence over samples. Extracting IoCs while the assets are still active has been crucial for our research, since we are also aiming to take over C&Cs. We will introduce (known) automation techniques to extract the Twitter account, the decryption key and the C&C address.
- Extracting stolen information from C&Cs: In order to extract information from a C&C, one should act swiftly. The speed of the extraction process is critical, since the actors change C&Cs often. We will give a detailed walkthrough of how we approach C&Cs as a target and extract the information.
The samples and information presented in the talk are the product of our research on many bankbots – such as Anubis, Red Alert and Exobot – as well as on samples from other Turkish malware developer actors. All IoCs in this talk have been shared with the relevant third parties and are now inactive.
We asked Kürşat and Mert Can to answer a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- Google Play Store is not 100% secure.
- There are 3.3 billion smartphone users around the world, making the smartphone market one of the most valuable markets for malware developers in terms of personal information and banking information harvesting.
- Malware developers become more sophisticated every day and analysing TTPs becomes a necessity.
- C&C is an integral part of mobile malware due to the fact that mobile malware, generally, aims to harvest PI.
- Mobile malware as a service is evolving which results in malware in Google Play Store deployed in bulk. Fast analysis and infiltration needs automation.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I (Mert Can) was analysing Android malware targeting Turkish users. As a red teamer by nature, Kürşat was asked if we could find and infiltrate its C&C to salvage the stolen data and report it to the authorities. Then and there, our research began.
Why do you think this is an important topic?
Except for power users, smartphone users are easy phishing targets, i.e. for malicious raffle apps and banking apps. Considering that the smartphone has become an integral part of our lives, which means that much of our personal data resides on our smartphones, by preventing even one campaign you can protect a lot of personal information.
Is there something you want everybody to know – some good advice for our readers maybe?
Keep your smartphone updated and don’t just trust every app in the Google Play Store.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
As mobile malware is evolving constantly (and anti-virus solutions are becoming less functional), mobile malware sandboxes and intelligence platforms will become an important part of the toolset of companies that use mobile device management (MDM).
Kürşat Oğuzhan Akıncı is a Penetration Tester at STM Defence and a lecturer at TOBB University of Economics and Technology. He is also a team leader of Blackbox Cyber Security, Turkey's first cyber security volunteer group, and coordinator and mentor of Turkcell CyberCamp and Turkish Airlines CyberTakeOff. In his free time Kürşat performs security research through bug bounties, in which he has found several vulnerabilities in critical institutions such as the NSA, as well as helping Mert Can to break into C&Cs.
Mert Can Coşkuner is a Mobile Malware Analyst at Trendyol, where he drafts mobile malware analysis reports. He also maintains a Penetration Testing and Malware Analysis blog at: medium.com/@mcoskuner