Manual For Mobile Security


Lab 2 Mobile Malware Attack : Trojan



Download 354.78 Kb.
Page6/6
Date21.06.2017
Size354.78 Kb.
#21392
1   2   3   4   5   6

Lab 2 Mobile Malware Attack : Trojan





  • This lab discusses the functionality of the Android Trojan which is to send text messages to others using hacker’s commands. The user is unconscious of the Trojan activities as the Trojan deletes all the messaging history. Below is a workflow of the android Trojan.




Developing the Android Trojan


  • When victim activates the application, The Trojan sends a notification to the hacker which encodes the user’s IP address and a port number for malicious communication. After the communication is set, the Trojan and the hacker set up a TCP/IP communication channel through which the hacker can send commands to the Trojan on the victim’s device. When the Trojan receives a command from the hacker, the Trojan analyses the data packet and then abstracts the target users phone numbers and the content of the malicious message and sends the malicious messages to the target phone users. After sending the messages the Trojan then deletes the messaging history of the user. If the target phone users send complaint messages back to the user, The Trojan will stop the arriving of those complaint messages to user’s phone.




  • For ethical issues the whole code has not been shown only part of it which is important is displayed.




  • The below code is a fragment from the whole code which shows that the Trojan (which has been installed without user’s knowledge) uses the Java ServerSocket class to set up a connection to listen to the hacker’s commands, The Trojan extracts the victim’s phone number and the malicious messages through SMS.





  • The Trojan, to intercept all the incoming short messages and to filter out complain messages from users who receive junk messages setups a SMS Receiver. The configuration of the intercepter in AndroidManifest.xml is shown as below:




  • The next step is to design a code that would filter out complaint messages. The below code shows how to filter messages from specific users.





  • To implement the above code the app must request for permission for Sending and Receiving SMS. The permission requests of the Trojan in AndroidManifest.xml are shown in the following.




Demo


  • First we need to run the hacker server.





  • We need to open two emulators in our eclipse. The emulator 1 serves as the victim that has installed and run the Trojan. The emulator 2 serves as the target phone user.




  • Next we open a windows command prompt on the server and enter the command (“telnet localhost 5554”) to connect to Emulator1.





  • Next is to enter the command to setup port mapping.





  • We now enter the client id in the Target field and enter a message in the Message field in the Hacker Server.






  • We can see the following things in the emulator as shown below.





  • The below screenshot shows the screen of emulator2, which shows the message sent by Emulator1.





  • When the Emulator2 wants to send back a complain to Emulator1 the below screen appears as shown below.





  • This has no effect on Emulator1.



Lab 3 Mobile Malware Defenense
This lab discusses a Trojan defense application from scratch which demonstrates the concept of mobile Malware Defense on Android platform. The main functionality of the defense application is that it sends notification to the user reminding him that few malicious applications installed on his mobile are sending text messages without his consciousness. Consider the flowchart shown below for better understanding.
https://sites.google.com/site/mobilesecuritylabware/_/rsrc/1355182404422/4-mobile-malware/malware_lab_activities/lab-2-mobile-malware-defense/protection.png
Consider the following steps:


  1. The hacker sends the command to the Trojan installed in the mobile device.

  2. The Trojan installed in the mobile device sends an SMS to a specific group of people according to the Hacker’s command and unknown to the users consciousness the sent messages are deleted from the history by the Trojan app.

  3. The specific group of users who receive the malicious message send a complaint message back to the user, but the Trojan app deletes the history of the received messages which is unknown to the user.

  4. Protectionism Mechanism: Is to send notification message to the user when sending or receiving a message.


Notice
The method discussed here is only used for demonstrating a general idea of Mobile Malware Defense. Readers should perform gracefully based on hacking ethics and should not spread or utilize the code in this lab to harm other Android phone users to gain their own benefits. A more thorough specification of hacking ethics can be found here
https://sites.google.com/site/mobilesecuritylabware/7-mobile-short-messaging/mobile-short-messaging-labs/lab-2-attack-secret-sms-attack/lab-activity/ethical-hacking
Please read them carefully.
Code Fragements


  • The below fragment code shows a “Content Observer” which listens to any actions on the internal database of Android.




  • We then have to request permission for sending and receiving SMS in AndroidManifest.xml as shown below:



Demo


  • The developed program runs in the background to monitor any malicious actions of sending text messages. Whenever there is a text message being sent out, there will be a notification.






  • A notification of the Trojan sending the application is shown below :



Mobile Spyware
Detecting and Removing spyware by tool
In this lab we are introduced to detection and removal of Android spyware via the use of off-the-shelf protection tools. In this lab we first install a real-world Android “Spyware” and then install the anti-spyware to detect and remove the spyware.


  • The first step is to install spyware such as SMS tracker on the device.

  • We do this by installing the sms tracker agent.apk file on the emulator device.

The app can be downloaded from
http://android.downloadatoz.com/apps/com.gizmoquip.smstracker,68074.html


  • The below screenshot shows how it is done.





  • The second step is to install the anti-spyware such as Anti-spy mobile. We do so by installing the Anti spy mobile.apk on the emulator device. The apk can be downloaded from

http://mobileapk.tk/anti-spy-mobile-pro-v1-9-1-apk/






  • Now we start the AntiSpy Mobile app which is installed on our emulator device. We get the following screen shot





  • The above screenshot appears for the user who uses the app for the first time. The prompt will prompt a message as shown above.




  • The next step the app scans for installed spyware we get the below screen as the app starts scanning for any installed spyware.





  • Once the app searches for any installed spywares we get the below alert message as shown in the screenshot below





  • In then shows the list of spyware applications that are needed to be unistalled as shown below.






  • Now click on the corresponding icon to see the details of the spyware application.



Penetration Test and Analysis” on spyware Threat/Attack
This lab discusses the use of a malicious Android Application to demonstrate and simulate a spyware (malware) on the android mobile device. The malicious Android application (spyware) can catch user’s contact list from the Android mobile phone, and sends a malicious message to the contacts without user’s conscious, Student can analyse this spyware in this lab.
Notice
The attack method discussed here is only used for demonstrating a general idea of spyware. Readers should perform gracefully based on hacking ethics and should not spread or utilize the code in the lab to harm other Android phones users to gain their own benefits. A more thorough specification of hacking ethics can be found here.
Code Fragments
Let us assume that the malicious application has been installed on a victim’s Android phone carelessly. When the user clicks the button the spyware can catch the user’s contact list. To utilize the contact list on the phone, the malicious code must request the permissions accordingly in AndroidManifest.xml as the following code fragment.

The below fragment code shows how to get contact list information by code:

Demo
To test the Demo we open two emulators on the eclipse.
Emulator1
The API serves as the victim which unknowingly installs and runs the malicious application.
Emulator2
Hello world runs as one of the users on the victims contact list on the emulator1.
The emulator1’s contact list screen is shown below:


The spyware on emulator1 runs as shown below:

When the user clicks the button on emultor1, the other side on Emulator 2 receives a message as shown below:




Here is the Apk for this spyware.

 


https://sites.google.com/site/mobilesecuritylabware/5-mobile-spyware/spyware-reverse-engineering-lab/1-spyware-attact-lab/lab-activity/Simple_Malware.apk?attredirects=0&d=1

Defence Reverse Engineering analysis
Reverse engineering is the most popular malware analysis method specified in android development. This lab provides a malware application and teaches students how to analyse the application and how to protect the mobile device by using reverse engineering from the malware application. We first take a look at some general information about reverse engineering.
Reverse engineering is a method to take apart an object to see how it works in order to duplicate or enhance the object, it is a practise taken from older industries, and is now frequently used on computer hardware and software.
Software reverse engineering involves reversing a program’s machine code (string 0’s and 1’s that are sent to the logic processor) back into the source code that it was written in, using program language statements.
There are many tools that implement reverse engineering in android development. It can fully decompile the apps thus making the code readable and understandable.
XdaDeveloperBrut.all has been working on a decompiler for android apps for a while. He had found the first workaround for enabling google maps navigation outside US by decompiling Google maps for android. The tool is called APKTool and is opensource.
Another called dex2jar, developed by a Chinese student will translate dex to jar file. The next step would be to use jd-gui, the source code is readable as dex2jar makes some optimizations.
An alternative option is use to Smali (http://code.google.com/p/smali/), which provides BAKSMALI which is most excellent reverse-engineering tool for DEX files. The tool was developed by JesusFreke, who is famous for making popular ROMs for android.
The next portion of this manual covers the lab which would give detail by using one of the above tools in reverse engineering.
LAB ACTIVITY
In this lab, a simple malware was given to the students to give a general idea (Reverse Engineering) of analysing this kind of spyware. This lab also gives a Auto-analysis method by checking the result of decompiling.
Part1: Decompile APK to JavaCode
This part of the lab requires to two tools to be downloaded dex2jar and JD_GUI
Dex2jar is a tool to transit classes.dex by converting .apk extention into .jar file . JD-GUI is a decompiler tool.

The tools dex2jar and JD_GUI can be downloaded from the links below


Dex2jar: http://laichao.googlecode.com/files/dex2jar-0.0.7-SNAPSHOT.zip

JD_GUI: http://laichao.googlecode.com/files/jdgui.zip


The first step in this part of the lab is to convert is to change the extension of the apk file from .apk to .zip, and unpack it, by doing which we get the classes.dex. Then unpack the dex2jar, and place the classes.dex into dex2jar folder.

The next step is to run JD-GUI (jd-gui.exe), open classes.dex.dex2jar.jar, where we can see the code as shown below



Part2: Decompile apkfile to get AndroidManifest.xml
The apktool can be downloaded from the link given below:
http://code.google.com/p/android-apktool/downloads/list
download apktool 1.5.2.tar.bz2 and  apktool-install-windows-r05-ibot.tar.bz2
The next step is to upack the two downloaded files, we then get the three following files: aapt.exe, apktool.bat, apktool.jar .
Copy the apktool.jar into the folder containing aapt.exe and apktool.bat. Then using the command prompt go to the folder containing the above mentioned three files and run the following command to get the .xml file
Apktool.bat d c:\*.apk c:\*

The AndoridManifest.xml file gets generated

Code
The general working idea of the application was written as the following:
The spyware has been analysed by a kind of rules, where every rule aims to one specific spyware (malware), in this lab we serve one of the rules, but the rule can be added for aiming to another spyware (malware).

Code:


/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
package auto_reverse;
import java.io.BufferedReader;
import java.io.FileReader;
//import java.io.FileWriter;
import java.io.IOException;
import java.util.Scanner;
import java.util.logging.Level;
import java.util.logging.Logger;
/**
 *
 * @author zhengzhe
 */
public class Auto_Reverse {

    /**
     * @param args the command line arguments


     */
    public static void main(String[] args) {
        try {
            int warninglevel=0;//0 is lowest, 2 is highest.
           FileReader fin=new FileReader("AndroidManifest.txt");
           BufferedReader br = new BufferedReader(fin);
           String Line=br.readLine();
           //the rule
      for (int i=0;Line !=null;i++){
       if(Line.contains("android.permission.SEND_SMS")&&Line.contains("android.permission.READ_CONTACTS")){  
           
         FileReader fi=new FileReader("Code.txt");
           BufferedReader b = new BufferedReader(fi);
           String l=b.readLine();
           for (int j=0;l !=null;j++)
           {
               if(l.contains("sendTextMessage"))
               {
                    warninglevel=1;
                    FileReader f=new FileReader("Code.txt");
                    BufferedReader bu = new BufferedReader(f);
                    String le=bu.readLine();
                    for (int h=0;le !=null;h++)
                    {
                        if(le.contains("EditText"))
                        { warninglevel=2;
                        break;
                        }
                        le=bu.readLine();
                        
                    }
                      bu.close();
                      f.close();
      
               }
               
              
               
               l=b.readLine();
           }
             b.close();
             fi.close();
      
       }
     
       Line= br.readLine();
      }

      br.close();


      fin.close();
      System.out.println(warninglevel);
        } catch (IOException ex) {
            Logger.getLogger(Auto_Reverse.class.getName()).log(Level.SEVERE, null, ex);
        }
     
        
    }
}

The result of analysis of the spyware is as shown below:


:

 

https://sites.google.com/site/mobilesecuritylabware/_/rsrc/1355465027492/5-mobile-spyware/lab-activity/spyware-reverse-engineering-lab/lab-2-defence-reverse-engineering-analysis/lab-activity/result.jpg



6. Secure Mobile App Development
Lab1: Android coding Vulnerabilities lab
This lab tries to help students to get familiar with coding vulnerabilities of android programming, which include buffer overflow, input validation, SQL injection etc with other programming languages and platforms. There are some unique coding vulnerability in android programming that we need to be aware of. Ignoring these coding vulnerabilities will cause disastrous security issues.
Tips for android coding vulnerabilities


  1. One must protect any data user input into their device with ones application, and not allow malware to access the application’s special permissions.




  1. Intent recipients like Acitivies, Services and Broad Receivers need to handle potentially hostile callers, and an Intent Filter doesn’t filter a malicious intent. The intentFilters help the system to figure out the right handler for a particular intent, but does not constitute an input filtering system. The reason being the IntentFilters are not a security boundary, they cannot be associated with permissions.

  2. When the intents are started or broadcasted, the intent Filter is used by the system to determine the recipients, one must remember to add as many categories as correctly to apply to the intent. The categories often requires promises about the safety of dispatching an intent, helping stop the intent from having unintended consequences.




  1. Activities cannot rely on IntentFilters to stop callers from passing them badly configured Intents. Misunderstanding this is actually a relatively common source of bugs.




  1. The Developer needs to be careful not just when implementing Activities but when starting them too. One must avoid putting data into Intents used to start Activities that would be of interest to an attacker. An Example where a Malware could register a higher priority IntentFilter and end up getting the user’s sensitive data sent to their Activity instead.




  1.  When starting an Activity if you know the component you intend to have started, you can specify that in the Intent by calling its setComponent() method. This prevents the system from starting some other Activity in response to your Intent. Even in this situation it is still unsafe to pass sensitive arguments in this Intent. You can think of the Intent used to start an Activity as being like the command line arguments of a program, which usually shouldn’t include secrets either.




  1. As with Activities, a broadcast sender can send a receiver an Intent that would not pass its IntentFilter just by specifying the target receiver component explicitly. Receivers must be robust against unexpected Intents or bad data. As always in secure IPC programming, programs must carefully validate their input. 




  1.  if you need to make sensitive calls into a Service, like storing passwords or private messages, you’ll need to validate the Service that you’re connected to is the correct one and not some hostile program that shouldn’t have access to the information you provide.


Lab Activities
The diagram below shows an intent object which contains sensitive information (username and password in this example) is passed from one activity to another in order to start an Activity. However, since a malware has higher priority level in the InterntFilter, It has intercepted the Intent, parsed the Intent object, and then obtain the secret information (username and password). So, in Android programming, we need to keep in mind that sensitive information cannot be passed through an Intent object (please refer to Tip 5).


Fig Basic idea of intent Passing and interception

This lab shows an implicit intent object passed from one activity object to another activity object with vulnerability.
Source Code


  1. Create a new Android project in eclipse.




  1. Create two java source files “Android_intentActivity.java” and “IntentRecevier.java”, copy and paste the source code to the corresponding source files.




  1. Modify the “AndroidManifest.xml” file accordingly.


Android_intentActivity.java
// Android_intentActivity.java: 

// passing an Intent to another Activity

  package android.androidintent;

 import android.app.Activity;

import android.content.Intent; 

import android.os.Bundle;

import android.view.View;

import android.widget.EditText;

 public class Android_intentActivity extends Activity {

       EditText e1,e2;

    /** Called when the activity is first created. */

    @Override

    public void onCreate(Bundle savedInstanceState) {

        super.onCreate(savedInstanceState);

        setContentView(R.layout.main);

        e1=(EditText)findViewById(R.id.editText1);

        e2=(EditText)findViewById(R.id.editText2);

    }


    public void on_submit(View v){

        Intent intent=new Intent();

      Bundle bun = new Bundle();

      bun.putString("Username", e1.getText().toString());

        bun.putString("Password", e2.getText().toString());

      intent.setAction("android.androidintent.IntentReciever");

        intent.putExtras(bun);

        Android_intentActivity.this.startActivity(intent);

    }

}
IntentRecevier.java


// IntentReceiver.java: 

// Intent intercepted and sensitive information extracted

 

package android.androidintent;



 

import android.app.Activity;

import android.content.Intent;

import android.os.Bundle;

import android.util.Log;

import android.widget.TextView;

 

public class IntentReciever extends Activity {



    /** Called when the activity is first created. */

       TextView t1,t2;

    @Override

    public void onCreate(Bundle savedInstanceState) {

        super.onCreate(savedInstanceState);

        setContentView(R.layout.main1);

        Bundle bun = getIntent().getExtras();

        String result1 = bun.getString("Username");

        String result2 = bun.getString("Password");

        t1=(TextView)findViewById(R.id.textView1);

        t2=(TextView)findViewById(R.id.textView2);

        t1.setText("Username:"+result1);

        t2.setText("Password:"+result2);

        Log.d("Username",result1);

        Log.d("Password",result2);

    }


}
AndroidManifest.xml
    package="android.androidintent"

    android:versionCode="1"

    android:versionName="1.0" >

   

   

        android:icon="@drawable/ic_launcher"

        android:label="@string/app_name" >

       

            android:name=".Android_intentActivity"

            android:label="@string/app_name" >

        

               

               

           

       

                       

             

                

               

             

       

     



Results Demo

Activity1: Username/Password typed and intent object created



Malware Activity: Intent Intercepted and Sensitive Information Extracted





Solution

This lab requires us to learn, how to safely pass data between different activity objects. You will need to design a mechanism, which can pass data safely between different activities, without having to wrapping sensitive data within an intent object. The goal being to avoid an intent object being intercepted by malicious activity. There are different ways to achieve this goal, such as SQLLite, intent object creation etc. Please design your own mechanism and implement your solution.



Lab2: Android Activities with intent Security Concern

In this lab, we will use a malicious Android application we wrote to demonstrate a kind of intent security problem on Android platform. The malicious Android application can get the intent information from “Intent app” if the Show Activity has same action name and other characters are also the same with hack activity in Intent Filters. At the same time, the main activity intents according to the action name and other characters in the intent filter. The following diagram shows the basic idea of this security problem.


Fig Intent app has intent Filters in shown activity.

This lab utilizes android attack application that we developed to give user a brief demonstration on how hackers get the data the activities sent in other applications.



Special Notice

The attack method discussed here is only used for demonstrating a general idea of Intent attacks. Readers should perform gracefully based on hacking ethics and should not spread or utilize the code in this lab to harm other Android phone users to gain their own benefits. A more thorough specification of hacking ethics can be found here and here. Please read them carefully.

Code Fragments

The Android Manifest.xml of a common login application, may define an activity like this:



The below activity is for getting the user information of username and password which the user inputs in the previous activity and presses the login button. The activity can be called using:



Next we need to create a hack app with the following activity



The code in the main activity java file of the hack app would have:



If this hack app runs on an android phone together with the previous common app, after the user inputs the user name and password and presses button to active the intent function and try to login, the hack app will also get the information input by the user.

Demo:

First we input the username and password and click Login



The correct login activity that we want is shown below



The information shown in the hacker’s app is as shown in the below screen shot

Defense

In this lab, an android application is updated to defend the intent security problem on android platform. The malicious android application never gets the intent information from “Intent app”, even though the show activity has same action name and other characters are also the same with hack activity in intent filters. The main activity intents according to the class name and the package name. The below diagram shows the basic idea of this solution


The lab utilizes android attack application that we developed to give user a brief demonstration on how to avoid attack hackers to get the data the activities sent in applications



Code fragment

We need to be aware of the below code lines created in the previous lab



SetClassName() for explicit intent is used, instead of using setAction() to reach implicit intent



As the explicit intent will go straight to the activity we want and ignore the intent filters, the hack app will never get the information sent in intent function.



Version 1:

Code:

TestIntentActivity.java

 

package android.testintent;



import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.view.View;
import android.view.View.OnClickListener;
import android.widget.Button;
import android.widget.EditText;

public class TestIntentActivity extends Activity {


/** Called when the activity is first created. */
String name;
String password;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
final Button logb=(Button)findViewById(R.id.logb);
final EditText Uname=(EditText)findViewById(R.id.uname);
final EditText Pword=(EditText)findViewById(R.id.pword);
// final String name;
// final String password;
logb.setOnClickListener(new OnClickListener()
{
public void onClick(View v)
{
name=Uname.getText().toString();
password=Pword.getText().toString();

Intent intent = new Intent();

intent.putExtra("username", name);

intent.putExtra("password", password);

// intent.setAction("android.testintent.Login");

// intent.addCategory(Intent.CATEGORY_DEFAULT);


intent.setClassName("android.testintent","android.testintent.Login");

startActivity(intent);


}
});

}
}

Login.java

 

package android.testintent;



import android.app.Activity;
import android.os.Bundle;
import android.widget.TextView;

public class Login extends Activity {

@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.loginlayout);
final TextView text=(TextView)findViewById(R.id.logindata);
// text.setText("babo");
text.setText("UserName: "+getIntent().getStringExtra("username")+"\nPassword: "+getIntent().getStringExtra("password"));
}
}
Andorid Manifest.xml

 


package="android.testintent"
android:versionCode="1"
android:versionName="1.0">



android:name=".Login"
android:theme="@android:style/Theme.NoTitleBar" />
android:name=".Login"
android:label="Login" >






android:label="@string/app_name">







 

Demo:

The first step is to give username and password as input and click on login

This is the login activity that we want and no information sent to the hack app.





Android_intentactivity.java

package android.androidintent;


 
import android.app.Activity;
import android.content.Intent; 
import android.os.Bundle;
import android.view.View;
import android.widget.EditText;
 
public class Android_intentActivity extends Activity {
       EditText e1,e2;
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        e1=(EditText)findViewById(R.id.editText1);
        e2=(EditText)findViewById(R.id.editText2);
    }
    
    public void onClick(View v){
       
        Intent intent = new Intent(this,Android_intentActivity.class);
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);  
        Bundle bun = new Bundle();
 
        bun.putString("Username", e1.getText().toString());
        bun.putString("Password", e2.getText().toString());
 
        intent.setClass(this, IntentReciever.class);
        intent.putExtras(bun);
        Android_intentActivity.this.startActivity(intent);
    }
}


IntentReciever


package android.androidintent;
 
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
 
public class IntentReciever extends Activity {
    /** Called when the activity is first created. */
       TextView t1,t2;
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main2);
        Bundle bun = getIntent().getExtras();
        
        String result1 = bun.getString("Username");
        String result2 = bun.getString("Password");
        t1=(TextView)findViewById(R.id.textView1);
        t2=(TextView)findViewById(R.id.textView2);
        
        t1.setText("Username:"+result1);
        t2.setText("Password:"+result2);
        Log.d("Username",result1);
        Log.d("Password",result2);
    }
}

AndroidManifest.xml



    package="android.androidintent"
    android:versionCode="1"
    android:versionName="1.0" >

   

            android:icon="@drawable/ic_launcher"
        android:label="@string/app_name" >
                    android:name=".Android_intentActivity"
            android:label="@string/app_name" >
           
               

               


           
       
       
       

   







Download 354.78 Kb.

Share with your friends:
1   2   3   4   5   6




The database is protected by copyright ©ininet.org 2024
send message

    Main page