Mobile malware threats and countermeasures
Sofia, April 12, 2018
Stefaan Seys, PhD, Security Architect @ VASCO

Entities in Online Banking Application
[Figure: end-user <-> communication network (e.g. Internet, SS7) <-> bank (data centre, ATM network)]
• Main attack vectors against the end-user: Phishing, Financial malware
• Main attack vector against the bank: Advanced Persistent Threats (APTs)

Trojans
Virtually all banking malware is a Banking Trojan.
Trojan = innocent looking app that includes hidden malicious capabilities
Mobile Banking Trojans: a short history
• 2010: Zeus
• 2013: Svpeng
• 2014: Torec
• 2015: Gugi; Torec becomes Acecard; Marcher; Faketoken
• 2016: Acecard, Marcher, Faketoken, Svpeng, Asacub; Gugi also includes overlay
• 2017: Bankbot; Svpeng added a keylogger through ACCESSIBILITY

Banking Trojans – Main functionality
[Figure: four function blocks – Infection, Update, Monitor and attack, Self-protection]
Infection:
• Download additional software modules
• Installation on the mobile device
Update:
• Update the filter list from the C2 server
Monitor and attack:
• Check the banking apps of the user
• Compare the apps with the filter list
• Capture credentials and upload them to the C2 server via a secure channel
• Take control of the victim app (rooted)
Self-protection:
• Hiding: ensure the Trojan cannot be detected by security software
• Obfuscation: make analysis and reverse engineering more difficult

Mobile banking Trojans almost exclusively target Android
• Malware is largely targeting Android-based devices
• Reasons:

Item                  | iOS                                 | Android
Ecosystem complexity  | Device and OS by the same company   | Google, OEMs, Mobile Operator
Security updates      | Older and new devices often patched | Many devices never patched
App sources           | Only the official app store         | Allows untrusted sources
Vetting by app store  | Strong manual vetting               | Automated Bouncer checks
Ease of rooting       | Jailbreak window smaller every year | Easy to root, or rooted out of the box

Mobile malware infection methods
1. Android Play Store (must circumvent Bouncer)
   1. Does not require the user to enable "untrusted sources"
   2. Sometimes heavily pushed using ads
2. Third-party stores (nothing to circumvent)
3. Drive-by download (typically on adult sites, posing as a video player)
4. Phishing (SMS and chat are very popular on mobile)
5. Exploit a security vulnerability to install files without a security warning
   • E.g. Stagefright vulnerability (August 2015)
   • E.g. Chrome vulnerability (November 2016) caused the infection of 300,000 Android devices
6. Counterfeit toolchain (XcodeGhost)
Mobile malware capabilities
1. Without root: malware is "limited" to the capabilities of any normal app
2. With root, obtained through:
   • the user rooting the phone
   • exploiting a vulnerability in the OS (e.g., Framaroot)

Without root: SMS interception
2011: Zeus-in-the-Mobile (Zitmo) and SpyEye-in-the-Mobile (Spitmo); 2013: Perkele
[Figure: attack flow]
1. Username/password: the PC malware (Zeus) injects code into the bank's web page over the Internet, steals the credentials and asks the user to install Perkele on the phone
2. mTAN: Zitmo/Spitmo/Perkele on the phone looks genuine (tailored to the bank), keeps running in the background and intercepts the SMS carrying the mTAN over the cellular network

Without root: Overlays
[Figure: three screenshots – full overlay for credential stealing; partial overlay for keyboard sniffing; partial overlay for stealing the credit card]

Without root: ACCESSIBILITY permission to take control
• 2017: Bankbot, targeted over 200 banks
• Bankbot's dropper is named "Google Service" and asks the user for the Accessibility permission

Without root: Repackaged App
[Figure: the repackaged app is distributed via a 3rd-party store, drive-by download or phishing]
The slide shows the original onClick handler (left) and the patched version (right) in smali. Original:

    # virtual methods
    .method public final onClick(Landroid/view/View;)V
        .locals 3

        .line 122
        invoke-virtual {p1}, Landroid/view/View;->getId()I
        move-result v0
        sget v1, Lo/Iw$f;->button:I
        if-ne v0, v1, :cond_1

        .line 123
        iget-object v0, p0, Lo/JE;->B:Lo/JE$c;
        iget-object v1, p0, Lo/JE;->A:Landroid/widget/EditText;
        ...

Patched (the inserted instructions print the string held in v1 to the log, where it can be picked up by ddms, logcat or a log collector; the slide elides the surrounding original instructions):

    # virtual methods
    .method public final onClick(Landroid/view/View;)V
        .locals 3

        # Changed by Stefaan
        # send our new string to the log.
        # this can be used to debug and can be picked up with ddms, logcat
        # or log collector. as an exercise look up what the d() function does
        # in the android developer documentation.
        sget-object v2, Ljava/lang/System;->out:Ljava/io/PrintStream;
        invoke-virtual {v2, v1}, Ljava/io/PrintStream;->println(Ljava/lang/String;)V
        .line 4078
        # End of changes
        [original code here]
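The four without-root techniques above (SMS interception, overlays, accessibility abuse and the dropper/repackaged app) each need permissions or components that are visible in AndroidManifest.xml before the app ever runs, which is what an app-store vetting step or an internal triage pipeline can key on. The following is an added example written for this page (not VASCO's code and not code from any of the Trojans named): it maps manifest declarations to the capabilities discussed and rates a manifest. The permission-to-capability mapping, the rating thresholds, the impersonated brand names and both manifests are constructed assumptions.

```python
"""Static triage of an Android manifest for the without-root Trojan
capabilities discussed on the slides.  Added example; the mapping, the
thresholds and the sample manifests are assumptions, not real-world data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree form of the android: attribute prefix

# What a permission lets a NON-rooted app do (assumed mapping, chosen to match
# the techniques on the slides).
PERMISSION_CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "sms_interception",        # Zitmo/Perkele style mTAN theft
    "android.permission.READ_SMS": "sms_interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",          # draw over the banking app
    "android.permission.GET_TASKS": "foreground_app_tracking",    # know when to show the overlay
    "android.permission.PACKAGE_USAGE_STATS": "foreground_app_tracking",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",     # install the real payload
}
# Brand names droppers impersonate in their app label (assumed list).
IMPERSONATED_BRANDS = ("google", "flash player", "adobe")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the capabilities implied by the manifest and
    a verdict of low / medium / high."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    caps = set()
    for up in root.iter("uses-permission"):
        cap = PERMISSION_CAPABILITIES.get(up.get(A + "name"))
        if cap:
            caps.add(cap)
    # Accessibility is not a uses-permission: it is a service that the system
    # binds to, guarded by BIND_ACCESSIBILITY_SERVICE on the service element.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility")
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    if any(b in label for b in IMPERSONATED_BRANDS) and not package.startswith("com.google."):
        caps.add("brand_impersonation")
    # Rating (assumed thresholds): accessibility alone gives full control;
    # an overlay is only useful together with mTAN theft or foreground tracking.
    if "accessibility" in caps or (
            "overlay" in caps and {"sms_interception", "foreground_app_tracking"} & caps):
        verdict = "high"
    elif len(caps) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "capabilities": sorted(caps), "verdict": verdict}


# Constructed sample manifests (not taken from any real app).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dropper">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Service">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPECT_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

On a real APK the binary manifest has to be decoded first (apktool or aapt), and the check rates declared intent rather than behaviour: a repackaged banking app whose only change is the patched onClick above adds no permissions and scores low. That is why the complementary control is app-integrity checking (the repackaged app is necessarily re-signed with the attacker's key), not manifest triage alone.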
• Rooting / jailbreaking
  • Typically, one user of the device has "super" powers on the device
  • The mobile OS usually does not allow the owner of the device to access the "root" user
  • Rooting (Android) or jailbreaking (iOS) provides access to the "root" user
• Risks due to rooting:
  1. The Banking Trojan can read any file on the device
  2. The Banking Trojan can write to any file on the device, including system libraries!
  3. The Banking Trojan can hook into another process and take control of it
[Figure: on top of the Linux kernel, App 1, App 2 and the malware each run in a separate process with a unique UID, their own private data and their own runtime; running as root, the malware's hooking script injects a hook agent into a victim app's runtime]
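A banking app cannot prevent any of the three risks once the device is rooted, but it can detect the conditions under which they apply before it handles credentials, which is the "jailbreak & root detection" and "hook & debug prevention" part of the countermeasures later in the deck. The following is an added example written for this page, not VASCO's code: it checks the usual root indicators and looks for hooking frameworks mapped into the app's own process through /proc/self/maps. The indicator lists, the injected callbacks and the sample /proc/self/maps content are assumptions; on a real device this logic runs inside the app (Java or native), and the inputs are injected here so it runs offline.

```python
"""Device-integrity check a banking app can run before it handles credentials:
root indicators plus hook-framework detection.  Added example; the indicator
lists and the sample data are assumptions, not taken from a real device."""
import re

# Common locations of the su binary on rooted Android devices (assumed list).
SU_PATHS = (
    "/system/bin/su", "/system/xbin/su", "/sbin/su",
    "/su/bin/su", "/data/local/tmp/su", "/data/local/xbin/su",
)
# Root-management apps whose presence implies root (assumed list).
ROOT_MANAGER_PACKAGES = (
    "eu.chainfire.supersu", "com.topjohnwu.magisk", "com.koushikdutta.superuser",
)
# Library names hooking frameworks map into a victim process (assumed list).
HOOK_LIBRARY_RE = re.compile(r"(frida|xposed|substrate|dexposed)", re.IGNORECASE)


def root_indicators(path_exists, build_tags, installed_packages):
    """Return human-readable root indicators.

    path_exists:        callable like os.path.exists (injected to keep this testable)
    build_tags:         value of the ro.build.tags system property
    installed_packages: iterable of installed package names
    """
    found = [f"su binary present: {p}" for p in SU_PATHS if path_exists(p)]
    if "test-keys" in build_tags:  # custom / AOSP builds are signed with test keys
        found.append(f"build signed with test-keys: {build_tags}")
    found += [f"root manager installed: {p}" for p in ROOT_MANAGER_PACKAGES
              if p in installed_packages]
    return found


def hook_indicators(proc_maps_text):
    """Return the paths of suspicious libraries found in /proc/self/maps content.

    Risk 3 above (hooking into another process) leaves the hook agent mapped
    into the victim, so the victim can spot it by reading its own map."""
    found = set()
    for line in proc_maps_text.splitlines():
        # Format: address perms offset dev inode [pathname]
        parts = line.split(None, 5)
        if len(parts) == 6 and HOOK_LIBRARY_RE.search(parts[5]):
            found.add(parts[5].strip())
    return sorted(found)


def assess_device(path_exists, build_tags, installed_packages, proc_maps_text):
    """Combine both checks; 'trusted' is False if anything was found."""
    root = root_indicators(path_exists, build_tags, installed_packages)
    hooks = hook_indicators(proc_maps_text)
    return {"root": root, "hooks": hooks, "trusted": not root and not hooks}


# Constructed sample data (not captured from a real device).
CLEAN_MAPS = """\
12c00000-12d00000 rw-p 00000000 00:00 0                          [anon:dalvik-main space]
7f3a2c5000-7f3a2e6000 r-xp 00000000 103:09 1234                  /system/lib64/libc.so
7f3a300000-7f3a301000 r--p 00000000 00:00 0
"""
HOOKED_MAPS = CLEAN_MAPS + (
    "7f3b100000-7f3b9a0000 r-xp 00000000 103:09 5678"
    "                  /data/local/tmp/re.frida.server/frida-agent-64.so\n"
)
CLEAN_FILES = set()                  # nothing root-related on disk
ROOTED_FILES = {"/system/xbin/su"}   # su dropped into /system/xbin

if __name__ == "__main__":
    print(assess_device(CLEAN_FILES.__contains__, "release-keys",
                        ["com.example.bank"], CLEAN_MAPS))
    print(assess_device(ROOTED_FILES.__contains__, "test-keys",
                        ["com.topjohnwu.magisk"], HOOKED_MAPS))
```

The check is a signal, not a guarantee: with root the Trojan can hide the su binary, patch the system property and hook the check itself, which is exactly why the deck rates the rooted case as the highest threat. The value of the check lies in the far more common case of a user-rooted device or a sloppy hooking setup, where refusing to run, or stepping up to transaction signing, is cheap.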
Remote Code Execution
• No "malware" is present on the device
• The code is pushed or pulled remotely and executed on the device because of a vulnerability in some library
• Usually components running with high privileges ("root") are targeted
• Well-known examples: Stagefright (2015, media engine); Chrome JavaScript engine exploit (2016, browser); BlueBorne (2017, Bluetooth); Broadpwn (2017, Broadcom WiFi chips)
• Every day new vulnerabilities are reported and patched, but very few of them are ever exploited on a large scale
Classification of Banking Trojans by capability and risk level
[Figure: matrix of threat (Low / Medium / High) against likelihood (Low / Medium / High)]
• High threat, plotted from lower to higher likelihood: Banking Trojan with root access; Repackaged banking app; Remote code execution
• Medium threat: Banking Trojan without root access

VASCO Mobile App Protection
VASCO DIGIPASS4Apps
Runtime Application Self-Protection:
• Jailbreak & root detection
• Overlay protection
• Trusted keyboards
• Screen reader detection
• App integrity protection
• Hook & debug prevention
• Code obfuscation
Further DIGIPASS4Apps components:
• Behavioral Authentication
• Face Authentication
• Fingerprint Authentication
• Device Binding
• Secure Storage
• Secure Channel
• Secure Login
• Transaction Signing