Hacking Android for fun & profit Mobile Intelligence Security & Training Inc.
Who we are Cyber security professionals Focusing on hacking Android devices and applications Kali and Metasploit users General adversary researchers <Introduce ourselves>
Agenda: Overview of the Android attack surface; Attack framework; Custom attack platform CLI / Starphish; How to “clone” a device; Cloning demo
This evening, we’ll go through a brief explanation and overview of the Android attack surface, explaining some vulnerabilities in the Android ecosystem. Then we will talk about a mobile attack framework and the areas we have covered with our custom platform. This is followed by a demo of how we use our custom attack platform, which was built to hack and test Android applications and device security. Finally, we will demonstrate how we can obtain cloud backups, monitor email activity and reset your account passwords.
Android Attack Surface
Application: Broadcast Receivers, Services, Content Providers and Activities. Baseband: Cellular Voice and Data, SMS, Radio Interface Layer. WIFI & USB: ADB, MAC, MLME.
Sources: https://threatpost.com/how-google-shrank-the-android-attack-surface/127086/ https://source.android.com/images/android_framework_details.png http://newandroidbook.com/AIvI-M-RL1.pdf The Mobile Application Hacker’s Handbook, Wiley https://github.com/ud2/advisories/tree/master/android/samsung/nocve-2016-0004
The Android attack surface is quite large, with a variety of mediums to target. Application: applications are vulnerable in their own way. There are four components: broadcast receivers, services, content providers and activities. These components provide a means for Android applications to interact with the user, the device, and even other Android applications. An activity, such as the main activity, is what you might see when you first start an application. This is a great place to inject malicious code, because as soon as you start an application and begin to interact with it, the malicious code runs. Content providers act as a means for an application to manage access to data stored by itself or by other apps, and provide a way to share data with other apps. Broadcast receivers are fairly self-explanatory: they receive broadcasts. For example, Android malware can register to run malicious code whenever you get an SMS message. Paired with the READ_SMS permission, the malware can relay that SMS to a web server. A service is an application component that can perform background operations. A service has no user interface and continues to run even if the user switches to another app. Additionally, a component can bind to a service to interact with it and perform interprocess communication. For example, a service can handle network transactions, play media and handle file I/O, all from the background.
Baseband is a large attack surface that handles much of the cellular communication, including SMS. It has limited end-user visibility, and the Radio Interface Layer (RIL) opens a door to the rest of the device. Wi-Fi: most Wi-Fi implementations for smartphones are FullMAC, where the Wi-Fi chip is responsible for handling the physical layer controller. This means the Wi-Fi chip could handle significant attacker-controlled input on its own. USB: ADB, the Android Debug Bridge, is a backdoor into your device. It must be enabled by tapping your build number 7 or more times in the About Phone tab under Settings. Once ADB is enabled and you authorize a computer to interact with it (see how many hoops you have to go through to enable this feature?), it can be used to run commands as the shell user (uid 2000), manipulate the file system such as the temporary directory (/data/local/tmp), install applications such as malware, and run exploits to obtain root. Sometimes it is possible to switch the USB profile of a device connected to, for example, a malicious charging unit, enabling ADB without the user knowing. Sometimes manufacturers may choose to disable ADB, so enabling it may not be an option. However, with physical access and an unlocked device you may still be able to obtain information by enabling MTP (Media Transfer Protocol), which exposes the entire /sdcard folder of the device. The information gathered this way can extend to sensitive data in Downloads, such as private keys, PDFs, pictures that were taken and stored on disk, videos, recordings, and application data (such as registered e-mail addresses).
Attack Framework / Matrix
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a curated knowledge base and model for cyber adversary behavior. ATT&CK is useful for understanding the security risks associated with known adversary behavior, which aids in planning security improvements and testing defenses. The custom platform we use, Starphish, covers the majority of this framework and keeps growing. Some scenarios that this framework highlights depend on the mobile device configuration and the application being used. For example, Signal optionally overrides the default SMS application, protecting you from malware that exfiltrates your SMS messages after obtaining the READ_SMS permission. Although Signal is end-to-end encrypted, whether or not the other recipients use Signal does not matter in this case. Of course, all your text messages from before installing Signal are still stored and remain accessible to malware. There are a LOT of permissions in Android, more than 320. On Marshmallow, the 6th iteration of Android, or newer, permissions requested by an application are denied by default, and the user must explicitly allow them, either in the application settings or when the application simply asks for them through a third-party library. When an adversary has backdoored an application and poisoned the manifest file (which defines the permissions, activities, content provider backends and broadcast receivers, among other application configuration) with additional permissions, those permissions will not be granted, because the application does not contain the code to ask the user for them; it never needed them in the first place. Lollipop, Android’s 5th iteration, however, grants permissions requested by an application by default, but gives the user control through PrivacyGuard to disable permissions before even starting the malware.
Persistence.
If you install AND run an application that is trojanized with Metasploit, it will install a service that listens for the BOOT_COMPLETED broadcast and attempts to connect back to the attacker over the internet. If you have obtained root on a device, then you can directly install applications on the /system partition that are unremovable by the user (sometimes referred to as bloatware). The mentality is: if you have obtained root, then you are allowed to install applications by dropping them in the system partition. Not all permissions are classified the same. Dangerous permissions are higher-risk permissions: they give a requesting application access to private user data. These include access to the camera, contacts, location, microphone, call log, SMS, storage and more. Due to the potential risk, the system may not automatically grant these permissions to a requesting app. Normal permissions, on the other hand, are lower-risk and give requesting apps access to isolated application-level features, while minimizing the risk to other applications, the system and the user. These permissions include set wallpaper, prevent phone from sleeping, run at startup, full network access and more. The Android malware that Metasploit offers operates a bit differently than other Metasploit trojans. For example, it will not stop after 5 failed attempts to connect back to an attacker. Applications all have their drawer icons. With Metasploit, a trojanized application can hide itself by hiding its icon, making it difficult to find and remove the malicious application. When was the last time you looked at your application list? The Android package manager makes it easy to find installed applications on your device, and it is also possible for malware to do the same, since no permission is required to perform this operation.
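Added example (not code from the talk or from Starphish): a small Python triage that flags an app combining the traits described in the permission and persistence notes above, namely dangerous permissions, a BOOT_COMPLETED receiver and a hidden launcher icon. The inventory text, its line format and the package names are constructed for this example; on a real device the same three facts would have to be pulled from the package manager.

```python
# Added example (not from the talk): flag apps combining the traits described above.
# The inventory text is constructed in a simplified format, not real dumpsys output.
DANGEROUS = {  # subset of Android's "dangerous" permissions named on the slides
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
}
BOOT = "android.intent.action.BOOT_COMPLETED"

SAMPLE = """\
package: com.example.weather
  permission: android.permission.ACCESS_FINE_LOCATION
  launcher: yes
package: com.example.game.free
  permission: android.permission.READ_SMS
  permission: android.permission.RECORD_AUDIO
  permission: android.permission.RECEIVE_BOOT_COMPLETED
  receiver: android.intent.action.BOOT_COMPLETED
  launcher: no
"""

def parse_inventory(text):
    """Parse the constructed format into {package: {permissions, receivers, launcher}}."""
    apps, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "package":
            cur = apps.setdefault(val, {"permissions": set(), "receivers": set(), "launcher": True})
        elif cur is not None and key in ("permission", "receiver"):
            cur[key + "s"].add(val)          # "permission" -> "permissions", etc.
        elif cur is not None and key == "launcher":
            cur["launcher"] = val == "yes"
    return apps

def triage(apps):
    """Return {package: [findings]} for apps showing two or more suspicious traits."""
    findings = {}
    for pkg, info in apps.items():
        notes = []
        dangerous = sorted(info["permissions"] & DANGEROUS)
        if dangerous:
            notes.append("dangerous permissions: " + ", ".join(dangerous))
        if BOOT in info["receivers"]:
            notes.append("BOOT_COMPLETED receiver: restarts itself after reboot")
        if not info["launcher"]:
            notes.append("no launcher icon: absent from the app drawer")
        # One trait alone is ordinary (a weather app needs location); the combination matches the payload profile described above.
        if len(notes) >= 2:
            findings[pkg] = notes
    return findings
```

Running `triage(parse_inventory(SAMPLE))` reports only com.example.game.free, with all three findings; the weather app's single location permission is not enough on its own.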
Did you know that any installed application on your Android device can access what you, or other applications, may have copied to the clipboard, like your passwords, links, phone numbers, etc.? Metasploit recently introduced the clipboard monitor, which is very effective at keeping track of what you have been copying and pasting over time. Metasploit offers dumping contacts, call logs and SMS messages. It also offers the capability of taking screenshots of trojanized apps. It can record audio, take pictures through your camera, grab your location, system information, process listing and network connections, ALL WITHOUT ROOT ACCESS. Keep in mind that some of these capabilities do require you to enable permissions, as we previously discussed. However, with root access, an attacker can take screenshots of your entire device, extract your Wi-Fi keys, crack your screen lock or lock the user out of their own device. Also, arguably the most interesting capability is simulating user input, for example touching the screen on behalf of the user.
Sources: https://attack.mitre.org/mobile/index.php/Main_Page https://gist.github.com/Arinerron/1bcaadc7b1cbeae77de0263f4e15156f
Android Vulnerabilities
So by now some of you may be wondering: is Android really vulnerable? The answer is yes and no. As shown here, the bottom right of the slide depicts Android vulnerabilities growing significantly year after year. Vulnerability types have also expanded, with the most common being code execution, overflow, gaining privilege and gaining information. Exploits are pretty elusive, though, so discovering new vulnerabilities is challenging unless you have an entire enterprise behind it. Most compromises, though, begin with phishing. Email, malicious links, messenger apps and SMS are the most prevalent phishing delivery methods, with an outstanding 85 percent growth in click rates each year since 2011.
Sources: https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224 https://www.lookout.com/news-and-press/press-releases/lookout-advances-mobile-phishing-protection-amidst-growing-enterprise-risk
Attack Platform: StarPhish
Open-source platform that creates, modifies, deploys and manages exploits and attacks against Android. It leverages the Metasploit framework for a full-featured penetration test suite. It can be deployed to multiple hardware platforms, from a System-on-Chip to a cloud instance.
StarPhish Demo Physical Acquisition
StarPhish Demo Cloning: Empty Device
StarPhish Demo Cloning: Retrieving Cloud Data
Conclusion Android root can be very bad for privacy/security Analyze apps, permissions, device security
Questions? Contact Us: Mobile Security Intelligence & Training Inc. amadeuskonopko@gmail.com Twitter: @AmadeusKonopko jpmitri@gmail.com Twitter: @jpmeetree