Join the phishing dots to detect suspicious mobile apps
TRANSCRIPT
Unifying the Global Response to Cybercrime
Leonardo Amor & Carlos Díaz, Telefónica
Telefonica Group
• 21 countries
• 120.000 employees
• 50.377m income
• >340m customers
Our employees
Mostly:
• Telco engineers
• Computer Science
• Engineers
• …
• Science or Scientist people
But there is also space for:
• Lawyers
• Business administration
• Economists
• Psychologists
• Philologists
Diversity
Ideas explosion
Code!
• Unfortunately, not everyone knows how to code yet.
• Fortunately, schools are getting there every day; it should be one more basic class.
The need for visual coding
• … and visual data
Sinfonier: our open project for visual coding
Drag & Drop Interface + Automatic Deploy API + Storm Cluster = Sinfonier
Tacyt: one of our sources
Apps seen per day, May 18-24:
Day    18      19      20      21      22      23      24
New    10.105  5.702   9.998   15.483  15.294  9.394   10.647
Dead   1.140   2.200   2.014   1.917   2.856   1.446   646
Up: 3 million apps today
21.649 of them contain .apk files; 50.993 have links to .cn domains
One of these ideas
Laziness
or Intense work
• To check human errors inside apps (shared certificates, e-mails, URLs, APKs…)
DISCOVER, DISRUPT, DELIVER
It’s demo time Tacyt + Sinfonier
Tacyt
• An innovative tool for the monitoring and analysis of mobile threats
• https://path5.elevenpaths.com/
Sinfonier
• Storm Builder for Security Intelligence
• http://sinfonier-project.net/
Reinject the new list of applications found into the topology
Ducksboard: hfps://goo.gl/uKnHT3
• A real-time dashboard
• https://ducksboard.com/
Data Visualization
• http://d3js.org/
• D3.js is a JavaScript library for manipulating documents based on data
Data Visualization: Data Entities
• http://ecrime2015.us.to:2015/zoom.html
Three entity types:
• "key": [packageName][version][market], e.g. https://play.google.com/store/apps/details?id=com.zaccur.b07.main
• GP "developerEmail"
• Embedded link that points to an "apk" file, e.g. http://d.guomob.com/1142/2.apk
Data Visualization: Example 1
• http://ecrime2015.us.to:2015/example1.html
• GP link: https://play.google.com/store/apps/details?id=com.qfang.qfangmobile
• One developer
  – [email protected]
• One mobile application in GP
  – com.qfang.qfangmobile
• Five embedded "apk" files
  – http://down.gao7.com/Files/down/wxjx_2.2.3_C227.apk
  – http://s.51aiya.com/content/down/aiya14100234.apk
  – http://www.159cai.com/download/vip/43332/159cai_shouji.apk
  – http://shoufu.3gu.com/Run/Upload/Apk/QFangWang.apk
  – http://www.wanggouchao.com/data/apk/wgc/v2.5.6/wgc_10021.apk
Data Visualization: Example 2
• http://ecrime2015.us.to:2015/example2.html
• Three different developers
  – [email protected]
  – [email protected]
  – [email protected]
• Four mobile applications in GP
• Three applications point to the same embedded "apk" files
  – http://update.iuoooo.com/Android/componentvoice/xfyy1.apk
  – http://update.iuoooo.com/Android/componentvoice/xfyy2.apk
Data Visualization: Example 3
• http://ecrime2015.us.to:2015/example3.html
• Three different developers
• 7 mobile applications in GP
• 13 embedded "apk" files
Data Visualization: Example 4
• http://ecrime2015.us.to:2015/farm.html
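The correlation behind the examples above, as an added example that is not the talk's or the Sinfonier project's code: the three entity types (app key, GP developerEmail, embedded apk link) become nodes of one graph, and the connected components expose the Example 2 pattern, where apps from different developers embed the same apk link. The records, e-mail addresses and hosts are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not real apps), one per store listing, using the
# deck's entities: key = packageName|version|market, developerEmail, apk links.
APPS = [
    {"key": "com.example.one|1.0|GP", "developerEmail": "dev-a@example.invalid",
     "apkLinks": ["http://update.cdn.invalid/Android/x1.apk",
                  "http://update.cdn.invalid/Android/x2.apk"]},
    {"key": "com.example.two|2.1|GP", "developerEmail": "dev-b@example.invalid",
     "apkLinks": ["http://update.cdn.invalid/Android/x1.apk"]},
    {"key": "com.example.three|1.3|GP", "developerEmail": "dev-c@example.invalid",
     "apkLinks": ["http://update.cdn.invalid/Android/x2.apk"]},
    {"key": "com.example.four|1.0|GP", "developerEmail": "dev-d@example.invalid",
     "apkLinks": ["http://files.share.invalid/dl/a.apk"]},
]

def build_graph(apps):
    """Undirected graph over typed nodes: ('app', key), ('dev', email), ('apk', url)."""
    adj = defaultdict(set)
    for a in apps:
        app, dev = ("app", a["key"]), ("dev", a["developerEmail"])
        adj[app].add(dev)
        adj[dev].add(app)
        for url in a["apkLinks"]:
            adj[app].add(("apk", url))
            adj[("apk", url)].add(app)
    return adj

def clusters(adj):
    """Connected components, each summarised by its devs, apps, apks and apk hosts."""
    seen, out = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:                      # iterative DFS over the component
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n])
        seen |= comp
        c = {t: {v for u, v in comp if u == t} for t in ("dev", "app", "apk")}
        c["hosts"] = {urlsplit(u).netloc for u in c["apk"]}
        out.append(c)
    return out

def shared_apk_clusters(apps):
    """Clusters where apps of different developers embed a common apk link,
    largest developer set first: the Example 2 pattern an analyst triages first."""
    hits = [c for c in clusters(build_graph(apps)) if len(c["dev"]) > 1 and c["apk"]]
    return sorted(hits, key=lambda c: len(c["dev"]), reverse=True)
```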
Analysis of a Case: 12 GP applications
• http://ecrime2015.us.to:2015/managementapp.html
One developer:
• [email protected]
Applications (package : installs):
com.giaitriviet.book.androidgp.bookaudio : 50-100
com.giaitriviet.android.haivai : 10-50
com.giaitriviet.androidgp.womanday : 500-1000
com.giaitriviet.androidgp.saigon : 50-100
com.giaitriviet.androidgp.wallpaperquotes : 5-10
com.giaitriviet.androidgp.wallpapernaturals : 100-500
com.giaitriviet.androidgp.vietnam : 10-50
com.giaitriviet.androidgp.saigon1950 : 10-50
com.giaitriviet.androidgp.masterchef : 50-100
com.giaitriviet.androidgp.managerapplication : 1-5
com.giaitriviet.androidgp.fallsaigon1975 : 10-50
com.giaitriviet.android.caravat : 50-100
Domain: mediafire.com
Analysis of a Case: Detail of embedded "apk"
• http://ecrime2015.us.to:2015/managementapp.html
• All links are up
Analysis of a Case: HotGirl & ChanDai
• http://ecrime2015.us.to:2015/managementapp.html
• Variant of a known malware family
• The app creates or modifies SMS
• Monitors phone state (incoming calls)
• Uploads the list of apps currently running to a remote server
• The app modifies shortcuts on the home screen
Data Visualization: Satellite Photo
• http://ecrime2015.us.to:2015/
• If you click this URL, you will most likely run out of memory on your computer
Conclusions
• This presentation is only the beginning …
• We have generated an RSS feed of embedded "apk" files …
• We have a graphical representation of the relationship between three types of entities …
• … now it is time for analysts
Community
Join us: sinfonier-project.net
@e_Sinfonier @flexpired @LeoAmorV