stealing sensitive data from android phones the hacker way
DESCRIPTION
null Hyderabad Chapter - August 2013 MeetTRANSCRIPT
Who Am I ???
• An Independent Security Researcher
• Security Consultant at Tata Consultancy Services
• Introduction to Android
• Android Architecture
• Android Internals • Android Security Model
• Reverse Engineering
• Writing Android Malwares
• Demos • Discussion
Agenda
Why Android???
Android Market Share 2013
http://www.onbile.com/info/us-android-market-share/
ANDROID PLATFORM BASICS
Android is a software stack for mobile devices that includes an operating system, middleware and key applications.
Developed by Google and Open Handset Alliance
What is Android?
Android was engineered from the beginning to be online. Ability for users to extend the functionality of the device. Ability for users to store their data on the devices.
Core Features
Android Internals
Android platform is based on Linux technology. Uses java Programming language No monopoly status - Allows anyone to develop own applications. Good news for Hackers
Android Architecture
Dalvik Virtual Machine
Register based Interpreter only virtual machine. The Dalvik VM executes files in the Dalvik Executable (.dex) format which is optimized for minimal memory. The VM is register-based, and runs classes compiled by a Java language compiler that have been transformed into the .dex format by the included “dx” tool.
java
Byte code
Dalvik Code
Dalvik VM
.java
.class
.dex
javac
dx
ANDROID APP BASICS
Android App will have an extension .apk It’s nothing but a zip file. Can be extracted using winrar, winzip etc.
Android App Basics
META-INF
res
AndroidManifest.xml
Classes.dex
Resources.arsc
App illustrated – User Perspective
Activity
Intents
Content Providers
Service
Broadcast Receivers
App illustrated – Developer Perspective
DEMO
ANDROID PLATFORM SECURITY
Mandatory application sandbox for all applications
Application-defined and user-granted permissions
Robust security at the OS level through the Linux kernel Secure inter process communication Application signing
Android Platform Security
Dalvik Virtual Machine
Every Android application runs in its own process. The UID will typically be something like app_XX Runs with its own instance of the Dalvik virtual machine.
UID 1000
Dalvik VM
App 1
UID 1001
Dalvik VM
App 2
UID 1002
Dalvik VM
App 3
UID 1003
Dalvik VM
App 4
Declared in AndroidManifest.xml XML file contains all the components and permissions
Binary XML formatted text. We cant read directly.
An App can only use the declared permissions (Theory )
Android Permission Model
Attacking Android Devices -The known ways
Exploitation 1
Find your target Device Check for exploits Exploit it
Malwares 2
DroidDream. Geinimi - Android malware with botnet-like capabilities.
Trojan-SMS for Android FakePlayer.
iCalendar acbcad45094de7e877b656db1c28ada2.
SMS_Replicator_Secret.apk.
http://contagiodump.blogspot.in/
Some Popular Android Malwares
1. Reverse Engineering 2. Build from Scratch
Building Android Malwares
Legitimate developer
1 2
3 4
5
Hacker
Android Market
Third party market
User
1. Reverse Engineering
6
java
Byte code
Dalvik Code
.apk
.java
.class
.dex
javac
dx
Reverse Engineering
Tools APK Tool – Smali files Dex2jar, jdGUI – java files
DEMO
Hacker Market place
2. Develop from Scratch
Can Spy on SMS, CallLogs, Contacts, IMEI, Current Location, Browser History etc.
Implemented with Broadcast Receivers.
Doesn’t make noise – because, it’s a service.
Uploads everything to a remote server if internet is available on the device.
Will store them as text file onto SDcard if Internet is not available.
My Own Android Malware
DEMO
DISCUSSION
[1] www.thenounproject.com [2] http://mekeel.org [3] http://www.gfi.com [4] http://www.theverge.com [5] http://www.google.com
Image Credits
Greetzz!
Imran Mohammed
Sai Satish
Null HyderabadTeam
Sri. Sagi ManiRaju