[Q] How can antivirus apps work? - Android Software/Hacking General [Developers Only]

Hi tech guys and developers,
I had a discussion with some other Linux administrators about whether and how an Android antivirus app technically works.
As far as I understood the functionality of Android apps, there is a sandbox for every app, with its own user and home directory.
This means the antivirus app is also sandboxed and can access only public APIs or its own directory.
Scenario:
Open the browser, go to hackallmyandroids.com (just an example).
On this page there is an exploit for WebKit which executes some shellcode and writes a wiper script to /usr/bin/badbinary (or an equivalent directory).
How would the antivirus app be able to scan this file, or even remove it, without superuser privileges?
Am I wrong, or is no antivirus app useful?
Or has someone developed security software for Android and can explain how it works?
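The per-app UID sandbox the question describes can be modelled directly. The following is an added example, not code from this thread: it applies the Linux discretionary access control (DAC) rule the kernel uses for file access, with Android's UID layout (every installed app gets its own UID starting at AID_APP_START, 10000; each Android user owns a band of AID_USER_OFFSET, 100000, UIDs, which is why app data lives under /data/user/<user>/<package>). SELinux, which newer Android enforces on top of DAC, is not modelled. The file paths, app numbers and the planted binary's location (/system/bin, since Android has no /usr/bin) are constructed.

```python
"""Model of the per-app UID sandbox: who can read or remove which file."""
import re
from dataclasses import dataclass

AID_ROOT = 0
AID_APP_START = 10000     # first UID handed to an installed app
AID_USER_OFFSET = 100000  # UID band per Android user (user 0, user 10, ...)


def app_uid(user_id: int, app_number: int) -> int:
    """UID of the app numbered `app_number` for Android user `user_id`."""
    return user_id * AID_USER_OFFSET + AID_APP_START + app_number


def uid_from_ps_user(name: str) -> int:
    """Decode the user column of Android's ps output, e.g. 'u0_a42' -> 10042."""
    m = re.fullmatch(r"u(\d+)_a(\d+)", name)
    if not m:
        raise ValueError("not an app user name: %r" % name)
    return app_uid(int(m.group(1)), int(m.group(2)))


@dataclass(frozen=True)
class FileEntry:
    owner: int
    group: int
    mode: int  # permission bits only, e.g. 0o600


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset


def dac_allows(proc: Process, f: FileEntry, want: str) -> bool:
    """True if DAC lets `proc` perform `want` (a subset of 'rwx') on `f`.

    Root bypasses read/write checks (CAP_DAC_OVERRIDE) but still needs at
    least one execute bit set to execute a file.
    """
    need = (4 if "r" in want else 0) | (2 if "w" in want else 0) | (1 if "x" in want else 0)
    if proc.uid == AID_ROOT:
        return not (need & 1) or bool(f.mode & 0o111)
    if proc.uid == f.owner:
        bits = (f.mode >> 6) & 0o7
    elif f.group in proc.gids:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & need == need


# Constructed filesystem: the browser's private database and the planted,
# world-readable binary from the scenario.
BROWSER_UID = app_uid(0, 7)
SCANNER_UID = app_uid(0, 42)
FILES = {
    "/data/user/0/com.example.browser/databases/cookies.db":
        FileEntry(owner=BROWSER_UID, group=BROWSER_UID, mode=0o600),
    "/system/bin/badbinary":
        FileEntry(owner=AID_ROOT, group=AID_ROOT, mode=0o755),
}


def process_for(uid: int) -> Process:
    """An app's primary group is its own UID; root is in group 0."""
    return Process(uid=uid, gids=frozenset({uid}))


def can(uid: int, path: str, want: str) -> bool:
    """Can a process running as `uid` do `want` on the constructed file `path`?"""
    return dac_allows(process_for(uid), FILES[path], want)


if __name__ == "__main__":
    for path in FILES:
        for who, uid in (("scanner app", SCANNER_UID), ("root", AID_ROOT)):
            print(f"{who:12} {path}: read={can(uid, path, 'r')} write={can(uid, path, 'w')}")
```

Run as a script it prints the matrix: the unprivileged scanner app can read (and therefore hash and signature-match) a world-readable file under /system/bin, but it cannot write or unlink it and cannot open another app's private data at all. Removal, or scanning other apps' private storage, needs root, which is exactly the limit the question points at; on a real device /system is additionally mounted read-only, so even root must remount it first.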

Pushing this one time, because it can be a very important question.

Related

[Q] Android questions

I'm new to Android and have a few questions that didn't get answered by trying to Google them. I have bought my first Android phone (a Samsung Galaxy S2, after years of being a Symbian fanboy), but have not received it yet.
1. Does everything run on top of the Dalvik JVM? At the bottom is the Linux kernel. Then there is a Linux process which runs the Dalvik VM. Could, for instance, Sun's JVM run in a Linux process of its own, or another Linux application?
2. Can C/C++ Linux programs run on Android, though compiled for ARM? Android has the NDK (Native Development Kit), which allows it to run C/C++ code inside Android applications, but I'm wondering about running C/C++ applications directly on Android. BusyBox is coded in C, but runs on Android. Is it running directly as a Linux process on the kernel, or within an Android application on Dalvik?
3. The latter (Q2) would indicate that not everything runs on top of Dalvik. Otherwise C/C++ programs would not run.
4. Android uses ADB (Android Debug Bridge) for its CLI magic. BusyBox uses ash. Can one install bash as the default shell, with the full GNU Core Utilities commands? Some forum posts indicate that it is possible to install an ARM-recompiled bash version.
5. Android can be rooted by installing applications like Superuser or BusyBox that would let the user execute applications as root. That would indicate that there exists a root user, in addition to the actual user. Is this similar to how it is on Linux? Can I define a password for the root user so that no applications can run as root directly?
Edit: Seems each application is a different user on the system.
6. Is all user data stored in SQLite databases that are stored on the phone? User data is accessible through different applications, but how does Android determine access rights to it?
7. I have read that Android applications run in their own Linux process and are assigned a unique user ID. Does this mean that we can run ps to see all running processes, or does it act like the Sun JVM, just showing each VM process? However, it looks like different applications can run in the same process. Can these be distinguished, or do we just see the one process?
8. Is the camera application (that some have made modifications of) a Google app or a Samsung app? Just wondering, since the former would allow such modified versions to run on phones other than Samsung, but given that different phones have different camera specs I don't see how this could go well.
9. Can the codes typed in the dialer be executed through a shell instead (adb)?
10. Can I get an overview of permissions given to applications? Can they be revoked after they have been granted?
I have a question, too. Thanks.
I'll be back with most of your answers. I'm on my phone. I'll be at a computer in a few.
Sent from my Incredible using Tapatalk
I'm also wondering about how the methods of rooting work.
Some offer rooting by means of a modified kernel.
Another method entails using programs like SuperOneClick or GingerBreak.
Can anyone describe to me what exactly these methods do?
In order to have root, I guess the root user needs to be created/activated/enabled on the phone. Also, programs like su and Superuser need to be installed, perhaps with BusyBox.
Those are the methods for root, but I want to know what needs to be done on the phone in order to root it.
Can I root my device (Samsung Galaxy S2) manually, without any modified kernels or special programs?
DJViking said:
10. Can I get an overview of permissions given to applications? Can they be revoked after they have been granted?
You can see the permissions an app has through Settings->Apps->Manage Apps, I think. There are also apps on the market summarising that.
Revoking or granting only certain permissions is not available natively.
I believe they are working on that in CyanogenMod.
Revoking a needed permission will usually make the app in question crash.
DJViking said:
8. Is the camera application (that some have made modifications of) a Google app or a Samsung app? Just wondering, since the former would allow such modified versions to run on phones other than Samsung, but given that different phones have different camera specs I don't see how this could go well.
If you have a Samsung device, the camera app will be from Samsung.
It is not impossible to have the Google camera app running on your device; it might need some tinkering though (see CyanogenMod).
DJViking said:
7. I have read that Android applications run in their own Linux process and are assigned a unique user ID. Does this mean that we can run ps to see all running processes, or does it act like the Sun JVM, just showing each VM process? However, it looks like different applications can run in the same process. Can these be distinguished, or do we just see the one process?
Yes you can; here is the output from running "ps" on my i9000: http://pastie.org/2089555
Only apps from the same developer (meaning signed with the same signature) can be run in the same process. This is not the default and only happens when the developer requests it. This is not very common.
DJViking said:
6. Is all user data stored in SQLite databases that are stored on the phone? User data is accessible through different applications, but how does Android determine access rights to it?
Through the Android permission system.
Code:
<uses-permission android:name="android.permission.READ_SMS"></uses-permission>
<uses-permission android:name="android.permission.WRITE_SMS"></uses-permission>
These will be needed to read from and write to the SMS database.

best crypt for Android. fail

I recently saw this on Google Play.
It's a volume container encryption application that runs on many platforms including Windows, Linux and Android, and possibly others (OK, I admit I'm pretty blind to Mac and Apple).
I thought I would give it a try. I have not used BestCrypt since I found TrueCrypt.
I was able to create and mount a container on Android.
But that was about it. The built-in file browser that you NEED to use is about as user-friendly as a bed of thumbtacks. You had no options for which encryption method to create the container with, or any other options. That's a pretty glaring problem.
I tried to install the desktop application, but it requires the internet to install.
And only an idiot would use such a system.
(What happens if you need to reinstall to get to your data and you have no internet? All your backups are useless with internet-required applications, be it for installing or running.)
Security applications in any form should never NEED the internet to function in any way.
So basically I cannot even recommend looking at this software for any use.
I could understand issues like these in a new software company that knew nothing of security and was just starting out.
But the makers of BestCrypt have been around for years. And personally I could never see a situation where I would pay for an application that had such issues right at the start.
Even free, I would never use it.
It's NOT open-source software, so I can't even comment on their encryption techniques.
(Once again, it would not matter, as the desktop version needs internet access to install and the app has no encryption options.)

System Input Method app installs & reinstalls by itself without notification

System Input Method's playstore link
[Playstore link: https://play.google.com/store/apps/d...ster&hl=en_GB]
Application Process: System Input Method (Process Name: com.ss.android.secure.cleanmaster)
listed as a system file.
Installed APK: /data/user/0/com.ss.android.secure.cleanmaster-1/base.apk
/data path: /data/user/0/com.ss.android.secure.cleanmaster
Version: 1.05
Target SDK: 22
Permissions:
Have full network access.
View WiFi connections.
View network connections.
Download files without notification.
Read phone status and identity
Modify or delete the contents of your usb storage.
Read contents of your Usb storage
Prevent phone from sleeping
Retrieve running apps
Draw over other apps
MainService: ime.mobile.ime.main
NOTE: This app was written for an older Android OS. So if it is installed on a newer Android version, all permissions will be allowed even if you blocked them.
Last edited by SniperAlert2046; Today at 09:27 PM.
Malwarebytes classified it as riskware.
But after uninstalling it, the app came back again at random hours, seemingly downloading and installing other apps (like Haike News, a communist news app, and Ireader).
It drains the battery and uses data (to download files and maybe mine for crypto).
I tried using ADB to remove it, but as the base.apk is stored in the root folder, the app can reinstall itself when triggered (by the programmer/hacker or randomly).
I rooted the phone and then installed the AFWall+ firewall. But the firewall stealthily disables internet filtering at odd hours (or maybe the firewall is bugged).
So I decided to deactivate the Updater app (linked to redstone) and the OTA updater system app, since the phone is already rooted and the Leagoo company does not provide regular OS updates (except pushing the Haike News, System Input Method and H5plugins riskware to the phone).
Well, although the AFWall+ firewall did not work, thereby exposing my phone to the internet without filtering IP traffic, the riskware did not return. So uninstalling Updater (the one with the com.redstone.ota.ui pathname) and System Update (com.sprd.systemupdate) works for me.
The NetGuard firewall managed to block internet access by system apps. Leagoo's built-in Weather app created a Baidu folder in the root folder (collecting many encrypted log files, probably for sending back to Baidu servers in China). It would be better to uninstall the Leagoo Weather app and install a third-party one.
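Both the earlier answer on how Android mediates data access (an app must declare <uses-permission> entries such as READ_SMS) and the System Input Method report above (Target SDK 22, permissions that cannot be blocked individually) come down to what the app's manifest requests. The following is an added example, not code from either thread: it parses a decoded AndroidManifest.xml, lists every requested permission, marks those Android classifies as "dangerous", and flags a targetSdkVersion below 23, the release that introduced runtime permissions; an app targeting an older SDK receives all its permissions at install time, which is the situation the post's NOTE describes. A binary manifest inside an APK has to be decoded first (apktool or aapt); this handles the XML form. The package name, service name and permission set in the sample are constructed to mirror the post's list.

```python
"""Permission audit of a decoded AndroidManifest.xml."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
RUNTIME_PERMISSION_SDK = 23  # Android 6.0: permissions granted at runtime

# Subset of permissions whose protectionLevel is 'dangerous' in AOSP.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Constructed manifest mirroring the permission list in the post above.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.ime">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="ime">
    <service android:name="com.example.constructed.ime.MainService"/>
  </application>
</manifest>
"""


def audit_manifest(xml_text: str) -> dict:
    """Summarise requested permissions, target SDK and declared services."""
    root = ET.fromstring(xml_text)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    sdk = root.find("uses-sdk")
    target_attr = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    target = int(target_attr) if target_attr else None
    return {
        "package": root.get("package"),
        "permissions": perms,
        "dangerous": [p for p in perms if p in DANGEROUS],
        "target_sdk": target,
        # Below 23 every permission is granted at install time; nothing can
        # be withheld per permission, as the post's NOTE describes.
        "install_time_grant": target is not None and target < RUNTIME_PERMISSION_SDK,
        "services": [s.get(ANDROID_NS + "name") for s in root.iter("service")],
    }


def requests(xml_text: str, permission: str) -> bool:
    """True if the manifest declares the given <uses-permission>."""
    return permission in audit_manifest(xml_text)["permissions"]


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report["package"], "targetSdk", report["target_sdk"],
          "install-time grant:", report["install_time_grant"])
    for p in report["permissions"]:
        print(" ", "DANGEROUS" if p in DANGEROUS else "normal   ", p)
```

The script prints one line per permission with its classification; for the constructed sample it reports two dangerous permissions and an install-time grant, which is the combination (phone identity, external storage, target SDK 22) that made the app in the post impossible to restrict without uninstalling it.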

Noob: Privacy and security

Hi, I'm very interested in privacy and security, but I'm a complete noob when it comes to Android and phones, so hopefully I can learn something from this forum.
I currently own a Samsung A51, unmodified. I'm unsure if I should root it.
I have recently read that Samsung collects a lot of data and sells it to third parties; Google and Apple collect data just as well, but they don't sell data to third parties. I'm worried about this.
My Win10 machine has been hardened pretty well; it doesn't call home to Microsoft in any way I know of, simply by setting the rules to "deny by default" unless something has specifically been whitelisted, and blacklisting Microsoft IPs.
Can this be done on a stock Samsung phone as well? Is there any firewall app that can do this? Something like TinyWall, or iptables on Linux, to prevent any data connection to Samsung?
Read my post: depending on who wants access to your phone, there isn't anything you can do. With the permissions of most apps, and by default most operating systems have backdoors within them, and with your advertising ID you can be followed from website to website and tracked just by having WiFi turned on...
E.g. owning a Samsung SSD: in their privacy statement they tell you they are gonna identify you from your SSD serial number and use it the same way the telemetry you are blocking does, so unless you wanna block and change every device ID you've got...
Long story short, we're all f***ed.
Windows has a hosts file, Linux has a hosts file, macOS has a hosts file and Android has a hosts file, too. That's the place people use to block unwanted internet connections.
jwoegerbauer said:
Windows has a hosts file, Linux has a hosts file, macOS has a hosts file and Android has a hosts file, too. That's the place people use to block unwanted internet connections.
Yeah, I get that, but that doesn't work with my issue, as the access to my devices goes around the operating system layer.
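The hosts-file approach suggested above blocks less than people often expect, and the reply's objection has a concrete form: the file only intervenes in name resolution. The following is an added example, not code from this thread. It parses a hosts file the way the resolver does and resolves names against it, showing that the first line naming a host wins, that matching is exact (no wildcards, so a blocked telemetry host says nothing about its subdomains), and that a connection to a literal IP address, or one that resolves names through the app's own DNS-over-HTTPS client, never consults the file at all. The hosts content and names are constructed.

```python
"""What a hosts-file blocklist matches, and what bypasses it."""
import ipaddress

# Constructed sample hosts file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
0.0.0.0     telemetry.example.com
0.0.0.0     ads.example.net www.ads.example.net
"""

# Addresses commonly used as a sink in blocklists (lists that point
# blocked names at 127.0.0.1 exist too; add it here if yours does).
SINKHOLES = {"0.0.0.0", "::"}


def parse_hosts(text: str) -> dict:
    """Map hostname -> first address listed for it; comments and blanks skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)  # first entry wins
    return table


def resolve(host: str, table: dict):
    """('hosts', addr) when the file answers, else ('dns', None).

    Case-insensitive, trailing dot ignored, exact match only: there is no
    wildcard or suffix matching in a hosts file.
    """
    addr = table.get(host.lower().rstrip("."))
    return ("hosts", addr) if addr is not None else ("dns", None)


def is_literal_ip(target: str) -> bool:
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def connection_blocked(target: str, table: dict) -> bool:
    """True only when name resolution would land on a sinkhole address.

    A literal IP skips name resolution entirely, so the hosts file cannot
    stop it; the same holds for an app resolving names over its own
    DNS-over-HTTPS channel. Both cases return False here.
    """
    if is_literal_ip(target):
        return False
    source, addr = resolve(target, table)
    return source == "hosts" and addr in SINKHOLES


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for t in ("telemetry.example.com", "eu.telemetry.example.com", "203.0.113.5"):
        print(f"{t:28} blocked={connection_blocked(t, table)}")
```

On Android the file is /system/etc/hosts, which is only writable on a rooted device, so on the stock A51 from the question a VPN-based filter such as the NetGuard app mentioned earlier in this page is the unrooted route; it sees the destination IP of every connection rather than just the name lookup, which closes the literal-IP gap this example demonstrates.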

get access to RAM dump, app data while app's running

How can I extract a RAM dump, or the RAM contents, while apps are running? I have a rooted phone, so I can do whatever is needed to accomplish this.
Specifically, I want to surveil an app via RAM, to perform pentesting on the security of my server.
I know Android makes a separate process for every app, but I would like to know how to access all, or a specific app's, RAM data with root (maybe via the terminal; I don't know how this can be accomplished).
I have a method in my app that contains hard-coded server credentials (it uses a TCP/IP port and SSL). The method is obfuscated, and the only way an attacker would be able to get the server credentials is by extracting RAM data while the app is running, because Android must put it in RAM before proceeding to process it.
Is there any tool for this? I use Linux and am familiar with the command line; how do I do this?
Look inside here:
Is there a way to perform a memdump of an android device?
Is there a way to perform a memdump of an android device? I need the content of the entire memory (RAM). Maybe there is a shell command (meminfo will not do because it displays only memory informat...
android.stackexchange.com
HttpCanary shows the API addresses used by apps and supports HTTPS too.
ineedroot69 said:
HttpCanary shows the API addresses used by apps and supports HTTPS too.
Yes, it is a MITM attack, and it worked successfully, thanks.
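The question's premise, that obfuscating the decoding method protects a hard-coded credential, is worth testing against a memory image rather than against the code. The following is an added example, not code from this thread. Instead of dumping a live process (the linked android.stackexchange question covers that), it builds a constructed heap image shaped like a dump of the app described above, with the decoded credentials sitting between other allocations, and shows two things: a plain pattern scan finds the credentials however the decoding code is obfuscated, because the decoded value must exist in memory to be used; and holding the secret in a mutable buffer that is wiped after use shortens the exposure window, which an immutable str can never offer. Every bytes() copy made along the way is another object that is not wiped, a limit of CPython that applies equally to managed strings in an Android app. The credential string and the XOR "obfuscation" key are constructed stand-ins.

```python
"""Does a hard-coded secret survive in a memory image, and for how long?"""
import re

KEY = 0x5A  # constructed XOR key standing in for whatever obfuscation the app uses
OBFUSCATED = bytes(b ^ KEY for b in b"user=svc;pass=Constructed-Pw-123")

# What a scan of the dump looks for: a credential pair in cleartext.
CRED_RE = re.compile(rb"user=[^;\x00]+;pass=[^\x00]+")


def decode_secret(blob: bytes, key: int) -> bytearray:
    """Undo the obfuscation into a mutable buffer so it can be wiped later."""
    return bytearray(b ^ key for b in blob)


def build_heap_image(*allocations: bytes) -> bytes:
    """Constructed dump: allocations separated by zero-filled slack."""
    return b"\x00" * 64 + (b"\x00" * 16).join(allocations) + b"\x00" * 32


def find_credentials(image: bytes) -> list:
    """Every cleartext credential pair present in the image."""
    return [m.group().decode("ascii", "replace") for m in CRED_RE.finditer(image)]


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place; the object stays, its contents do not."""
    for i in range(len(buf)):
        buf[i] = 0


def exposure_timeline():
    """Scan results while the secret is live and after it has been wiped."""
    secret = decode_secret(OBFUSCATED, KEY)
    other = [b"com.example.app", b"GET /api/v1/status"]
    before = find_credentials(build_heap_image(*other, bytes(secret)))
    # ... the secret would be used to authenticate to the server here ...
    wipe(secret)
    after = find_credentials(build_heap_image(*other, bytes(secret)))
    return before, after


if __name__ == "__main__":
    live, wiped = exposure_timeline()
    print("while live:", live)
    print("after wipe:", wiped)
```

The first scan finds the credential regardless of the decoding routine; the second finds nothing because the only copy that was wiped is the one the image was built from. Wiping narrows the window but cannot close it, and an attacker with root on their own device controls when the dump is taken, so the structural fix is the one this result points to: not shipping a shared server credential inside the app at all, but issuing per-user, revocable tokens after the user authenticates.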
