Android Security - Security Discussion

Welcome everyone,
I am making a presentation about Android security as a whole system and I'd like to ask you for a little help.
As far as theory goes, it seems there is enough clear information to find, but to finish my project I need to show practical vulnerabilities of the system, like an exploit (I was thinking about showing the process of rooting) or some kind of virus. Could you guys recommend something along these lines to me? A 'safe' malicious app and a way to monitor it.
Another idea of mine is to get control of Android using a PC, but all I could think of was getting 'the user' to install an app which would get additional privileges to allow control of the system.
I was thinking of using the Android system on a virtual machine, like this one: osboxes.org/android-x86
If you guys know some app which would let me monitor every movement in the system, for example to show how many connections even the Facebook app makes, it would help me greatly.
Sorry if my English is not the best; it is not my first language.
Thanks in advance Keve LiSipi

You could discuss the Anserverbot Trojan, which is used to infect non-virus applications and fetches the malicious payload. There exists a whole paper on the analysis.
To take control, you could look at the Stagefright vulnerability; you could use an exploit to get a root shell on a device.

And you can also show the Exynos abuse exploit.

android malware prototype

Hi guys, I want to implement malware on Android as my graduation paper, and now I am finding it hard to think of more good ideas. Would you like to share your novel ideas with me?
Thank you very much!
How about something useful, like a GPS logger, call log, browser history? Make an app/server side interface that can customize various parameters such as minutes between GPS logs and upload server. Several small companies would love to trace their employees' activities on company phones. Might even get you paid.
westwind1120 said:
Hi guys, I want to implement malware on Android as my graduation paper, and now I am finding it hard to think of more good ideas. Would you like to share your novel ideas with me?
Thank you very much!
Sent from my MB855 using XDA App
1) Build an android HTTP server that parses the user agent and serves a different browser exploit depending on what android version is on, if it's a miss, forward to the actual requested page, if it's a hit, go for it!
2) + Arpspoof
3) ???
4) Graduation
Or something that will overwrite the default CD .iso image in the device (the one that is mounted when you plug the phone on the pc) and make a modified version of that with something evil that will jump on the pc.
jk... so is it going to be some app or PoC or a paper explaining potentials of exploiting from/to Android (like Zimperium - Anti / Faceniff / Droidsheep)?
I made a malware-related graduation paper many years ago...
jokersax11 said:
How about something useful, like a GPS logger, call log, browser history? Make an app/server side interface that can customize various parameters such as minutes between GPS logs and upload server. Several small companies would love to trace their employees' activities on company phones. Might even get you paid.
Sent from my MB855 using XDA App
As a matter of fact, I want to write a rootkit on Android, but at the moment it lacks some useful cases, so as above, I need some ideas... I promise it is just for study, not for profit.
ell3 said:
1) Build an android HTTP server that parses the user agent and serves a different browser exploit depending on what android version is on, if it's a miss, forward to the actual requested page, if it's a hit, go for it!
2) + Arpspoof
3) ???
4) Graduation
Or something that will overwrite the default CD .iso image in the device (the one that is mounted when you plug the phone on the pc) and make a modified version of that with something evil that will jump on the pc.
jk... so is it going to be some app or PoC or a paper explaining potentials of exploiting from/to Android (like Zimperium - Anti / Faceniff / Droidsheep)?
I made a malware-related graduation paper many years ago...
Oh, guy, I just want to do some security research on mobile phones, and I don't want to attack others. I am a student who loves researching information security. Forgive my poor English.
This is the kind of thing you need to learn about yourself. Knowledge is a dangerous thing, and those who know how to exploit Android aren't about to share that kind of knowledge here unless it is clearly as a part of how to PREVENT such exploits.
lotherius said:
This is the kind of thing you need to learn about yourself. Knowledge is a dangerous thing, and those who know how to exploit Android aren't about to share that kind of knowledge here unless it is clearly as a part of how to PREVENT such exploits.
Thanks, my friend. I also realize that it is a long way to study Android, and I will do my best. Thank you again.
I would recommend starting to learn reversing Android malware. As you progress you will know the tricks of the trade and you can write your own stuff.
I have been doing some reversing for a while as part of my job. A simple idea would be to write a small piece of code which sends SMS to premium rate numbers without the user's knowledge (there are loads of them already doing it) etc. Start with simple ones which do not have support for a command and control center (C&C).
Read more about existing malware which is around, and I am sure you can prototype the one you wish to start with.
Random off the top of my head something I'd probably consider playing with someday:
If running on a rooted device: install a system app and whatever is necessary, to then attempt overclocking the CPU enough to make the device go ape. 5GHz Optimus One anyone?
Sent from my Transformer TF101 using Tapatalk

Security does matter! [Updated 25th Jan]

Introduction
I have not seen much talk about security on XDA, and none at all in the Neo section.
So here's just one informative link talking about using and developing apps and the security risks involved:
http://www.technologyreview.com/computing/25921/?mod=related
Any bug in software could potentially be used as a security loophole to gain access to private information, spy on you, or get your credit card info (should you do such things on your phone).
What is kind of unsettling is that everyone seems fine with modding, tweaking, developing and using those ROMs made on XDA without worrying if there could be that kind of bug in the ROM you made or use.
You don't need a malicious app to have risks. Most people use Windows, so they should know that it is the operating system's bugs and vulnerabilities that allow for unwanted access to your files, data, etc.
Android itself has a very non-foolproof security system. All apps on an unrooted phone are in a sandbox. That's no security measure at all. It doesn't limit an app from stealing your private info at all; it only can't delete the whole ROM. That's just an idiotic security system, for it is the only thing besides encrypting a shut-off phone on 3.0 and 4.0. So that means Android on its own has no security measures while it's working. Even Windows has... some... but not too much... so you could pay for antivirus and antispyware software of course.
It has always been the goal of big corporations to make money from insecurity, be they software developers, arms dealers and you name it. They all benefit from insecurities existing. The same is true of Google and its Android. But the good news is that we the users can modify Android. We could all say "Au revoir security bugs and loopholes!" if we would care about developing ROMs designed to make Android more secure... alas, that's not happening yet!
Overview of Linux/Android security issues.
It's a short condensed description just to get you interested in the topic. There's lots of material on the net; you only need to search, read, watch videos.
Linux becomes more vulnerable with more applications with different permissions installed. The same is true for Android.
Say your Phone Explorer has root access; that means it has root access to the whole of Android. To remove unnecessary risks, this app's root access should be limited to only the most necessary functions it needs to operate.
Currently for Android there is no such solution. For Linux there is AppArmor.
http://en.wikipedia.org/wiki/AppArmor
Total root access is an obvious vulnerability, but it is at least a known one. Let's look at the possibility of apps having hidden permissions and what that could mean to you.
Blade Buddy from Market.
On the market it does not list the permission for "Unique Device ID" (IMEI for GSM and MEID; ESN for CDMA) for the free nor for the paid version.
That means the author of BB has left the code from the free version in the paid one. This permission is used by ads to track you. It's not necessary code for ads, but it helps the dev know who clicked on the ad and generated him some money. To see your money generating zombie empire stretch across the whole globe.... quite a thrill, isn't it?
So it's latent code, with no benefit to the user and an exploit only calling to be abused.
Unique Device ID allows you to be tracked on the net and also where you are physically. GPS is just one way to find you; police for example have scanners to locate your device's physical location by the IMEI code. You can count on the "bad guys" having this technology as well, for it's quite a tool for burglars and other criminals.
The risk of your home being marked as the next dungeon to be looted by some raiders, I mean criminals (or perhaps WoW players sleepwalking and sleepraiding?), or getting your ID and bank details stolen by a trojan/hacker is random. Yet the threat would not exist without apps having such flagrant hidden permissions.
Next app with ludicrous permissions
Brightest Flashlight
It does list many permissions, among them "Hardware controls - take pictures and videos". No, it does not need a permission to take photos through cameras to operate the flashlight. But it's fun nonetheless for the dev to see his trusty peasants, or maybe he just likes to observe people like some watch fish in an aquarium or hamsters in a cage ("Look at that dork!", "You're one ugly m...f...er", "ummm a couple kissing in dark with ma flashlight, what are they searching?", "what's that you eat, mr Korean, brains?", "hey show me that document again.")
You don't even need to run the app yourself. It can be triggered by a hacker in the background and take a snapshot of you.
On top of this little needless permission it has following hidden permissions:
1. Unique IMSI, read about here http://en.wikipedia.org/wiki/IMSI
2. MCC+MNC (CDMA)
3. Unique Device ID
4. Cell Tower Name.
That's a lot of needless permissions for a flashlight; these are there just to track you, the app user, and have nothing to do with your comfortable use of the app.
These are just 2 apps with totally needless permissions for their intended functioning. If you don't want your Windows and Linux to have such security holes, then why do you want your Android to have them?! You don't want that, that's the point, and these apps would not be so popular if people really knew and cared about their phone being secure.
It can be stated for sure that above exemplified permissions not listed on market are more useful for pranksters, criminals or someone plainly looking-down-on-all-the-dumb-sheep and not at all for any legitimate, user or customer friendly purposes.
There are very few tools to check for security and privacy problems in apps. That gives a sense that majority of devs do not want Android to be secure and private, because Android is another revenue generating platform through Google ads business of course. Were people more educated about the matter then Google ads business would shrink down as well. A private and secure Android can't be tracked or annoyed with ads. No ads, no profit. No security therefore means profit. Unfortunately this lack of security can be exploited by anyone with criminal or malignant intentions so very easily.
The most important thing is to read the permissions before installing.
If you had read the article I linked: those permissions don't really matter at all if the stuff developers use doesn't reveal what it does, or the developer doesn't disclose what the app does.
We can safely say that those permissions asked are just to make ordinary users of Android think that all is under their control.
I use the Privacy Blocker app and it keeps finding app permissions that are not listed. Even that app doesn't find those permissions which the Cyanogenmod permission manager shows. And I've sanitized all my apps; still I find my phone connecting to some odd servers while using certain paid and seemingly legit apps. I even found snapshots from the front camera made by some app... and I am checking all permissions I can, even for those not listed.
What seems harmless but could reveal your IP address and potentially other data about you is... advertisements used by apps.
Ads can be far more than just a little annoyance that slows your device. Any file, picture loaded from some location in internet can be used to locate you.
I had a problem of getting phone call bills for calls lasting 10 to 20 secs that I never made after using a slew of market apps, flashlights, fun stuff, etc.
I paid two months for such calls trying to find out which app did it and still don't know which one it was. Skype (the phone app has a fake IP of Holland but the actual connection goes to Moscow... oh come on, what is this? Why such hiding? Like anyone would trust their phone's Skype connection streaming through Moscow... no thank you! Then wonder still if the phone gets so slow and Skype call quality is so bad even over wifi while Windows Skype does just fine?), Brightest flashlight, some photo editors, and a slew of other garbage I've already forgotten about because I don't use any of it anymore.
First post updated
How about the new 4.3 update? It includes some security and privacy controls. Will this prevent what you had mentioned?
Is there any way to reactivate this post? Maybe start working on a security enhanced Android ROM? I agree, security does matter!
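
One way to check an APK for the unlisted permissions this thread describes for Blade Buddy and Brightest Flashlight, as an added example that is not part of any post: it compares the permissions an APK declares (text output of `aapt dump permissions app.apk`) with the set shown on the store page. The package name, the sample output and the listed set are constructed, and the store's labels are assumed to be already mapped to permission names.

```python
import re

# Permissions that gate the data the posts worry about. READ_PHONE_STATE
# guarded IMEI/MEID and IMSI reads on Android versions before 10.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device ID (IMEI/MEID) and IMSI",
    "android.permission.ACCESS_COARSE_LOCATION": "cell-tower based location",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.CAMERA": "taking pictures and video",
}

# Accepts both aapt output styles:
#   uses-permission: android.permission.CAMERA
#   uses-permission: name='android.permission.CAMERA'
_USES = re.compile(r"^\s*uses-permission:\s*(?:name=)?'?([\w.]+)'?")


def parse_declared(aapt_output):
    """Return the set of permissions the APK requests (uses-permission lines only)."""
    declared = set()
    for line in aapt_output.splitlines():
        match = _USES.match(line)
        if match:
            declared.add(match.group(1))
    return declared


def audit(aapt_output, listed):
    """Compare declared permissions with the ones the store page lists."""
    declared = parse_declared(aapt_output)
    return {
        "declared": sorted(declared),
        # Requested by the APK but never shown to the user before install.
        "unlisted": sorted(declared - set(listed)),
        # Declared permissions that expose identifiers, location or camera.
        "sensitive": {p: SENSITIVE[p] for p in sorted(declared) if p in SENSITIVE},
    }


# Constructed sample: a hypothetical flashlight app, mixing both output styles.
SAMPLE_AAPT = """\
package: com.example.flashlight
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: android.permission.ACCESS_COARSE_LOCATION
permission: com.example.flashlight.INTERNAL
"""
# Constructed: what the store page is assumed to show for this app.
SAMPLE_LISTED = ["android.permission.CAMERA", "android.permission.INTERNET"]

if __name__ == "__main__":
    report = audit(SAMPLE_AAPT, SAMPLE_LISTED)
    for name in report["unlisted"]:
        reason = report["sensitive"].get(name, "not in the sensitive table")
        print(f"UNLISTED {name}: {reason}")
```
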

[Q] Technical Feasibility / Android Dev

Hello I am an entrepreneur and I am trying to determine technical feasibility of an application idea. If this is viable, I am willing to hire developers.
Please let me know if this is feasible.
The basic idea is an app that blocks users from opening other apps for a specific time period. For example, you open an app and determine the time frame during which you do not want to allow yourself to be on Facebook. Save the information. Then if you try to access the Facebook Android app, you will get a notification from the other app that says you cannot access the app during the specified time period.
I'm aware of the sandbox structure but I want to know if permissions can be altered so that the information entered in one app can block facebook usage for a set time.
I greatly appreciate this.
Luke B
I am not familiar with Android per se, but am pretty familiar with several comparable app sandboxing schemes.
Sandboxing is specifically used to prevent this kind of thing. If you go low-level (break\mod the operating system), you can go around it.
Low-level techniques are not "mainstream" and will not work for a consumer app, as most users will not be willing to run in a custom configuration required for this to work.
Sorry bro, I'm not familiar.

How about more security on rooted devices for rookies?

I have been rooting phones for a few years now, and one thing I have realized is that rooted phones are much more susceptible to being attacked by "hacks". It's also much easier for someone to access your device remotely and hide the fact that you are being accessed remotely. What I wish would happen is that experienced developers come together and help rookies like me have a quick and easy way of securing rooted devices and having more control and knowledge on how to identify threats and unwanted device access without losing su privilege and without bricking the device. (I've done plenty of that.) I know some terminal commands like pm list packages and am list activities, and there are a few apps like Simple System Monitor, and Magisk offers a bloatware removal mod, but as for system hijacking protection, remote access awareness, remote keylogger and loggers in general awareness, it seems trial and error has been my only textbook. A lot of system props look like they could be something they aren't; a lot of system app names look like they could be as well. Having the ability to add users, configure users, delete users and even hide users makes it possible for there to be something hidden in the device lurking around unbeknownst to the owner/admin user, but it wouldn't be a problem if it was common knowledge how to identify and expose that type of threat. That is one example of the type of knowledge that I would like to see rookie developers have access to.

Subject: Root, security and privacy

About root and privacy
Introduction:
Nowadays Android phones are much more controllable without root access, and bloatware can be deleted or disabled without root permissions by using Android's settings app or through the developers' ADB shell. Even firewalls like "Netguard" don't need root access nowadays in order to control the network, and there are so many other open source apps like "Blokada" and "ublock" that don't require root anymore in order to block ads, or YouTube Vanced to watch videos without ads... All of this was impossible to perform three or four years ago, so why still bother with rooting?
About root:
Root is gaining super user permissions in Linux, or being an administrator. You don't need me to mention how many years this super user wasted in order to be able to understand and to become an administrator, or super user.
What I'm trying to say is: if you don't know what you're doing while acquiring "Root" privileges on your phone, don't do it just for fun.
Root exposes the user to some higher risks even from the trusted Play Store apps.
"With great powers comes great responsibilities". If you can't assume total control of every aspect of your rooted phone (thousands of files), then don't root it.
And I'm not saying you should leave everything to Google or even trust Google's software; in fact I created a thread especially to limit their disrespectful or exaggerated behaviors by debloating and using firewalls.
Real hackers or developers who understand how a mobile operating system works, and how hacking works, can hack a rooted phone much more easily than a non-rooted phone.
Speaking for myself, I can't fully control a rooted smartphone because there are thousands of files, which are written in different development languages, doing different tasks, and they have different dependencies.
And contrary to what some people think, using strong long passwords sometimes can't help, and installing a realtime antivirus protection sometimes can't detect a hacker intrusion (when your phone is being truly exploited and completely controlled by strangers).
I'm not only saying don't root if you aren't an Android developer, but you should limit Google's and your installed apps' behaviors as well.
Nothing is unbreakable, and backdoors exist within the Google OS and within Google or the manufacturer apps or else, but a firewall can limit some of their behaviors.
A word of truth:
Very few people can actually be a super user of a complicated mobile operating system such as Android, but if you're one of them, then you already know more than all of this.
I hope this can help anyone; feel free to copy, paste, modify and share on your website.
And feel free to comment, debate, say thanks, or provide some more information.
I just wanted to share this for anyone who is concerned by root's real life review, from a privacy oriented point of view.
....or another point of view is that unaccountable multinationals like Alphabet who own Google and companies like Samsung and Apple have no moral or ethical compass and are building up a long track record of trust-breaking behaviour that is only accelerating. Without root, you cannot remove or at least minimize the "telemetry" and "walled garden" that every new phone is crammed with. A small percentage of us refuse to be treated like a lamb being led to slaughter so root is absolutely necessary for privacy and security, not the other way around.....
jajk said:
..... Without root, you cannot remove or at least minimize the "telemetry" and "walled garden" that every new phone is crammed with. A small percentage of us refuse to be treated like a lamb being led to slaughter so root is absolutely necessary for privacy and security, not the other way around.....
Thanks for your reply. Well, I think telemetry services are linked to the 'Google play services', and if we don't use any Google accounts and disable and block the Google play services from sending usage data to Amazon and Google servers by using a non-root firewall like 'netguard' (like I specified in this thread), then they can have nothing or too little from us. I have set up the firewall to block everything except my open source browser, see attachment.