DEFCON 26 Sheila A Berta and Sergio de Los Santos Tracking Android Malware Developers

ROCK APPROUND THE CLOCK!
Tracking Malware Developers

by Android “AAPT” Timezone Disclosure Bug
@unapibageek - @ssantosv
Sheila Ayelen Berta Sergio De Los Santos
Security Researcher Head of Innovation and Lab
ElevenPaths ElevenPaths
(Telefonica Digital cyber security unit) (Telefonica Digital cyber security unit)
WHAT WE DID?
WHAT WE DID?
WHAT WE DID?
WHAT WE DID?
WHAT IS AAPT?
WHAT IS AAPT?
Aapt timezone
disclosure
Aapt timezone
disclosure
Aapt timezone
disclosure
Aapt timezone
disclosure
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
EVEN = 0
ANALYZING
SOURCE CODE
ANALYZING
SOURCE CODE
THE PROBLEM
BUG = LOCALTIME(0)
THE PROBLEM
BUG = LOCALTIME(0)
EXPECTED = LOCALTIME(TIMESTAMP)
runtime
analysis
runtime
analysis
runtime
analysis
runtime
analysis
runtime
analysis
WHY A TIMEZONE?
Localtime():
HOUR = UNIX EPOCH +/- TIMEZONE
WHY A TIMEZONE?
Localtime():
HOUR = UNIX EPOCH +/- TIMEZONE
E.g:
GMT +3 = UNIX EPOCH + 3Hs
GMT -3 = UNIX EPOCH - 3Hs
WHY A TIMEZONE?
AAPT BUG = 0 +/- TIMEZONE
WHY A TIMEZONE?
AAPT BUG = 0 +/- TIMEZONE

E.g:
GMT +3 = 0+3 = 01-01-80 03:00
GMT -3 = 0-3 = 12-31-79 21:00
A LITTLE DETAIL
A LITTLE DETAIL
A LITTLE DETAIL
GMT +0 = 01-01-80 00:00 Offset table
GMT +1 = 01-01-80 01:00
GMT +2 = 01-01-80 02:00
GMT +3 = 01-01-80 03:00
GMT +4 = 01-01-80 04:00
GMT +5 = 01-01-80 05:00
GMT +6 = 01-01-80 06:00
GMT +7 = 01-01-80 07:00
GMT +8 = 01-01-80 08:00
GMT +9 = 01-01-80 09:00
GMT +10 = 01-01-80 10:00
GMT +11 = 01-01-80 11:00
GMT +0 = 01-01-80 00:00 Offset table
GMT +1 = 01-01-80 01:00
GMT +12/-12 = 01-01-80 12:00
GMT +2 = 01-01-80 02:00
GMT -11 = 12-31-80 13:00
GMT +3 = 01-01-80 03:00
GMT -10 = 12-31-80 14:00
GMT +4 = 01-01-80 04:00
GMT -9 = 12-31-80 15:00
GMT +5 = 01-01-80 05:00
GMT -8 = 12-31-80 16:00
GMT +6 = 01-01-80 06:00
GMT -7 = 12-31-80 17:00
GMT +7 = 01-01-80 07:00
GMT -6 = 12-31-80 18:00
GMT +8 = 01-01-80 08:00
GMT -5 = 12-31-80 19:00
GMT +9 = 01-01-80 09:00
GMT +10 = 01-01-80 10:00 GMT -4 = 12-31-80 20:00
GMT -3 = 12-31-80 21:00
GMT +11 = 01-01-80 11:00
GMT -2 = 12-31-80 22:00
@unapibageek - @ssantosv GMT -1 = 12-31-80 23:00
EVEN BEYOND AAPT
EVEN BEYOND AAPT
EVEN BEYOND AAPT
apks == zip
apks == zip
SELF SIGNED
YOU CAN CREATE CERTIFICATES
CERTIFICATES
AD-HOC WHEN YOU ARE ABOUT TO
COMPILE YOUR APK
SELF SIGNED
CERTIFICATES STORE THE TIME AND
CERTIFICATES
DATE OF THE COMPUTER WHERE THEY HAVE BEEN CREATED, IN UTC TIME
DATETIMES
Signature file datetime is the local
computer time (timezone included):
Certificate creation datetime (UTC):
DATETIMES
Signature file datetime is the local
computer time (timezone included):
+-50 seconds later than the certificate
2018/05/24 15:27:10
Certificate creation datetime (UTC):
2018/05/24 22:26:22
rock appround
The clock
File time Cert time
2018/05/24 15:27:10 - 2018/05/24 22:26:22
=
-7 hours and 48 seconds: GMT -7
rock appround
Another example:
The clock
File time Cert time

2018/07/08 14:30:16 - 2018/07/08 13:30:12
=
1 hour: GMT +1
(File created 4 seconds after the cert…)
mapping the timezone
UTC 0
STORED IN CERTIFICATE
Assuming minutes
and seconds are “close
in time” because
certificate and
signature are created
together
UTC +8
STORED IN ZIP FILE
mapping the timezone
UTC 0
STORED IN CERTIFICATE
Assuming minutes
and seconds are “close
in time” because
certificate and
signature are created
8 HOURS
together
UTC +8
STORED IN ZIP FILE
GMT CHECK TOOL
GMT CHECK TOOL
GMT CHECK TOOL
GMT CHECK TOOL
statistics
statistics
TIMEZONE LEAKAGE BY AAPT BUG: 179.122 APKs
TIMEZONE LEAKAGE BY DATETIMES: 477.849 APKs
61056 31708 18479 62863

3082 APKs APKs 2969 APKs
APKs
APKs TIMESTAMP AAPT APKs TIMESTAMP
AAPT BUG LEAK BUG
LEAK
UTC +0 UTC +7
MORE THAN HALF A MILLION OF APKs LEAKING THEIR TIMEZONE
FROM OUR 10 MILLION APKS DATABASE
Is this useful for malware?
MALWARE (1000 SAMPLES) ANALYZED WITH AAPT TIMEZONE DISCLOSURE
Detected only Detected only Detected only Detected by +3
Type # of APKs TOTAL % detected
by 1 AV by 2 AV by 3 AV AV
UTC +0 1000 45 13 6 22 86 8,60%
UTC +1 1000 55 5 4 30 94 9,40%
UTC +2 1000 60 6 4 26 96 9,60%
UTC +3 1000 38 21 6 21 86 8,60%
UTC +4 1000 71 28 27 72 198 19,80%
UTC +5 1000 74 7 6 22 109 10,90%
UTC +6 1000 54 0 1 3 58 5,80%
UTC +7 1000 66 18 9 46 139 13,90%
UTC +8 1000 102 47 39 126 314 31,40%
UTC +9 1000 57 4 0 4 65 6,50%
UTC +10 532 15 3 2 10 30 5,64%
UTC +11 276 18 0 4 47 69 25,00%
UTC +12 72 6 0 0 0 6 8,33%
UTC -1 1000 61 10 11 19 101 10,10%
UTC -2 1000 42 25 17 17 101 10,10%
UTC -3 391 19 2 3 2 26 6,65%
UTC -4 1000 74 3 6 16 99 9,90%
UTC -5 1000 53 13 11 6 83 8,30%
UTC -6 1000 30 10 9 68 117 11,70%
UTC -7 1000 92 11 8 62 173 17,30%
UTC -8 21 3 1 0 0 4 19,05%
UTC -9 10 0 1 0 0 1 10,00%
UTC -10 2 0 0 0 0 0 0,00%
UTC -11 6 0 0 0 0 0 0,00%
statistics
1000 SAMPLES WITH AAPT TIMEZONE DISCLOSURE
% of samples identified as malware
Is this useful for malware?
MALWARE (1000 SAMPLES) ANALYZED WITH FILE/CERTiFICATE DATETIMES
Detected only by Detected only by Detected only by Detected by +3
Type # of APKs TOTAL % detected
1 AV 2 AV 3 AV AV
UTC +0 1000 35 16 11 107 169 16,90%
UTC +1 1000 58 8 2 26 94 9,40%
UTC +2 1000 76 13 16 80 185 18,50%
UTC +3 1000 91 28 15 60 194 19,40%
UTC +4 1000 72 27 18 65 182 18,20%
UTC +5 1000 58 29 31 153 271 27,10%
UTC +6 1000 98 24 16 70 208 20,80%
UTC +7 1000 53 20 3 43 119 11,90%
UTC +8 1000 83 31 16 218 348 34,80%
UTC +9 1000 71 51 3 36 161 16,10%
UTC +10 1000 43 7 16 44 110 11,00%
UTC +11 1000 53 12 7 139 211 21,10%
UTC +12 1000 55 10 1 59 125 12,50%
UTC -1 1000 17 6 3 31 57 5,70%
UTC -2 1000 29 9 6 29 73 7,30%
UTC -3 1000 36 3 4 40 83 8,30%
UTC -4 1000 59 11 5 145 220 22,00%
UTC -5 1000 49 7 2 153 211 21,10%
UTC -6 1000 43 15 8 383 449 44,90%
UTC -7 1000 33 11 7 23 74 7,40%
UTC -8 1000 35 10 4 32 81 8,10%
UTC -9 276 16 4 2 24 46 16,67%
UTC -10 588 36 21 4 24 85 14,46%
UTC -11 293 26 4 1 20 51 17,41%
statistics
1000 APKS WITH FILE/CERTiFICATE DATETIMES (do not forget DST!)
% of samples identified as malware
DISTRIBUTION OF MALWARE BY
TIMEZONE AND USING…
statistics
3807 APKS IDENTIFIED AS MALWARE WITH 2055 APKS IDENTIFIED AS MALWARE WITH
FILE/CERTIFICATE DATETIMES AAPT TIMEZONE DISCLOSURE
statistics
IN OUR DATABASE, THE STANDARD RATE IS: FOR EACH
RANDOM 1000APKS WE IDENTIFY 60 AS MALWARE, So:
Times more likely to be malware than
1000 APKs sample # APKs Detected by +3 AV
Standard Rate
UTC +5 153 2,55
UTC +8 218 3,63
UTC -5 153 2,55
UTC -6 383 6,38
UTC +4 72 1,20
UTC +8 126 2,10
IN SHORT: AN UTC-6 APK IS 6,38 TIMES MORE LIKELY

TO BE MALWARE THAN STANDARD RATE
EXAMPLES
EXAMPLES
FILE/CERTiFICATE DATETIMES
REAL EXAMPLE: DEATHRING
AAPT TIMEZONE DISCLOSURE REAL EXAMPLE: JUDY
EXAMPLES
CHINESE COMPILED APKS IN THE SPOTLIGHT
EXAMPLES
HIDDAD MALWARE, COMES FROM…
EXAMPLES
BOTH TECHNIQUES EXAMPLES:
certificateValidFrom signatureFileLastUpdateDate oldestDateFile File/Certificate DateTime Technique
2016/12/04 07:27:57 2016/12/04 10:30:14 1980/01/01 03:00:00 03:02:17

2016/12/03 16:21:02 2016/12/03 19:24:30 1980/01/01 03:00:00 03:03:28
2016/12/03 11:52:30 2016/12/03 14:55:54 1980/01/01 03:00:00 03:03:24
EXAMPLES
BOTH TECHNIQUES EXAMPLES:
certificateValidFrom signatureFileLastUpdateDate oldestDateFile File/Certificate DateTime Technique
2016/12/04 07:27:57 2016/12/04 10:30:14 1980/01/01 03:00:00 03:02:17

2016/12/03 16:21:02 2016/12/03 19:24:30 1980/01/01 03:00:00 03:03:28
2016/12/03 11:52:30 2016/12/03 14:55:54 1980/01/01 03:00:00 03:03:24
FULLY
AUTOMATED?
metadata
WANNACRY METADATA, THE INSPIRATION
metadata
WANNACRY METADATA, THE INSPIRATION
metadata
WAS IT USEFUL IN ANDROID MALWARE?
metadata
WAS IT USEFUL IN ANDROID MALWARE?
strings
./aapt d --values strings android_app.apk
strings
./aapt d --values resources android_app.apk
| grep '^ *resource.*:string/' --after-context=1 > output.txt
Our tool
Conclusions & Future Work
We presented different ways for not just leaking
timezone but as well…
• Possibly detecting automated malware creation
• Possible better Machine learning features in
detecting APK malware
• A tool for a quick view of all this useful
information around APKs metadata
Future work should be more accurate about DST and
using more samples
Thank you!
Sheila Ayelen Berta Sergio De Los Santos
Security Researcher – ElevenPaths Head of Research – ElevenPaths
(Telefonica Digital cyber security unit) (Telefonica Digital cyber security unit)
@UnaPibaGeek @ssantosv
sheila.berta@11paths.com sergio.delossantos@11paths.com

DEFCON 26 Sheila A Berta and Sergio de Los Santos Tracking Android Malware Developers

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DEFCON 26 Sheila A Berta and Sergio de Los Santos Tracking Android Malware Developers

Uploaded by

Copyright:

Available Formats

ROCK APPROUND THE CLOCK!

Tracking Malware Developers

AAPT BUG = 0 +/- TIMEZONE

AAPT BUG = 0 +/- TIMEZONE

Certificate creation datetime (UTC):

File time Cert time

61056 31708 18479 62863

IN SHORT: AN UTC-6 APK IS 6,38 TIMES MORE LIKELY

certificateValidFrom signatureFileLastUpdateDate oldestDateFile File/Certificate DateTime Technique

2016/12/04 07:27:57 2016/12/04 10:30:14 1980/01/01 03:00:00 03:02:17

certificateValidFrom signatureFileLastUpdateDate oldestDateFile File/Certificate DateTime Technique

2016/12/04 07:27:57 2016/12/04 10:30:14 1980/01/01 03:00:00 03:02:17

You might also like