
Android Banking Malware

MAX ‘LIBRA’ KERSTEN


Table of contents
o Who am I?
o Ah that little bit of information!
o But my phone is safe, right?
o Android banking malware
o Current threats
o Questions

© MAX 'LIBRA' KERSTEN - SECURE[ID] 2020 2


Who am I?
o Max ‘Libra’ Kersten (@LibraAnalysis)
o Graduated cum laude in January 2019
o Blogs about reverse engineering
o Such as my Binary Analysis Course
o Custom tools are released open-source on my Github
o Notably AndroidProjectCreator
o Gave a workshop on Android malware analysis at Botconf2019



Who am I?
o Employed at ABN AMRO
o Cyber Threat Intelligence & Analytics team
o Red Team
o Focus on outside threats to provide timely and actionable intelligence to internal departments
o Research-focused projects, with the aim to also give something back to the community
o Such as Genesis, a talk, or a workshop



Poll!
o Who thinks mobile banking is safer, when compared to the desktop platform?
o Who thinks mobile phones share more data, when compared to the desktop platform?



Ah that little bit of information!
o “I don’t share that much”
o “They won’t find me”
o “I don’t have anything to hide”
o “I am not interesting enough to follow”
o “There is not that much information available about me”

o Read “Nee, je hebt wél iets te verbergen” by De Correspondent
o “No, you do have something to hide”



Ah that little bit of information!
o A working day as a case study
o Get up
o Commute to work
o Work
o Commute home
o Eat at home
o Go on a date in the city
o Travel back home
o Watch some Netflix
o Sleep



Ah that little bit of information!
o What is known about you?
o When you get up
o Your address
o The route to and from work
o Browser history
o Shopping location
o With whom you went on a date
o TV preference
o Time you go to bed



But my phone is safe, right?
o What is the difference compared to the Windows platform?
o Applications run in their own sandbox
o OS versions are fragmented
o Updates are not pushed centrally
o The Play Store is moderated
o Mobile banking is the safest option



Android banking malware
o Three commonly used techniques
o Overlay attacks
o Default application replacement
o Keylogging
o Malware is continuously being developed
o Acts as a Remote Access Trojan (RAT)



Overlay attacks
o An overlay WebView is used as a ‘phishing page’
o The malware is dormant until the bank’s application is opened
o The overlay harvests the credentials and sends them to the criminal actor
o After the overlay, the victim has to log in again
o Google takes measures against these malicious techniques
o Cat and mouse game



Default application replacement
o Examples are
o SMS applications
o Telephone manager
o Makes a preferable target
o Stealing 2FA tokens
o SMS phishing (smishing)
o Access to the phone’s contacts



Keylogging
o Hooking functions is not possible without root permissions
o The Accessibility Service is often abused
o Has to be declared in the AndroidManifest.xml
o Makes detection easy
o Screenshot each keypress
o The pressed key is briefly highlighted (by default)
o The screenshot provides context for the attacker
o Keylogging based on touch coordinates
o Found in the wild at my previous job, and blogged about it
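All three techniques on the preceding slides (overlay attacks, default SMS app replacement, and Accessibility Service keylogging) leave traces in the AndroidManifest.xml, which is why the slides call detection "easy". The script below is an added example, not code from this talk or from the speaker's tooling: it parses a decoded manifest (as produced by apktool, for instance; the binary manifest inside an APK must be decoded first) and reports which of the three capabilities are declared. The manifest text, the package name and the function names `triage_manifest` and `risk_level` are constructed for this example and do not belong to any real sample.

```python
# Added example (not the speaker's code): static triage of a decoded
# AndroidManifest.xml for the three capabilities discussed on these slides.
# The manifest below is constructed for the example; it is not a real sample.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flash Update">
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def actions_of(component):
    """All intent-filter action names declared on a component."""
    return {android_attr(a, "name") for a in component.iter("action")}


def triage_manifest(xml_text):
    """Return which of the banking-malware capabilities the manifest declares."""
    root = ET.fromstring(xml_text)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}

    # Overlay attacks: drawing a window on top of the bank's app requires
    # SYSTEM_ALERT_WINDOW (a user-granted "draw over other apps" permission).
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms

    # Reading SMS 2FA tokens needs RECEIVE_SMS or READ_SMS.
    sms_read = bool(perms & {"android.permission.RECEIVE_SMS",
                             "android.permission.READ_SMS"})

    # Default SMS app replacement: since Android 4.4 the default SMS handler
    # must declare a receiver for SMS_DELIVER protected by BROADCAST_SMS
    # (so only the system can deliver to it).
    default_sms = any(
        "android.provider.Telephony.SMS_DELIVER" in actions_of(r)
        and android_attr(r, "permission") == "android.permission.BROADCAST_SMS"
        for r in root.iter("receiver")
    )

    # Accessibility-based keylogging: the service must be bound with
    # BIND_ACCESSIBILITY_SERVICE and filter on the AccessibilityService action.
    a11y = any(
        android_attr(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        and "android.accessibilityservice.AccessibilityService" in actions_of(s)
        for s in root.iter("service")
    )

    return {
        "overlay": overlay,
        "sms_read": sms_read,
        "default_sms_app": default_sms,
        "accessibility_service": a11y,
    }


def risk_level(findings):
    """Combine the findings: an accessibility service next to overlay or SMS
    capabilities is the pattern of a banking RAT; a single capability on its
    own is common in legitimate apps (SMS clients, accessibility tools)."""
    hits = {k for k, v in findings.items() if v}
    if "accessibility_service" in hits and hits & {"overlay", "default_sms_app", "sms_read"}:
        return "high"
    if hits:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for name, flagged in result.items():
        print("%-22s %s" % (name, "YES" if flagged else "no"))
    print("risk:", risk_level(result))
```

The manifest is a necessary but not a sufficient indicator: a real SMS client or an accessibility tool declares the same components, and on current Android versions the overlay and accessibility permissions are only granted after the user is talked into enabling them at runtime. Treat the result as triage that tells you which sample to decompile next, not as a verdict.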



Current threats
o Phones can, should, and ‘need’ to be capable of more and more
o There are more and more detection mechanisms against Android banking malware
o The malware’s capabilities grow accordingly
o The logical result of the cat and mouse game
o Criminals can control the victim’s phone
o Harder to see who performs the fraudulent transactions



Back to the scenario
o A working day as a case study
o Get up
o Commute to work
o Work
o Commute home
o Eat at home
o Go on a date in the city
o Travel back home
o Watch some Netflix
o Sleep



Questions

