Table of contents o Who am I? o Ah that little bit of information! o But my phone is safe, right? o Android banking malware o Current threats o Questions
Who am I? o Max ‘Libra’ Kersten (@LibraAnalysis) o Graduated cum laude in January 2019 o Blogs about reverse engineering o Such as my Binary Analysis Course o Custom tools are released open-source on my GitHub o Notably AndroidProjectCreator o Gave a workshop on Android malware analysis at Botconf2019
Who am I? o Employed at ABN AMRO o Cyber Threat Intelligence & Analytics team o Red Team o Focus on outside threats to provide timely and actionable intelligence to internal departments o Research-focused projects, with the aim to also give something back to the community o Such as Genesis, a talk, or a workshop
Poll! o Who thinks mobile banking is safer when compared to the desktop platform? o Who thinks mobile phones share more data when compared to the desktop platform?
Ah that little bit of information! o “I don’t share that much” o “They won’t find me” o “I don’t have anything to hide” o “I am not interesting enough to follow” o “There is not that much information available about me”
o Read “Nee, je hebt wél iets te verbergen” (“No, you do have something to hide”) by De Correspondent
Ah that little bit of information! o A working day as a case study o Get up o Commute to work o Work o Commute home o Eat at home o Go on a date in the city o Travel back home o Watch some Netflix o Sleep
Ah that little bit of information! o What is known about you? o When you get up o Your address o The route to and from work o Browser history o Shopping location o With whom you went on a date o TV preference o The time you go to bed
But my phone is safe, right? o What is the difference from the Windows platform? o Applications run in their own sandbox o OS versions are fragmented o Updates are not pushed centrally o The Play Store is moderated o Mobile banking is the safest option
Android banking malware o Three commonly used techniques o Overlay attacks o Default application replacement o Keylogging o Malware is continuously being developed o Acts as a Remote Access Trojan (RAT)
Overlay attacks o An overlay WebView is used as a ‘phishing page’ o The malware is dormant until the bank’s application is opened o The overlay harvests the credentials and sends them to the criminal actor o After the overlay, the victim has to log in again
o Google takes measures against the malicious techniques
Default application replacement o Examples are o SMS applications o Telephone manager o Makes a preferable target o Stealing 2FA tokens o SMS phishing (smishing) o Access to the phone’s contacts
Keylogging o Hooking functions is not possible without root permissions o The Accessibility Service is often abused o Has to be declared in the AndroidManifest.xml o Makes detection easy o Screenshot each keypress o The pressed key is briefly highlighted (by default) o The screenshot provides context for the attacker o Keylogging based on touch coordinates o Found in the wild at my previous job, and blogged about it here
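The three techniques above (overlay, default-application replacement, Accessibility Service abuse) each leave a static footprint in AndroidManifest.xml, which is what makes manifest triage a cheap first filter. The script below is an added example, not tooling from the talk or its author; it parses a decoded manifest (as produced by apktool or androguard, since the manifest inside an APK is binary XML) and reports the indicators for each technique. The sample manifest, package name and class names are constructed for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml for the indicators of the
three banking-malware techniques: overlay capability, default-SMS-app
replacement and an Accessibility Service declaration.

Added example; the manifest below is constructed, not taken from real malware.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android:* attributes

# Constructed sample: an app posing as a player update that asks for overlay
# permission, registers as an SMS receiver and binds an accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Flash Player Update">
        <receiver android:name=".SmsReceiver"
            android:permission="android.permission.BROADCAST_SMS">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_DELIVER"/>
            </intent-filter>
        </receiver>
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Intent actions an app must handle to be eligible as the default SMS app.
SMS_DEFAULT_APP_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}


def _names(root, tag):
    """Collect the android:name attribute of every element with the given tag."""
    return {e.get(A + "name") for e in root.iter(tag)}


def triage_manifest(xml_text):
    """Return a dict of per-technique indicators found in the manifest."""
    root = ET.fromstring(xml_text)
    permissions = _names(root, "uses-permission")
    actions = _names(root, "action")

    # Overlay attacks: drawing a WebView on top of the bank app needs this permission.
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in permissions

    # Accessibility abuse: the service must be bindable only by the system
    # (BIND_ACCESSIBILITY_SERVICE) and advertise the AccessibilityService action.
    accessibility = any(
        s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    ) or "android.accessibilityservice.AccessibilityService" in actions

    # Default-SMS-app replacement: which of the required intent actions are declared.
    sms_actions = sorted(actions & SMS_DEFAULT_APP_ACTIONS)

    return {
        "overlay": overlay,
        "accessibility_service": accessibility,
        "sms_default_app_actions": sms_actions,
        "sms_interception": "android.provider.Telephony.SMS_DELIVER" in actions
        or "android.permission.RECEIVE_SMS" in permissions,
    }


def suspicious_reasons(findings):
    """Combine indicators into reasons; an Accessibility Service plus any
    credential- or SMS-oriented capability is the pattern the talk describes."""
    reasons = []
    if findings["accessibility_service"] and findings["overlay"]:
        reasons.append("accessibility service + overlay permission")
    if findings["accessibility_service"] and findings["sms_interception"]:
        reasons.append("accessibility service + SMS interception")
    if findings["sms_default_app_actions"]:
        reasons.append("declares default-SMS-app actions: %s"
                       % ", ".join(findings["sms_default_app_actions"]))
    return reasons


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print("%-25s %s" % (key, value))
    for reason in suspicious_reasons(result):
        print("SUSPICIOUS:", reason)
```

These indicators are a triage signal, not a verdict: launchers, screen readers and genuine messaging apps legitimately declare the same permissions and intent filters, so a hit should lead to dynamic analysis of what the Accessibility Service actually does, not to an automatic block.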
Current threats o Phones can, should, and ‘need’ to be capable of ever more o There are more and more detection mechanisms to prevent Android banking malware o The malware’s capabilities increase gradually o As the logical result of the cat-and-mouse game o Criminals can control the victim’s phone o Harder to tell who performs the fraudulent transactions
Back to the scenario o A working day as a case study o Get up o Commute to work o Work o Commute home o Eat at home o Go on a date in the city o Travel back home o Watch some Netflix o Sleep