Android Market allows any app developer to develop and publish its app to the Android Market. On the top of all, Android Market also allows app publishing as Anonymous , so that the user downloading the app won t be able to know, who is the original developer of the application.
Android Application consists of components namely: Activities, Services, Intents, Content Providers, and Shared Preferences. We will be using the features provided in the Android SDK for our benefit, and to create the malware.
The steps involved in this would be
1. Fetching all the important and private information from the phone
2. Sending the information to a remote server, managed by us
3. Receiving the data
4. Executing further commands on the phone
After that, we will be showing an Android Botnet setup, developed by us. We will be able to send commands to each of our slaves using the Botnet.
Also, we will be demonstrating the framework, which we have made for the creation of malwares. The old-school-way of doing this in Android is, taking a legitimate app, decompiling it, using either apktool or dex2jar & jd-gui, inserting our codes, repackaging it, and then getting the infected app which appears to be a legitimate one.
2.02::Main Presentation:Part II
When used on a large scale, this process will take a lot of time, and also, some other coding issues, may come in, while repackaging.
So, we've developed a framework, named AFE (Android Framework for Exploitation), which which will be released internationally in your conference. The framework, still in development, will be used to create a malware, receive the incoming information, control the victims and do a lot more. Also, we have created some templates for the malware, such as File Explorer, Tic Tac Toe, Jokes app and few more.
For the malware part, we have written our own services and stored them in the Android Framework for Exploitation modules. We have prepared 8 templates (more to be added soon), from which the user will be asked to select one of them. The template selected, will then be modified by the IP address variable being replaced by the listening IP of what the user has entered. Since, all the connection would then be sent to that IP address, the user will have to set up a listener too, which is also included in the AFE. The APK would be created, which will automatically be signed with a certificate, using keytool and jarsigner.
The following features could be used in a malware right now:
1. Getting the Call logs
2. Getting the Contacts Information
3. Getting the Inbox/Outbox
4. Sending new text messages
5. Downloading any file from the SD Card
6. Creating a new file on the SD Card
7. Viewing the browsing habits
8. Creating new Bookmarks
9. Recording and listening to Phone Conversations
10. Changing the Phone State (ON/OFF)
11. Running root exploits
12. Capturing the screen
13. Make a call to the specified number
14. Capture images with camera and send to us
15. Start at boot up
16. Undetected by all AntiMalwares for Android
17. Obfuscated network data
18. Respawn after it s closed
19. Access the GPS location
20. Start any other application installed on the phone
We will also demonstrate exploitation of Android to get a reverse shell, as well as steal a file from the phone, using available Android exploits and customizing them according to our need.
Also, a user could use AFE to use Android Exploits and steal the databases from the victims phone, apart from execution of commands over the phone.
We would also be telling on how to write plugins for AFE to extend the framework.
3.01 :: Hacking Android Applications
After talking about Android Malwares and Botnets, we will shift on to Android application vulnerabilities.
The following vulnerabilities will be discussed:
- SQL Injection
- Cross Site Scripting
- Insecure File Storage
- Open Content Providers
We will also show how to find Android Application vulnerabilities, both manually and using our framework.
3.02 :: Secure Application Coding
We will discuss about how one can develop secure applications, and the need to pentest own apps before publishing to Android Market.
Aditya Gupta is a well known Mobile Security Researcher and Penetration Tester. His main expertise includes Exploiting Web Applications, Evading Firewalls and Exploit Research. He is an expert in mobile research. Aditya is responsible for the discovery of much serious vulnerability in websites such as Google, Apple, Microsoft, Skype, Adobe, and a variety of other major software technologies. Aditya has worked on many Android security projects and has been a frequent speaker to many conferences.
Subho Halder is a Programmer, Security Researcher and Penetration Tester. He loves writing exploits and programming in PHP, Java, Perl and Python. He is well equipped and has a deep understanding of Android and Blackberry frameworks.