Hello everyone, thank you for joining me for this lecture about financial mobile bankers, and when I say mobile bankers I actually mean Android bankers, because we don't really see significant threats for iOS. So don't worry, they will come for you too.

A little bit about myself: my name is Julia, I'm a researcher at the F5 research team. What I mostly do is reverse engineering of Windows and Android malware. So I'm going to tell you a little bit about the mobile threat landscape, the main actors that we see in this threat landscape, and later on I'll talk about the old tricks that we're familiar with that they employ, and also about new tricks that they have adopted from Windows malware and otherwise.

So if we look at this timeline, we can see, although it started before 2013, the main actors right now are Marcher, which was first discovered in 2013; dark target in Russia in March 2014, when it became a fully fledged banking trojan; MazarBot, first discovered in a fraudster forum ad in November 2015; and also would you malware, which was introduced later that year; and BankBot, which was discovered a year later. And this year, 2017, we've seen some new threats we're going to talk about, and we're also looking forward to seeing new threats before this year ends.

So, the old tricks. I'll start with SMS grabbing. Mobile bankers were first used in conjunction with Windows banking trojans. Windows banking trojans were very widespread, and banking systems had to find a way to fight them, and the way they fought the browser attacks was sending a token to the user, so that the user inserts this token in order to complete a transaction, and so the bank knows this is actually the user committing the transaction and not the malware. And the fraudsters had to come up with a solution for this, so they came up with mobile banking trojans which were named after their Windows versions, like ZitMo (Zeus-in-the-mobile) and SpitMo (SpyEye-in-the-mobile), and they were downloaded by
the user after being prompted by web injects to give away their phone numbers. So the user gave away their phone number, they got this SMS text which is asking them to download the safety app afterwards, and after they download the safety app, which was presented as an integral part of the transaction, they would commit the transaction on their web banking page, and the token that was sent to their device was stolen by the mobile malware that was already residing on their device.

So nowadays SMS grabbing capabilities can be found in standalone mobile malware types. They're used to steal the token sent by the bank in order to confirm a transaction, and the fraudster uses the token to complete the transaction started after stealing the rest of the user's credentials from his mobile banking. So nowadays they don't really need the banking site on the web; they can use the mobile banking app to steal credentials from there, and then their app will intercept the token and use it to complete the transaction.

The most common way of stealing credentials among mobile banking trojans is using an overlay. This means that the malicious app waits in the background for the moment the user opens his or her online banking app. Once they do, the malware launches an app that looks exactly like the original banking application. The user inserts his or her banking credentials into the malicious app without suspecting a thing. So let's take a look at how this happens, what the malware is doing behind the scenes. So it wants to get the topmost activity, it wants to check: is this activity a banking app activity? And if it is, it launches the fake login activity, which belongs to the malware, and uses it to steal the credentials of the unsuspecting user. This method has been in use for quite a while, since 2013. Google, being aware of this, has tried to deprecate functionality that allows attackers to discover what is the topmost app, as well as overlaying other apps. However, both attackers and developers have been
coming up with new ways of completing this task. So we're talking about the overlay attack vector and how it can be accomplished programmatically. So first they used to use this, which was deprecated in Lollipop. Later on they used getRunningAppProcesses, which was again deprecated in Marshmallow. On Marshmallow they started using the /proc method. This method actually enumerates the pseudo-files that represent processes in the Linux operating system, and using their properties it is possible to tell which one is the topmost activity. But that was deprecated as well, and you can't use it in Nougat. But you can still use the accessibility service and the UsageStats to do that, and there's a wonderful lecture about using the accessibility services from Skycure, I really recommend it. But both of those features actually require the user to be more involved and give them certain permissions.

So let's talk a little bit about the new tricks that malware had to employ in order to deal with this difficulty. So, the banking notification attack. What happens on the device is that the user sees in the notification bar a notification which looks like a notification from the bank. It has the icon of the bank and it says "you received a new message". So if we look at it carefully, you can see that the application name is Optus MMS, I don't know if you can see this, but it says Optus MMS, and this is obviously not the banking application. This is the malware trying to trick the user into clicking this. And the user thinks to himself, okay, this is obviously a message notification from my bank, I should probably click it. And then he clicks it, and what he gets is a fake login activity: it looks exactly like the login of the bank, but it's actually an activity that belongs to the malware. Now this attack vector is much more efficient than overlay for two reasons: it doesn't require waiting for the user to actually open the original banking app, and it doesn't require finding a way to get the topmost
activity programmatically, because as we've seen Google is really trying to fight hard on that front, and so it is very useful.

Another attack vector is the SOCKS proxy. After the fraudster steals the user's banking credentials, he or she still needs to bypass the bank's server-side protections. Some security vendors keep track of user devices using fingerprinting: a unique signature for each user is created using their device info. If the fraudster tries to commit a transaction from his or her device, it will be detected as suspicious behavior. So fraudsters are using a SOCKS proxy to overcome this obstacle: they're using the user's device as a network proxy. This way the traffic from their device goes through the user's device before reaching the bank's server. The bank is tricked into thinking this traffic is coming from the real user, and no malicious behavior is detected.

So, reflection. It's not a new method at all for hiding malicious intentions, we've seen it in the past. However, here we can see a usage very similar to Windows API obfuscation by Windows trojans: instead of calling system functions directly, the function name, class and parameters are passed to a single routine that will invoke the function instead. As all the strings are also obfuscated, this can put a significant hindrance on research.

A little bit about Android plugins. This is something that's becoming very popular, especially this year, among fraudsters. The most common and legitimate usage of plugins is logging in to multiple accounts simultaneously. For example, if I have a private Twitter account and a business Twitter account and I want to look into both of them at the same time, I wouldn't be able to do it if I use the regular Twitter app; I'd have to install an app that runs two instances of Twitter as plugins, for example Parallel Space, which is quite popular. And this technology is different from dynamic loading because it can load or launch a whole APK, not just the .dex or .jar file, and there's no need to declare any specific
interfaces or components for the loaded applications. Very convenient for fraudsters: it allows you to create a virtual space where you can install and run an APK, it doesn't require root, and it is running in the local process. As we said, it's super useful for fraudsters, because fraudsters want to launch their apps without installing them and avoid declaring their app components. And there are two types of fraud observed in the wild which are using this technology. Two common frameworks for this are the VirtualApp and DroidPlugin open source projects.

So one way to abuse the technology is to piggyback a legitimate-looking app. The user installs a legitimate-looking app that passes all the static security inspections successfully. In the assets of the legitimate app there's an encrypted malicious payload which will later on be decrypted and installed on the user's device. Once the application is launched, the malicious payload is decrypted and executed in the virtual space. In April the Android Malware blog reported on woody financial malware using this functionality in order to avoid detection, and it was using this framework, the specific framework I mentioned. If we look at this diagram: the user sees a legitimate app's icon, Adobe Flash, okay, and then he presses the icon. At that moment the application will take the hidden APK from the assets, it will be decrypted and installed on the user's device, and it will then be launched using the plugin framework and run on the user's device. So this is one way.

Another way to abuse this technology is having a malicious app running a legitimate app. The malware poses as a dual-instance app. This is a type of app that allows you to run several accounts simultaneously. There are a lot of them available on the Google Play Store; I don't think all of them are malicious, but there are a lot of options here in case you want to run several instances simultaneously. So the malware poses as one of those applications, and it's running a modified version of the
social media app, for example Twitter. It looks exactly like the real app; the difference is there are hooks on functions such as getText or EditText or any network functions, which allow the malicious app to grab the credentials inserted into the social media app. First discovered in China, this dual-instance malware pretends to be a legitimate Twitter dual-instance app; however, the trick can be used with any app that requires user credentials, for example any banking app can be used in this way. So what actually happens is that we have this evil app which has the plugin framework, and it's using this plugin to launch the real Twitter application, but it also uses it in order to hook this application. So once the user inserts his or her credentials into this app, the hook function will send these credentials straight to the command and control server belonging to the fraudster.

Another attack vector which we have recently seen in all kinds of malware is WebView, the WebView object. And it's commonly used, for example, for premium SMS sending, like ExpensiveWall, which was explained in a blog by Check Point, interesting. Another usage is indeed in adware like yrex, which F5 published a blog about this year, and click-fraud malware like Judy or Plugin Phantom; yrex's previous version was also click-fraud malware. So what's so interesting about this WebView object for fraudsters? It's very easy to use because it's sort of a browser inside your application. You can instantiate as many as you like, it has a WebKit rendering engine, and you can use its JavaScript capabilities to intercept URLs and inject Java objects into a page's JavaScript context, which actually means there's an actual bridge between the JavaScript running in the browser and the Java running in the app. This JavaScript, which is downloaded from the malicious server, can trigger in-app behavior in the Java. So this is very, very useful for fraudsters, and
this method was actually used in ExpensiveWall in order to subscribe the user to premium services without their knowledge, using JavaScript. Let's take a closer look at yrex and how it does its deal. So this function is actually the core of the malware, this is where all the stuff happens. So if we take a closer look we can see that it creates a hundred instances of the WebViewClient. When it creates this WebView instance it changes the headers of the request: there is an X-Requested-With header which is sent by default, and it contains the name of the package. The fraudster doesn't want the name of the package to appear on the server, so he will put an empty string instead. We can also see that while creating the WebView instance the malware will delete all the history and the cache from the user's device. This is done because the fraudster doesn't want any resources to come from the user's cache; he wants all the resources to come from the targeted server, in order to create an overload. And here we can see that it loads the URL in order to attack the target.

So what we foresee in the future for all these types of malware: it's going to continue adopting methods from Windows bankers, because Windows bankers have been around for a while, they're very mature, they have a lot of sophisticated methods and functionality, so what they can adapt to the mobile industry, why not. And they will continue trying to overcome Google's security enhancements: new features that appear in new operating systems, or deprecated features, they need to overcome that. And also trying to bypass the Google Play Store, to bypass the Bouncer. We know that there are a lot of malicious apps that are finding their way to the Play Store and finding a way to bypass the Bouncer actually. So thank you very much. Any questions?

Julia, really interesting, thank you. I wonder, did you do any research about the business ecosystem of these Trojans,
for example, are the authors of these Trojans the same ones as the authors of the Windows Trojans? Are the ones that find all the new tricks the ones that wrote the previous Trojans? Is the payload the same? Are people selling them to each other, are the Brazilians selling to the Russians, and so on? If you can comment a bit about that.

I'm not entirely familiar with that ecosystem. I know a lot of them come from Russia, because we can see that they don't operate on Russian phones so much, and we suspect those are people who are not Windows developers originally, but people who actually do Java for a living.
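The reflection trick the speaker compares to Windows API obfuscation (one invoke routine, obfuscated class and method names, nothing called directly) is easier to recognise once you have seen it in code. The block below is an added example written for this page, not code from the talk or from any sample it discusses: a hypothetical dispatcher in plain Java that XOR-and-Base64 obfuscates its strings and resolves the target at runtime. The class `ReflectionDispatcher`, the key `KEY` and the helpers `obf`/`deobf` are assumptions for illustration; real samples use their own encoders. It only touches `java.lang.*`, so it runs on a desktop JDK as well as on Android.

```java
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/*
 * Added example (not from the talk): a single reflection "invoke" routine of
 * the kind the speaker describes. The class name, method name and arguments
 * are handed to one function, which resolves and calls the target at runtime.
 * A string dump of the compiled class shows only Base64 blobs, never
 * "java.lang.System" or "getProperty". Names here are hypothetical.
 */
public class ReflectionDispatcher {

    // Hypothetical single-byte XOR key; real malware uses per-string keys or real ciphers.
    private static final byte KEY = 0x5A;

    // Decode at runtime: Base64 -> XOR with KEY -> UTF-8 string.
    static String deobf(String blob) {
        byte[] raw = Base64.getDecoder().decode(blob);
        for (int i = 0; i < raw.length; i++) raw[i] ^= KEY;
        return new String(raw, StandardCharsets.UTF_8);
    }

    // Encoder: only needed to build the constants (an author runs it once offline).
    static String obf(String plain) {
        byte[] raw = plain.getBytes(StandardCharsets.UTF_8);
        for (int i = 0; i < raw.length; i++) raw[i] ^= KEY;
        return Base64.getEncoder().encodeToString(raw);
    }

    /**
     * The one routine everything goes through. target == null means a static call.
     * Parameter types are taken from the runtime classes of the arguments, which is
     * enough for String/boxed-primitive signatures and keeps the example short.
     */
    static Object call(String obfClass, String obfMethod, Object target, Object... args)
            throws Exception {
        Class<?> cls = Class.forName(deobf(obfClass));
        Class<?>[] types = new Class<?>[args.length];
        for (int i = 0; i < args.length; i++) types[i] = args[i].getClass();
        Method m = cls.getMethod(deobf(obfMethod), types);
        return m.invoke(target, args);
    }

    public static void main(String[] a) throws Exception {
        // In a real sample these two constants would be literals in the class file.
        String cls = obf("java.lang.System");
        String meth = obf("getProperty");

        // No direct reference to System.getProperty anywhere below.
        Object ver = call(cls, meth, null, "java.version");
        System.out.println("invoked via reflection: java.version=" + ver);

        // What a researcher does to undo it: locate the decoder, then decode every blob.
        System.out.println("decoded: class=" + deobf(cls) + " method=" + deobf(meth));
    }
}
```

Two practical notes. Statically, the giveaway is a class that calls `Class.forName`/`getMethod`/`invoke` from one hot routine while its string table is all Base64; once you find the decoder (here `deobf`), batch-decoding every constant recovers the real API names. Dynamically, hooking `java.lang.reflect.Method.invoke` and logging the resolved method on each call gives the same list without reversing the encoder at all, which is why obfuscated reflection slows analysis but does not stop it.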