Welcome to our presentation. We will talk about Android malware and how we hack their C2s. Our presentation will have three parts. First, we will introduce ourselves, our work and basic knowledge about Android. Second, we will introduce the Android malware scene and the analysis of some families. Third, we will look at how we exploit C2s.

I am Kursat and my co-speaker is Mert. We are both security engineers at Trendyol and Black Box Security. We find Android malware samples and analyze them. We find IOCs and hack them to purge stolen data.

Now let's look at Google Play Store. To find Android malware, Google introduced Bouncer as an anti-malware tool. But it has distinct features and you can easily detect it. When you upload your APK file, it runs it in an emulator. This emulator has only one contact and two photos. You can also detect Bouncer's IP range while it is running your APK, which you can also use to evade Bouncer. Because you can detect its features, you can use different techniques to bypass it. Implementing anti-analysis and anti-emulator techniques are just some examples of it. You can also download your malicious DEX file separately and load it into your APK. With this, Bouncer cannot even see your malicious code.

Android was by design not that secure back then. But nowadays they are implementing features to harden it. With Android P, better encryption, process isolation and authentication were implemented. Not just that, but Google Play Store changed its rules to prevent the SMS and call log permissions from being used in apps. With Android Q, even more hardening is introduced. Android Q removed clipboard monitoring and background activity starts, and limited screen recording. It also restricts the Bubbles API, which is commonly used for phishing by threat actors. Also, Google introduced the App Defense Alliance to combat malware in Google Play Store. The alliance itself includes companies which specialize in mobile malware.

Let's look at the Android malware scene. There are five types of malware common in Android. First is adware. It shows you advertisements in a hidden manner. Second is spyware. Spyware commonly steals personal information in order to sell it. Third is trojans. They are commonly used to steal bank information. Fourth is ransomware. It is commonly used as a feature in bank bots nowadays. When you try to remove the malware, it activates the ransomware feature. And lastly, crypto miners. They were common back then, but nowadays, due to some restrictions like background activities, they are no longer a thing in the Android operating system. They are decreasing.

Threat actors usually run campaigns through social media advertisements to spread malware. There is also malware-as-a-service malware. At first there was GM Bot, which inspired Marcher. After Marcher, Exobot emerged and it evolved into Red Alert. Red Alert has distinct features which were also carried on to Anubis. Nowadays Cerberus malware is active and popular in the as-a-service scene. They evolve in time as threat actors change. They all use anti-analysis techniques and droppers.

Exobot uses a dropper to distribute itself in Google Play Store. It also uses root detection and anti-emulator checks by checking the device ID, country and operator on the device. It also tries to run shell commands to find the su binary, which is present when the device is rooted. You can see what Exobot looks for in strings. You can bypass the anti-emulator check with Frida like this. And root detection like this.

Red Alert uses Twitter for C2. The last tweet contains the IP of the C2. It fetches the last tweet to find out the current C2 and uploads the data it has stolen there. It asks for device admin permission to take over the phone. It also checks running apps to look for specific apps.

Anubis is a good bank bot example. It operates as a service. It has multiple versions which allegedly have multiple different developers. It uses fake apps and phishing campaigns to distribute samples. These are all Turkish bank or popular applications. It also uses a dropper, and uses obfuscation in the dropper sample. The dropped Anubis sample is encrypted. Once you decrypt it, you can see it uses call forwarding for bank numbers. And it uses overlay attacks to steal banking credentials. If you try to remove it, the ransomware feature activates. Anubis decrypts itself in memory and writes the decrypted code to a JAR file. After that it loads the JAR file, which contains the malicious functions, into itself. This Frida script changes the delete function so that you can fetch the decrypted file from the device. You can fetch the decrypted code like this. And like this if native code is used.

Hydra is another service. It imitates government apps to distribute itself. Once you create a Hydra sample in the panel, it has a time limit to activate. It sleeps until that time finishes. It uses overlay attacks to steal banking and other personal information. You can bypass the time limitation like this. And like this if native code is used.

Cerberus is the most updated and dangerous one among them. They are highly active on Twitter and regularly update the Cerberus malware, which commonly bypasses Bouncer and can be found in Google Play Store. It uses sensor data to detect emulators. You can imitate sensor movement and bypass this check.

C2s are mainly used to distribute samples and manage bots, and they contain stolen information. You can use this script to automate C2 extraction for some samples. Not every sample has an automated C2 extraction decryptor or unpacker. But you can find some useful ones on the GitHub page. They help you analyze samples faster.

Now let's look at some vulnerabilities we found in C2s. Note that most of the C2s are a part of a malware-as-a-service. So if you find a vulnerability in one panel, it is highly likely present on the other panels using the same malware. Red Alert panels have a directory listing vulnerability. You can fetch infected device information from the panels. You can find all infected phone data and stolen information, and also find encryption keys.

Let's look at another panel. One custom malware panel had the password in the page source. Using this, you could log in to the panel. It had many infected hosts and functions to control. It also had a file upload feature. Exploiting the file upload, we got a shell. We purged all data and shut down its operation. Some other custom panel had SQL injection. We logged in as admin with it and took over the panel. All Twitter phishing campaigns and malware distribution campaigns had a root access vulnerability. With this, you can sniff the admin token to log in and see all stolen information and all stolen credit card data, and social security numbers. We set up a cron job to delete them daily.

The main takeaways from our presentation are: we identified malware-as-a-service users and hacked their C2s to purge stolen data. We also shared our findings with a task force and had 13 threat actors arrested. If you have any questions, we will be on Discord to answer them. Don't forget to check your downloaded apps from Google Play Store. Never trust any application. Thank you all for listening. It was a pleasure to be here today.
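The talk ties bank bots to a recognisable permission pattern: SMS and call log access (which Play policy now restricts), overlay capability for overlay attacks, call control for call forwarding, and a device admin receiver used to take over the phone and resist removal. As an added example, not code from the talk or the speakers' tooling, the script below runs that triage over a decoded AndroidManifest.xml. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the permission list, the device-admin detection and the additive score weights are my own heuristic, and the two manifests embedded in it are constructed samples, not from any real app.

```python
# Added example, not code from the talk: a manifest triage pass for the
# permission pattern the speakers describe (SMS/call-log access that Play
# policy now restricts, overlay capability, call control, device admin).
# Assumption (mine): the AndroidManifest.xml has already been decoded to
# plain XML, e.g. with apktool; the weights below are my own heuristic.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Permissions flagged because the talk ties them to bank-bot behaviour.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "reads SMS (Play policy restricts this)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS (Play policy restricts this)",
    "android.permission.SEND_SMS": "sends SMS",
    "android.permission.READ_CALL_LOG": "reads call log (Play policy restricts this)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.CALL_PHONE": "can place calls, e.g. call-forwarding codes",
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample manifests (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Constructed">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Benign"/>
</manifest>"""


def triage_manifest(manifest_xml):
    """Return the risky permissions found, whether a device-admin receiver is
    declared, and a simple additive risk score."""
    root = ET.fromstring(manifest_xml)

    flagged = []
    for node in root.findall("uses-permission"):
        name = node.get(NAME_ATTR)
        if name in RISKY_PERMISSIONS:
            flagged.append((name, RISKY_PERMISSIONS[name]))

    # Device admin is declared on a receiver, either through the
    # BIND_DEVICE_ADMIN permission attribute or the DEVICE_ADMIN_ENABLED action.
    device_admin = False
    for receiver in root.iter("receiver"):
        if receiver.get(PERMISSION_ATTR) == DEVICE_ADMIN_PERMISSION:
            device_admin = True
        for action in receiver.iter("action"):
            if action.get(NAME_ATTR) == DEVICE_ADMIN_ACTION:
                device_admin = True

    # Weighting is an assumption: device admin counts double because the talk
    # ties it to taking over the phone and resisting removal.
    score = len(flagged) + (2 if device_admin else 0)
    return {
        "package": root.get("package"),
        "flagged": flagged,
        "device_admin": device_admin,
        "score": score,
    }


def describe(report):
    """Human-readable summary of a triage report."""
    lines = ["%s: score %d" % (report["package"], report["score"])]
    for name, reason in report["flagged"]:
        lines.append("  - %s: %s" % (name, reason))
    if report["device_admin"]:
        lines.append("  - device admin receiver declared")
    return "\n".join(lines)


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(describe(triage_manifest(manifest)))
```

The score is only a sorting aid for a pile of samples: a legitimate SMS app will legitimately hold READ_SMS, so the combination (SMS plus overlay plus device admin in one app) is what deserves a closer look, not any single entry.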