So I'm Nick Percoco, and this is Christian, and you're at "This Is Not the Droid You're Looking For". Okay. Okay, so what you see on the screen is the agenda. We're not gonna really talk through it, because we're gonna see it in the next 50 minutes, but basically this is what we're gonna talk through today, so let's just jump into the introduction here.

A little bit about me. Like I said, I'm Nick Percoco. I'm the senior vice president, head of SpiderLabs at Trustwave, about 15 years infosec experience. I actually built, and still lead, the SpiderLabs team at Trustwave. So my interests: targeted malware, attack prevention, mobile devices, and really from a business and social impact analysis standpoint. And this is Christian here.

Hi everyone. My name is Christian Papathanasiou. I'm a security consultant at Trustwave, based out of London. I've got eight years in infosec. My interests are within rootkits, anti-rootkit detection, algorithmic trading, which is more financial related, and web application security.

Okay, so a little bit of background and an introduction here. So basically, I'm sure everybody here knows what Android is, and that's probably why you're here. You know, it's 60,000, 100,000, I don't know how many phones are being sold or activated on a daily basis; it's a very popular platform. From what we were able to find, it ranks about number four in the handset or mobile device rankings there. So I guess we'll do a show of hands. How many people here in the room have Android phones?
Okay, you guys are all fucked. Not really. We're just gonna drop you down a few levels, and we'll bring you back up at the end of this; you'll be hugging each other.

So basically, not much research that we were able to find has really been done in the mobile rootkit area. There's some that's been out there, but basically Android equals Linux, which equals an almost 20-year-old operating system. Back when I was in school, a freshman in college, I was installing a very early version of Linux from a big stack of floppy disks, compiling the kernel for about eight or 12 hours, and then finding out it actually didn't work. But because of that, and I'm not saying it's a bad thing that it's 20 years old, there's a very established body of knowledge around Linux rootkits. And so we were able to find a lot of information that helped us on our journey here. And so what we did: we created a kernel-level Android rootkit. It's a loadable kernel module, and it basically is activated or triggered by a phone number, so an inbound phone call.

So a little bit of background. This is a real nice pretty picture here; we pulled this from Google. This is basically the model for the stack that Android runs on. So basically at the bottom you see the kernel level, a Linux kernel, and at the top you see the applications. And when I look at this I sort of think of The Time Machine, and not the Mac OS backup utility; think of The Time Machine the book, or the movie. Basically at the top you have the Eloi, right, the Eloi are up there, and then the Morlocks are down at the Linux kernel. The Eloi are like Facebook and Twitter, and they're all excited about that, but they don't see anything below the surface, and they don't know what's going on down there.
We'll get a little more on that later, but basically this is what this looks like, and we're gonna walk through some of these layers with you. So basically the current Linux kernel, that's the base level there. It's based on the Linux 2.6 kernel. It is a hardware abstraction layer, so everything above it doesn't have to worry about the hardware, right? Everything's just represented as a file. That makes it very nice and very clean for everything that's above it. It offers the same things that every other Linux offers: memory management, process management, security, networking. But then the whole Android platform that we're going to be talking about really sits on top of that kernel. This is where we focused our attention in the research. We didn't really focus at the application layer; we focused at the kernel level.

The libraries are where most of Android's core functionality lives. The main library of interest is SQLite, which is the main storage subsystem. So Android uses SQLite databases for storing its messages, its contact database, and anything really that it needs to store is stored in SQLite databases. For browsing it uses the WebKit library, and crypto is handled by the SSL library. So one thing that is interesting, based on the libraries that are used, is that because it's a SQLite database, you can see that if you have root access on the device, you can actually read the SMS messages by just using the SQLite client. Another idea slash hint is that you can intercept browser sessions by hijacking the library. You can also do that through the kernel. And because it's using the SSL library, and that requires it to be seeded with a random prime, a random number generator, you can seed that with static low numbers, and that would mean that your crypto basically can be cracked easily.

So Android's runtime environment is the Dalvik VM. What is Dalvik? Well, it's a virtual machine on Android devices.
It runs applications which are converted into dex format. The dex format is specifically designed for low-memory, low-processor-speed devices, just like your phone. We didn't spend much time here. The application layer is where your user applications live, like your Facebook app, your Twitter app, your browser. They usually either come with the phone or they are installed with your Market app, downloaded from the internet. We didn't spend much time here either.

So all your higher-layer applications ultimately interface with the Linux kernel, which acts like the hardware abstraction layer between the hardware and your userland applications. Therefore, by hijacking the Linux kernel, you in effect hijack the higher-layer applications.

And then basically this is where we sort of start to explore the concept of abstracting the rest of the phone, the rest of the functionality of that phone, from the end user. So basically, if you're abstracting everything below the application layer from the end user, that's a usability advantage, right? So your grandma that's using a phone isn't seeing console messages and things popping up on her screen and all sorts of crazy stuff going on. All they know is that they can make a phone call, they can send a text message, they can read their email, and they don't worry about anything else below. And that's great; that's great for a consumer device. But then complete user abstraction in that form is basically somewhat of a security disadvantage, right?
If someone's on your phone, and we're gonna show what that looks like, but if someone's on your phone doing things at the kernel level, you have no idea, and you really don't know. I mean, I have a phone here, and someone could be on it right now, and I wouldn't know by looking at the screen or using my apps. So that's a security disadvantage. And then even if an attacker is sloppy, they get on the phone and they are causing problems, they cause it to slow down and now you have to reboot it, the end user is not gonna think, "Oh no, maybe a hacker's on my phone." They're basically going to think the phone is crappy, "I just need to reboot it." So basically they just call it a bug, or they reboot their phone, and they'll be done with it.

So what are some of the motivations behind this? So people are asking, now why did you guys look into this? Why did you guys write the rootkit? And basically this was just sort of a discussion that Christian and I had at Black Hat Europe, talking about the implications of rootkits being on mobile phones. I mean, mobile phones are everywhere, right? So there's 4.85 million devices on 3G networks. So that basically means that there are that many devices that almost have an always-on connection, right? So my phone sitting on my table, it's connected to the internet; it's on the 3G network. I go and I drive across town, and while in the car it's on there as well. So it's always on, which is very similar to what we saw in the late '90s when people started getting always-on connections in their home. And some research that we looked into shows that by 2010 there'll be 10 billion devices on high-speed, always-on connections.
So that's an incredible growth. That's much faster than you even saw when the PC revolution or the internet revolution took place. I mean, some people have two and three mobile devices that are on 3G networks. And then the other piece there is that 60% of us, maybe even higher, probably a much higher percentage of people in this room, carry those devices with them at all times. So if you think about it, you have your home computer, right? You don't carry it; well, you may have a laptop, but if you had a home PC and it's plugged into your home network, you're not carting that thing around with you wherever you go. There's people who probably take their phones to the bathroom with them; you probably don't take your PC to the bathroom with you. So basically for high-profile and business people, even government officials, they probably have that phone with them like nearly a hundred percent of the time. I know myself personally, I don't think I've had a smartphone leave a two-foot perimeter from here, maybe a little bit further, in probably the last five years. So think of the implications of someone getting access to that phone and doing things like turning on a camera, or listening to a conversation, or doing other things like that.

And then our other piece there: the powerful nature of the smartphone, right? The phone that you have in your pocket today is probably much more powerful than a PC from eight years ago, at least the average PC. And so the location piece is there as well. You can go wherever you want and there's GPS on there, and someone could possibly track you. So the other little motivation here is that users access highly sensitive information from their smartphones.
I mean, how many people here have done a single sort of financial transaction from their phone? That may be checking the balance on their bank account or doing something from their smartphone. Only got a handful of people here. And then users typically would trust their smartphones before they would trust another computer, right? I know I would trust my phone before I would trust a kiosk at a hotel to make a transaction or do something. Then you don't really ever question your phone's integrity. But in many cases you don't have any ability as an end user to interrogate the integrity of your phone. I mean, you sit at your desk, and you walk away and go to the bathroom, you come back, you don't really worry that someone got on your phone while you were gone.

And another motivation for this work is that lots of times, for mobile operators to operate within a certain jurisdiction, they must allow governmental entities access to subscriber information. A recent case scenario is in the UAE, where a company called Etisalat pushed a performance update to all their BlackBerry subscribers. This in essence was malware, which was intentionally installed to allow government officials to monitor BlackBerry users. So BlackBerry users are likely going to be government officials or high-ranking executives or business execs. So that was the purpose of that motivation: instead of an attacker installing it,
we're looking also at a governmental entity or a communication service provider installing the rootkit on the actual phone and providing it to you shipped.

So a bit about what we're not doing here. So what we haven't done is developed a new attack vector to get the rootkit on the phone. So basically, there's a lot of people who were at the previous presentation; there were some notes about that as well. We're not showing that; you're not gonna be weaponized to be able to attack everybody's phones here at DEF CON after this talk. But what we did do is we developed the rootkit that could be the end result, right? So if you have an exploit, and you use our rootkit and deploy it on someone's phone, it'll be highly effective. And there's other ways, right? So you have malicious apps that could be deployed that would be able to contain that rootkit in them. And so basically, we chose Android not because we don't like Android. Christian has an Android phone.
I'm an iPhone user. But there's no bone to pick with Android at all. We chose it for our research basically because it runs Linux, and everyone has access to the source code, and that really aided us in our research and in being able to develop this.

So let's get on to how we built our actual rootkit. What our rootkit is is a Linux kernel module, and what an LKM is is software that allows the kernel to be extended dynamically. So usually, if you wanted, conventionally rather, to extend your kernel's functionality, what you would usually have to do is write the code, recompile your whole kernel, and reboot your machine into that kernel to have it run. LKMs allow you to flash your kernel dynamically and get that functionality installed immediately. So as it's running in the kernel, it obviously has the same capabilities as code in the kernel. And in our case we're hijacking system calls used for file processing, network operations, and these system calls are listed in what is called a system call table. So imagine that's a big array with a whole bunch of system calls which are indexed by a system call number.

So how does a kernel rootkit differ from a conventional rootkit? Well, early on, in the late 1990s or early 2000, there were a couple of rootkits out there, one of which was something called t0rn kit, which replaced system binaries like ls, ps, and the main difficulty in that was that it was easily detected by doing MD5 hashes or timestamps on the actual binaries against known good media. So that would detect that your binaries were tampered with, and that would be a telltale sign that something was wrong. So a kernel rootkit doesn't replace your system binaries. So if you do your MD5 hash against all your system binaries, they all appear the same. What it does is subvert the kernel; therefore it's more difficult to detect. So how do we
redirect system calls? We redirect system calls by creating a hook, and what that in essence is is, when the system calls a specific system call, we intercept that and call our own code, and then redirect it back. So by doing that we place ourselves kind of like a man-in-the-middle attack for the system call. Within that middle is our code, our exploit code, which performs the functions we wanted to do. So by hijacking the kernel we not only subvert the layers above the kernel, but we also subvert the end user himself.

While developing this rootkit there were a few hurdles to overcome. It wasn't as straightforward as it would have been on a usual commodity PC. One of the hurdles, which exists also on commodity devices, is to retrieve the system call table address. Another hurdle was how do we compile the actual module against the source code for the device. And another hurdle which we had to overcome was to enable system call debugging, which would allow us to determine higher-layer phone functions, which we would then be able to tap into and hijack and perform actions that we want to perform.

So in kernels greater than 2.5 there's a certain memory address called the system call table structure, which is no longer exported.
They did that for security reasons primarily, as in kernels 2.4 and below this was exported by the kernel, and it allowed lots of rootkits to use this functionality to get the address of the syscall table and then hijack the system calls. Recently, around 2006 if I'm not mistaken, there was a Phrack article by a guy called sd and another guy called devik, I believe, and that was called how to obtain syscall addresses without... He basically used /dev/kmem to obtain the syscall table address using certain heuristics. Because all Android devices ship with the same hardware, firmware and kernel, this is not really necessary in our case. So unless a user has actually flashed their device, rooted their device, which most users haven't, you can simply obtain the syscall table address from the System.map file of the compiled kernel. This also means that you can obtain lots and lots of targets for different devices, and you can create an installation script which, depending on the uname of the actual device, loads the specific syscall table address for that specific device. We obtained target addresses for the HTC Legend, for the HTC Desire, and for the actual emulator itself.

Another hurdle we had to overcome was to load our kernel module within the actual running kernel.
It was quite weird, because HTC provided the kernel source code for the Legend, and you would expect that if you compile a kernel module against it, it would actually allow you to load it onto the device itself. This wasn't the case, because the uname of the actual HTC Legend was extended: instead of 2.6.29, which is the actual default kernel provided by HTC, the uname said it was 2.6.29 9a30 26a7. So when you try to load your module into the Legend's kernel, it said the vermagics don't match, and it wouldn't allow you to do that. So we looked into the source code of the actual HTC Legend kernel and modified that, and then recompiled the module against it, and it allowed us to load the module successfully. The file we modified to get it to load was utsrelease.h.

So at this point we had successfully loaded our module into the HTC Legend's kernel. What we next needed to do was to understand which higher-layer phone functions we needed to intercept. Now, Google Android has hundreds, thousands of APIs; these all in the end interface with a set of 255 to 300 system calls. So the main ones which we targeted were the sys_write, sys_read, sys_open and sys_close system calls. These are the functions within the kernel which perform all the read, write, open and close operations. So by determining the arguments that are passed to these system calls, we can find specific events that we want to hijack. So having created this syscall debugging LKM, which is also available on the DEF CON CD, it allowed us to print all these system calls and their arguments, and this was all found in dmesg. dmesg is basically a log file which shows you all the printks that we would send, that were coming from the kernel, with the arguments of those system calls. So what we went on to do was we sent SMS messages to the phone.
We called it, and we trapped these events. We then determined that certain events we can hijack, and proceeded to hijack them to create our rootkit.

So here's the rootkit itself. So this is a tool called Mindtrick. It's an Android rootkit, and basically I'll explain what it does today, and then we're going to demo it for you. So it allows us to send an attacker a reverse shell over 3G or Wi-Fi. And so basically, once the rootkit is loaded on a phone, if the phone number is defined, of course before the kernel module is compiled, when it receives a phone call from that specific phone number, it'll then open up a reverse shell to an IP address that's specified in there as well. So it's basically a trigger, and you could define multiple phone numbers, you could define multiple places. It's C code, so you could extend this to however you want. And then basically once that happens, the attacker has root access on the phone, and it's a 3G connection or Wi-Fi connection, whatever it may be, across the internet, wherever you're located, and you can do whatever you want on that user's phone. The user may be on the phone talking, and you're on that person's phone. Also, the rootkit is hidden from the kernel itself, and so we included that in the functionality, and so when you load the rootkit and you do lsmod, it doesn't show up. So the source for that is on the DEF CON CD, so if you're interested you could play around with it.

So now we get to the live demo. And so I guess we pray to the demo gods that this goes well.
We are using a lot of wireless technology in here, which is always a sort of a curse at DEF CON. So this is what we're going to do, and so I'll sort of list these and then we'll go to the demo, and we'll walk you through them. But basically we're going to show you how we install the rootkit on the phone. Basically we'll activate the rootkit via phone call, and so we'll show that, and then you'll see the reverse shell open up. And then we'll go through it, and Christian will basically show you some exploration there: finding where the SMS messages are, viewing the person's contacts, and then basically looking up the GPS coordinates as well on the phone. And then we'll attempt to make a phantom phone call. But unfortunately, when we were in the speaker ready room, we realized that if he calls my phone and he types those commands in on the screen, you're gonna see my phone number on the screen, and I'm not sure I really want that. So we may disconnect the screen and then run that for you, so you can actually see the rootkit calling my phone and making a phantom phone call.

Yep, so we are connected to the phone right now using what is called the Android Debug Bridge, and what that is is just an interface which allows you to upload files, download files, and get a shell on the actual phone. This is just to allow us to install the rootkit. This isn't an attack vector; this is default functionality provided by Android. So here's the rootkit itself. Do you see mindtrick.ko? And so I believe I've already installed it. You did? Okay, I already installed it. So I've already installed the rootkit, just getting ready for the talk. However, how you would install it is just like insmod mindtrick.ko, and that would load the rootkit into the actual device. We can see with lsmod that the two modules that are currently loaded are the wireless modules for the actual phone.
Nothing there to note, anything related to Mindtrick. So now we will disconnect from the phone and set up a netcat listener. Okay, so now I'm going to attempt to call this phone, and if it works you should see a shell. Fingers crossed. Did not work. Did not work. Demo gods hate us. Just reboot it. Okay, so while we're rebooting the phone, anybody have a good joke? Guess that's what happens when you decide to do a run-through in the speaker ready room. Was it a yes back there? Oh, that's great.

So a little bit more about the setup here. So basically we have a Wi-Fi access point, and hopefully that's not the reason why that's going on. So basically the phone is on the 3G network, Christian's phone. It has the loadable kernel module on it, or when it comes up it should have it loaded on it, and then basically when I place a phone call it should open up a reverse shell. So let's wait a couple minutes. We're fine on time. Yeah. Let's try again. We're connected again to the phone. We'll insmod the rootkit. lsmod shows it's not there. We will now try to disconnect and try again. There we go. There we go. One thing to note is that I have no missed call logs here. Also, the phone's ring volume is up, so that's a function of the rootkit. Yes, so we're now on the phone. We're now actually connected to the phone, and we'll run through obtaining the SMS database. My girlfriend has sent me a couple of texts; I'll probably clear that quite quickly. And we'll also get the contact database. We'll also try to get some GPS coordinates, and try and initiate a phantom phone call as well.

So as I mentioned previously, Android uses SQLite for its storage system. So we will use SQLite to connect to the SMS database and view those, and then likewise with contacts. It's a nice long path for us. It's a non-interactive shell.
So you won't see the actual SQLite saying I've connected, but we should be able to see the tables if we do that. So those are the tables. So if we select the text from the incoming messages, you get all the texts. Another thing we'll do right now is get the contacts. Yeah. So these are all the tables in the contacts database. We'll just select everything from raw contacts. I don't mind if you see these. So these are all the contacts in the database that I have on my phone.

So the next thing we'll do is get some GPS coordinates. And one thing we identified when we were trying to look for the GPS coordinates, and we're gonna do more research into this, but basically the GPS device isn't activated unless, of course, an app is actively using GPS. So we activated basically Google Maps on the phone here, and so now we'll see if we're able to retrieve the GPS coordinates on the phone. So these are GPS NMEA coordinates from the GPS serial device. You can then translate these into Google Maps and get a pinpoint for the actual device.

So the next thing we will do is try and initiate a phantom phone call. Okay, so shall we disconnect, or do you want to move the screen below so I can type? Yeah. Well actually, does anybody else want us to call their phone? Any volunteers? Okay, well, once you come up on stage here. Well, it doesn't have to be an Android phone, no. What's the test phone? Cool. We get the number, okay? Do you have the ringer turned on? Is the ringer turned on? Yeah. One one zero zero one, right? Yeah, zero zero one, six five zero, three three six three two eight four. Okay. So one reason somebody would want to do this is, let's say they've made a deal with a dodgy operator, like a sex phone operator, something like that, and they want to get some commission. They would initiate some phantom call like this and leave it on for as long as it takes. Hopefully this will work. It takes a while.
Let us know when your phone rings. It's ringing? Yeah, it should be a London phone number, 44. Yeah, it should be a London phone number. Great, so that worked. Great. Yeah, so we can go back to the presentation. Okay, that's his email. Okay.

So we were able to show you, just full screen, yes, basically we showed you all these things here. The shutdown thing that's sitting on the phone isn't very exciting; we just do a shutdown, or type reboot or reset, and the phone reboots. But basically these are just the functionality that is available through the command line. This could be extended with automated features. This is a very, very basic rootkit that basically allows you to have that root shell capability, and then it's up to you to type those other commands in, like searching the databases and pulling down the GPS coordinates.

So current prevention. So what does the current prevention look like? And this is really the main motivation; one of the main motivations we spoke about is just to raise awareness here. So we tested both Lookout Mobile Security and Norton Smartphone Security on this phone with the loadable kernel module, or the rootkit, loaded, and neither detected it. So that's pretty big awareness there. So there's not a lot of technology out there, or solutions out there, for end users, or for any of us, to go and basically prevent or protect ourselves from these types of attacks. So really, what can be done? What can manufacturers do?
So manufacturers could ensure that all device drivers, LKMs, are signed; they must be signed by, let's say, HTC, not self-signed by the developers themselves, before they are actually loaded into a kernel. Perhaps not allow you to root your device; that would also help, but personally I wouldn't like that, because I like having that functionality. But centrally signing would be the ideal way to go to prevent things like this.

So some of the conclusions. So through our little journey here that we embarked on a couple of months ago, we found that it is definitely possible to write a rootkit for the Android platform. Of course, we didn't include any other functionality; we didn't really go much deeper, but it easily can be done. So I'm sure there's people in this room that will take the source code off of the CD and play around with it and see what else they can do. But then very little attention has been paid to smartphone security up until this point. There's been great talks the last few days, and even at Black Hat, around this topic, and I think the industry is going to really start moving in that direction. But basically it's really because all of us are using our phones nowadays, and in the next five years it's going to really expand to the point where we rely on those devices more than we're going to rely on our PCs or laptops. So in the next 10 years we're gonna see an explosive growth in mobile devices, and just as with the internet boom, when you started seeing explosive growth in home computers and other things connected to the internet, you saw, sort of right on path, explosive growth in malware and viruses and other things. So there's no reason why we're not going to see the same thing happen for mobile devices. So the big bottom-line question is, will we be prepared for that? And that concludes our talk. Thank you very much for your time.