Hello, everybody. I'm glad to be here, my first time in Canada, my second time abroad. So I would like to present you a topic by the title Android: Practical Introduction to the Insecurity. The thing is that, as I've worked for the Croatian government CERT, I presented a strain of this talk half a year ago to some government officials. My task was to make a, I would say, FUD talk. So fear, uncertainty, doubt. So after this talk, they were really scared, or individuals were really scared. What are the capabilities of attackers on the Android platform? So my task was to go through all the security aspects of Android and to pinpoint what you should do from the user's perspective and what you should not do. Also, as I've worked for the government, I have some inside info. So I would pinpoint what you should really take care of, especially those of you that are kind of crypto-anarchists or hacktivists. I would pinpoint what you should do, what you should not do.

As part of this talk, there will be a presentation. Presentation victims are enumerated here. I have one old LG mobile, one new Z3 Compact, and one virtual EeePC. So I picked those because the first one is really obsolete. So nobody should use something like this. The third one is something that is kind of deprecated. So anything below Android KitKat should be slightly removed from the market. And also, the second one is my actual, I would say, official mobile that I take care of. So I'll also present what are the attack vectors on an up-to-date mobile phone.

Demo gods were really angry at me. Yesterday, it all started with the update of Metasploit. And yesterday it crashed. I also tried to update the MITM proxy; it crashed. Burp didn't work. So yesterday evening, I just went to the solitude of my hotel room, and I recorded everything that I should present here. So it all started something like this.
Also, all of a sudden, one of the important binaries or utilities that I am using, Android Screencast, which is really a cool tool to do presentations on Android phones and tablets, all of a sudden that project just ceased to exist in the last couple of days. So I really had trouble. But as I said, I went to the solitude of my hotel room, and I just started with the maté in my lab.

So these are most probably the most important slides of this talk. So I will go through all of these cases through the talk, and I'll pinpoint what's the problem in the first part of those venial, I would say, sins of the Android insecurity. And the last one, deadly, is especially important for you as a user. So in venial or system problems, we have the sensitive data on SD card. Everybody does it. Also, we have the vulnerable OS, which in the majority of cases is the provider's fault. So it's kind of a problem for the provider to support all those older versions of Android. Also, they like you to buy new phones, new tablets. So they just passively force you to change your current device. Also, that third one, trusted CA credentials. I picked it by accident. And I think it's one of the greatest conspiracies. I will pinpoint it here. You will see why.

The deadly user problems are strictly related to your user decisions. So whether you will root your device, whether you will turn on USB debugging, whether you will not use the screen lock, or whether you will use unknown sources as a source for installation of potentially malicious binaries. I will go through all of these steps and pinpoint how you become vulnerable as a user if you just turn on a single step or single point in there.

So sensitive data on SD card. As said, everybody has sensitive data. So an attacker can just pick your mobile phone. So this is kind of inside info. So attackers, if they are targeting you physically, they will distract you from your mobile phone. They'll just need five to ten minutes.
And they'll just try to extract as much data as they can in the least time possible. So in this case, if everything is turned on, if each of those features is turned on or off as it should be, as a last resort, they will just take your SD card and just copy everything from there. So please, just a dummy demo. When you try to mount the screen-locked mobile to your laptop, you won't get anything. But if you suddenly extract the SD card from the mobile phone, just use an SD card reader. You'll just be able to get some potentially problematic or sensitive information. So as said, I work for the government. So I really shouldn't have things in my Downloads folder or inside the pictures. For example, I like to take pictures of passwords or some sensitive data when I go on certain visits. So it's kind of a bad habit. So an attacker can just take your data from the SD card and copy it.

There is something called Android phone encryption. It should prevent these kinds of attacks. But one guy specifically, he has the handle G3RT, he noticed that if you install software which uses Android accessibility services, all of a sudden the encryption password of the SD card itself will be reset to the default. He doesn't know why it's so. He didn't get a reply. And the default password on Android phones is default_password. So he also has a nice scenario where you can do social engineering on a victim and just pretend or just force him to install some application. Like in this case, Screen Notifications is really the name of an application. So when you try to install it and try to enable it, it will also kindly tell you that your device won't use your screen lock to enhance data encryption. So nobody cares about those warnings. But all of a sudden, if you thought that you were safe by installation of those kinds of applications, you won't be safe enough.

The second part, vulnerable OSes. This is slightly unreadable, but I will try to just summarize.
Half of those devices here are vulnerable to quite a critical vulnerability. So you can do stuff like remote code execution or privilege escalation. So in 50% of cases, you can just either do remote attacks against the victim, or if you have physical access, you can do the privilege escalation and do some data stealing from it. So roughly half of all devices currently are highly critical. According to this site here, Android vulnerabilities, this is slightly, I would say, these are not the numbers for the highly critical vulnerabilities, but also including the less critical vulnerabilities. So around 80% of devices today are estimated to be vulnerable to some kind of vulnerability.

Also, I'll just show you one demo on Android 4.0. So against the virtual ASUS EeePC. So I had stored some sensitive data here inside the notes. So this is just for demo purposes. Then I started Metasploit. Inside Metasploit, when you search for Android, you will be shown, or you will be presented with, around 20, 30 different exploits against the Android platform. In this case, this particular WebView exploit, it's really a good way to present the attacks against the Android platform. Here you can see, if the victim visits some malicious URL, he will immediately connect back to the attacker. And now, here inside the shell, I'm the attacker. Now I'm a regular user called app understood six. When I try to search through some sensitive data, I'll immediately get permission denied. But a good thing from the penetration tester's point of view is, when you have a pre-rooted machine, in most cases you just need to do the su to force the privilege escalation to root. With root privileges, here you can see that I've successfully been able to get those sensitive data that were stored inside the notepad.
So you will see also through the demonstration parts, those DB files along the data folder inside the Android platform are the most, I would say, bountiful from the attacker's point of view. Lots of user information is stored there. So those are SQLite databases. And by just opening them inside SQLite, I would say some utility, you can just browse what is stored there.

And also, this is the demo against my up-to-date mobile phone. When you run a scanner such as VTS, you will see the perfect score. Now there is an anecdote here. Now it's a perfect score. So 25 out of 25. So my device is secure. But as Stagefright came half a year ago, almost a year ago, my device was full of holes. So until the first proof of concept came for bypassing the ASLR protection mechanism inside Android, my provider just didn't push the update for Stagefright. So I was potentially vulnerable for more than four or five months. So this is all up to your provider, whether he will let your device be vulnerable or not.

As said in the introduction, this is probably, I would say, the greatest conspiracy ever. So if you will take something from this presentation, I would just want to give you a worm, set your brain to just do the proper research in this field. So everybody knows how the PKI or the CAs work in the security world or inside the browser. So you have a large amount of bodies, I would say, that you trust in some way. And the problem is, I don't have the screenshots here, but I went through the whole process of how I could become a CA or a trusted CA inside a certain browser. And I went to the Chromium and Firefox repositories and their issues. And all of a sudden, I've seen lots of anonymous people. They are just forcing their CAs inside the Firefox or the Chromium code base. And that whole process can take up to a year.
And all of a sudden, Google suddenly realizes, OK, we should include this same CA or this same authority inside our browsers and blindly trust it. And the problem is that, I will show you, I have a nice demo here. When I started to work on this, I just played around. I went to the settings. I went to the list of those certificate authorities that I blindly trust. So you can find them inside your mobile phone, inside Trusted credentials. And you scroll down. You'll see lots of trusted CAs, lots of government CAs, America Online CA. And all of a sudden, I've seen a really nice one. Government Root Certification Authority. So common name blank, organization unit blank, issued by blank, common name blank, organization unit blank. And it lasts for 30 years. It's 4,096 bits long. And it stays in your mobile for 30 years. And that same CA, tracked by its hash IDs, belongs to, in this case, it belongs to the Chinese government. So the Chinese apparently somehow forced Android to include that same fishy CA inside the Android phone. What that means, I'll show you other examples along the way. But in this case, it means that the Chinese government, if they want, they can just do a MITM on any kind of SSL-encrypted channel. So they just force the mobile phone users or mobile phone manufacturers to include the CA or fishy CA inside, let it be for 30 years, and we can do whatever we want. And the problem is that there are not only the Chinese involved. I'll show you.

Just to show you the practical attack when you have a power like that. So I made a MITM proxy on my mobile. I inserted myself as a CA, or to be correct, I inserted Burp's CA inside of it. And I played the CA role, so MITM. So this is myself, I'm playing the MITM transparent proxy. I'll show you inside my Wi-Fi settings. I put the proxy configuration forward toward my laptop. So on the laptop, I have Burp installed.
You can see the user certificates. You will see all of a sudden lots of HTTPS requests going on here. I as an end user would think that I'm not vulnerable, but at the end, all the HTTPS is plain and transparent on the Burp side. So also in this case, I've run the For Hub application. Just to show you, also the authorization tokens are being used. Also, you will see the usernames, passwords and stuff like that. So I'm just the regular user, or I would say regular tester.

And how would one government do it? So I went to the papers and I've seen lots and lots and lots of examples that are pinpointing the same thing, that the government authorities are forcing the mobile manufacturers, also the browser manufacturers, to include their own CAs inside of their trusted CA repository. You can see here that Microsoft, Google, Apple and Mozilla included the Chinese authorities. Also, there are known attacks. So there are really known attacks that were being used by those same implanted CAs. But it's not only the problem of the Chinese. You can see also the French one. They're also being caught. So you can see, has found the intermediate CA, was using commercial device. The thing is also that they were being caught by using man-in-the-middle attacks with their own CAs. And this is the list I was able to extract from different sources. What are the world's governments around the world, which government can do this kind of attack? So transparently, just looking into your encrypted communication. So France, Hong Kong, Japan, Spain, Netherlands, they all can do man-in-the-middle attacks against you. In some cases, you will see that the CA is really called the government, but in some cases, like China, you will see the Internet Information Center. Also, I don't trust those CAs that have lots of trust inside, that there are like 50 different CAs that have the trust inside, and I really don't trust them.
So the moral here, or main point here, is that at the end, there are no quantum computers. There are no huge rigs that do the decryption or cracking of Diffie-Hellman or elliptic curves. You just have to have the implanted trusted CA inside the browser or the mobile phone. That's it.

Now the user sins. The first and maybe the most important one is rooting. So when you enter inside Google "what is Android rooting", you will get the definition. So equivalent of jailbreaking, unlocking of the operating system. So by doing the Android rooting, you can do whatever you want; you as a user have the full right to fully exploit your mobile. The thing is that those shady organizations, they would like you to do the rooting. I know that for a fact. Also, when you try to search for the roots for your mobile, this is the main site where you will find some kind of rooting tool or some kind of privilege escalation tool to be helpful to root your device. This is how common rooting tools look like. So you have Framaroot, lamb docking roots, SuperOneClick; those are the most famous ones. Also, a cool thing with all those rooting tools is that they install something called recovery mode. So the thing is that with installation of, or by running, your rooting tool, you are giving full right to that same tool to install something called recovery mode. Recovery mode has the full root privileges. It starts before, or it can start before, the OS itself. And inside of it, you can do lots of goodies. For example, if some of you paid attention in Mr. Robot, this was one of the screens being shown when the bad guy tried to install the remote administration tool. He used the recovery mode. He used this option, install zip from SD card. I will show you how it works. So by pressing a certain combination of buttons while powering on, you will get your mobile to the recovery mode. You will see much here.
It's kind of clumsy, but you can mount all those special directories like data, system, SD card. You can browse, install whatever you want. And attackers prefer just to put the USB inside. When you have the USB inside, you just get to the ADB shell and you can do whatever you want. So you have the full root privileges. There's just an example how to turn on ADB if it's previously disabled. Just to help you as an attacker in following attacks, just to not push the device into root. This was just an example how to use it. But I'll show you the proper example. So you can, as said, there are lots of those databases inside, like contacts. So you just put your USB into the rooted phone. You can just browse all your calls, all numbers, all dates, all the ratios, names. This is what agencies like to do. So contacts data. I'll also show you the SMSs. So there is no constraint in just pulling all the data from the phone itself. I'm just showing you how easy it is just to get to the nice parts. So all the dates, all the SMS contents, all numbers, who called you, what they wrote. So this is just an example. So rooting your phone is a big no-no.

I'll also show you. This is an example. This is similar to the Mr. Robot hack. I'll just show you, you're just pretending that you're trying to install the fake updates while inside there is an Android application. In this case, it's File Manager. So from inside the recovery mode, even if you can't use your USB, you can just install something like this File Manager. Or in the case of Mr. Robot, you can install some remote administration tool. In this case, I deleted the gesture key. So I as an attacker, I want to delete any kind of screen protection mechanism. In this case, it was a swipe. I just removed it. And when I rebooted the phone, then there was no swipe protection left.

USB debugging.
So USB debugging is a mode that, while being enabled on Android, you can enforce, or you can use as a developer, slightly higher privileges than the regular user. So you as a developer, you really want slightly higher. You don't want the sudo privileges, but slightly higher than the regular user. So you can enable it inside the developer options, obviously. But the problem with USB debugging. So you have the screen protection here. See? You have the screen protection here, swipe. But that doesn't prevent the ADB shell, or you as an attacker with the USB cable, from accessing the phone. Also, as said, you get slightly higher privileges. So just pause here. By accessing the data with the regular privileges. So this was being run against my up-to-date phone. So by accessing my user data with the regular ADB shell, I won't be able to do any kind of browsing around the private data. But as said, you get slightly higher privileges. You can do something called ADB backup. So ADB backup does the backup. So in this case, I backed up all the Firefox data. So all the bookmarks, history, cookies, everything. I got it on my machine. Also, it has some, I would say, obscure way how to obfuscate what is going on. But some smart guys at the mentioned forum, they found a way how to successfully extract data from it. So when you go through the data, you'll see those database goodies. For example, URLs that you visited, times with bookmarks, history, what you like to visit.

Screen lock. So screen lock is something that should be a regular user, I would say, it's a user privilege. You should all use the screen lock. It's the first line of defense against the snoopy attackers. So you can choose pattern, PIN, and password. Each of those protection mechanisms is good enough. There is really not the best one here. So by turning it on, you'll get either the swipe, either PIN, or password, whatever you like. Also, I just skipped the demo. Also, this is just an example.
You have the rooted phone with the swipe turned on. I mentioned that gesture key. Inside of it, there is some binary data. But there are some smart people that successfully made these kinds of tools. So by having a rooted phone, even if you have the screen lock, the attacker will successfully, in this case, extract your swipe pattern. So I tried the swipe, and that's it. Then this is also the example. I don't even need to crack it. So obviously, I don't know the swipe. I just go to the rooted phone and just remove the gesture key. And you can swipe whatever you want. And that's it. So rooting your device is a big no-no.

But even this is my latest up-to-date mobile phone. It has ADB or USB debugging turned on. There are also some smart people around that made this. So I don't know the pattern, but USB debugging is turned on. I downloaded it. It's called anti-guard. I pushed it. I started it. So we shall start anti-guard and lock. Oh, no screen lock. There's also a nice icon here called Launcher. Just press it, and that's it. So nice thing. Afterwards, I just uninstall it, and nothing happened. So if you screw up at least one of those things I've said at the beginning, the attackers will have a slight advantage. But also, there is a system problem. So as I've pointed out, in some cases, providers don't push the regular updates. This was found at the start of the year. So one guy, John Gordon, he just typed in an insanely large password, and he bypassed the Lollipop passcode screen lock.

So unknown sources. So lots of you, as a part of the security community, most probably turned on this feature. So to install some kind of either warez, cracked software, some security software. Also, Android itself is really user-friendly because it says, OK, you can install this. But when you go and click to Settings, it will pinpoint you what to turn on. So to just nicely turn you to the page where you should turn on the unknown sources.
So when you turn it on, it will have the nice warning. You're going to be exposed to attacks, and blah, blah, blah. This is the report from Juniper, an online report, which says that currently there are more than 500 third-party app stores online. Also, out of those 500 third-party stores, lots of applications hide some kind of malicious software inside, malware. So in the majority of cases, there are no special user-targeted attacks. You just turn on the unknown sources, and you blindly trust the guys from the other side that everything inside is valid, and it's benign. While, in reality, the majority of these cases just had some malicious purpose inside. So when you surf around, all those markets have some cool ads, cool games, cool cracked software. Also, you're most probably seeing things like this. This is just the nice pop-up that you are being displayed when you surf around. So imagine that you are an activist, and you have turned on unknown sources, and you're just being displayed this kind of nice pop-up, and you just press OK. You will immediately install some kind of malicious malware.

So also, this is the case from my mobile phone. Most probably lots of you also have a nice Hello Kitty software inside. I know what's the purpose of this software, but if I didn't know, I would be pretty skeptical. So I have the Hello Kitty software. I didn't install it, and it has the permissions to access the network state, access camera, internet, read external storage, read phone state, record audio, write external storage. So Hello Kitty is a Hell Kitty. This slide should pinpoint the problem with the current Android permission user land. So currently, there are more than 235 permissions. So you as a regular user, you'll be just presented with the nice pop-up box to just list and list all those permissions that the Hello Kitty wants. You just press yes. For example, the Facebook app, this is part of this report here. The Facebook app wants more than 20 permissions.
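A small triage script, added here as an example and not something from the talk, that reads `aapt dump badging` output and flags the permission combination described above: several surveillance permissions (audio, camera, contacts, calls, phone state) together with network access. The package names and badging dumps are constructed; the first one mirrors the Hello Kitty permission list from the slide, and the permission set and threshold are assumptions.

```python
import re

# Permissions (android.permission.*) that together let an app watch, listen and
# phone home, the combination the talk above treats as a red flag (assumed set).
SURVEILLANCE = {"RECORD_AUDIO", "CAMERA", "READ_CONTACTS", "READ_SMS", "RECEIVE_SMS",
                "READ_CALL_LOG", "CALL_PHONE", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"}
EXFIL = {"INTERNET"}

# `aapt dump badging app.apk` prints one line per requested permission; older aapt
# versions omit the `name=` part, so it is optional here.
PERM_RE = re.compile(r"uses-permission:\s*(?:name=)?'android\.permission\.([A-Z_]+)'")


def parse_badging(text):
    """Return the set of short permission names found in aapt badging output."""
    return set(PERM_RE.findall(text))


def assess(perms, threshold=3):
    """Flag an app whose surveillance permissions (>= threshold) come with network access."""
    watching = sorted(perms & SURVEILLANCE)
    network = bool(perms & EXFIL)
    return {
        "surveillance": watching,
        "network": network,
        "suspicious": network and len(watching) >= threshold,
    }


def report(name, text):
    """One-line triage summary for a badging dump."""
    verdict = assess(parse_badging(text))
    flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
    listed = ", ".join(verdict["surveillance"]) or "none"
    return f"{name}: {flag} ({listed}; internet={verdict['network']})"


# Constructed badging dumps; the first mirrors the Hello Kitty permission list in the talk.
HELLO_KITTY = """\
package: name='com.example.hellokitty' versionCode='1'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

FLASHLIGHT = """\
package: name='com.example.flashlight' versionCode='7'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.VIBRATE'
"""

if __name__ == "__main__":
    print(report("hellokitty", HELLO_KITTY))
    print(report("flashlight", FLASHLIGHT))
```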
It's a crazy application, a legal application. So it wants you to give it more than 20 permissions. So by giving it, just read it, I can do it. So guess what real attack I could do against you? Also, when you surf around, I've seen lots and lots of occasions that I downloaded some APKs around. I didn't know. So I wasn't aware. This was one occasion. There was one APK called News Reader. I didn't install it. It was being downloaded. So I went to its permissions. There are lots of permissions, but nothing strange, because I had to be an expert to know what each of those permissions meant. But you don't have to be a genius to see that something that can do the recording of audio, can access the camera, read contacts, call phone, it's probably malicious. So I tried to decompile it. And I found that it steals only my phone number, country operator, SIM country, SIM operator. So lots of juicy information. Also, I found this nice class called AndroRAT. So AndroRAT is an open source project. So when you install something like this, you immediately become part of a larger botnet. And an operator at the other side of the world can just do a double click and do the calls on your own, steal your contacts, either steal SMSs or do things on your own.

So now, demo. I'll make one such malicious APK. I'll run Metasploit. And I will install it on my up-to-date device. Here, I'm running the Meterpreter reverse handler. I will download it on my mobile by using the browser. So this can be a link inside your Gmail account or anything. I'm just shortening the attack procedure. So I'm installing it. It needs a crazy lot of permissions. But what the hell? You only live once. On this side, I as an attacker get a reverse connect. So I have the shell here. This is a nice script, persistent.sh, as Meterpreter's Android reverse handler or reverse payload is really not so stable. This is a trick. If it fails to be connected, you try to back-connect at a period of 30 seconds.
And here, you can see now I have the full control of the phone. So the phone is not rooted. But I can dump all the SMSs. So as I said, this is an up-to-date phone. It only had the option of unknown sources turned on. So I'll show you the content of it. So all my SMS transcripts went out. Also, you can dump the call log. So who called whom? Also, there's a nice feature called webcam stream. So you can turn on the webcam on demand. And just one more thing is, you as an attacker, if you have the physical access, you don't have to force the user to download anything. You can just put the USB inside and just do this whole infection from the shell itself. So some shady organizations just need five minutes of your phone. Just do the ADB install. Metasploit is on. Start it. Immediately, I get the Metasploit reverse connect. And that's basically it.

And how to stay safe. So it's just a copy of the first slide. So don't store any sensitive data on SD card. Normal. Perform regular OS updates, preferably automatic. If you can afford it, replace the obsolete Android device. I mean, that's also one of the things that I hate about Google. They just force you with all those heavy-duty software just to pick the new ones. So you don't have the choice at the end. You will just skip to the newer one. Don't root your device. Obviously, don't leave the USB debugging option turned on. Use a screen lock of any kind. And don't use unknown sources, preferably. That's it.
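As an added example (not the speaker's code), a Python audit of the "how to stay safe" checklist above: it reads captured `adb shell settings list global`, `settings list secure`, `getprop` and `ls /system/xbin` output and reports USB debugging, unknown sources, a missing screen lock, a rooted or debuggable build, an obsolete release and a stale security patch level. The sample captures, the 90-day and KitKat thresholds, and the `lockscreen.disabled` key are assumptions; `install_non_market_apps` is the pre-Oreo setting.

```python
import re
from datetime import date

# Thresholds are assumptions, not from the talk: anything below KitKat is obsolete,
# and a security patch level older than 90 days means the provider is not pushing updates.
MIN_RELEASE = (4, 4)
MAX_PATCH_AGE_DAYS = 90
TODAY = date(2016, 3, 1)  # constructed reference date for the sample captures

PROP_RE = re.compile(r"^\[(.+?)\]: \[(.*)\]$")


def parse_settings(text):
    """Parse `adb shell settings list global|secure` output (one `key=value` per line)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            out[key] = value
    return out


def parse_props(text):
    """Parse `adb shell getprop` output (`[key]: [value]` per line)."""
    out = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def release_tuple(release):
    """'4.0.4' -> (4, 0); a non-numeric preview release sorts as unknown (0, 0)."""
    parts = release.split(".")
    try:
        return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return (0, 0)


def audit(global_txt, secure_txt, props_txt, xbin_listing, today=TODAY):
    """Return findings; an empty list means none of the talk's red flags is present."""
    g, s, p = parse_settings(global_txt), parse_settings(secure_txt), parse_props(props_txt)
    findings = []
    if g.get("adb_enabled") == "1":
        findings.append("USB debugging on: adb shell and adb backup work behind the screen lock")
    if s.get("install_non_market_apps") == "1":  # pre-Oreo key; newer builds grant this per app
        findings.append("Unknown sources on: sideloaded APKs install without store review")
    if s.get("lockscreen.disabled") == "1":  # assumed key for 'screen lock: None'
        findings.append("No screen lock configured")
    if "su" in xbin_listing.split():
        findings.append("su binary in /system/xbin: device appears rooted")
    if p.get("ro.secure") == "0" or p.get("ro.debuggable") == "1":
        findings.append("Engineering/userdebug build: adb can run as root")
    release = p.get("ro.build.version.release", "0")
    if release_tuple(release) < MIN_RELEASE:
        findings.append(f"Obsolete Android {release} (below KitKat)")
    patch = p.get("ro.build.version.security_patch")
    if patch:
        y, m, d = (int(x) for x in patch.split("-"))
        age = (today - date(y, m, d)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"Security patch level {patch} is {age} days old")
    else:
        findings.append("No security patch level reported (build predates monthly patch levels)")
    return findings


# Constructed sample captures, modelled on the talk's old LG and the up-to-date phone.
OLD_LG = ("adb_enabled=1\ndevelopment_settings_enabled=1\n",
          "install_non_market_apps=1\nlockscreen.disabled=1\n",
          "[ro.build.version.release]: [4.0.4]\n[ro.secure]: [1]\n[ro.debuggable]: [0]\n",
          "busybox  su  dexdump")
CURRENT = ("adb_enabled=0\n",
           "install_non_market_apps=0\nlockscreen.disabled=0\n",
           "[ro.build.version.release]: [5.1.1]\n[ro.build.version.security_patch]: [2016-02-01]\n"
           "[ro.secure]: [1]\n[ro.debuggable]: [0]\n",
           "dexdump")

if __name__ == "__main__":
    for name, capture in (("old LG", OLD_LG), ("current phone", CURRENT)):
        print(name + ":", audit(*capture) or ["no findings"])
```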