Good morning, ladies and gentlemen. How is everything going? Today I'm going to show you a security risk which I discovered is possible on the Android system: APK file infection on the Android system. My name is Bob Pan. I'm Chinese. I wrote dex2jar. Maybe some of you know me through my work. And I work for Trend Micro. I focus on research on mobile security. I love my job. Yeah. Okay.

When Android was designed, Google certainly had security in mind. Now we start from three announcements that Google made to show Android is safe. Okay. So the first was announced in March 2011. Because some bad guys placed some bad applications on the Google market, Google threw a kill switch on Android phones, and they showed their power by removing 50 infected or bad applications. And then Chris from Google made a statement that shocked the world. Chris said, Android is safe. Antivirus companies are scammers. Those are really strong words. And then in February 2002, 2012, sorry. So I'm going to show you a little bit of what I said. Although Google said Android is safe, they themselves added a new layer to the security of Android: Google Bouncer. Google Bouncer performs a set of analyses on everything on the Google market. And Google said malware downloads are decreasing.

After reading this, I'm sad. I found Android is safe. No antivirus companies are needed. I'm going to lose my job. Oh, shit. After I looked into applications on the market, I found my job is safe. Because there are a lot of bad applications still there with a lot of downloads. So Google Bouncer is infected. And this is the blog I published in May; it highlights the list of bad applications. And according to the data from Trend Micro, the malware will be more and more and more this year. Why? Because a famous system like Android will be targeted by real scammers. Everyone knows it. So where is the challenge? Experience test, challenge is to explore the system.
And only through exploring the system can we find a way to protect the system. So let's look inside the system. I want to show you what happened to me and how I found the security risk. Actually, this year in March, one day, I was playing a game on my mobile, on my Android phone, and an advertisement popped up on my screen. I had it. So I'm going to remove it. And then I looked inside the APK files. And I found APKs are signed zip files. They contain the AndroidManifest.xml, where we can find the package name, version, definitions for the services, activities, receivers, whatever. And in the classes.dex, we can find the code for the Dalvik machine. And in the META-INF folder, we can find the certificate and signature.

So let's look deeper into the Android manifest file. It's a Google-defined XML file. Google defined but not documented. So we have to find it by ourselves. We can read the source code. And there are many tools that can read this. But all of them are limited. And we must do modification on it to make it suitable for the Android system. And we have to find it.

And the dex file is in Dalvik format. This time Google defined and documented. Yeah. We can find the format on the Android website. Yeah. And a lot of tools can modify it. I personally like ASMDEX. It's well documented and has a nice API. And smali/baksmali and dexmaker are also good. When I was modifying an application on my Android phone, I got an out-of-memory exception. Then I googled it and I found APKs can only use 16 to 32 megabytes of memory. It is limited and it's not enough for ASMDEX to modify a dex. So we must do it in a clever way. And at last I found: I start a separate Dalvik virtual machine, and we can bypass the limitation.

Okay. The last is the META-INF folder. It was designed by Sun Microsystems. Now it's Oracle. So we can find the document on Oracle's website. And tools like jarsigner from the JDK and signapk from the Android source can generate it.
But for signapk, we have the source. But it depends on a component only available on Oracle. So to make it runnable on the Android platform, we have to do a small modification to replace the dependency.

Okay. I put the previous together and built my advertisement remover. And then I showed the remover tool to the user, to my teammates. They said, oh shit. If the bad guys got this technology, they can build a virus. So I looked inside the code again and built a proof-of-concept virus. It can work on Android without root or without any exploit.

So it's time to see the magic. Tom, the cat, has an Android phone and he installs a hello world on his device. One day he got a short message from the mouse, the mouse Jerry. And Jerry asked Tom to install a new version of job box, and Tom downloaded it. Then he installed it. Yeah. So job box is actually a virus, and it will try to infect other applications on the device. So let's open the job box. Yeah, it's actually just the same as the original one. So let's forget about the job box. Now Tom got an application update for the hello world. And it prompted him to uninstall the previous hello world. Okay. And install a new hello world. Okay. Now let's open the new hello world. Yeah. We got: to use this app, you must pay me Barbara Dora. I don't want to pay, so I click no. And a school on my screen. Oh, I hate it. And then we start again. Yeah, we want to use the original hello world. So we have to pay for the money. Okay. This is actually a virus. And this technology can hijack an APK. So to use. So we have to how this works.

I split this into two parts. Part A and part B. Part A is the payload of the virus. Its duty is to extract and load part B. Part B is the payload of the virus. It will try to find an APK, inject part A into the APK, and copy itself, the part B, into the APK. Because the APK is modified, part B will try to re-sign the APK. And at last part B will prompt the user to install the infected APK.
So when a virus begins, it starts part A. And part A starts part B. Part B infects another application. And when another application starts, the virus begins again. So part A, part B, again and again. Yeah. This is truly a virus.

Okay. Today, I flew from China to the United States to talk about the security of the Android system. There are certainly security risks on the Android system. I hope by talking about the risk, the community can join together to solve it. And we are looking forward to working with anybody to make Android safe. Thank you.