HACKoDROID: An Increasing Tendency Toward Smartphone-Based Attacks

New smartphone technologies have made our lives easier. At the touch of a button, you can call a cab, pay bills, connect with your friends and even reach your personal trainer. On the other hand, attackers now also have a wide range of tools that run on a smartphone and can be used to break into your systems and steal your data.

We have recently seen hacking applications for smartphones being developed and published on underground forums. The range of such tools is wide enough that anybody can find one suited to dubious purposes. The items on offer include a variety of DDoS tools, wireless crackers, sniffers, network spoofers and more.

HackForum Post

Most of these tools are available only for Android smartphones, and many require root permissions. The most popular tool for cookie theft is DroidSheep. With it, an attacker who is on the same Wi-Fi network as the victim can capture the cookies and other browsing data the victim's browser sends in the clear, including the session cookies that let the attacker take over a logged-in session without ever knowing the password. The attack only works against traffic that crosses the network unencrypted; a session protected end to end by HTTPS does not expose its cookies this way, which is why a site should serve every page over HTTPS and mark its session cookies Secure.
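The following is an added example, not code from the original post and not DroidSheep's own code. It shows the two sides of the cookie-theft scenario above: what a sniffer on a shared network can pull out of cleartext HTTP requests, and the Set-Cookie audit a site operator would run to make sure session cookies never travel that way. The capture and the response are constructed in memory (documentation IP ranges, `.example` hostnames, made-up cookie values), so it runs offline.

```python
"""Added example, not code from the original post or from DroidSheep: what a
sniffer on a shared Wi-Fi network can recover from cleartext HTTP, and the
server-side Set-Cookie check that keeps session cookies out of its reach.
All traffic below is constructed in memory; nothing touches the network."""
import re
from typing import Dict, List, Tuple

# Constructed sample capture (not real traffic). Each entry is
# (client_ip, server_ip, dst_port, payload). Port-80 payloads are readable
# HTTP; the port-443 payload stands in for an opaque TLS record, which is all
# a sniffer ever sees of an HTTPS session.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "203.0.113.10", 80,
     "GET /inbox HTTP/1.1\r\nHost: webmail.example\r\n"
     "Cookie: PHPSESSID=8f3a0c1d2e; lang=en\r\n\r\n"),
    ("10.0.0.5", "203.0.113.20", 443,
     "\x16\x03\x01 ...encrypted TLS record; headers and cookies not visible..."),
    ("10.0.0.7", "203.0.113.30", 80,
     "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    ("10.0.0.7", "203.0.113.10", 80,
     "POST /like HTTP/1.1\r\nHost: social.example\r\n"
     "Cookie: sid=abc123; csrftoken=zz9\r\nContent-Length: 0\r\n\r\n"),
]

# Constructed sample response whose cookies we want to audit.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=8f3a0c1d2e; Path=/\r\n"
    "Set-Cookie: sid=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n\r\n"
)

HTTP_METHODS = ("GET ", "POST ", "PUT ", "HEAD ", "DELETE ")
COOKIE_RE = re.compile(r"^Cookie:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)
HOST_RE = re.compile(r"^Host:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def harvest_cookies(capture) -> List[Tuple[str, str, Dict[str, str]]]:
    """Attacker's view: (client_ip, host, cookies) for every request whose
    headers cross the network in the clear. TLS payloads never pass the
    HTTP request-line test, so HTTPS sessions yield nothing."""
    found = []
    for client, _server, _port, payload in capture:
        if not payload.startswith(HTTP_METHODS):
            continue                       # not a cleartext HTTP request
        m = COOKIE_RE.search(payload)
        if not m:
            continue                       # request carries no cookies
        host = HOST_RE.search(payload)
        cookies = dict(
            part.strip().split("=", 1)
            for part in m.group(1).split(";") if "=" in part
        )
        found.append((client, host.group(1) if host else "?", cookies))
    return found


def audit_set_cookie(response: str) -> Dict[str, List[str]]:
    """Defender's check: for each Set-Cookie header, the attributes that are
    missing. Without Secure the browser will send the cookie over plain HTTP,
    which is exactly what harvest_cookies() feeds on; without HttpOnly any
    injected script can read it."""
    findings: Dict[str, List[str]] = {}
    for line in response.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in line.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[name] = [a for a in ("secure", "httponly") if a not in attrs]
    return findings


if __name__ == "__main__":
    for client, host, cookies in harvest_cookies(SAMPLE_CAPTURE):
        print(f"{client} -> {host}: {cookies}")
    for name, missing in audit_set_cookie(SAMPLE_RESPONSE).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Run as a script, the first loop prints the two sessions a sniffer could replay (the webmail and social-network cookies), while the HTTPS entry contributes nothing. The audit then flags the same `PHPSESSID` cookie as missing both `Secure` and `HttpOnly`; that is the cookie the first loop stole.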

Moreover, an attacker can often get onto the victim’s password-protected Wi-Fi network in the first place. Several Wi-Fi cracking tools exist. WIBR+, for example, runs a dictionary attack: it tries passphrases from uploaded password lists against the target network, and users can upload and update these lists themselves. Another tool, WiFiKill, can knock any other device off the network it is connected to, and can intercept pictures and webpages recently visited by users of that network.
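As an added example (not from the original post and not WIBR+'s code), here is the key derivation that every WPA/WPA2-PSK dictionary attack has to satisfy, whether the tool guesses against the live network from the phone, as WIBR+ does, or offline against a captured handshake. The point a practitioner should take from it: the SSID salts the derivation, so precomputed tables only help against common network names, and the 4096 PBKDF2 iterations cap the guess rate, so the attack succeeds only when the passphrase is in the list. The SSID, wordlist and target key are constructed for the demo; the handshake MIC check of a real offline attack is omitted and replaced by a direct comparison against a PMK derived from a known passphrase.

```python
"""Added example, not code from the original post or from WIBR+: the
passphrase-to-key derivation that every WPA/WPA2-PSK dictionary attack has to
satisfy, and what it implies for the guess rate. The wordlist, SSID and
target key below are constructed for the demo."""
import hashlib
import time
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i Annex H.4: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    The SSID is the salt, so a table precomputed for one network name is
    useless against another; the 4096 iterations bound the guess rate."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


def dictionary_attack(target_pmk: bytes, ssid: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate until one derives the target PMK. In a real offline
    attack the candidate is verified against the MIC of a captured four-way
    handshake instead; that step is omitted here (assumption for the demo)."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue                  # cannot be a valid passphrase; skip the KDF
        if wpa2_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


def guesses_per_second(ssid: str, seconds: float = 0.5) -> float:
    """Measure how many candidates one CPU core can derive per second."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa2_pmk(f"candidate{n:08d}", ssid)
        n += 1
    return n / (time.perf_counter() - start)


# Constructed demo data: the "victim" network's passphrase is in the list,
# which is precisely the weakness a dictionary attack depends on.
SAMPLE_SSID = "CoffeeShop-Guest"
SAMPLE_WORDLIST = ["short", "password", "letmein1", "CoffeeShop2014",
                   "iloveyou", "correct horse battery staple"]
SAMPLE_TARGET = wpa2_pmk("CoffeeShop2014", SAMPLE_SSID)

if __name__ == "__main__":
    print("recovered passphrase:",
          dictionary_attack(SAMPLE_TARGET, SAMPLE_SSID, SAMPLE_WORDLIST))
    rate = guesses_per_second(SAMPLE_SSID)
    print(f"~{rate:.0f} guesses/s on one core; "
          f"a 10^8-entry wordlist would take ~{1e8 / rate / 3600:.1f} h")
```

The rate printed by `guesses_per_second` is the number to compare against a phone's CPU when judging how realistic a dictionary attack from a handset is; a passphrase that is long and not in any list pushes the required wordlist far beyond what that rate can cover. The derivation itself can be checked against the test vectors in IEEE 802.11i Annex H.4.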

More and more tools now bundle several capabilities. dSploit features password sniffers, cookie sniffers, browsing-history sniffers and webpage redirection. Another program, Bugtroid, is a catalogue of both attack and protection applications: the owner picks the most suitable program from a list and installs it in one click, so the tool offers something for almost every cracking purpose.

Sniffers and DDoS Tools

For iOS there is only a limited number of hacking tools, mostly in the realm of game cracking. Examples are GameGem and iGameGuardian, which tamper with games in order to steal in-game currency. The most common tool for iOS is Metasploit, which contains a number of useful modules for different purposes.

The tools presented above are not new, but they represent the main capabilities in the field. We are seeing a growing tendency to use portable devices, such as smartphones and tablets, to conduct attacks in public places. Mobile devices and public Wi-Fi networks tend to be less protected and more vulnerable. With the data collected on a mobile device, attackers can then mount more complex attacks from a PC. As long as there is no awareness of the need to protect mobile devices, we expect the number of smartphone-based attacks to keep rising.

List of Hacking Tools

Mind the Gap – Mind your Android

Android holds approximately 80% of the global mobile market today. Due to the popularity of the Android operating system for mobile phones, it serves as a more attractive target for hackers and cyber criminals than iOS mobile phones.

Security researchers have discovered ways to take control over roughly 70% of Android devices via a Web page or apps – mostly devices that have outdated versions. Although Google releases patches approximately every four months, most of the devices will likely remain vulnerable to attack because they will not be updated.

Security consultant Graham Cluley accentuated this point when he said, “The fundamental problem is that they [Google] don’t control the hardware and software. Even though all these devices are Android-operated, they run different tweaked versions with different UIs and add-ons.”

While iOS is installed only on Apple devices, which makes it relatively easy to obtain updates, security updates for Android devices have to pass through the device manufacturers and the mobile network operators, a hindrance that often takes a great deal of time.

The following chart describes the patching process for an Android device, from the first discovery of a vulnerability through to the fix that finally reaches the end-user device. The repair process up to point C is typical of every software product: the fix released at point C normally closes the window of vulnerability that opened at point A.

Points D to G represent the part of the process that is specific to Android. Whenever a patch becomes necessary, Google publishes the update through its open source project; the manufacturers then produce their own build of it, the vendors release that build, and finally the user installs the updated, customized version of the operating system.

Chart showing the creating of a patch for an Android device

Note that the patch release date is not the date on which the update actually becomes available to users. Once Google releases an update, each manufacturer must adapt it to its own hardware and customizations. The update may never reach the user at all, for example if the vendor decides that distributing it is too expensive.

Because of this window of vulnerability, and the gap between Google’s release date and the manufacturers’ release dates, attackers can reverse-engineer the fix itself: by diffing the originally published patch, or the patched build of any manufacturer that shipped it earlier, against the unpatched code, they can locate the vulnerability and exploit it on devices that are still waiting for the update.

Clearly, the fact that Google provides a secure platform for Android is insufficient – it is also important to ensure that their patches reach their targets, Android users, within the shortest possible time, to minimize the attack window.

Mobile Redefines Mobility in Cyber Realm

Mobile vendors invest a lot of effort into their products. Usually, “bigger and faster” is their motto. And I have to admit that the last Mobile World Congress introduced some very interesting models, such as the Sony Xperia Z2. I am not into sales, so I will not get into every little spec detail, but I would like to point out the following:

  1. Memory: 3 GB RAM
  2. CPU: Quad-core 2.3 GHz Krait 400

(As published on GSM Arena).

Now if you ask me that looks like the specs of a pretty damn good laptop. And with a decent machine, you can do some serious damage. Assuming you have the proper tools, of course.

Anyone who knows me will tell you I am a fan of open source. I think that the concept is great and, simply put, sharing is caring. Most of the greatest tools that I have ever worked with were based on Linux and were shared freely by their authors.

One such bundle, now considered THE Swiss army knife for security work, is BackTrack (since superseded by Kali Linux). It is a combo of various tools you can use to test your systems, networks and applications. Needless to say, it is used not only by security professionals but also by less noble groups.

A particular aspect of open source that I admire is the flexibility, scalability, and ability to modify pretty much anything you want. It allows you to shape a better product or tailor one to suit your needs. I mention this because I have personally encountered various versions of BackTrack that had other tools and features.

So what do BackTrack and mobile phone companies have in common? Apparently a lot more than I expected.

We have encountered a suite of tools based on BackTrack’s capabilities but modified to run on Android phones. It is essentially a manager app that downloads the various modules you need for your tests. So if you want a DDoS app, all you need to do is download it and take it for a spin.

This suite is offered by a legitimate company and can be downloaded after paying a certain fee. Alas, as I mentioned, not everyone likes to play by the rules. We discovered that the suite was cracked and modified to include more features. You can download it for free, install it on your Android and execute a series of attacks – DDoS, network mapping or an injection of various sorts.


Going back to where I started: you do not need serious equipment any more. All you need is a good smartphone and a cracked app, and you are good to go.

This trend of modified applications that harness the hardware potential of smartphones is expanding rapidly. Cross-platform attacks are a growing phenomenon and smartphones play a vital role in them.

What can I say? It’s a brand new world out there.. and it only gets more interesting…

Protect your Mobile, or else – You Will Have to Pay Ransom for the Right to Use it Again!

Over the last couple of months, two major trends in the constantly evolving cybercrime world have become more and more prominent. Cybercriminals are seeking new sources of profit as the old ones become harder to exploit. Lately, we have also noticed a newer development: an offspring that combines the two trends described below.

The first trend on the rise is the targeting of Android systems. Although the subject is not new on underground platforms, and dedicated rooms for discussing vulnerabilities on Android were already opened a couple of years ago, we can definitely say that a big step forward has been made in recent months in this area.

Malware for Android is frequently seen on underground forums and uploaded to file-sharing platforms. Since the beginning of 2014 alone, we have monitored approximately ten malware tools for infecting Android devices, for example Dendroid, AndroRAT, iDroid (targeting both iOS and Android) and Stoned Cat. The modus operandi differs, but the final target is always the same, monetary theft, whether by stealing credentials for mobile banking applications, sending premium SMS messages or some other method. The infection technique also varies. Most often the victim installs a new application that is actually the malware itself, well disguised as something harmless. Another infection vector is repackaging a legitimate application with malicious code bound into it. Finally, there are the good old emails and SMS messages containing a link that starts the download of the malware.

Dendroid's Admin Panel
iDroid's Admin Panel

The second trend is the growing number of ransomware families that lock the user’s computer and/or encrypt his files, then demand payment for restoring the computer to its initial state. The most infamous malware of this kind is CryptoLocker, but there are others that we have written about in the past.

If both methods are profitable, why not combine them and increase the odds of earning more easy money? We recently noticed two “ransomware for mobile” products for sale on the Russian underground. The first is called Block Android Mobile, offered alongside other products by the same seller, such as Syslocker and BrowBlock. The seller and his services appeared on one of the closed Russian forums in February 2014, but the mobile ransomware was offered as a new function in April 2014. According to the seller, the malware has two “APIs”: the first redirects traffic to a landing page, where a malicious file is downloaded automatically; the victim then has to run the APK file. The second lets the cybercriminal inject the APK file directly, wherever he wants. A deeper analysis of this malware was provided by the Malware don’t need coffee blog, whose author came across its files in action.

Another ransomware for mobile is Tor Android Cryptolocker, offered for sale for US$5,000 about two weeks ago. Once installed on the device, the malware locks the screen, which prevents the victim from removing it. At the same time, it encrypts all files of defined types found on the SD card and in the phone’s memory (music, photos, videos, etc.). The victim is asked to pay a certain amount of WebMoney, after which his phone is unlocked. The author was offering only three copies for sale; according to our last check, two had already been sold, which probably means we will soon see this malware in action.

The blocking message sent by Tor Android Cryptolocker

Taking into account the important role that mobile phones play in our lives, this can be a very profitable means of extortion. Buying a new phone is not always cheaper than paying hundreds of dollars to get the old one back. And then there are all those pictures and videos of extremely high emotional value that we do not always back up, although it is widely known that we should. Cybercriminals can be good psychologists sometimes, and they know how to hurt us where it is most painful.

Cybercriminals Target iOS Devices

We recently discovered a post about a new mobile Trojan on one of the Russian underground forums. The uniqueness of this malware (if the publications prove true, of course) is that it is capable of attacking both iOS and Android systems. The magic malware’s name is iDroid bot 0.7.

The malware first appeared on the Web about a month ago, on two different underground forums. It was also mentioned in a thread on a Russian crowd-funding site that tried to raise RUB 16,000 (about $450) for further development of the malware.

Sales are conducted via a dedicated website, on which no contact details are published and the only way to contact the seller is to leave your contact details on the site. When you receive a response, you pay the sum of $800 (or 1.5 bitcoins if you prefer to count your money in virtual currency), and become the lucky owner of a malicious program that is supposed to help you become a rich person without too much effort.

So, what are iDroid’s capabilities? Obviously, the most important one is infecting both iOS (versions 7.1 and below) and Android (versions 2.2 and up). Members of the underground forums have expressed doubt about this feature, as infecting iOS is very sophisticated, especially when combined with Android infection in the same tool. In addition, the admin panel is reached through Tor and a proxy.

The grabbing features of the tool include a keylogger, a credit-card grabber and an email grabber. The operator’s main profit comes from grabbing data from mobile wallets (QIWI, Yandex.Money and WebMoney Keeper Mobile) by substituting the transaction details on the mobile device. Finally, there are all the “regular features” of a mobile Trojan, such as SMS sending and interception, call recording, screenshots, etc.

Screenshots of the bot, uploaded to YouTube

Another fact worth mentioning is that the author is already working on the next version of his brainchild, iDroid bot 0.8. This version will contain additional functions, such as a utility for writing Zeus-like injections into banking and payment-system applications, automatic injections into the applications of 56 banks, and automatic delivery of the Trojan via Bluetooth (Android only).

iDroid bot is the second bot that purports to infect iOS devices (the first was Zorenium, whose sales started in January 2014). Apple is definitely the next big target for cybercriminals, and even if the above-mentioned tools prove fictional, their authors are working on this pretty hard. So as we see it, the odds of success in the short term are high.

We have recently seen the development and publishing of hack applications for smartphones on underground forums. Check the updates in our new post: HACKoDROID: An Increasing Tendency Toward Smartphone-Based Attacks

RSA Wrap-up

A quip often attributed to Mark Twain says that the coldest winter he ever spent was a summer in San Francisco.

Good thing we came in the winter, and even better that we attended the annual RSA conference: it was anything but cold. In fact, it was sizzling hot, almost at the boiling point where the water starts to bubble. In many ways the two adjacent, huge conference halls of the Moscone Center felt like a giant pot left to boil and waiting to explode. Everyone who’s anyone was there, and then some hundred others you haven’t heard of: from the industry giants, who populated the north hall with huge booths, some two stories tall, complete with raffles (all offering iPad minis to the lucky winners) and booth babes, to modest small booths on the south side hosting lesser-known start-ups. The conference provided a terrific vantage point from which to view the current state of the industry. To summarize in one sentence: big and growing fast. This year’s expo was almost twice the size of last year’s, with close to 400 companies participating, many more companies “visiting” (or suitcasing) and thousands of visitors. There was also a great variety of products and offerings, almost to the point where the exhibition floor felt like a Middle Eastern bazaar. And the hustle and bustle was not limited to the conference site; it was felt within a two-mile radius, where every hotel, restaurant and bar was stuffed with RSA conference badge-wearing folk, talking, having business meetings or just partying the night away.

Prior to the conference there was a bit of negative buzz and calls to boycott it over RSA’s past involvement with the NSA (as reported on the basis of the Snowden leaks), and some keynote speakers even cancelled their participation and opted to talk at a competing, non-mainstream event called TrustyCon (also taking place in San Francisco at the same time). If people actually avoided RSA because of this controversy, it went unnoticed: thousands of visitors participated and enjoyed the event.

It was difficult, but we were able to identify several prominent trends from this mayhem.

Investment and Consolidation Craze

There’s definitely a feeling of “big fish eat little fish”, where entrepreneurs are being seduced by VCs, smaller companies are being snatched by bigger ones, and medium-sized companies are being swallowed by the behemoths of the industry. Almost everyone we talked to had either just raised some capital, just opened a US office or was about to meet a potential investor. There’s money on the floor and everybody wants a piece of the action. I attribute this both to the herd mentality of VCs (and investors alike) and to the fact that in the last year the cyber security industry has become much more accessible to the general public in terms of understanding the needs and the types of solution required (some of which are yet to be developed).

Threat Intelligence and info Sharing Platforms

We should look outside and understand the types of threats that are out there. Also, information sharing would be a good idea. So why not combine the two and offer a platform where different threat information can be pushed and distributed to customers? Sounds almost obvious, but only now are we seeing a more mature view in the industry of what threat intelligence is and how it should be aggregated, filtered and disseminated.

Cloud

Sure, cloud is THE trendiest of them all. And with it come acute security challenges and possibilities. So there were many companies offering solutions for securing cloud applications, and, on the other hand, many offering cloud based security solutions.

Mobile

Again, not terribly difficult to predict that mobile and BYOD would be a hot topic. And there were myriad solutions for the mobile world. In fact, it has become almost impossible to distinguish between the different solutions, and too many companies appeared to be doing the exact same things. I assume it will take this segment of the industry several more years to reach maturity and allow clarity regarding solutions types and their merit (also safe to assume that mobile solutions companies will be quickly snatched by larger, more established companies to enrich their portfolio and provide a more holistic security approach to organizations).

Industry and US Centric

Kind of superfluous, but it needs to be said: this event is very much industry-centric, with few customers (or potential buyers) compared to industry participants. It is also very much US-centric, which is not surprising, since the bulk of the industry resides within the States. Notable non-US exhibitors were the Germans and the Chinese (each with a pavilion) and of course the Russian giant Kaspersky Lab (the one exception to this was the extremely high concentration of Israeli companies, which comprised a whopping 15-20% of exhibitors, and many of the visitors).

I hope these characteristics will erode over time, as the industry needs to open up more to the public and obviously there is a huge global market for cyber security solutions outside the states.

As for us, we did not invest in a booth but rather roamed the halls, trying to meet as many potential partners and sales channels. I gotta say we’ve met some terrific companies, some with very similar views to ours and hopefully we will be able to forge some alliances very soon and attack the US market.

And a final word: what was the greatest gadget on display? It was a small wooden box, semi-analog and over 60 years old. Yes, there were two original Enigma devices on display (one of them belonged to the NSA), and they attracted many more visitors to the booth displaying them than any booth babe.

Enigma