Gremlin Apps & Gremlin Botnets by Chema Alonso

1. https://MyPublicInbox.com/ChemaAlonso Gremlin Apps & Gremlin Botnets Chema Alonso https://www.MyPublicInbox.com/ChemaAlonso

2. https://MyPublicInbox.com/ChemaAlonso Long tieme ago “FOCA is a Botnet” https://www.elladodelmal.com/2010/12/la-foca-es-una-botnet.html

3. https://MyPublicInbox.com/ChemaAlonso FOCA BOTNET Command & Control IMG with Payload (Steganography) Payload (IP+Command) GET IM G + ANSW ER GET IMG + ANSWER ANSWER Gremlim FOCA

4. https://MyPublicInbox.com/ChemaAlonso Steganography (C&C) Detection is complex = Stegoanalysis (Dinamyc App Analysis) + Reversing (Static Code Analysis)

5. https://MyPublicInbox.com/ChemaAlonso Gremlin Apps: Cut Rope Christmas

6. https://MyPublicInbox.com/ChemaAlonso Gremlin Apps: Cut Rope Christmas Goodware app until one event trigger the transformation: Data extracted, computer installed (Stuxnet), automatic app update, app stealing, selling/buyinng app, Company, “business strategy”

7. https://MyPublicInbox.com/ChemaAlonso Gremlin Apps: Pixel Batery Saver (from Battery Saver to Rogue AV) 1.- 50.000 active users 2.- Right Permisions. 3.- Cheap! 4.- Business Case works. https://www.elladodelmal.com/2015/01/la-venta-de- apps-al-cibercrimen.html

8. https://MyPublicInbox.com/ChemaAlonso Tacyt: Big Data & “Data in Motion” to watch Cybercrime in apps

9. https://MyPublicInbox.com/ChemaAlonso Tacyt: Big Data & “Data in Motion” to watch Cybercrime in apps

10. https://MyPublicInbox.com/ChemaAlonso Data Streams for “Dorks” like “Google hacking”

11. https://MyPublicInbox.com/ChemaAlonso Business Model: APT Provider with a Gremlin Botnet of apps to become malicious only one target. We sell targets, no malware. • Create a Gremlin botnet with lot of Apps to know who you are and sell you as a target for APT: • What Company you work for. • Who you are in social networks • Sell you for extorsion, data leakeage, CEO Attacks, part of a bigger APT, etc… • Who you are in the device Gremlin app is installed: • Accounts: Twitter, Facebook, etc… • Phone Number: WhatsApp, Telegram, 2FA, Account Recovery. • E-mail: Login. • A little of OSINT on the Internet • Dirty Business Card. • Turn a Gremlin App into malicious only to the target we sell. • Only one app becomes malicious. • Steganography to connect C&C • Opportunistic use of permissions (Install & RunTime)

12. https://MyPublicInbox.com/ChemaAlonso Tacyt: Android Apps (Install & RT) Permisions

13. https://MyPublicInbox.com/ChemaAlonso Permissions to get Phone Number • <uses-permission android:name="android.permission. READ_PHONE_STATE"/> • <uses-permission android:name="android.permission. READ_PHONE_NUMBERS "/>

14. https://MyPublicInbox.com/ChemaAlonso Permissions to get Phone Number & Accounts • TelephonyManager to Access phone number stored in SIM • AccountsManager get infor for Accounts (twitter, telegram, google…) • Some of them are: • Email • Phone number

15. https://MyPublicInbox.com/ChemaAlonso Version Codename API Distribution (%) Total Afectados Gingerbread 10 0,3 61,30 % < 8.0 2.3.3 -2.3.7 Ice Cream Sandwich 15 0,3 4.0.3 -4.0.4 4.1.x Jelly Bean 16 1,2 4.2.x 17 1,5 4.3 18 0,5 4.4 KitKat 19 6,9 5.0 Lollipop 21 3 5.1 22 11,5 6.0 Marshmallow 23 16,9 7.0 Nougat 24 11,4 7.1 25 7,8 8.0 Oreo 26 12,9 8.1 27 15,4 9 Pie 28 10,4 In 2018 (this PoC was done) almost 62% of devices had versions < Android 8 and let Access to Accounts (e-mail, twitter…). In 2021 (one week ago) aprox 50 % devices are still in Android 9 or less. Outdated (2018): Fragmentation and Update of Android Devices

16. https://MyPublicInbox.com/ChemaAlonso No Account pemisions? Oauth Login • Oauth Login could be more dangerous • Oauth: email, data, and you can change “scope” for one device and get everything

17. https://MyPublicInbox.com/ChemaAlonso Dirty Business Card

18. https://MyPublicInbox.com/ChemaAlonso Data Leakege & WebScrapping (weapponizing leaks) 1.- Reset Password para este e-mail 2.- Error: el usuario no existe 3.- Error: el usuario sí existe

19. https://MyPublicInbox.com/ChemaAlonso Gremlin Botnet: Buying the right app permissionName:"android.permission.GET_ACCOUNTS" permissionName:"android.permission.INTERNET" permissionName:"android.permission.READ_EXTERNAL_STORAG E" permissionName:"android.permission.READ_PHONE_STATE" permissionName:"android.permission.ACCESS_NETWORK_STATE

20. https://MyPublicInbox.com/ChemaAlonso Gremlin Botnet: Looking for the perfect target

21. https://MyPublicInbox.com/ChemaAlonso mASAPP. Controls app for sale!

22. https://MyPublicInbox.com/ChemaAlonso Gremlim Botnet: Oppotunistic permisions usage • Nobody suspects of a permission if they can explain it • ”Yeah… it is because this is an app for enhancing photos with beauty efects" • Use permisions opportunisticly • Ex: Pokemon Go & Photo Pictures • Ex: Select a photo and take them all. • Compiller / Lib Infections? • Ej: XCodeGhost • Do your own app and “be malicious” when permission you need is in use.

23. https://MyPublicInbox.com/ChemaAlonso Quiz App: PoC for our Gremlin Botnet • Quiz App is a PoC. • Quiz App is a “What do you prefer” Game • It´s working goodware in all devices until one target is activated.. • Use steganography to exchange commands and data from and to C&C.

24. https://MyPublicInbox.com/ChemaAlonso Quiz App: PoC for our Gremlin Botnet In Our PoC e-mail, Phone # or Twitter account activated Gremlin App.

25. https://MyPublicInbox.com/ChemaAlonso Banner is, in our, case Activation Channel Quiz App: PoC for our Gremlin Botnet

26. https://MyPublicInbox.com/ChemaAlonso Gremlin App in Gremlin Botnet

27. https://MyPublicInbox.com/ChemaAlonso Quiz App: Gremlin Botnet C&C. Sell the target

28. https://MyPublicInbox.com/ChemaAlonso Gremlin Botnet C&C

29. https://MyPublicInbox.com/ChemaAlonso “Stealling” Apps with Data in Motion • What happen when a developer “die”? • When app are outdated? • Can you re-register developer accounts? • Can you Steel and app? PROVEEDOR EXPIRATION POLICY (2018) Gmail 9 months* AOL Mail 3 months FastMail End of payment GMX Mail 6 months or end of payment Hushmail 3 weeks or end of payment ICloud Never Lycos 1 month Mail.com 6 months or end of payment Mail.ru 6 months or end of payment Mailfence 7 months (free) or never(paid) Outlook.com (live mail/Hotmail) 270 days ProtonMail 3 months Rackspace End of payment Rediffmail 3 months Runbox End of payment Tutanota Nevers Yahoo! 12 months Yandex Mail 24 months Zoho 4 months or end of payment

30. https://MyPublicInbox.com/ChemaAlonso Tacyt: Orphan “apps” without developers • Study for apps with developer accounts outdated and free. • Re-register again and take control of the Google developer account.. • How many installations affected. • We selected Outlook and a sample of 217 e-mail accounts for old apps. 0 50 100 150 200 250 Cuentas sin caducar Cuentas caducadas Cuentas sin caducar Cuentas caducadas Total 209 8 Cuentas caducadas Outlook

31. https://MyPublicInbox.com/ChemaAlonso “Dead Poets Society” Cuenta de correo Apps# Nombre de las apps Downloads# XXXXXcolla@outlook.com 12 1.Insta Mirror 1,256,150 2.Insta Face 3.Insta Eyes 4.Face Blender 5.Insta Effects 6.Insta Collage 7.Insta Color 8.Animal Face 9.Insta Frames 10.Photo Shape for Instagram 11.Insta Camera 12.Insta Square XXXXXXloperapps@outlook. com 1 1.Download Video Downloader Free 1,000,000 XXXXXenes@outlook.com 1 1.Imágenes para Whatsapp 1,000,000 XXXXXXnloader@outlook.co m 1 1.IDM+ Download Manager free 500,000 XXXXXtudios@outlook.com 1 1.Super Artie World 500,000 XXXXXkit4u@outlook.com 12 346,200 2.Military Armor Mod Installer 3.Poke Cube Mod Installer 4.Elsa Mod Installer 5.RhanCandia Elevator Installer 6.Instant Structure Mod Instaler 7.Better Lucky Blocks Installer 8.AutomatedCraft Mod Installer 9.Christmas Bosses Mod Installer 10.MineKart Mod Installer 11.Security Camera Mod Installer 12.Morph Victim Mod Installer XXXXXX.sp@outlook.com 1 1.Video player for android 100,000 XXXXXX.rocha@outlook.co m 6 1.Quiz Millonario Español Gratis 152,000 2.Millionaire 3.Millionaire Quiz English 4.Quiz Milionario Italiano 5.Millionnaire Quiz FranÃ§ais 8 accouts = 4,854,350 downloads

32. https://MyPublicInbox.com/ChemaAlonso “Dead Poets Society”

33. https://MyPublicInbox.com/ChemaAlonso Bring Your Own Device vs Take Your Own Device • BYOD • User has a personal account with Google or Apple. • User onws the device. • Installs corporate apps IF they agree to that. • When employeer/empoloyee relationship ends user manages device to restore it as it was before. • TYOD (not a SMDM) • User has a personal account with Google or Apple. • Company owns the device. • User is ”forced” to Install apps • Whe employeer/empoloyee relationship ends.. Who manages device?

34. https://MyPublicInbox.com/ChemaAlonso Corporate Gremlin Botnet & BYOD • Corporate & Event Apps • Sideloading & Testflight (No Apps Store) • No Audit / No Open Source • Opportunistic usage of permisions • BYOD: Your Own Device • Your own Photos • Your own Contacts • Your own Messages • TYOD or Corporate device • Apple Contract / Google Contract?

35. https://MyPublicInbox.com/ChemaAlonso Corporate Gremlin Botnet in BYOD&TYOD

36. https://MyPublicInbox.com/ChemaAlonso Thanks! • Every installed app (even your Company one) can do in your device everything permisions allow it to do, therefore, always think the worst. • Trust is not enought –> Zero Trust. • Security for Top excutives means to control security for every single app installed in their profesional devices and teach them to do it in their personal ones. • Any app can become a Gremlin App eventually just because: • An evil developer • A bug in its code • App is sold • Apps is stolen Contact to Chema Alonso at MyPublicInbox.com https://MyPublicInbox.com/ChemaAlonso ”Dad, mum… can I play a free game in your device that my friends play? No.”

Gremlin Apps & Gremlin Botnets by Chema Alonso

Estás leyendo una previsualización.

Eche un vistazo a continuación

Gremlin Apps & Gremlin Botnets by Chema Alonso

Más Contenido Relacionado

Similares a Gremlin Apps & Gremlin Botnets by Chema Alonso (20)

Más de Chema Alonso (20)

Más reciente (20)